Addigy supports deploying System Updates for your devices via Mobile Device Management (MDM) and Declarative Device Management (DDM) by setting rules per policy. These settings can be combined with Auto Assignment (Flex), allowing you to manage the OS of all devices within your policy or organization. System Updates via MDM and DDM brings new functionality to updating and allows administrators to deploy new operating systems.
Note on DDM enablement:
If DDM is enabled (via Account > Account Integrations > Addigy Add-Ons > DDM OS Updates) macOS 14+ and iOS/iPadOS 17+ will use DDM Enforcement Specific by default and DDM Global Settings if optionally enabled. If DDM is not enabled at the organization level MDM will cover all OS types listed in these requirements and up.
- Requirements
- Setting System Update Rules in Your Policy
- Update Experience/Restart Options
- End User Prompting MDM
- End User Prompting (DDM via Enforcement Specific)
- End User Prompting (DDM via Global Settings)
- Deployment Scheduling and Timing (MDM Updates)
- Deployment Scheduling and Timing (DDM Updates via Enforcement Specific)
- The MDM Update Workflow from Start to Finish
- Available Updates and Update Status
- System Update History and Reports
- Want to stop end users seeing Updates in Settings.app? (DDM Enforcement Specific and MDM will still push over the top if needed)
Requirements
System Updates via MDM require the below for your devices:
- Device is Supervised via ADE or MDM Manual Device Enrollment
- If the device is a Mac and has an Apple Silicon processor, device must be enrolled using any of these methods:
- ADE
-
Reduced Security Mode with a MDM Manual Device Enrollment (only below Monterey)
- For OS Updates Major & Minor updates. Safari, XProtect and other non reboot updates can run in regular mode
- Bootstrap token escrowed to Addigy (Apple documentation). The bootstrap token should automatically escrow upon MDM enrollment.
- macOS 12 and newer
- iOS 9 and newer
- iPadOS 13 and newer
- tvOS 12 and newer
System Updates via DDM Enforcement Specific require the below for your devices:
- Device is Supervised via ADE or MDM Manual Device Enrollment
- macOS 14 and newer
- iOS 17 and newer
- iPadOS 17 and newer
- DDM Addigy Add-on Enabled
System Updates via DDM Global Settings require the below for your devices:
- Device is Supervised via ADE or MDM Manual Device Enrollment
- macOS 15 and newer
- iOS 18 and newer
- iPadOS 18 and newer
- DDM Addigy Add-on Enabled
DDM vs. MDM install and enforcements
When DDM is enabled for OS updates this chart explains how updates will be sent to devices (as DDM only supports OS major, minor, and supplemental updates and excludes other products such as Safari.app or XProtect).
macOS 14+ | macOS 13 & 12 | iOS 17+ | iOS 16, 14, 13, 12, 11, 10, and 9 | iPadOS 17+ | iPadOS 16, 15, 14, and 13 | tvOS 12+ | |
OS Updates Major & Minor |
DDM (macOS 15+ Global Settings available) |
MDM |
DDM (iOS 18+ Global Settings available) |
MDM |
DDM (iPadOS 18+ Global Settings available) |
MDM | MDM |
Safari | MDM | MDM | N/A | N/A | N/A | N/A | N/A |
XProtect Definitions, etc. | MDM | MDM | N/A | N/A | N/A | N/A | N/A |
Apple Apps | MDM | MDM | MDM | MDM | MDM | MDM | MDM |
Setting System Updates Rules in your Policy
There are three options for rules inside the Policies > [policy name] > Updates > System Updates section.
- Set maximum version (Addigy recommended for change control)
- Can be used with:
- MDM OS Updates
- DDM OS Updates via Enforcement Specific
- Can be used with:
- Keep devices updated to the latest OS (including major versions) (Apple recommended for latest OS)
- Can be used with:
- MDM OS Updates
- DDM OS Updates via Enforcement Specific
- DDM OS Updates via Global Settings
-
Why can I only use keep to latest?
- This is because the new Global Settings declaration handles the OS update logic on device as part of the new Deferrals and Automatic Actions keys. Devices not on macOS 15+ or iOS/iPadOS 18+ will default to the latest with this set because the policy blanket covers all devices in scope. If you want to hold devices not on macOS 15+ or iOS/iPadOS 18+ to a specific version but use the new Global Settings declaration on macOS 15+ or iOS/iPadOS 18+ on devices try placing those newer OS devices in a separate policy that only applies to them.
-
Why can I only use keep to latest?
- Can be used with:
-
Re-send update command if last status is older than (default is 24 hours)
- This applies to MDM based updates only (as DDM send the Enforcement Specific or Global Settings to the device at the time of creation and deployment then the device takes over) and will resend if the MDM based update has not completed
In the example above, setting the maximum version number to 15.99.99 allows for devices in this policy to get all of the minor and patch versions of macOS Sequoia (15) while not deploying a future version of macOS past v15. This field follows the major.minor.patch versioning standard. These same rules apply to the iOS, iPadOS, and tvOS options.
After setting up your rule set, click Save Settings to apply these settings to your policy. These settings will inherit down through any descendant policies you have underneath this policy.
Update Method/Restart Options
System Updates via MDM follows the restart options listed in Apple's documentation. iOS, iPadOS, and tvOS only have the Default restart option available.
macOS has the below options available:
-
MDM Updates
-
Default
- Download or install the update or upgrade, depending on the current state.
- End user will get 60 second count down in Notification Center if a reboot is needed
- Download or install the update or upgrade, depending on the current state.
-
InstallForceRestart
- Perform the default action, and then force a restart if the update requires it. An upgrade always requires it. Important: InstallForceRestart may result in data loss.
-
InstallLater (this option supports end user deferrals)
- Download the software update and install it at a later time.
- With Deferrals allowed set, the system will prompt the user once a day, up to the maximum amount of times, before showing the reboot pending (in Notification Center just like Default option) and having the device to continue with the minor update.
- If "Allow user to defer minor updates" is not selected, the user will be able to infinitely defer updates.
-
Default
-
DDM Updates via Enforcement Specific
- Update will be run on the macOS, iOS, or iPadOS device after the defined value of days after the update is published to Apple's software update catalog. On that day at the defined time (device local time) the device will force the update. Prior to that date and time the end user will get prompts and when the clock runs down to 24 hours they will get an hourly prompt if the device is awake and then 60 min. from install the prompts will increase.
-
- Note: On iOS devices an update can be deferred by the end user even if the install time is lapsed if they chose the emergency call option and then back out of that menu, however minutes later the device will prompt again.
- Note: Per Apple, a device can only install a supplemental update (such as 14.2.1) if the device is already on the relevant minor version (such as 14.2). You may see situations where a device does not update to the latest version due to this behavior.
- More information can be found here: https://developer.apple.com/documentation/devicemanagement/softwareupdateenforcementspecific#discussion
-
-
DDM Updates via Global Settings
- Updates will be run on the macOS, iOS, or iPadOS devices after the download and preparation from the automatic download action is complete, and devices Global Settings have automatic software updates or Rapid Security Responses turned on and the deferral window (1-90 days) has passed.
-
When will the updates run?
- Per Apple, the device uses on-device machine learning to determine a suitable time to install them when the device is not busy and is in sleep and meets power, network, and free space requirements.
- Will the end user be prompted?
- To authorize the update, devices try to use the passcode or password from a recent unlock to perform an automatic update, but may prompt the user if no stashed unlock in the OS exists.
- What can be running on macOS?
- In addition to other software update requirements, Mac computers must have no apps or processes running which block a restart. Mac laptops can have their lid closed.
- Power requirements
- Depending on the type of the update and how it is initiated, devices must be connected to power or have the following minimum battery charging level to download, prepare, and install a software update with automatic install
- iPhone
- 30% SOC
- iPad
- 30% SOC
- Mac with Apple
silicon- 50% SOC
- Intel-based Mac
- 50% SOC
- iPhone
- Depending on the type of the update and how it is initiated, devices must be connected to power or have the following minimum battery charging level to download, prepare, and install a software update with automatic install
- Automatic Actions values
- Download
- Allowed: The user can turn on or turn off automatic downloads.
- AlwaysOn: Automatic downloads are always turned on.
- AlwaysOff: Automatic downloads are always turned off.
- Install OS Updates
- Allowed: The user can turn on or turn off automatic installations.
- AlwaysOn: Automatic installations are always turned on.
- AlwaysOff: Automatic installations are always turned off.
- Install Security Updates - Note: macOS only
- Allowed: The user can turn on or turn off automatic installations.
- AlwaysOn: Automatic installations are always turned on.
- AlwaysOff: Automatic installations are always turned off.
- Download
- Deferring a software update on iOS and iPadOS
- Combined Period In Days
- Range: 1 - 90 days
- Specifies the number of days to defer a software update. When set, software updates and upgrades appear only after the specified delay, following the release of the software update or upgrade.
- Recommended Cadence
- Specifies how the device shows software upgrades to the user. When a software update and upgrade is available, the device behaves as follows:
- All: Shows all software updates and upgrades.
- Oldest: Shows only updates for the oldest (lower numbered) software version.
- Newest: Shows only a software upgrade to the newest (highest numbered) software version.
- Specifies how the device shows software upgrades to the user. When a software update and upgrade is available, the device behaves as follows:
- Combined Period In Days
- Deferring a software update on macOS
- Major Updates
- Range: 1 - 90 days
- Specifies the number of days to defer a software upgrade on the device. When set, software upgrades appear only after the specified delay, following the release of the software upgrade.
- Minor Updates
- Specifies the number of days to defer a software update only (not a software upgrade or Rapid Security Response) on the device. When set, software updates appear only after the specified delay, following the release of the software update.
- Security Updates
- Specifies the number of days to defer non-operating system updates. When set, updates appear only after the specified delay, following the release of the update.
- Users preforming major/minor updates
- If true, a standard user can perform updates and upgrades.
- If false, only administrators can perform updates and upgrades.
- Major Updates
- Update will be run on the macOS, iOS, or iPadOS device after the defined value of days after the update is published to Apple's software update catalog. On that day at the defined time (device local time) the device will force the update. Prior to that date and time the end user will get prompts and when the clock runs down to 24 hours they will get an hourly prompt if the device is awake and then 60 min. from install the prompts will increase.
End User Prompting (MDM)
If allow user to defer minor updates is enabled for macOS devices, then the end user will receive a prompt like this below. They can click on install immediately, try the install tonight, or remind them tomorrow.
If the allow user to defer minor updates setting is disabled but InstallLater is still being used, the end user will receive a prompt similar to the following:
If the Default or InstallLater option is selected, and the download process has completed, then the prompt to restart the device will show to the end user. The prompt will appear once during the Time Window set; if one is not set, it will appear once daily.
If the end user clicks on the 60-second prompt, then the installation of the update will be indefinitely postpone until the end-user reboots or shuts down their device.
End User Prompting (DDM via Enforcement Specific)
The DDM based OS updates via Enforcement Specific have a richer prompting experience to the end user. They will first be shown a notification that an update is going to be installed at a date and time, and will be given the option to update early if they so chose. If the end user navigates in to System Settings to view the details of the update they can see the date and time that update enforcement is enabled for.
macOS
iOS
If that date and time of the enforced update is past due it will then go into a prompt and countdown cycle to the install point.
End User Prompting (DDM via Global Settings)
The DDM based OS updates via Global Settings utilizes much of the same prompting process that the consumer Apple OS Updates use, and then leverages the automatic actions to install the update if the right conditions are met. The end user will first be shown a notification that an update is available for install. If the end user clicks on that notification or navigates in to System Settings to view the details of the update they can see the version that is available and if it is cached and booked to install when the devices in in PowerNap etc. later that night.
If the end user clicks on that notification or navigates in to System Settings to view the details of the update they can see the version that is available and if it is cached and booked to install when the devices in in PowerNap etc. later that night.
Deployment Scheduling and Timing (MDM Updates)
There are three timing options by which MDM System Updates will run.
- Nightly at 2AM UTC (default, automatic)
- This process will automatically run at the time listed above and send the appropriate commands to all devices. If the devices are offline, the commands will be queued and then executed when the device comes back online.
- On-Demand by Administrators (manual)
- This process can be started by administrators and will start the System Update process immediately. This supersedes any schedule that you have set. This can be done device by device or by an entire policy.
- Schedule
- If enabled, the Schedule disables the "Nightly at 2AM UTC" default process.
- The process now will start based on the schedule settings created.
- macOS 12+, iOS 14+, iPadOS 14+, tvOS 14+ will have this process run based on the device's time and time zone.
- iOS 13-, iPadOS 13-, tvOS 13- will continue to run on UTC time as MDM does not report device time zone in iOS 13 and lower.
- A time window can be set in 2 hour increments.
- Moreover, you can have Addigy stop sending commands 30, 45, or 60 minutes from the end of the time window so that devices in your fleet can finish up prior to the end of the time window set for your System Updates.
If a device has more than 1 minor update, System Updates will always select the latest version to deploy skipping all lower versions.
Example: I have a macOS device that's on Monterey 12.3.1. The policy that the device is in has a System Updates setting that states the maximum version allowed is macOS 12.5. When checking the Available Updates for the device, it shows that it has macOS 12.4, macOS 12.5, macOS 12.5.1, macOS 12.6, and Safari 16 available. When the System Update process runs for this device, it will be updated to macOS 12.5 and will also install Safari 16 (skipping macOS 12.4 and not installing macOS 12.5.1 or 12.6).
When update commands are deployed, the following will be included (if applicable):
- 1 update that requires a restart
- Any other updates that do not require a restart
The On-Demand updates via MDM option, Start System Updates can be found in the following locations within Addigy:
- Policy-wide: Policies > [policy name] > Updates > System Updates
- Per Device: Policies > [policy name] > Devices
Deployment Scheduling and Timing (DDM Updates via Enforcement Specific)
There are options available in the policy settings to adjust and control when the enforcement (Install Date/Time) declaration is built and set for that the Apple device will install the OS update at.
-
Force install X days after release, at XX:XX
- This setting will be the number of days after release/publication to the Apple OS updates catalog that the update is scheduled to be enforced and installed at. This also includes the time of day (24 hour time) that this install enforcement is to be set on the device; this value is in local machine time.
-
Update Schedule
- Allows for specific days to be selected for the OS update to be scheduled, enforced and installed at.
- If a day of enforcement as calculated by number of days after release/publication to the Apple OS updates catalog falls on a NON selected day the will be re-calculated to the next available day and time.
- Avoid update declarations from X (date) to X (date)
- This will allow for the blocking off of set days/week spans where NO OS updates should be scheduled, enforced and installed at. This is a fixed value that will be set upon save, and will be invalid after the time passes.
- Example
- If Apple publishes an update (macOS 15.2 on December 11th 2024) that would be enforced and take place during this avoided time period the update would take place on the next available day that updates are enforced after the avoided period passes. For example above, with macOS 15.2 dropping on December 11th 2024 this update would normally install on December 25th if the device is online. However, we have an update avoidance period booked for December 20th to January 2nd for a change control freeze. That means this update will now install on the next up Sunday, Friday, or Saturday after January 2nd meaning the Update would run on January 3rd at noon device time if the device is online. If the device is not online on the 3rd and it boots up next on Saturday the 4th because the declaration was set on the device by the OS for January 3rd at noon it will be seen as past due and the DDM via Enforcement Specific update will do 60 min. after boot and can not be delayed.
- Allows for specific days to be selected for the OS update to be scheduled, enforced and installed at.
The MDM Update Workflow from Start to Finish
-
If macOS, the System Updates process is started by sending the
ScheduleOSUpdateScan
command. If non-macOS, the process will start with theAvailableOSUpdate
command - Addigy waits until we receive the response from the device that the command was executed, then, we go ahead and queue the
AvailableOSUpdate
command to check if any OS updates are available - Once we receive a response from the device via the
AvailableOSUpdate
command, we go through the list of available updates and validate what needs to be installed on the device depending on the version requirements configured in the Policy. If the Available Updates match the criteria, we will then send theScheduleOSUpdate
command to queue applicable updates - We use the
OsUpdateStatus
command to track the progress of the update. This command is sent to devices as part of our audits that occur automatically, approximately every hour - When we receive a list of statuses that are missing a previous status, we will try to use a combination of
ScheduleOSUpdateScan
andAvailableOSUpdate
to determine if the update was installed or interrupted. If the update was installed, we will mark it as complete and move it into the history of installed updates.
Ways Update Scans can be Initiated
- If using the "Default" scheduling, the devices will scan at 2 AM UTC
- Overriding the recurring schedule via the Schedule Updates section in System Updates via MDM
- By individual device by clicking on “Fetch updates from device” via GoLive > Updates (individual device)
- By APIv2 via
System Updates Scan
endpoint to kick off the scan, and then theSystem Updates Available
endpoints to narrow down what is available on the device(s)
Available Updates and Update Status
GoLive and the Policies > [policy name] > Devices section provide ways to know which updates are available for a device as well as the status of an update that is currently in progress.
- GoLive: Click the OS link found in the upper section
- Policies > [policy name] > Devices: Click the Actions menu and select System Updates
This will bring up a modal showing what updates are available for the device and the status of an update if it is currently in progress.
System Update History and Reports
GoLive and the Policies > [policy name] > Devices section provide ways to know which updates have been installed on the device. The System Updates Status modal has a History tab that will show the last 90 days worth of historical data.
Moreover, you can request a report giving you the historical data around System Updates for a policy and its devices. By heading over to Policies > [policy name] > Updates > System Updates, you can click Send Report (found on the top right) to have a report sent to your email with this data.