Use MDM to deploy software updates to Apple devices
Managing software updates and upgrades involves testing prerelease updates and upgrades, deploying them to users’ devices, and enforcing policies that mandate users keep their devices up to date.
MDM software update and upgrade commands
The MDM software update and upgrade commands are listed here. These commands don’t allow for customised user-facing notifications.
Note: In macOS 13 or later, the Mac acknowledges and responds to the ScheduleOSUpdateScan, ScheduleOSUpdate, OSUpdateStatus and AvailableOSUpdate commands, even when the device is asleep or in PowerNap mode.
Command | Supported operating system | Supervised | Description |
---|---|---|---|
Schedule an update scan | macOS | Yes | Requests that the device perform a background scan for operating system updates. For more information, see Schedule an OS Update Scan on the Apple Developer website. |
List available updates | iOS, iPadOS, macOS, tvOS | Yes (iOS, iPadOS, tvOS); No (macOS) | Queries the device for a list of available operating system updates. In macOS, the command For more information, see List the Available OS Updates on the Apple Developer website. |
Schedule an update | iOS, iPadOS, macOS, tvOS | Yes | Allows the server to schedule an operating system update and set the priority for updates. For more information, see Schedule an OS Update on the Apple Developer website. |
Update status | iOS, iPadOS, macOS, tvOS | Yes | Queries the device for the status of software updates. For more information, see Get the OS Update Status on the Apple Developer website. |
Apple Software Lookup Service
The Apple Software Lookup Service (available at https://gdmf.apple.com/v2/pmv) is the official resource to obtain a list of publicly available updates, upgrades and Rapid Security Responses. It allows an MDM solution to query releases as soon as they are published and calculate applicability for each hardware model in a timely and accurate manner.
The JSON response contains three lists of available software releases:
PublicAssetSets: This list contains the latest releases available to the general public if they try to update or upgrade.
AssetSets: This list is a subset of PublicAssetSets and contains all the releases available for MDM solutions to push to supervised devices.
PublicRapidSecurityResponses: This list contains Rapid Security Response releases currently available for Apple devices.
{
"AssetSets": {
"iOS": [
{
"ProductVersion": "17.5",
"Build": "21F6079",
"PostingDate": "2024-05-13",
"ExpirationDate": "2024-08-15",
"SupportedDevices": ["iPad11,1", "iPad11,2", "iPad11,3", "iPad11,4", "iPad11,6", "iPad11,7", "iPad12,1", "iPad12,2", "iPad13,1", "iPad13,10", "iPad13,11", "iPad13,16", "iPad13,17", "iPad13,18", "iPad13,19", "iPad13,2", "iPad13,4", "iPad13,5", "iPad13,6", "iPad13,7", "iPad13,8", "iPad13,9", "iPad14,1", "iPad14,2", "iPad14,3", "iPad14,4", "iPad14,5", "iPad14,6", "iPad6,11", "iPad6,12", "iPad6,3", "iPad6,4", "iPad6,7", "iPad6,8", "iPad7,1", "iPad7,11", "iPad7,12", "iPad7,2", "iPad7,3", "iPad7,4", "iPad7,5", "iPad7,6", "iPad8,1", "iPad8,10", "iPad8,11", "iPad8,12", "iPad8,2", "iPad8,3", "iPad8,4", "iPad8,5", "iPad8,6", "iPad8,7", "iPad8,8", "iPad8,9", "iPhone10,1", "iPhone10,2", "iPhone10,3", "iPhone10,4", "iPhone10,5", "iPhone10,6", "iPhone11,2", "iPhone11,6", "iPhone11,8", "iPhone12,1", "iPhone12,3", "iPhone12,5", "iPhone12,8", "iPhone13,1", "iPhone13,2", "iPhone13,3", "iPhone13,4", "iPhone14,2", "iPhone14,3", "iPhone14,4", "iPhone14,5", "iPhone14,6", "iPhone14,7", "iPhone14,8", "iPhone15,2", "iPhone15,3"
]
},
Each element in the list contains the ProductVersion number and Build of the operating system, the PostingDate when the release was published, the ExpirationDate, and a list of SupportedDevices for that release. The device list matches the ProductName value from the device, which is returned in a DeviceInformation response, the initial Authenticate request, or in the MachineInfo when the device tries to enrol.
The expiry date, typically set to 180 days after the posting date, defines the date the signing of the update expires. An expired update can’t be installed on devices anymore. When subsequent updates are made available, previous updates might have their expiry dates updated. If an expiry date isn’t provided, the update has yet to expire. An update has expired only when it has an expiry date in the past.
The assets are grouped by operating system platform using the following keys:
iOS (which includes iPadOS, tvOS and watchOS)
macOS
xrOS (which is visionOS)
Use the product version list to determine which versions are greater than the deviceʼs current operating system version and are applicable to a specific device. Provide that list of versions to the MDM administrator as potential operating system update candidates.
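The selection described above, as an added example (not Apple's code and not part of the original page): it reduces an AssetSets list to the update candidates for one device, skipping releases whose signing has expired. The sample response, the function names and the `today` parameter are assumptions made for illustration.

```python
import json
from datetime import date

# Constructed sample shaped like the AssetSets excerpt above; not live service data.
SAMPLE_PMV = json.loads("""
{"AssetSets": {"iOS": [
  {"ProductVersion": "17.3", "PostingDate": "2024-01-22", "ExpirationDate": "2024-04-21",
   "SupportedDevices": ["iPhone15,2", "iPad14,1"]},
  {"ProductVersion": "17.4.1", "PostingDate": "2024-03-21", "ExpirationDate": "2024-06-01",
   "SupportedDevices": ["iPhone15,2"]},
  {"ProductVersion": "17.5", "PostingDate": "2024-05-13", "ExpirationDate": "2024-08-15",
   "SupportedDevices": ["iPhone15,2", "iPad14,1"]},
  {"ProductVersion": "17.5.1", "PostingDate": "2024-05-20",
   "SupportedDevices": ["iPhone15,2"]},
  {"ProductVersion": "17.6", "PostingDate": "2024-07-29", "ExpirationDate": "2024-10-27",
   "SupportedDevices": ["iPad14,1"]}
]}}
""")

def version_key(version):
    """'17.5' -> (17, 5, 0): numeric, zero-padded, so 17.10 > 17.9 and 17.5 == 17.5.0."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_expired(release, today):
    """Expired only when an ExpirationDate is present and lies in the past."""
    exp = release.get("ExpirationDate")
    return bool(exp) and date.fromisoformat(exp) < today

def update_candidates(pmv, platform, product_name, current_version, today):
    """Versions newer than the device's, listing its ProductName, and still signed."""
    current = version_key(current_version)
    found = set()
    for rel in pmv.get("AssetSets", {}).get(platform, []):
        if product_name not in rel.get("SupportedDevices", []):
            continue  # release does not apply to this hardware model
        if is_expired(rel, today):
            continue  # signing has lapsed, so the device cannot install it
        if version_key(rel["ProductVersion"]) > current:
            found.add(rel["ProductVersion"])
    return sorted(found, key=version_key)
```

Evaluating expiry at query time matters because, as noted above, expiry dates of earlier releases can change when later updates are published.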
Software release dates
The table below shows the date of release, the date when the release is visible to the user (a 90-day deferral) and the date when the download is no longer available from Apple.
macOS | iOS, iPadOS, tvOS | Available from Apple | Hidden by MDM until | No longer available as a download from Apple |
---|---|---|---|---|
14.3.1 | 17.3.1 (iOS, iPadOS) | 08/02/2024 | 08/05/2024 | 08/05/2024 |
| | 17.4 (iOS, iPadOS) | 05/03/2024 | 03/06/2024 | 03/06/2024 |
14.4 | 17.4 (tvOS) | 07/03/2024 | 05/06/2024 | 05/06/2024 |
14.5 | 17.5 | 13/05/2024 | 11/08/2024 | 11/08/2024 |
14.6 | 17.6 | 29/07/2024 | 27/10/2024 | 27/10/2024 |
Installing software updates and upgrades
To help ensure that only Apple-signed code is being installed, the Apple software update and upgrade process uses the same hardware-based root of trust used by secure boot. The Apple system software authorisation process ensures that only copies of operating system versions that are actively being signed by Apple can be installed on an iPhone, iPad and on a Mac with the Full Security setting configured as the secure boot policy in Startup Security Utility. This process allows Apple to stop signing older operating system versions with known vulnerabilities and thereby helps prevent downgrade attacks.
Note: All install actions in macOS 12.0.1 or later support the use of the bootstrap token for authentication on Mac computers with Apple silicon.
Update and upgrade install actions include the following:
Action | Minimum supported operating systems | Description |
---|---|---|
InstallASAP | iOS 9, iPadOS 13.1, macOS 10.11, tvOS 12 | In iOS, iPadOS and tvOS, install a previously downloaded software update or upgrade. In macOS, download the software update or upgrade and trigger the restart countdown notification. |
Default | iOS 9, iPadOS 13.1, macOS 10.11, tvOS 12 | Download or install the update or upgrade, depending on the current state. MDM administrators can check the |
InstallForceRestart | macOS 11 | Perform the default action and then force a restart if the update requires it. An upgrade always requires it. Important: |
InstallLater | macOS 10.11 | Download the software update or upgrade and install it at a later time. |
NotifyOnly | macOS 10.11 | Download the software update or upgrade and notify the user. |
DownloadOnly | iOS 9, iPadOS 13.1, macOS 11, tvOS 12 | Download the software update or upgrade without installing it. |
Managing macOS software updates and upgrades
In macOS 11, many changes were introduced to make the update and upgrade process similar to that of iOS and iPadOS. When updates and upgrades occur, the updater makes changes to the operating system even before a restart. This approach significantly reduces Mac downtime during the process. Subsequent versions of macOS added more enhancements. Additional enhancements are listed in the table below.
Minimum operating system version | Enhancement |
---|---|
macOS 12.3 | Administrators can control the scheduling priority for downloading and preparing the requested update. Setting the Upgrades to macOS 13 or later benefit from the following enhancements: |
macOS 13 | The Mac acknowledges and responds to the |
A configuration profile can be installed on Mac computers to enable the following automatic options:
Background check for macOS software updates and upgrades
Download and installation of XProtect and Gatekeeper updates
Download and installation of automatic security updates
Download of macOS software updates and upgrades
Installation of macOS updates and upgrades
Force macOS software updates or upgrades
To force apps to quit for a software update or upgrade, use the InstallForceRestart action. All apps on the Mac quit, even if documents havenʼt been saved. The update or upgrade requires that the Mac either be connected to power or have a minimum battery percentage.