Many MSPs have been using a third-party tool like JAMF or Addigy to manage macOS devices in customer environments because of the limitations of Intune. Over the years, Microsoft has been adding a good amount of management functionality specifically for macOS devices. One of the latest releases is giving you the ability to manage the update policies for macOS devices (currently in preview).

We were personally excited about this, so in this article I wanted to detail this new feature along with the other policies within Endpoint Manager that allow you to manage updates on these devices.

Prerequisites

Overview

Within the Endpoint Manager admin center, you can now see “Update policies for macOS” under the Devices section.

When you go to create a profile, you are presented with the following options.

Each update type allows you to select how the update is applied. The following options are currently available:

  1. Download and Install: Download or install the update, depending on the current state.
  2. Download only: Download the software update without installing it.
  3. Install immediately: Download the software update and trigger the restart countdown notification.
  4. Notify only: Download the software update and notify the user through the App Store.
  5. Install later: Download the software update and install it at a later time.
  6. Not configured: No action is taken on the software update.

Additionally, you get to configure the schedule in which the updates are applied.

If you are familiar with Windows update rings, this setting is very similar to choosing “update during scheduled time”. It allows you to select the window of time in which the updates occur.

A couple of key things to note here:

  • Intune will “check in” with the macOS device about once every 8 hours, so if you choose the “Update at next check-in” option, this is the interval you are looking at.
  • The Install Immediately option for the policy behaviors will be the most disruptive to the end user, as it reboots the machine on a triggered countdown.
  • Notify Only may be a great option for many of the updates, since you can pair it with the schedule settings so that the machine updates after business hours while still giving the user a prompt. To me, this is a better option than Download Only.

Deferral Period

Many of us like to set a deferral period for updates, especially when it comes to Windows devices because of the bugs that may be released in the first iteration. The same can be done with macOS devices by creating a Configuration Profile in Endpoint Manager.

Go to Devices > Configuration Profiles > select macOS > select Settings catalog for the profile type:

Here, with the settings picker, you can select deferred install delays for a few settings:

This allows you to defer the installs for major/minor OS updates as well as non-OS updates. Another section of this settings picker where you can modify update behavior is Software Update. There you can turn off automatic updates by toggling the setting to false, which also prevents the user from changing the setting:
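Under the hood, the deferral and Software Update toggles above are delivered to the Mac as keys in Apple's Restrictions (com.apple.applicationaccess) and Software Update (com.apple.SoftwareUpdate) payloads. The script below is an added example, not code from this post or from Intune: it builds an equivalent profile and audits one for the two mistakes that silently defeat a deferral (a delay outside Apple's 1 to 90 day range, or a delay set while its companion force* switch is false) and for automatic updates left on. It assumes Intune emits Apple's documented key names unchanged; the payload identifiers and UUIDs are constructed placeholders.

```python
import plistlib

# Apple's documented Restrictions keys behind the deferral settings the post picks in the
# settings catalog (assumption: Intune emits the same keys). Each delay only applies when
# its companion force* switch is true, and Apple accepts 1..90 days for a delay.
DELAY_KEYS = {
    "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": "forceDelayedMajorSoftwareUpdates",
    "enforcedSoftwareUpdateMinorOSDeferredInstallDelay": "forceDelayedSoftwareUpdates",
    "enforcedSoftwareUpdateNonOSDeferredInstallDelay": "forceDelayedAppSoftwareUpdates",
}
AUTO_KEYS = ("AutomaticCheckEnabled", "AutomaticDownload", "AutomaticallyInstallMacOSUpdates")
MIN_DAYS, MAX_DAYS = 1, 90

def build_profile(major_days, minor_days, non_os_days, auto_updates=False, enforce=True):
    """Return a .mobileconfig (plist bytes) carrying the deferral and Software Update payloads."""
    restrictions = {"PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
                    "PayloadIdentifier": "example.restrictions",  # constructed placeholder
                    "PayloadUUID": "00000000-0000-0000-0000-000000000001"}  # constructed
    for (delay_key, switch_key), days in zip(DELAY_KEYS.items(), (major_days, minor_days, non_os_days)):
        restrictions[switch_key] = enforce
        restrictions[delay_key] = days
    software_update = {"PayloadType": "com.apple.SoftwareUpdate", "PayloadVersion": 1,
                       "PayloadIdentifier": "example.softwareupdate",  # constructed placeholder
                       "PayloadUUID": "00000000-0000-0000-0000-000000000002"}  # constructed
    for key in AUTO_KEYS:  # False mirrors the "turn off automatic updates" toggle in the post
        software_update[key] = auto_updates
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "example.macos-updates",  # constructed placeholder
               "PayloadUUID": "00000000-0000-0000-0000-000000000000",  # constructed
               "PayloadContent": [restrictions, software_update]}
    return plistlib.dumps(profile)

def audit_profile(profile_bytes):
    # Returns a list of findings for settings that will not behave the way the admin expects.
    payloads = {p["PayloadType"]: p for p in plistlib.loads(profile_bytes)["PayloadContent"]}
    findings = []
    restrictions = payloads.get("com.apple.applicationaccess", {})
    for delay_key, switch_key in DELAY_KEYS.items():
        days = restrictions.get(delay_key)
        if days is None:
            continue
        if not MIN_DAYS <= days <= MAX_DAYS:
            findings.append(f"{delay_key}={days} is outside {MIN_DAYS}-{MAX_DAYS} days")
        if not restrictions.get(switch_key, False):
            findings.append(f"{delay_key} is ignored because {switch_key} is false")
    software_update = payloads.get("com.apple.SoftwareUpdate", {})
    for key in AUTO_KEYS:
        if software_update.get(key, True):  # macOS treats an absent key as enabled
            findings.append(f"{key} is still enabled; the Mac may update outside the schedule")
    return findings
```

Run `audit_profile` against a profile exported from a managed Mac to confirm the deferral the portal shows is the one the device actually enforces.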

Combining Compliance Policies and Conditional Access

With these update policies in place, you can also leverage the compliance policy settings to enforce a minimum OS version across the org.

The only downside is that you have to update these versions periodically across all of your customers, but I do think it is good practice to review your compliance policies on a periodic basis (e.g., quarterly or semiannually). With the compliance policies in place, you can also better enforce conditional access on non-compliant devices.

Monitor Updates

Lastly, you can go to Devices > Monitor > Software Updates to see the stats for updates being pushed out to macOS devices after the policy is configured.
