Skip to main content
  1. Addigy
  2. Policies & Catalog
  3. Software Updates

System Updates via MDM

Updated:

Addigy supports deploying System Updates for your devices via mobile device management (MDM) by setting rules per policy.  These settings can be combined with Auto Assignment (Flex), allowing you to manage the OS of all devices within your policy or organization.  System Updates via MDM brings new functionality to updating and allows administrators to deploy new operating systems.

Requirements

System Updates via MDM require the below for your devices:

Note: Devices with an Apple Silicon processor that have not been enrolled via Automated Device Enrollment will need to be set to Reduced Security Mode. See our article How to fix the Kernel Extensions and Software Updates Warning on Apple Silicon for instructions to enable Reduced Security Mode.

Setting System Updates Rules in Your Policy

There are two options for rules inside the Policies > [policy name] > Updates > System Updates section. 

  • Set maximum version (Addigy recommended)
  • Keep devices updated to the latest OS (including major versions)

Screenshot_2022-10-03_at_11.18.56_AM.png

In the example above, setting the maximum version number to 12.9.99 allows for devices in this policy to get all of the minor and patch versions of macOS Monterey (12) while not deploying macOS Ventura (13).  This field follows the major.minor.patch versioning standard.  These same rules apply to the iOS, iPadOS, and tvOS options.

By default, all Enable options are unchecked.  Moreover, when you check an Enable option, the Set maximum version option is selected by default.

After setting up your rule set, click Save Settings to apply these settings to your policy.  These settings will inherit down through any descendant policies you have underneath this policy.

Restart Options

System Updates via MDM follows the restart options listed in Apple's documentation.  iOS, iPadOS, and tvOS only have the Default restart option available.  macOS has the below options available:

  • Default
    • Download or install the update or upgrade, depending on the current state.
      • End user will get 60 second count down in Notification Center if a reboot is needed
  • InstallForceRestart
    • Perform the default action, and then force a restart if the update requires it. An upgrade always requires it. Important: InstallForceRestart may result in data loss.
  • InstallLater (this option supports end user deferrals)
    • Download the software update or upgrade and install it at a later time.
    • With Deferrals allowed set, the system will prompt the user once a day, up to the maximum amount of times, before showing the reboot pending (in Notification Center just like Default option) and having the device to continue with the minor update.
    • If "Allow user to defer minor updates" is not selected, the user will be able to infinitely defer updates.

Screenshot_2022-12-27_at_2.21.43_PM.png

End User Prompting

If allow user to defer minor updates is enabled for macOS devices, then the end user will receive a prompt like this below. They can click on install immediately, try the install tonight, or remind them tomorrow. 

 

If the Default or InstallLater option is selected, and the download process has completed, then the prompt to restart the device will show to the end user. The prompt will appear once during the Time Window set; if one is not set, it will appear once daily.

mceclip0.png

If the end user clicks on the 60-second prompt, then the installation of the update will be indefinitely postpone until the end-user reboots or shuts down their device.

 

Deployment Scheduling and Timing

There are three timing options by which System Updates will run:

  • Nightly at 2AM UTC (default, automatic)
    • This process will automatically run at the time listed above and send the appropriate commands to all devices.  If the devices are offline, the commands will be queued and then executed when the device comes back online.
  • On-Demand by Administrators (manual)
    • This process can be started by administrators and will start the System Update process immediately.  This supersedes any schedule that you have set.  This can be done device by device or by an entire policy.
  • Schedule
    • If enabled, the Schedule disables the "Nightly at 2AM UTC" default process.
    • The process now will start based on the schedule settings created.
    • macOS 12+, iOS 14+, iPadOS 14+, tvOS 14+ will have this process run based on the device's time and time zone.
      • iOS 13-, iPadOS 13-, tvOS 13- will continue to run on UTC time as MDM does not report device time zone in iOS 13 and lower.
    • A time window can be set in 2 hour increments.
    • Moreover, you can have Addigy stop sending commands 30, 45, or 60 minutes from the end of the time window so that devices in your fleet can finish up prior to the end of the time window set for your System Updates.

Screenshot_2022-10-20_at_1.43.27_PM.png

If a device has more than 1 minor update, System Updates will always select the latest version to deploy skipping all lower versions.

Example: I have a macOS device that's on Monterey 12.3.1.  The policy that the device is in has a System Updates setting that states the maximum version allowed is macOS 12.5.  When checking the Available Updates for the device, it shows that it has macOS 12.4, macOS 12.5, macOS 12.5.1, macOS 12.6, and Safari 16 available.  When the System Update process runs for this device, it will be updated to macOS 12.5 and will also install Safari 16 (skipping macOS 12.4 and not installing macOS 12.5.1 or 12.6).

When update commands are deployed, the following will be included (if applicable):

  • 1 update that requires a restart
  • Any other updates that do not require a restart

The On-Demand option, Start System Updates can be found in the following locations within Addigy:

  • Policy-wide: Policies > [policy name] > Updates > System Updates

Screenshot_2022-10-03_at_11.52.56_AM.png

  • Per Device: Policies > [policy name] > Devices

Screenshot_2022-10-05_at_2.41.11_PM.png

Available Updates and Update Status

GoLive and the Policies > [policy name] > Devices section provide ways to know which updates are available for a device as well as the status of an update that is currently in progress.

  • GoLive: Click the OS link found in the upper section

Screenshot_2022-10-03_at_12.05.29_PM.png

  • Policies > [policy name] > Devices: Click the Actions menu and select System Updates

Screenshot_2022-10-03_at_12.05.59_PM.png

This will bring up a modal showing what updates are available for the device and the status of an update if it is currently in progress.

image__8_.pngScreenshot_2022-10-03_at_12.12.14_PM.png

System Update History and Reports

GoLive and the Policies > [policy name] > Devices section provide ways to know which updates have been installed on the device.  The System Updates Status modal has a History tab that will show the last 90 days worth of historical data.

Screenshot_2023-01-20_at_3.27.52_PM.png

Moreover, you can request a report giving you the historical data around System Updates for a policy and its devices.  By heading over to Policies > [policy name] > Updates > System Updates, you can click Send Report (found on the top right) to have a report sent to your email with this data.

Screenshot_2023-01-20_at_3.37.15_PM.png

Was this article helpful?
9 out of 9 found this helpful
Return to top

Didn’t find what you’re looking for?

Contact our Support Team