Managed software updates for macOS, iOS and iPadOS

In managed environments, admins may need to control the software update process for their managed devices:
- Testing software updates
- Deploying software updates
- Enforcing that software updates are installed

Testing software updates

AppleSeed for IT helps you access and test pre-release and beta software.
- Any non-student Managed Apple ID from Apple School Manager (ASM) or Apple Business Manager (ABM) can participate in the AppleSeed for IT program
- AppleSeed for IT includes access to detailed test plans and a way to provide feedback

When Apple releases new updates and you haven't completed testing, Apple provides a deferral mechanism. Deferral prevents supervised devices from offering software updates to users until a specified period of time has passed since the updates were published by Apple.
- The deferral mechanism uses date information from the update's metadata
- The default deferral delay is 30 days from the date the update was published to the software update feed
- A custom value between 1 and 90 days can be set
- If a particular software update is republished, new date information is added to the update's metadata, and the deferral uses the new date to determine when to make the update available
- When the deferral period has expired, the update appears as available in Software Update on your Apple device

Even with deferral restrictions set, this only affects Software Update; it does not restrict the ability of MDM commands to send specific updates to devices.

OS support for deferral
- iOS 11.3 and later
- iPadOS 13.1 and later
- tvOS 12.2 and later
- macOS 10.13 and later

In macOS 11.3 and later, deferral can be applied separately to the following update types:
- Major (new OS version)
- Minor (update to the Mac's existing OS)
- Non-OS (update for Apple software which is not the operating system)
Major OS upgrades may be delayed longer than minor OS updates, allowing security updates to be applied while support for the new major OS upgrade is developed. The deferral keys to use can be seen at 3:58 in the session video.
- Defer major OS upgrades: forceDelayedMajorSoftwareUpdates
- Defer minor OS updates: forceDelayedSoftwareUpdates
- Defer non-OS updates: forceDelayedAppSoftwareUpdates

If a deferral type is enabled but there is no corresponding deferral period set, the OS falls back to using the old key: ManagedDeferralInstallDelay

To see how the Software Update preference pane appears in System Preferences when deferral settings are in place, see 4:40 in the session video. A demonstration of how a deferral workflow may work can be seen at 4:48 in the session video.

Deploying updates

First steps in deploying updates:
- Check for updates
- Confirm device eligibility

A demonstration of how this worked prior to macOS Monterey can be seen at 5:25 in the session video. On macOS Monterey, the process works like this:
- Unified workflow for both macOS and iOS
- The MDM solution uses the Apple Software Update Lookup Service to be aware of available updates
- The MDM server gets a list of available updates from the Apple Software Update Lookup Service
- When ready to deploy an update, the MDM server sends the update version to the device
- The Apple device reaches the software update server to verify that the update is eligible for that device
- If the update is eligible, the device downloads and installs the update

For macOS Monterey, a new DeviceInformation query key has been added:
- The new query key is SoftwareUpdateModelID
- SoftwareUpdateModelID returns the hardware model string for iOS and macOS to the MDM server
- The Apple Software Update Lookup Service will include the appropriate hardware identifier for macOS
- The MDM server can determine update applicability by comparing the result of a DeviceInformation query to the device IDs in the lookup service
- macOS Monterey no longer ignores the ProductVersion key, allowing update targeting using the ProductVersion key
- On macOS Big Sur and earlier, macOS used the ProductKey key
- If both the ProductVersion key and the ProductKey key are specified, ProductKey is used on macOS Monterey
- If the device can't find an update eligible for the specified version, it sends a response
- This response mechanism removes the previous round-trip path used when scanning for updates, as long as the supported device ID of the device has been previously collected

MDM admins can automatically install and authorize software updates for supervised macOS, iOS, and iPadOS devices.
- As of macOS 11, all Macs enrolled in MDM using Device Enrollment or Automated Device Enrollment are supervised

Apple Silicon Macs introduced the concept of "ownership":
- Ownership can be loosely defined as the user who first uses a Mac and configures it for their own use
- This concept is not tied to true legal ownership or chain of custody
- Ownership defines who is authorized to make changes to the startup security policy for a specific install of macOS

On Apple Silicon Macs, the startup security policy defines the restrictions around:
- Which versions of macOS can boot
- Permission to use the bootstrap token for MDM management of automated software updates

macOS requires authentication to perform software updates. For Apple Silicon Macs, authentication can be provided by:
- User password
- Bootstrap token

The user password is required for user-initiated interactive updates via Software Update in System Preferences.
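The Monterey deployment flow above (applicability by SoftwareUpdateModelID, then ProductVersion on Monterey versus ProductKey on Big Sur and earlier) as an added Python example of the MDM-server side. This is illustrative code written for these notes, not code from the session or from Apple: the lookup feed is a constructed stand-in with made-up field names, product keys and model strings (the real lookup service has its own schema), the DeviceInformation dict carries only the two keys the example needs, and the InstallAction values are the ScheduleOSUpdate options listed later in these notes.

```python
import plistlib
import uuid

# InstallAction values for the ScheduleOSUpdate command, as listed in these notes.
MACOS_ACTIONS = {"Default", "DownloadOnly", "InstallASAP", "NotifyOnly",
                 "InstallLater", "InstallForceRestart"}
IOS_ACTIONS = {"Default", "DownloadOnly"}

# Constructed stand-in for what an MDM server would cache from the Apple Software
# Update Lookup Service. Field names, product keys and model strings are made up
# for this example; the real feed has its own schema.
SAMPLE_LOOKUP_FEED = [
    {"ProductKey": "001-00001", "ProductVersion": "12.0.1",
     "SupportedDevices": ["Mac99,1", "MacBookPro99,2"]},
    {"ProductKey": "001-00002", "ProductVersion": "12.1",
     "SupportedDevices": ["MacBookPro99,2"]},
    {"ProductKey": "001-00003", "ProductVersion": "11.6.1",
     "SupportedDevices": ["Mac99,1", "MacBookPro99,2"]},
]


def version_tuple(version):
    """Turn "12.0.1" into (12, 0, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def applicable_products(device_info, feed):
    """Return feed entries whose device list contains this device's SoftwareUpdateModelID
    and whose version is newer than the installed OSVersion, newest first."""
    model = device_info["SoftwareUpdateModelID"]
    installed = version_tuple(device_info["OSVersion"])
    matches = [p for p in feed
               if model in p["SupportedDevices"]
               and version_tuple(p["ProductVersion"]) > installed]
    return sorted(matches, key=lambda p: version_tuple(p["ProductVersion"]), reverse=True)


def update_entry(product, device_info, platform="macOS",
                 install_action="Default", max_user_deferrals=None):
    """Build one element of the command's Updates array, rejecting combinations
    the notes describe as unsupported."""
    allowed = MACOS_ACTIONS if platform == "macOS" else IOS_ACTIONS
    if install_action not in allowed:
        raise ValueError(f"{install_action} is not a valid InstallAction on {platform}")
    if max_user_deferrals is not None and install_action != "InstallLater":
        raise ValueError("MaxUserDeferrals only applies to the InstallLater action")
    entry = {"InstallAction": install_action}
    # Monterey honours ProductVersion; Big Sur and earlier need ProductKey. Because
    # Monterey prefers ProductKey when both are present, send only one of them.
    if platform == "macOS" and version_tuple(device_info["OSVersion"]) < (12,):
        entry["ProductKey"] = product["ProductKey"]
    else:
        entry["ProductVersion"] = product["ProductVersion"]
    if max_user_deferrals is not None:
        entry["MaxUserDeferrals"] = int(max_user_deferrals)
    return entry


def schedule_os_update(entries, command_uuid=None):
    """Wrap the entries in a ScheduleOSUpdate command dict."""
    return {
        "CommandUUID": command_uuid or str(uuid.uuid4()),
        "Command": {"RequestType": "ScheduleOSUpdate", "Updates": list(entries)},
    }


def command_plist(command):
    """Serialize the command as the XML plist an MDM server sends to the device."""
    return plistlib.dumps(command)


if __name__ == "__main__":
    # Constructed DeviceInformation response for a Monterey Mac.
    device = {"SoftwareUpdateModelID": "MacBookPro99,2", "OSVersion": "12.0"}
    newest = applicable_products(device, SAMPLE_LOOKUP_FEED)[0]
    entry = update_entry(newest, device, install_action="InstallLater", max_user_deferrals=3)
    print(command_plist(schedule_os_update([entry])).decode())
```

Keeping the applicability check on the server means the device only ever receives versions that match its collected model ID, which is the round trip the notes say Monterey removes; the builder refuses iOS-only action values and a MaxUserDeferrals without InstallLater so a typo does not silently become a no-op command.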
The MDM bootstrap token is used for automated non-interactive updates run via MDM commands.
- Automated non-interactive updates require macOS 11.2 or later
- The update being installed must be signed by Apple

New in macOS Monterey: bootstrap token support for authenticating MDM-initiated install-later workflows
- Allows Apple Silicon devices to schedule and perform updates at a later time when the device is not in use
- Helps avoid disrupting users while they're working
- If you are already using bootstrap tokens, this will work for you when using the InstallLater action in the ScheduleOSUpdate MDM command

Once the MDM knows which updates go with which devices, the ScheduleOSUpdate MDM command is used to deploy updates to macOS, iOS and iPadOS devices.

Note: An MDM command can be used to install the update during the deferral window or after it (i.e. if you need to, you can install the update even if you had previously set a deferral window).

There are several options available when using the ScheduleOSUpdate MDM command:
- A required option is the install action
  - The value of the install action affects the behavior of the update
- The InstallASAP install action is the primary update mechanism for user-less macOS devices
  - Uses the bootstrap token to authenticate the software update on Apple Silicon Macs
  - Runs updates immediately, with an option for the user to cancel the update
  - By default, does not automatically close applications which are actively in use
  - To force-close applications, use the InstallForceRestart option with the InstallASAP install action
- DownloadOnly is useful for both users and user-less devices
  - Downloads the update in the background ahead of installation
- NotifyOnly is used to alert users that there is an update pending installation
- Neither DownloadOnly nor NotifyOnly will start the installation process
- InstallLater allows you to schedule an "Install Tonight" update
  - The device chooses a window of time, usually between 2:00 AM and 4:00 AM in the device's timezone
  - Machine learning is used to figure out when the device is least likely to be in use
  - The device tries to install the update at that least-used time
  - The device must be plugged into power at that time or the install process will not run

A demonstration of install notifications can be seen at 11:40 in the session video.

Install updates for iOS and iPadOS devices

The ScheduleOSUpdate MDM command is used to install the update, with two install actions:
- Default
- DownloadOnly

Default is the primary update mechanism, while DownloadOnly is useful for both users and user-less devices to download the update in the background before installation time.

A demonstration of iOS software update management and installation can be seen at 12:24 in the session video. A demonstration of enforcing install for iOS or iPadOS devices can be seen at 13:35 in the session video.

Enforce software updates

This is a new feature introduced for macOS Monterey. If you're setting a deferral period, you want to ensure that updates are installed quickly once the deferral period has expired.
- You don't want to offer the option of continuing to defer or cancel the update
- An enforcement mechanism is needed
- More control is now possible over the InstallLater policy to make sure updates get installed
- Specify the number of times that the device can defer a software update before installing the update is enforced
  - This number is defined by the MaxUserDeferrals key
  - After the defined number of deferrals has taken place, an InstallForceRestart occurs
  - A notification informs users of how many deferrals they have left before a forced update occurs
  - To change the maximum number of user deferrals, issue a new InstallLater MDM command

A demonstration of enforcing install for macOS devices can be seen at 14:58 in the session video.

iOS now offers two update options:
- You can update to the next major OS version once it is released. This gives you new features and all of the available security updates.
- You can also choose to stay on the iOS version you're running now. There will not be new features, but the device will still receive security updates for that iOS version.

In Settings, you can control which OS update is presented to the user.
- This is set by providing a SoftwareUpdateSettings dictionary, which includes a RecommendationCadence key
- RecommendationCadence can have three values:
  - Numeric value of zero (0): the default view, what you would get with no MDM restrictions in place; both major and minor updates are available
  - Numeric value of one (1): if two updates are available, the update with the lower version number is shown
  - Numeric value of two (2): if two updates are available, the update with the higher version number is shown
- Deferral restrictions still apply with RecommendationCadence set
  - The device applies the deferral setting first, then filters by the RecommendationCadence setting

A demonstration of RecommendationCadence settings for iOS or iPadOS devices can be seen at 16:40 in the session video.
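An added Python model of the device-side filtering these notes describe, covering both the deferral section near the top (per-type deferral windows, the republish case that restarts the clock, and the fallback to ManagedDeferralInstallDelay when a type is forced without its own delay) and the RecommendationCadence filter above, applied in that order. This is illustrative code written for these notes, not Apple's implementation: the three force keys are the ones named in the notes, the enforced*DeferredInstallDelay key names are my assumption based on Apple's Restrictions payload and should be checked against current documentation, the sample feed, profile and dates are constructed, and the cadence filter generalizes the two-update rule to any number of visible updates by keeping the lowest or highest version.

```python
from dataclasses import dataclass
from datetime import date, timedelta

DEFAULT_DELAY_DAYS = 30
LEGACY_DELAY_KEY = "ManagedDeferralInstallDelay"   # fallback key named in the notes

# Force keys are from the notes. The per-type delay key names are an assumption
# based on Apple's Restrictions payload; verify them before relying on this.
DEFERRAL_KEYS = {
    "major": ("forceDelayedMajorSoftwareUpdates",
              "enforcedSoftwareUpdateMajorOSDeferredInstallDelay"),
    "minor": ("forceDelayedSoftwareUpdates",
              "enforcedSoftwareUpdateMinorOSDeferredInstallDelay"),
    "nonos": ("forceDelayedAppSoftwareUpdates",
              "enforcedSoftwareUpdateNonOSDeferredInstallDelay"),
}


@dataclass
class Update:
    version: str
    kind: str          # "major", "minor" or "nonos"
    published: list    # every date Apple published it; a republish appends a new date


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def deferral_days(profile, kind):
    """Days an update of this kind stays hidden under the given restrictions payload."""
    force_key, delay_key = DEFERRAL_KEYS[kind]
    if not profile.get(force_key, False):
        return 0                               # type not deferred at all
    # Forced but no per-type delay: fall back to the old key, then to the 30-day default.
    days = profile.get(delay_key, profile.get(LEGACY_DELAY_KEY, DEFAULT_DELAY_DAYS))
    if not 1 <= days <= 90:
        raise ValueError(f"{delay_key}={days} is outside the supported 1-90 day range")
    return days


def visible_after_deferral(updates, profile, today):
    """Updates whose deferral window (measured from the latest publish date) has expired."""
    visible = []
    for update in updates:
        clock_start = max(update.published)   # a republish resets the deferral clock
        if today >= clock_start + timedelta(days=deferral_days(profile, update.kind)):
            visible.append(update)
    return visible


def apply_cadence(updates, cadence):
    """RecommendationCadence: 0 shows everything, 1 the lowest version, 2 the highest."""
    if cadence not in (0, 1, 2):
        raise ValueError(f"unsupported RecommendationCadence {cadence}")
    if cadence == 0 or len(updates) < 2:
        return list(updates)
    ordered = sorted(updates, key=lambda u: version_tuple(u.version))
    return [ordered[0]] if cadence == 1 else [ordered[-1]]


def offered_versions(updates, profile, today, cadence=0):
    """What Software Update shows: deferral is applied first, then the cadence filter."""
    return [u.version for u in apply_cadence(visible_after_deferral(updates, profile, today), cadence)]


# Constructed sample feed: a minor update and a major one that Apple republished.
SAMPLE_FEED = [
    Update("15.1", "minor", [date(2021, 10, 25)]),
    Update("16.0", "major", [date(2021, 9, 1), date(2021, 10, 15)]),
]
# Constructed restrictions payload: minor updates wait 14 days, major upgrades 60.
SAMPLE_PROFILE = {
    "forceDelayedSoftwareUpdates": True,
    "enforcedSoftwareUpdateMinorOSDeferredInstallDelay": 14,
    "forceDelayedMajorSoftwareUpdates": True,
    "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": 60,
}

if __name__ == "__main__":
    for day in (date(2021, 11, 15), date(2022, 1, 10)):
        for cadence in (0, 1, 2):
            print(day, "cadence", cadence, "->", offered_versions(SAMPLE_FEED, SAMPLE_PROFILE, day, cadence))
```

The republished major upgrade is the case to watch when planning a rollout: measured from its first publish date it would already be visible on 15 November, but the republish on 15 October pushes it to mid December, exactly the behaviour the deferral notes describe.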