Addigy supports deploying System Updates for your devices via Mobile Device Management (MDM) and Declarative Device Management (DDM) by setting rules per policy. These settings can be combined with Auto Assignment (Flex), allowing you to manage the OS of all devices within your policy or organization.
- Requirements
- Configuring the Version to Enforce
- Update Method/Restart Options
- Deployment Scheduling and Timing (MDM Updates)
- The MDM Update Workflow from Start to Finish
- Ways Update Scans can be Initiated
- Available Updates and Update Status
- System Update History and Reports
- DDM vs. MDM install and enforcements
Requirements
System Updates via MDM require the below for your devices:
- Device is Supervised via ADE or MDM Manual Device Enrollment
- If the device is a Mac with an Apple Silicon processor, the device must be enrolled using one of these methods:
  - ADE
  - Reduced Security Mode with an MDM Manual Device Enrollment (only below Monterey)
    - Required for Major & Minor OS updates only; Safari, XProtect, and other non-reboot updates can run in regular mode
- Bootstrap token escrowed to Addigy (Apple documentation). The bootstrap token should automatically escrow upon MDM enrollment.
- macOS 12 and newer
- iOS 9 and newer
- iPadOS 13 and newer
- tvOS 12 and newer
Configuring the Version to Enforce
There are three options for rules inside the Policies > [policy name] > Updates > System Updates section.
- Maximum version allowed (Addigy recommended for change control)
  - This setting will only determine what update is sent by Addigy and will not serve as a device-wide restriction. To control what updates users can install, please refer to this article.
- Keep devices updated to the latest OS (including major versions) (Apple recommended for latest OS)
- Re-send update command if the status is older than (default is 24 hours)
  - For example, if an update was sent to a device on Monday at 6 PM, the update command will re-send on Tuesday at 6 PM.
In the example above, setting the maximum version number to 15.99.99 allows devices in this policy to receive all of the minor and supplemental versions of macOS Sequoia (15) while not deploying any future version of macOS past 15. This field follows the major.minor.patch versioning standard. The same rules apply to the iOS, iPadOS, and tvOS options.
After setting up your versions, click Save Settings to apply these settings to your policy. These settings will be inherited down through any child policies you have underneath this policy.
Update Method/Restart Options
System Updates via MDM follow the restart options listed in Apple's documentation. iOS, iPadOS, and tvOS only have the Default restart option available.
macOS has the below options available:
- MDM Updates
  - Default
    - Download or install the update or upgrade, depending on the current state.
    - The end user will get a 60-second countdown in the Notification Center if the update requires a reboot.
    - Users are able to click on the prompt and it will pause the restart action. The next time the device restarts, it will apply the update.
  - InstallForceRestart
    - Perform the default action, and then force a restart if the update requires it. An upgrade always requires it. Important: InstallForceRestart may result in data loss.
  - InstallLater (this option supports end user deferrals)
    - Download the software update and install it at a later time.
    - With Deferrals allowed set, the system will prompt the user once a day, up to the maximum number of times, before showing the reboot pending notice (in the Notification Center, just like the Default option) and having the device continue with the minor update.
    - If "Allow user to defer minor updates" is not selected, the user will be able to infinitely defer updates and instead see the below prompt.
Deployment Scheduling and Timing (MDM Updates)
There are three timing options by which MDM System Updates will run.
- Nightly at 2 AM UTC (default, automatic)
- This process will automatically run at the time listed above and send the appropriate commands to all devices. If the devices are offline, the commands will be queued and then executed when the device comes back online.
- On-Demand by Administrators (manual)
- This process can be started by administrators and will start the System Update process immediately. This supersedes any schedule that you have set. This can be done device by device or by an entire policy.
- Schedule
- If enabled, the Schedule disables the "Nightly at 2 AM UTC" default process.
- The process now will start based on the schedule settings created.
- macOS 12+, iOS 14+, iPadOS 14+, tvOS 14+ will have this process run based on the device's time and time zone.
- iOS 13-, iPadOS 13-, tvOS 13- will continue to run on UTC time as MDM does not report device time zone in iOS 13 and lower.
- A time window can be set in 2 hour increments.
- Moreover, you can have Addigy stop sending commands 30, 45, or 60 minutes from the end of the time window so that devices in your fleet can finish up prior to the end of the time window set for your System Updates.
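The window rules above, worked through as an added example (not Addigy's code). It assumes the schedule is a start hour plus a length in 2-hour steps, a cutoff of 30, 45 or 60 minutes before the window closes (0 meaning no cutoff), and that the device's reported zone is passed in as a tzinfo object (use zoneinfo.ZoneInfo for a real IANA name; the samples below use constructed fixed offsets). It also encodes the platform rule that iOS, iPadOS and tvOS 13 and lower are evaluated on UTC.

```python
# Added example (not Addigy's code): deciding whether a scheduled System Updates
# run may still send commands. Assumptions: window = start hour + length in
# 2-hour steps; cutoff of 0/30/45/60 minutes before the window closes; device_tz
# is the zone the device reports (construct with zoneinfo.ZoneInfo in practice).
from datetime import datetime, timedelta, timezone, tzinfo

# Lowest major version per platform that reports its time zone to MDM (from the text).
TZ_AWARE_MINIMUM = {"macOS": 12, "iOS": 14, "iPadOS": 14, "tvOS": 14}


def schedule_clock(now_utc: datetime, platform: str, major: int, device_tz: tzinfo) -> datetime:
    """Clock the schedule is evaluated against: device local time when the OS
    reports it, otherwise UTC (iOS/iPadOS/tvOS 13 and lower)."""
    if now_utc.tzinfo is None:
        raise ValueError("now_utc must be timezone-aware")
    if major >= TZ_AWARE_MINIMUM[platform]:
        return now_utc.astimezone(device_tz)
    return now_utc.astimezone(timezone.utc)


def may_send(now_utc: datetime, platform: str, major: int, device_tz: tzinfo,
             start_hour: int, window_hours: int, cutoff_minutes: int = 0) -> bool:
    """True while 'now' lies inside the window, minus the cutoff at its end."""
    if window_hours <= 0 or window_hours % 2:
        raise ValueError("window length must be a positive multiple of 2 hours")
    if cutoff_minutes not in (0, 30, 45, 60):
        raise ValueError("cutoff must be 0, 30, 45 or 60 minutes")
    local = schedule_clock(now_utc, platform, major, device_tz)
    start = local.replace(hour=start_hour, minute=0, second=0, microsecond=0)
    last_send = start + timedelta(hours=window_hours) - timedelta(minutes=cutoff_minutes)
    # A window that crosses midnight may have started yesterday, so check both days.
    for day_shift in (0, 1):
        shift = timedelta(days=day_shift)
        if start - shift <= local < last_send - shift:
            return True
    return False


if __name__ == "__main__":
    eastern = timezone(timedelta(hours=-4))                    # constructed fixed offset
    now = datetime(2024, 6, 10, 23, 30, tzinfo=timezone.utc)   # 19:30 at that offset
    # macOS 14 uses device time: inside 18:00-20:00, but the 30-minute cutoff has begun.
    print(may_send(now, "macOS", 14, eastern, 18, 2, 30))      # False
    print(may_send(now, "macOS", 14, eastern, 18, 2))          # True
    # iOS 13 ignores the device zone and is evaluated at 23:30 UTC.
    print(may_send(now, "iOS", 13, eastern, 18, 2))            # False
    print(may_send(now, "iOS", 13, eastern, 22, 4, 60))        # True (22:00-02:00 UTC)
```

The midnight check matters for any window that starts late in the evening: without it, a device evaluated at 00:30 local time would be treated as outside a 22:00 to 02:00 window.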
If a device has more than one minor update available, System Updates will always select the latest allowed version to deploy, skipping all lower versions.
Example: I have a macOS device that's on Monterey 12.3.1. The policy that the device is in has a System Updates setting that states the maximum version allowed is macOS 12.5. When checking the Available Updates for the device, it shows that it has macOS 12.4, macOS 12.5, macOS 12.5.1, macOS 12.6, and Safari 16 available. When the System Update process runs for this device, it will be updated to macOS 12.5 and will also install Safari 16 (skipping macOS 12.4 and not installing macOS 12.5.1 or 12.6).
When update commands are deployed, the following will be included (if applicable):
- 1 update that requires a restart
- Any other updates that do not require a restart
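The selection rule above, together with the maximum-version rule from the Configuring the Version to Enforce section, as an added Python example (not Addigy's code). It assumes each available update is modelled as a product name, an optional OS version in major.minor.patch form, and a restart-required flag; Safari, XProtect and other non-OS items carry no OS version and are never limited by the maximum. The sample inputs are constructed from the Monterey example in the text and from the 15.99.99 policy example.

```python
# Added example (not Addigy's code): choose what one MDM deployment carries.
# Assumptions: (product, OS version or None, restart required) per update;
# version strings are major.minor.patch; non-OS items are not version-limited.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AvailableUpdate:
    product: str
    os_version: Optional[str]   # None for Safari, XProtect and other non-OS updates
    requires_restart: bool


def parse_version(text: str) -> Tuple[int, int, int]:
    """'15.99.99' -> (15, 99, 99); short forms are padded ('12.5' -> (12, 5, 0))."""
    parts = [int(p) for p in text.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"not a major.minor.patch version: {text!r}")
    padded = parts + [0] * (3 - len(parts))
    return (padded[0], padded[1], padded[2])


def select_updates(available: List[AvailableUpdate],
                   maximum_version: Optional[str] = None) -> List[AvailableUpdate]:
    """Return the single highest restart-requiring update at or below
    maximum_version (None models 'Keep devices updated to the latest OS') plus
    every update that needs no restart."""
    ceiling = parse_version(maximum_version) if maximum_version else None
    restart_candidates = [
        u for u in available
        if u.requires_restart and u.os_version is not None
        and (ceiling is None or parse_version(u.os_version) <= ceiling)
    ]
    no_restart = [u for u in available if not u.requires_restart]
    chosen: List[AvailableUpdate] = []
    if restart_candidates:
        # Lower versions are skipped: only the newest allowed one is sent.
        chosen.append(max(restart_candidates, key=lambda u: parse_version(u.os_version or "0")))
    return chosen + no_restart


# Constructed from the Monterey example in the text.
MONTEREY_EXAMPLE = [
    AvailableUpdate("macOS", "12.4", True),
    AvailableUpdate("macOS", "12.5", True),
    AvailableUpdate("macOS", "12.5.1", True),
    AvailableUpdate("macOS", "12.6", True),
    AvailableUpdate("Safari", None, False),
]

# Constructed to show the 15.99.99 ceiling from the policy example.
SEQUOIA_EXAMPLE = [
    AvailableUpdate("macOS", "15.3.1", True),
    AvailableUpdate("macOS", "15.4", True),
    AvailableUpdate("macOS", "16.0", True),
    AvailableUpdate("XProtect", None, False),
]


def names(updates: List[AvailableUpdate]) -> List[str]:
    return [u.product + (f" {u.os_version}" if u.os_version else "") for u in updates]


if __name__ == "__main__":
    print(names(select_updates(MONTEREY_EXAMPLE, "12.5")))      # ['macOS 12.5', 'Safari']
    print(names(select_updates(SEQUOIA_EXAMPLE, "15.99.99")))   # ['macOS 15.4', 'XProtect']
    print(names(select_updates(SEQUOIA_EXAMPLE)))               # ['macOS 16.0', 'XProtect']
```

Note that a ceiling of 15.0 (rather than 15.99.99) would exclude every Sequoia point release, so only the non-restart items would be sent; that is why the text recommends the x.99.99 form when the intent is "stay on this major version".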
The On-Demand updates via MDM option, Start System Updates, can be found in the following locations within Addigy:
- Policy-wide: Policies > [policy name] > Updates > System Updates
- Per Device: Policies > [policy name] > Devices
The MDM Update Workflow from Start to Finish
- If macOS, the System Updates process is started by sending the ScheduleOSUpdateScan command. If non-macOS, the process starts with the AvailableOSUpdate command.
- Addigy waits until we receive the response from the device that the command was executed; then we queue the AvailableOSUpdate command to check if any OS updates are available.
- Once we receive a response from the device via the AvailableOSUpdate command, we go through the list of available updates and validate what needs to be installed on the device depending on the version requirements configured in the Policy. If the Available Updates match the criteria, we then send the ScheduleOSUpdate command to queue the applicable updates.
- We use the OsUpdateStatus command to track the progress of the update. This command is sent to devices as part of our audits, which occur automatically approximately every hour.
- When we receive a list of statuses that is missing a previous status, we try to use a combination of ScheduleOSUpdateScan and AvailableOSUpdate to determine whether the update was installed or interrupted. If the update was installed, we mark it as complete and move it into the history of installed updates.
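The tail of that workflow, as an added example (not Addigy's code): tracking an update after ScheduleOSUpdate is sent, reconciling a status that disappears between two hourly audits, and re-sending the command once its status is older than the policy limit (24 hours by default, from the Configuring the Version to Enforce section). It assumes an OsUpdateStatus response can be modelled as a list of (product key, status) pairs and an AvailableOSUpdate response as the set of product keys still offered; the product keys and status strings below are constructed, and the command names are the ones used in this article.

```python
# Added example (not Addigy's code): status tracking for a queued update.
# Assumptions: OsUpdateStatus -> list of (product_key, status); AvailableOSUpdate
# -> set of product keys still offered; product keys and statuses are constructed.
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set, Tuple

CMD_SCAN = "ScheduleOSUpdateScan"
CMD_AVAILABLE = "AvailableOSUpdate"
CMD_SCHEDULE = "ScheduleOSUpdate"
CMD_STATUS = "OsUpdateStatus"
AUDIT_INTERVAL = timedelta(hours=1)      # audits run roughly hourly
RESEND_AFTER = timedelta(hours=24)       # policy default for "status older than"


class UpdateTracker:
    def __init__(self, resend_after: timedelta = RESEND_AFTER) -> None:
        self.pending: Dict[str, datetime] = {}     # product_key -> when ScheduleOSUpdate was sent
        self.last_status: Dict[str, str] = {}      # product_key -> status from the last audit
        self.history: List[Tuple[str, datetime]] = []
        self.commands: List[Tuple[str, str]] = []  # (command, product_key or "")
        self.resend_after = resend_after

    def schedule(self, product_key: str, now: datetime) -> None:
        self.pending[product_key] = now
        self.commands.append((CMD_SCHEDULE, product_key))

    def on_status(self, statuses: Iterable[Tuple[str, str]]) -> List[str]:
        """Process one OsUpdateStatus response from an audit. Returns pending keys
        that were reported last time but are absent now; for those, a scan and
        an availability check are queued so the outcome can be determined."""
        seen = dict(statuses)
        missing = [k for k in self.pending if k in self.last_status and k not in seen]
        self.last_status = seen
        if missing:
            self.commands += [(CMD_SCAN, ""), (CMD_AVAILABLE, "")]
        return missing

    def reconcile(self, missing: Iterable[str], still_available: Set[str],
                  now: datetime) -> List[str]:
        """AvailableOSUpdate answered: a missing update no longer offered was
        installed and moves to history; one still offered was interrupted and
        stays pending. Returns the keys marked complete."""
        completed = []
        for key in missing:
            if key not in still_available:
                self.pending.pop(key, None)
                self.history.append((key, now))
                completed.append(key)
        return completed

    def resend_due(self, now: datetime) -> List[str]:
        """Re-send ScheduleOSUpdate for anything whose status is older than the limit."""
        due = [k for k, sent in self.pending.items() if now - sent >= self.resend_after]
        for key in due:
            self.schedule(key, now)
        return due


def scenario() -> dict:
    """Constructed walk-through: two updates queued at the nightly run; Safari's
    status vanishes at the second audit and is confirmed installed; the macOS
    update is still pending a day later and gets re-sent."""
    t0 = datetime(2024, 6, 10, 2, 0, tzinfo=timezone.utc)
    tr = UpdateTracker()
    tr.schedule("MACOS_12_5", t0)   # constructed product keys
    tr.schedule("SAFARI_16", t0)
    tr.on_status([("MACOS_12_5", "Downloading"), ("SAFARI_16", "Installing")])
    missing = tr.on_status([("MACOS_12_5", "Downloading")])
    completed = tr.reconcile(missing, {"MACOS_12_5"}, t0 + 2 * AUDIT_INTERVAL)
    resent = tr.resend_due(t0 + RESEND_AFTER)
    return {"missing": missing, "completed": completed, "resent": resent,
            "history": [k for k, _ in tr.history], "commands": tr.commands}


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

The point of the reconcile step is that an absent status is ambiguous on its own: a device that rebooted mid-install and a device that finished the install both stop reporting the product, and only a fresh AvailableOSUpdate answer separates the two.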
Ways Update Scans can be Initiated
- If using the "Default" scheduling, the devices will scan at 2 AM UTC
- Overriding the recurring schedule via the Schedule Updates section in System Updates via MDM
- By individual device by clicking on "Fetch updates from device" via GoLive > Updates (individual device)
- By APIv2 via the System Updates Scan endpoint to kick off the scan, and then the System Updates Available endpoints to narrow down what is available on the device(s)
Available Updates and Update Status
GoLive and the Policies > [policy name] > Devices section provide ways to know which updates are available for a device as well as the status of an update that is currently in progress.
- Viewing from GoLive, simply select the blue OS version number
- From the Policies page, you can navigate to Policies > [policy name] > Devices: Click the Actions menu and select System Updates
Either of the above options will bring up a window showing what updates are available for the device and the status of an update if it is currently in progress.
MDM Updates in progress:
Available updates:
System Update History and Reports
GoLive and the Policies > [policy name] > Devices section provide ways to know which updates have been installed on the device. The System Updates Status modal has a History tab that shows the last 90 days' worth of historical data.
Moreover, you can request a report containing historical data for System Updates in a policy and its devices. Simply head over to Policies > [policy name] > Updates > System Updates and click "Send Report" (found on the top right) to have a report sent to your email with this data.
DDM vs. MDM Install and Enforcements
This chart explains the update priority and interactions when you also have DDM enabled in your environment. MDM Updates are responsible for deploying software updates like XProtect and Safari.
| | macOS 14+ | macOS 13 & 12 | iOS 17+ | iOS 16, 14, 13, 12, 11, 10, and 9 | iPadOS 17+ | iPadOS 16, 15, 14, and 13 | tvOS 12+ |
|---|---|---|---|---|---|---|---|
| OS Updates Major & Minor | DDM (macOS 15+ Global Settings available) | MDM | DDM (iOS 18+ Global Settings available) | MDM | DDM (iPadOS 18+ Global Settings available) | MDM | MDM |
| Safari | MDM | MDM | N/A | N/A | N/A | N/A | N/A |
| XProtect Definitions, etc. | MDM | MDM | N/A | N/A | N/A | N/A | N/A |
| Apple Apps | MDM | MDM | MDM | MDM | MDM | MDM | MDM |