
🚀 Overview
Ensuring that your fleet of macOS devices remains up-to-date is a fundamental requirement for modern security posture. For IT administrators, the primary challenge is balancing the urgent need to mitigate security vulnerabilities with the necessity of maintaining high levels of user productivity. Microsoft Intune provides a robust framework for managing these updates, allowing admins to dictate when updates occur, how they are delivered, and providing visibility into the update status across the organization.
This guide focuses specifically on organization-owned macOS devices enrolled in Intune. It highlights the shift from legacy Mobile Device Management (MDM) protocols to the modern Declarative Device Management (DDM) approach recommended by Apple for newer operating systems.
🛠️ Key Technical Details
Successful update deployment depends on both device state and specific policy configurations. Before deploying any policies, ensure that target devices are powered on (or in a sleep state), connected to a reliable power source, and have active internet connectivity.
🍏 Management Strategies by OS Version
- macOS 14 (Sonoma) and Newer: Apple has deprecated legacy MDM-based software update workloads. For these devices, administrators should utilize Declarative Device Management (DDM). This modern approach moves the update logic to the device itself, allowing it to handle the download, preparation, and installation lifecycle autonomously based on an enforced deadline. These settings are configured via the Intune Settings Catalog.
- macOS 13 (Ventura) and Older: For these versions, a dual-policy MDM approach is required to manage both the timing and the behavior of updates.
⚙️ MDM Policy Configuration (For macOS 13 and Older)
To effectively manage legacy versions, admins must implement two distinct policies:
Step 1: Define Update Timing
Navigate to Devices > Apple updates > macOS update policies to establish when updates are triggered. Microsoft recommends the following “Install Later” configuration to minimize immediate user disruption:
- Critical updates: Install later
- Firmware updates: Install later
- Configuration file updates: Install later
- All other updates (OS, built-in apps): Install later
- Maximum user deferrals: 5
- Priority: High
- Schedule type: Update at next check-in
Note: Most current updates fall under “Configuration file updates” or “All other updates,” so those two categories are the ones that determine day-to-day behavior. Also, remember that scheduled times in this policy reflect the Intune service time, not the local device time, so account for the offset when targeting devices in other time zones.
Step 2: Define Installation Behavior
Navigate to Devices > Manage devices > Configuration > Settings catalog > Software Update. This policy locks the device settings to ensure updates are downloaded and ready without user intervention:
- Allow Pre Release Installation: False
- Automatic Download: True
- Automatically Install App Updates: True
- Critical Update Install: True
- Restrict Software Update Require Admin To Install: False
- Config Data Install: True
- Automatically Install MacOS Updates: True
- Automatic Check Enabled: True
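The eight Step 2 settings correspond one-to-one to keys in Apple's `com.apple.SoftwareUpdate` preference domain, which is what macOS actually reads after the settings catalog policy lands as a managed preference. The following added example (not Microsoft's or the page's own code) renders that baseline as the equivalent configuration profile and, more usefully for a practitioner, audits an exported managed-preferences plist against the baseline to catch drift. The profile identifiers, organization name and the sample device plist are constructed placeholders.

```python
"""Added example: render the Step 2 baseline as a com.apple.SoftwareUpdate
profile and audit a device's managed preferences against it.
Not Microsoft's or the page's own code."""
import plistlib
import uuid

# The settings-catalog baseline from Step 2, expressed as the preference keys
# macOS reads in the com.apple.SoftwareUpdate managed-preferences domain.
SOFTWARE_UPDATE_BASELINE = {
    "AllowPreReleaseInstallation": False,          # Allow Pre Release Installation
    "AutomaticDownload": True,                      # Automatic Download
    "AutomaticallyInstallAppUpdates": True,         # Automatically Install App Updates
    "CriticalUpdateInstall": True,                  # Critical Update Install
    "restrict-software-update-require-admin-to-install": False,  # Require Admin To Install
    "ConfigDataInstall": True,                      # Config Data Install
    "AutomaticallyInstallMacOSUpdates": True,       # Automatically Install MacOS Updates
    "AutomaticCheckEnabled": True,                  # Automatic Check Enabled
}


def build_profile(baseline: dict = SOFTWARE_UPDATE_BASELINE,
                  organization: str = "Example Org") -> bytes:
    """Return a .mobileconfig (XML plist) carrying the baseline.

    Identifiers below are placeholders; a real deployment would use the
    organization's reverse-DNS naming. PayloadScope 'System' matters: the
    keys must be enforced device-wide, not per user."""
    payload = {
        "PayloadType": "com.apple.SoftwareUpdate",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.softwareupdate.payload",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Software Update baseline",
        **baseline,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": "com.example.softwareupdate",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "macOS Software Update settings",
        "PayloadOrganization": organization,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def profile_settings(profile_bytes: bytes) -> dict:
    """Extract the non-Payload* keys from the first payload of a profile,
    i.e. the actual Software Update settings it enforces."""
    payload = plistlib.loads(profile_bytes)["PayloadContent"][0]
    return {k: v for k, v in payload.items() if not k.startswith("Payload")}


def audit_managed_prefs(prefs_bytes: bytes,
                        baseline: dict = SOFTWARE_UPDATE_BASELINE) -> dict:
    """Compare the contents of a device's managed preferences plist for the
    com.apple.SoftwareUpdate domain against the baseline.

    Returns {key: (expected, actual)} for every key that differs; a key the
    device does not enforce at all shows up with actual=None, which is the
    drift pattern you see when a profile was removed or never applied."""
    prefs = plistlib.loads(prefs_bytes)
    drift = {}
    for key, expected in baseline.items():
        actual = prefs.get(key)
        if actual != expected:
            drift[key] = (expected, actual)
    return drift


# Constructed sample: a device whose managed preferences have drifted.
# Two keys are wrong and one is missing entirely.
SAMPLE_DEVICE_PREFS = plistlib.dumps({
    "AllowPreReleaseInstallation": True,   # beta seed enabled: wrong
    "AutomaticDownload": True,
    "AutomaticallyInstallAppUpdates": True,
    "CriticalUpdateInstall": True,
    "restrict-software-update-require-admin-to-install": False,
    "ConfigDataInstall": True,
    # "AutomaticallyInstallMacOSUpdates" is absent: never enforced
    "AutomaticCheckEnabled": False,        # update checks disabled: wrong
})


if __name__ == "__main__":
    print(build_profile().decode())
    for key, (expected, actual) in audit_managed_prefs(SAMPLE_DEVICE_PREFS).items():
        print(f"DRIFT {key}: expected {expected!r}, device has {actual!r}")
```

On a real Mac, the input to `audit_managed_prefs` is the file `/Library/Managed Preferences/com.apple.SoftwareUpdate.plist`, which is where MDM-delivered preferences are written; reading it (it is a binary plist, which `plistlib` handles) and diffing against the baseline is a quick way to confirm that the Step 2 policy actually took effect on a device that Intune reports as in error or pending, rather than trusting the console's status alone.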
📢 Community Solutions
Many administrators supplement Intune policies with Nudge, a popular open-source community tool. Nudge provides a more customizable and visual interface to encourage users to apply updates before the hard deadline is reached. Microsoft provides sample scripts and .mobileconfig files in their shell script repository to assist with Nudge deployment.
⚠️ Impact
Implementing these policies significantly changes the end-user experience and the administrative workflow:
- Administrative Control: By locking update settings, admins prevent users from disabling update checks or applying unapproved OS versions that might cause application compatibility issues.
- User Experience: Under the MDM “Install Later” workflow, users are prompted to install updates and can defer the action up to five times. This gives them the flexibility to finish critical tasks before restarting.
- Forced Compliance: Once the maximum number of deferrals is reached, the device will force the installation. Admins should warn users that forced restarts do not prompt for a save, which could result in data loss.
- Reporting: Admins gain granular visibility through the Intune Admin Center (Devices > macOS > Update policies for macOS), where they can monitor the success or failure of update deployments across the entire fleet.
🛡️ Official Source: Read the full article on Microsoft.com
