Recommended macOS Updates Ring Policy
Device Requirements
Update policies for macOS are a series of MDM commands deployed to the device to schedule and enforce macOS updates. To do this, the device MUST:
- Be running a supported macOS version.
- Be supervised (MDM managed)
Enforcing Major upgrades via MDM commands

Current macOS version | Target OS: macOS Monterey | Target: Major update to macOS Monterey |
---|---|---|
11.0-11.3.1 | Not Supported | Not Supported |
11.4 | Not Supported | Not Supported |
11.5 - 11.6.1 | MDM Commands | MDM Commands |
12.0.1+ | MDM Commands | MDM Commands |
Enforcing Minor updates via MDM commands

macOS version | |
---|---|
12.0.1+ | MDM Commands |
13.0+ | MDM Commands |
Pre-requisites
Step 1: Set up a pilot group
This is an optional step, but highly recommended.
The design and set up of a pilot group is very much dependent on the needs of each organisation, so when planning out your organisation’s pilot group make sure to consider the following:
- Who is best suited to be a pilot member?
  Aim for the members of your pilot group to be as close to a representative sample of the broader user base as possible. Having the right mix of users will help increase the chances that a broader range of update issues will be identified early on.
- How many pilotees?
  There’s no hard rule on how many users to have in a pilot group, but somewhere below the 5% mark can help give a breadth of users without the support overhead.
- How long should updates and upgrades be piloted?
  When choosing the length to assign for pilot testing, consider the support team’s capacity to investigate any potential issues that arise.
Step 2: Pilot user group
- Create a group, macOS Pilot Users, of your pilot users.
Group type: Security
Membership Type: Assigned
Recommended Update Schedule
We recommend using the update rings detailed below, though these can of course be changed to better suit your needs.
Useful Info
- Because the command handles both the download and the installation of updates, there can be delays and user wait times between when a device receives an update command and when the update installation is complete.
- Additionally, macOS doesn't provide user-visible progress during the process. Macs will simply restart when ready.
- ⚠️ If a Mac is configured to automatically download updates and it receives the install action command for an update that has already been cached or is in progress, macOS will assume that the update is already in progress and consequently not proceed with the installation.
To prevent this conflict from occurring, it is recommended that automatic downloads be disabled.
Recommended Software Update Settings
Category | Setting | Recommended Value for Pilot Group | Recommended Value for | Details |
---|---|---|---|---|
Restrictions | Force Delayed Major Software Updates | true | true | Delays user visibility of major upgrades to OS Software. Delay is 30 days unless Enforced Software Update Major OS Deferred Install Delay is another value. |
Restrictions | Force Delayed Software Updates | true | true | Delays user visibility of software updates. The delay is determined by Enforced Software Update Delay and Enforced Software Update Minor OS Deferred Install Delay |
Restrictions | Force Delayed App Software Updates | true | true | Delays user visibility of non-OS Software Updates. The delay is 30 days, unless Enforced Software Update Non OS Deferred Install Delay is another value. |
Restrictions | Enforced Software Update Non-OS Deferred Install Delay | 2 | 7 (days) | Sets how many days to delay an app software update on the device. When this restriction is in place the user sees a non-OS software update only after the specified delay after the release of the software. Default: 30 days |
Restrictions | Enforced Software Update Minor OS Deferred Install Delay | 2 | 7 (days) | Set how many days to delay a minor OS software update on the device. When this restriction is in place the user sees a software update only after the specified delay after the release of the software update. Default: 30 days |
Restrictions | Enforced Software Update Major OS Deferred Install Delay | 7 | 14 | Set how many days to delay a major OS software upgrade on the device. When this restriction is in place the user sees a software upgrade only after the specified delay after the release of the software update. Default: 30 days |
Restrictions | Enforced Software Update Delay | 2 | 7 | Sets how many days to delay software update on the device. With this restriction in place, the user doesn’t see a software update until the specified number of days after the software update release date. Default: 30 days |
Software Update | Restrict Software Update Require Admin to Install | false | false | If true, restrict app installations to admin users. Default: False |
Software Update | Critical Update Install | true | true | If false, disables the automatic installation of critical updates and prevents the user from changing the "Install system data files and security updates" option. Default: true |
Software Update | Config Data Install | true | true | If false, restricts the automatic installation of configuration data. Default: true |
Software Update | Automatically Install Mac OS Updates | true | true | If false, restricts the "Install macOS Updates" option and prevents the user from changing the option. Default: true |
Software Update | Automatically Install App Updates | true | true | If false, deselects the "Install app updates from the App Store" option and prevents the user from changing the option. Default: true |
Software Update | Automatic Download | false* | false* | If false, deselects the "Download new updates when available from the App Store" option and prevents the user from changing the option. ⚠️* If a Mac is configured to automatically download updates and it receives the install action command for an update that has already been cached or is in progress, macOS will assume that the update is already in progress and consequently not proceed with the installation. Default: true |
Software Update | Automatic Check Enabled | true | true | If false, deselects the "Check for updates" option and prevents the user from changing the option. Default: true |
Software Update | Allow Pre-Release Installation | false | false | If true, pre-release software can be installed on this computer. Default: true |
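The following is an added example, not part of the original guidance: a Python check that compares an exported configuration profile against the recommended values in the settings table above and lists every deviation, including the Automatic Download conflict. The payload key names are this example's mapping of the table's display names onto Apple's Restrictions and Software Update payload keys, the ring name `other` stands in for the second column (whose group name is blank on the page), and the sample profile is constructed.

```python
import plistlib

# Recommended values from the settings table. Deferrals are (pilot, second column);
# the page leaves the second group's name blank, so "other" is a placeholder.
# The payload key names are this example's mapping of the display names.
DEFERRAL_DAYS = {
    "enforcedSoftwareUpdateDelay": (2, 7),
    "enforcedSoftwareUpdateMinorOSDeferredInstallDelay": (2, 7),
    "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": (7, 14),
    "enforcedSoftwareUpdateNonOSDeferredInstallDelay": (2, 7),
}
FLAGS = {
    "forceDelayedSoftwareUpdates": True,
    "forceDelayedMajorSoftwareUpdates": True,
    "forceDelayedAppSoftwareUpdates": True,
    "restrict-software-update-require-admin-to-install": False,
    "CriticalUpdateInstall": True,
    "ConfigDataInstall": True,
    "AutomaticallyInstallMacOSUpdates": True,
    "AutomaticallyInstallAppUpdates": True,
    "AutomaticDownload": False,  # true conflicts with the MDM install command
    "AutomaticCheckEnabled": True,
    "AllowPreReleaseInstallation": False,
}

def audit(profile_bytes, ring):
    """Return sorted deviations of a .mobileconfig from the ring's baseline."""
    col = {"pilot": 0, "other": 1}[ring]  # unknown ring names raise KeyError
    want = {**FLAGS, **{k: v[col] for k, v in DEFERRAL_DAYS.items()}}
    got = {}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        got.update(payload)  # merge the Restrictions and Software Update payloads
    findings = []
    for key, expected in want.items():
        if key not in got:
            findings.append(f"{key}: missing")
        elif type(got[key]) is not type(expected) or got[key] != expected:
            findings.append(f"{key}: {got[key]!r}, expected {expected!r}")
    return sorted(findings)

# Constructed sample profile: major deferral left at 30, automatic download on,
# pre-release key omitted.
restrictions = {k: v[0] for k, v in DEFERRAL_DAYS.items()}
restrictions.update({k: True for k in FLAGS if k.startswith("forceDelayed")})
restrictions["enforcedSoftwareUpdateMajorOSDeferredInstallDelay"] = 30
software_update = {k: v for k, v in FLAGS.items() if not k.startswith("forceDelayed")}
software_update["AutomaticDownload"] = True
del software_update["AllowPreReleaseInstallation"]
SAMPLE = plistlib.dumps({"PayloadContent": [restrictions, software_update]})

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, "pilot")))
```

A missing key is reported separately from a wrong value because the OS default then applies, and for several of these settings the table's default differs from the recommended value.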
Update enforcement schedule
If you would like to have updates run on certain days or times (recommended to prevent non-critical interruptions during work hours), note that each update policy adheres to a single time zone, so consider how many distinct time zones are required and which device groups will be used in assigning them.
To help ensure that updates and upgrades are adhered to in a timely manner, consider having all update types be installed immediately, and define the inclusion or exclusion schedule to help minimise interruptions during work hours.
Update Type | Recommended value |
---|---|
Critical updates | Install immediately |
Firmware updates | Install immediately |
Configuration file updates | Install immediately |
All other updates (OS, built-in apps) | Install immediately |