Manage macOS updates with Mobile Device Management (MDM)

If you're the system administrator for your organization, you can manage updates for your Mac deployment.

macOS Big Sur and later include new ways to manage macOS updates with MDM, replacing options in earlier macOS versions and offering new options to provide more control for administrators.

In macOS Catalina and earlier, you can configure a custom software update server URL to control which updates are offered to clients. You can also use the softwareupdate command to ignore specific updates. In macOS Big Sur and later, these methods are replaced by MDM restrictions that allow you to delay updates for up to 90 days.

You can still use softwareupdate --ignore on macOS Catalina 10.15.7 or macOS Mojave 10.14.6 clients to prevent installation of macOS Big Sur or macOS Monterey, but the --ignore option is no longer available in macOS Big Sur and later.

Manage when updates are available

To configure delayed software updates for macOS with MDM, use the Restrictions payload. In macOS Big Sur and later, you can also delay updates to apps like Safari. By default, updates are delayed for 30 days when these options are enabled, and you can delay the update for up to 90 days. Your macOS clients will receive updates automatically when the delay expires. More information about delay expirations for Apple updates is available in the manage software updates documentation in Apple Device Deployment.

Install updates on demand

If you need to deploy updates while a delay is active, MDM commands allow you to download and install specific updates on demand without changing delay settings. macOS Big Sur adds new options to give you even more control over install actions.

You can use MDM commands to tell macOS clients to download updates in the background, to install previously downloaded updates, or to send a default instruction that allows the client to take appropriate action based on its current state.

MDM commands can tell clients on macOS Big Sur or later to download an update and notify the user in the App Store when the update is ready to install, or simply download the update and install it at a later time. If an update requires a restart, you can use a command to force a macOS restart with no user interaction. macOS Monterey adds an option to specify the number of times a device should prompt to install before the update is enforced.

If you force a restart, data loss may occur.
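The install actions described above correspond to the InstallAction values of the MDM ScheduleOSUpdate command. The following is an added example, not part of the original article or of any MDM product: it builds that command as a property list and rejects combinations that would not behave as intended. The key names and the rule that MaxUserDeferrals applies only to InstallLater are taken from Apple's MDM protocol reference rather than from this page; the product key is a constructed placeholder and allow_forced_restart is a hypothetical safety parameter.

```python
import plistlib
import uuid

# InstallAction values of the ScheduleOSUpdate command (Apple MDM protocol
# reference), mapped to the behaviours described in the section above.
INSTALL_ACTIONS = {
    "Default": "client takes appropriate action based on its current state",
    "DownloadOnly": "download the update in the background",
    "InstallASAP": "install a previously downloaded update",
    "NotifyOnly": "download and notify the user in the App Store",
    "InstallLater": "download and install at a later time",
    "InstallForceRestart": "install and force a restart with no user interaction",
}


def build_schedule_os_update(product_key, action="Default",
                             max_user_deferrals=None, allow_forced_restart=False):
    """Return a ScheduleOSUpdate command as XML plist bytes."""
    if action not in INSTALL_ACTIONS:
        raise ValueError(f"unknown InstallAction: {action!r}")
    # A forced restart can lose unsaved data, so require an explicit opt-in
    # (allow_forced_restart is a hypothetical guard, not an MDM key).
    if action == "InstallForceRestart" and not allow_forced_restart:
        raise ValueError("InstallForceRestart requires allow_forced_restart=True")
    update = {"ProductKey": product_key, "InstallAction": action}
    if max_user_deferrals is not None:
        # macOS Monterey and later: number of prompts before enforcement.
        if action != "InstallLater":
            raise ValueError("MaxUserDeferrals applies only to InstallLater")
        if max_user_deferrals < 0:
            raise ValueError("MaxUserDeferrals must not be negative")
        update["MaxUserDeferrals"] = max_user_deferrals
    command = {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {"RequestType": "ScheduleOSUpdate", "Updates": [update]},
    }
    return plistlib.dumps(command)


if __name__ == "__main__":
    # EXAMPLE-PRODUCT-KEY is a constructed placeholder; real keys are the
    # ones the client reports to the MDM server for its available updates.
    print(build_schedule_os_update("EXAMPLE-PRODUCT-KEY", "InstallLater", 3).decode())
```

Sending the command to a device is done through your MDM provider, which may expose these options under different names.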

Manage client settings

You can manage additional macOS client settings using the Software Update payload, which allows you to control whether macOS clients check for and install updates automatically, whether a client can install prerelease software, and more. This payload also lets you set client options and prevent end users from making changes to your settings.

For details on using any of the payload settings or commands described, consult your MDM provider documentation.
