Notes from Discover AppleSeed for IT and Managed Software Updates (Friday, June 25th, 2020)

Testing pre-release software

Public beta - available to all users who sign up at beta dot apple dot com.
  • Geared towards reporting livability and/or general use issues.

  • Updates in this program can be less frequent than other beta seed releases.

  • Public beta seeds released for the following platforms:

  • iOS

  • iPad OS

  • macOS

  • tvOS

  • watchOS (new this year)

Developer beta - seeding program geared towards app developers

Appleseed for IT beta - seeding program geared towards IT professionals in enterprise and education.

AppleSeed for IT testers provide feedback to Apple on how Apple's pre-release tools and frameworks act in the testers' environments. Apple is particularly interested in identifying deployment blockers, as those would prevent deployment of the latest OS when Apple releases.

To enroll into AppleSeed for IT:

Create a managed Apple ID (MAID)
Associate your work email with the MAID, so you can receive communications from AppleSeed.
Log into appleseed.apple.com with your MAID.

To enable devices to test pre-release software, Apple has made the following tools available:
  • iOS / iPad OS: configuration profile available from appleseed.apple.com

  • macOS: macOS beta access utility

Report any issues discovered in testing via the Feedback Assistant app.

Collaboration
  • Other Appleseed for IT participants and teammates

  • Field engineering

  • AppleCare

With an AppleCare for Enterprise or AppleCare OS support agreement, customers can request testing assistance from an AppleCare account manager or an Apple systems engineer.

Filing feedback for your organization:
  • File immediately after the issue occurs with the device it occurs on.

- This helps ensure the relevant logs are gathered.
  • Gather logs and note the time.

  • Include the steps to reproduce the problem.

  • If possible, include screenshots and/or screen recordings showing the issue.

New features in Feedback Assistant

Feedback Assistant is available on the following:
  • iOS

  • iPad OS

  • macOS

  • Website

Teams for Feedback Assistant:

Teams allows members of an organization to work together on feedback with Apple.
Teams are configured by Apple Business Manager or Apple School Manager, for AppleSeed for IT and in App Store Connect.

Members of the team can:
  • See feedback submitted by others in the team

  • See responses from Apple

  • Participate in the feedback conversation.

  • Reassign feedback to other team members

Multi-device diagnostics

Initiate feedback from an iPhone or iPad
Collect logs from multiple devices
All devices must be signed into iCloud.

When feedback is submitted, the diagnostics upload from each device directly to Apple.

Managing software updates:

Control over updating Apple devices
Update compatibility with your company, school or institution
Consistent deployment across devices
Contain critical improvements for stability, performance and security.

Organizations should do their best to deploy updates as swiftly as possible.

MDM command to update devices to the latest OS version
  • Choose to download only, or download and install.

Only updates which are still being signed by Apple are permitted for installation.
In order to use MDM to remotely update the OS on the device, supervision is required.

For iOS / iPad OS:
  • Passcode will need to be entered before OS update takes place.

Deferring software updates:

iPad OS, iOS and tvOS

MDM restriction available which defers over-the-air software updates
Default delay is 30 days
Delay can be overridden and specified as being a value between 1 day and 90 days.
Once the delay expires, the next update in the deferral window is evaluated.
  • Next update will either be deferred itself or presented immediately for installation.

No downgrades or rollbacks
  • Reverting to an older OS involves wiping the device

  • Apple only supports updating devices to newer version of the OS.

Apple signs its software for production use and older releases may have their signing revoked to ensure that customers are not susceptible to downgrade attacks.

On macOS, automatic checking for updates, download and installation of updates is controlled via the settings in the Software Update preference pane in System Preferences. These settings are manageable via MDM.

For macOS, the deferral process is similar to the process used on iOS/iPad OS/tvOS. A profile may be deployed to defer updates up to 90 days.

Unique features in macOS:
  • Deferred updates are transparent to the user in System Preferences

  • Once an update is past the deferral window, the user receives a notification and the update will be visible in System Preferences.

  • Deferring software updates does not require being supervised

Updates are deferred by date, not version number. This allows the deferral of multiple software updates in succession rather than deferring only one update at a time.

Changes to managed software updates
  • Support for deferring software updates during beta seeding in macOS Big Sur

8 Support for deferring major releases was introduced in macOS Catalina 10.15.4

Securing software updates
  • Unification of installation technologies across iOS and macOS

  • Snapshot-based updates

- Snapshot of the system volume is taken and the snapshot is updated while the user is using their Mac.
  • Snapshots are cryptographically sealed using authenticated APFS. This allows verification on boot that the user system matches what was delivered to the Mac by Apple.
    • Cryptographically sealed system volume

    • Remotely driven updates

    Removals

Custom catalog support has been removed
  • The installation catalog will be managed by Apple
No longer possible to ignore updates indefinitely
  • Ignore is supported in these releases if the device is supervised
- macOS Catalina 10.15.6
  • macOS Mojave 10.14.6 (following installation of the Mojave security updates released along with 10.15.6)

Replies

Hi Rich,

Does this mean there is absolutely no way to prevent macOS from installing the newest major version (not just deferring up to 90 days) once my fleet is on Big Sur?

I manage machines in a Higher-Ed environment and we usually wait until the summer each year to upgrade to the newest macOS. So it sounds like as of Big Sur, Apple will be forcing me to upgrade my clients around December-January each year (assuming 90 day deferral) to the newest major OS release. If this is the case, it would likely require updating third-party software for compatibility with the new OS or risk the software no longer working in our environment.

Thanks in advance