Recommended approach for managing macOS updates

There are three MDM mechanisms available to manage how and when your Macs update:

  1. Software update settings via Configuration Profiles
    Used to define
    - Whether to automatically download and install certain updates
    - Whether to delay visibility of updates from users
    - Whether to allow the installation of a beta OS release

  2. Intune’s Update Policies for macOS
    Define how and when each update type is deployed.

  3. Declarative software update policy (macOS 14 and later)
    Enforces installation of a specific OS version or build by a device-local deadline.

This document outlines Devicie’s recommended approach to all three mechanisms.

ℹ️ We recommend that you define your update pilot group in preparation for deploying these configuration changes (see Creating an update pilot group for more info)


1. Software update settings via Configuration Profiles

The following settings can be deployed to all users.

Setting                                              Recommended value
---------------------------------------------------  -----------------
Force Delayed Major Software Updates                 true
Force Delayed Software Updates                       true
Force Delayed App Software Updates                   true
Restrict Software Update Require Admin To Install    false
Critical Update Install                              true
Config Data Install                                  true
Automatically Install Mac OS Updates                 true
Automatically Install App Updates                    true
Automatic Download                                   true
Automatic Check Enabled                              true
Allow Pre Release Installation                       false
Allow Rapid Security Response Installation           true
Allow Rapid Security Response Removal                false

The following settings set how many days each update type stays hidden from users after Apple releases it (the permitted range is 1 to 90 days). The macOS pilot group is given shorter delays than the rest of the Mac fleet so that it sees each update first.

Setting                                                      Pilot users (days)   Everyone else (days)
-----------------------------------------------------------  -------------------  --------------------
Enforced Software Update Minor OS Deferred Install Delay     1                    6
Enforced Software Update Major OS Deferred Install Delay     14                   30
Enforced Software Update Delay                               1                    6
Enforced Software Update Non OS Deferred Install Delay       1                    6
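To confirm that these values actually reached a Mac, the following Python audit (added here; it is not part of the Devicie page or of Intune) reads the two managed preference files that macOS writes when the profile lands and compares them with both tables above for a given group. It uses Apple's payload key names in place of the display names shown in the tables, and the two plist documents embedded in it are constructed sample input standing in for the real files.

```python
"""Audit the software-update settings a Mac actually received from MDM.

Added example, not part of the Devicie page or of Intune. When a profile lands,
macOS writes the keys to two managed preference domains:

  /Library/Managed Preferences/com.apple.applicationaccess.plist  (deferral and RSR keys)
  /Library/Managed Preferences/com.apple.SoftwareUpdate.plist      (automatic update keys)

This compares their contents with the recommended values in the two tables above,
using Apple's payload key names for the display names shown there. The plists below
are constructed sample input; on a real Mac, export each file with
`sudo plutil -convert xml1 -o - <path>` and pass the text to audit().
"""
import plistlib

# Recommended values common to all users (first table), keyed by Apple payload key.
EXPECTED_COMMON = {
    "com.apple.applicationaccess": {
        "forceDelayedMajorSoftwareUpdates": True,
        "forceDelayedSoftwareUpdates": True,
        "forceDelayedAppSoftwareUpdates": True,
        "allowRapidSecurityResponseInstallation": True,
        "allowRapidSecurityResponseRemoval": False,
    },
    "com.apple.SoftwareUpdate": {
        "restrict-software-update-require-admin-to-install": False,
        "CriticalUpdateInstall": True,
        "ConfigDataInstall": True,
        "AutomaticallyInstallMacOSUpdates": True,
        "AutomaticallyInstallAppUpdates": True,
        "AutomaticDownload": True,
        "AutomaticCheckEnabled": True,
        "AllowPreReleaseInstallation": False,
    },
}

# Deferral windows in days (second table); these also live in com.apple.applicationaccess.
DELAY_KEYS = (
    "enforcedSoftwareUpdateMinorOSDeferredInstallDelay",
    "enforcedSoftwareUpdateMajorOSDeferredInstallDelay",
    "enforcedSoftwareUpdateDelay",
    "enforcedSoftwareUpdateNonOSDeferredInstallDelay",
)
DELAYS = {"pilot": (1, 14, 1, 1), "everyone": (6, 30, 6, 6)}


def expected_for(group):
    """Merge the common table with the deferral values for 'pilot' or 'everyone'."""
    expected = {domain: dict(keys) for domain, keys in EXPECTED_COMMON.items()}
    expected["com.apple.applicationaccess"].update(zip(DELAY_KEYS, DELAYS[group]))
    return expected


def audit(domains, group):
    """domains maps a preference domain name to its plist text or bytes. Returns a
    list of human-readable findings; an empty list means the device matches the tables."""
    findings = []
    for domain, expected in expected_for(group).items():
        raw = domains.get(domain)
        if raw is None:
            findings.append(f"{domain}: managed preference file missing")
            continue
        prefs = plistlib.loads(raw.encode() if isinstance(raw, str) else raw)
        for key, want in expected.items():
            got = prefs.get(key)
            if got is None:
                note = ""
                # forceDelayedSoftwareUpdates without a delay value means macOS applies
                # its default of 30 days, not "no deferral", so call that out.
                if key == "enforcedSoftwareUpdateDelay" and prefs.get("forceDelayedSoftwareUpdates"):
                    note = "; macOS will use its 30-day default"
                findings.append(f"{domain}/{key}: not set (expected {want!r}){note}")
            elif type(got) is not type(want) or got != want:
                # Strict type check so an integer 1 is not accepted for a boolean true.
                findings.append(f"{domain}/{key}: {got!r} (expected {want!r})")
    return findings


# Constructed sample: a fleet (non-pilot) Mac whose restrictions payload is incomplete,
# so the general delay falls back to Apple's default and one RSR key was never set.
PLIST_HEAD = ('<?xml version="1.0" encoding="UTF-8"?>\n'
              '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
              '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n<plist version="1.0">')
SAMPLE_FLEET_DEVICE = {
    "com.apple.applicationaccess": PLIST_HEAD + """<dict>
  <key>forceDelayedMajorSoftwareUpdates</key><true/>
  <key>forceDelayedSoftwareUpdates</key><true/>
  <key>forceDelayedAppSoftwareUpdates</key><true/>
  <key>allowRapidSecurityResponseInstallation</key><true/>
  <key>enforcedSoftwareUpdateMinorOSDeferredInstallDelay</key><integer>6</integer>
  <key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key><integer>30</integer>
  <key>enforcedSoftwareUpdateNonOSDeferredInstallDelay</key><integer>6</integer>
</dict></plist>""",
    "com.apple.SoftwareUpdate": PLIST_HEAD + """<dict>
  <key>restrict-software-update-require-admin-to-install</key><false/>
  <key>CriticalUpdateInstall</key><true/>
  <key>ConfigDataInstall</key><true/>
  <key>AutomaticallyInstallMacOSUpdates</key><true/>
  <key>AutomaticallyInstallAppUpdates</key><true/>
  <key>AutomaticDownload</key><true/>
  <key>AutomaticCheckEnabled</key><true/>
  <key>AllowPreReleaseInstallation</key><false/>
</dict></plist>""",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLEET_DEVICE, "everyone"):
        print(finding)
```

Run against the sample as a fleet device it reports two findings: the missing Allow Rapid Security Response Removal key and the missing general delay (which macOS silently treats as 30 days). Auditing the same device as a pilot device adds the three deferral values that differ between the groups, which is the quickest way to spot a Mac that ended up in the wrong group.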

2. Intune's Update Policies for macOS

Intune's Update Policies for macOS deploy a series of MDM commands that schedule and enforce macOS updates according to update type (critical, firmware, configuration file, and all other updates).

We recommend three update policies. One of them (the scheduled policy) requires the business hours and time zone of your organisation. Only one time zone can be assigned per policy, so if your organisation works across multiple time zones you will need one scheduled policy per time zone, together with time-zone-specific user groups so that each scheduled policy is assigned to the correct users.

Update policy #1: Scheduled policy

Description: Outside business hours, install all updates immediately

Assignment: All Users

Update policy #2: Unscheduled updates for Pilot users

Description: Install all updates at next check-in

Assignment: Pilot Users

Update policy #3: Unscheduled updates for everyone else

Description: Install critical and configuration file updates at next check-in. Minor OS updates can be postponed by the user at most 2 times before the install is enforced (with a 60 second countdown).

The system prompts the user once a day.

For Apple Silicon Macs, the policy's priority level determines the minimum battery level required for a minor OS update.

Assignment: All Users, Except Pilot Users

📚 Additional information on how update policies work

3. Declarative Software Update policy (available for macOS 14 and later only)

A Declarative Software Update policy installs a specific update by an enforced deadline. The policy takes precedence over other policies that configure software updates.

Set the following values per policy:

  • Target OS Version: The OS version to update the device to, such as 16.1. You can also include a supplemental version identifier, such as 16.1.1.

  • Target Build Version: The build version to update the device to, such as 20A242. The build version can include a supplemental version identifier, such as 20A242a.

    If the build version you enter isn't consistent with the Target OS Version value, the Target OS Version value takes precedence.

  • Target Local Date Time: The local date and time at which installation of the update is forced, in the format yyyy-mm-ddThh:mm:ss. The value carries no time zone offset: each Mac interprets it in its own local time zone, so one value enforces at different instants on Macs in different time zones. For example:

    • To install an update on January 1, 2024 at 6 AM local time, enter 2024-01-01T06:00:00.

    • To install an update on December 31, 2023 at 9 PM local time, enter 2023-12-31T21:00:00.

📚 Use the settings catalog to configure declarative software updates | Microsoft Learn
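Intune generates the Apple declaration from the three settings catalog values above. The following Python script (added here; it is not part of the Devicie page, Intune or Apple's documentation) preflights those values the way the device will read them and shows the shape of the resulting declaration: it refuses a deadline with a time zone offset, rejects a malformed Target Local Date Time, and flags a build that is not consistent with the OS version, the case in which the device enforces Target OS Version alone. The OS-to-build mapping it uses is an assumption for macOS 11 to 15, not a rule Apple documents, and the Identifier and ServerToken it emits are generated for illustration.

```python
"""Preflight a declarative software-update enforcement before it goes into Intune.

Added example, not part of the Devicie page, Intune, or Apple's documentation.
Intune builds the com.apple.configuration.softwareupdate.enforcement.specific
declaration for you from the settings catalog; this checks the three values in
advance and shows what the Mac receives. Identifier and ServerToken are generated
here for illustration only; a real MDM server assigns its own.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Apple's TargetLocalDateTime is RFC 3339 with the offset removed: two-digit seconds, no zone.
TARGET_LOCAL_DT = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$")
BUILD = re.compile(r"^(\d+)[A-Z]\d+[a-z]?$")  # e.g. 23E214 or 20A242a

# Assumption (heuristic, not Apple-documented): macOS major -> Darwin build prefix.
MACOS_BUILD_PREFIX = {11: 20, 12: 21, 13: 22, 14: 23, 15: 24}


def format_target_local_datetime(deadline: datetime) -> str:
    """Format a naive, device-local datetime. tz-aware input is refused because the
    declaration carries no offset and every Mac reads the value in its own zone."""
    if deadline.tzinfo is not None:
        raise ValueError("TargetLocalDateTime has no offset; pass a naive device-local datetime")
    return deadline.replace(microsecond=0).strftime("%Y-%m-%dT%H:%M:%S")


def valid_target_local_datetime(value: str) -> bool:
    """True only for yyyy-mm-ddThh:mm:ss that is also a real calendar date and time."""
    if not TARGET_LOCAL_DT.match(value):
        return False
    try:
        datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return False
    return True


def build_consistent_with_os(os_version: str, build: str):
    """True/False when the heuristic can decide, None when the OS major is outside the
    mapping above or the build string is malformed. False means the device would
    ignore Target Build Version and enforce Target OS Version only."""
    m = BUILD.match(build)
    try:
        os_major = int(os_version.split(".")[0])
    except ValueError:
        return None
    if m is None or os_major not in MACOS_BUILD_PREFIX:
        return None
    return int(m.group(1)) == MACOS_BUILD_PREFIX[os_major]


def build_declaration(os_version: str, deadline: datetime, build=None, details_url=None):
    """Return the declaration dict a DDM server would send. TargetOSVersion and
    TargetLocalDateTime are required; TargetBuildVersion and DetailsURL are optional."""
    if build is not None and build_consistent_with_os(os_version, build) is False:
        raise ValueError(f"build {build} is not consistent with OS {os_version}; "
                         "the device would enforce the OS version alone")
    payload = {
        "TargetOSVersion": os_version,
        "TargetLocalDateTime": format_target_local_datetime(deadline),
    }
    if build:
        payload["TargetBuildVersion"] = build
    if details_url:
        payload["DetailsURL"] = details_url
    return {
        "Type": "com.apple.configuration.softwareupdate.enforcement.specific",
        "Identifier": str(uuid.uuid4()),   # illustrative; server-assigned in practice
        "ServerToken": str(uuid.uuid4()),  # illustrative; must change whenever the payload changes
        "Payload": payload,
    }


if __name__ == "__main__":
    # Three-digit seconds, as in a mistyped deadline, is rejected.
    print(valid_target_local_datetime("2024-01-01T06:00:000"))
    # A tz-aware deadline is refused rather than silently dropped to local time.
    try:
        format_target_local_datetime(datetime(2024, 1, 1, 6, tzinfo=timezone.utc))
    except ValueError as exc:
        print(exc)
    # Constructed sample: macOS 14.4 (build 23E214) by 06:00 device-local on 1 April 2024.
    decl = build_declaration("14.4", datetime(2024, 4, 1, 6, 0), build="23E214",
                             details_url="https://intranet.example/updates")
    print(json.dumps(decl, indent=2))
```

Because the deadline is device-local, a single declaration assigned to users in several time zones fires at 06:00 in each zone rather than at one instant; if you need a simultaneous cut-over, the time zone groups created for the scheduled policy in section 2 are the place to assign per-zone deadlines.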
