Use MDM to deploy software updates to Apple devices
Managing software updates and upgrades involves testing pre-release updates and upgrades, deploying them to a user’s devices, and enforcing policies that mandate users keep their devices up to date. For more information, see the WWDC21 video Manage software updates in your organisation and the WWDC23 video Explore advances in declarative device management.
MDM software update and upgrade commands
The MDM software update and upgrade commands are listed here. These commands don’t allow for customised user-facing notifications.
Note: In macOS 13 or later, the Mac acknowledges and responds to the ScheduleOSUpdateScan, ScheduleOSUpdate, OSUpdateStatus and AvailableOSUpdate commands, even when the device is asleep or in PowerNap mode.
Command | Supported operating system | Supervised | Description |
---|---|---|---|
Schedule an update scan | macOS | Yes | Requests that the device perform a background scan for operating system updates. For more information, see Schedule an OS Update Scan on the Apple Developer website. |
List available updates | iOS, iPadOS, macOS, tvOS | Yes (iOS, iPadOS, tvOS); No (macOS) | Queries the device for a list of available operating system updates. In macOS, the command For more information, see List the Available OS Updates on the Apple Developer website. |
Schedule an update | iOS, iPadOS, macOS, tvOS | Yes | Allows the server to schedule an operating system update and set the priority for updates. For more information, see Schedule an OS Update on the Apple Developer website. |
Update status | iOS, iPadOS, macOS, tvOS | Yes | Queries the device for the status of software updates. For more information, see Get the OS Update Status on the Apple Developer website. |
Apple Software Lookup Service
You can use the Apple Software Lookup Service to obtain a list of available updates.
iOS 15, iPadOS 15 and macOS 12.0.1, or later, allow an MDM solution to calculate update applicability in a timely and accurate manner as soon as an update is published. The MDM solution queries the service for an accurate list of available updates and then specifies a particular version when sending a ScheduleOSUpdate command. Devices don’t need to run the AvailableOSUpdate command to query for available updates before an update can be scheduled.
The JSON response contains three lists of available software releases:
PublicAssetSets: This list contains the latest releases available to the general public (non-supervised devices) if they try to update or upgrade.
AssetSets: This list (a subset of PublicAssetSets) contains all the releases available for MDM solutions to push to supervised devices.
PublicRapidSecurityResponses: This list contains Rapid Security Response releases currently available for Apple devices. For more information on Rapid Security Response releases, see Rapid Security Responses.
Each element in the list contains the product version number of the operating system, the posting date, the expiry date and a list of supported devices for that release. The device list matches the ProductName values from the device, which are returned in the initial Authenticate request or the DeviceInformation response.
The expiry date is typically set to 180 days after the posting date. When subsequent releases are made, previous releases might have their expiry dates updated. If an expiry date isn’t provided, the release has yet to expire. A release has expired only when it has an expiry date in the past.
The assets are grouped by operating system platform. Currently, all the assets are under iOS, including tvOS and watchOS. Use the product version list to determine which versions are greater than the deviceʼs current operating system version. Provide that list of versions to the administrator as potential operating system update candidates.
These are sample responses:
{
  "PublicAssetSets": {
    "iOS": [
      {
        "ProductVersion": "16.4.1",
        "PostingDate": "2023-04-17",
        "ExpirationDate": "2023-07-31",
        "SupportedDevices": ["iPad11,1", "iPad11,2", "iPad11,3", "iPad11,4", "iPad11,6", "iPad11,7", "iPad12,1", "iPad12,2", "iPad13,1", "iPad13,10", "iPad13,11", "iPad13,16", "iPad13,17", "iPad13,18", "iPad13,19", "iPad13,2", "iPad13,4", "iPad13,5", "iPad13,6", "iPad13,7", "iPad13,8", "iPad13,9", "iPad14,1", "iPad14,2", "iPad14,3", "iPad14,4", "iPad14,5", "iPad14,6", "iPad6,11", "iPad6,12", "iPad6,3", "iPad6,4", "iPad6,7", "iPad6,8", "iPad7,1", "iPad7,11", "iPad7,12", "iPad7,2", "iPad7,3", "iPad7,4", "iPad7,5", "iPad7,6", "iPad8,1", "iPad8,10", "iPad8,11", "iPad8,12", "iPad8,2", "iPad8,3", "iPad8,4", "iPad8,5", "iPad8,6", "iPad8,7", "iPad8,8", "iPad8,9", "iPhone10,1", "iPhone10,2", "iPhone10,3", "iPhone10,4", "iPhone10,5", "iPhone10,6", "iPhone11,2", "iPhone11,6", "iPhone11,8", "iPhone12,1", "iPhone12,3", "iPhone12,5", "iPhone12,8", "iPhone13,1", "iPhone13,2", "iPhone13,3", "iPhone13,4", "iPhone14,2", "iPhone14,3", "iPhone14,4", "iPhone14,5", "iPhone14,6", "iPhone14,7", "iPhone14,8", "iPhone15,2", "iPhone15,3"]
      }
    ]
  },
  "AssetSets": {
    "iOS": [
      {
        "ProductVersion": "16.4.1",
        "PostingDate": "2023-04-07",
        "ExpirationDate": "2023-07-31",
        "SupportedDevices": ["iPad11,1", "iPad11,2", "iPad11,3", "iPad11,4", "iPad11,6", "iPad11,7", "iPad12,1", "iPad12,2", "iPad13,1", "iPad13,10", "iPad13,11", "iPad13,16", "iPad13,17", "iPad13,18", "iPad13,19", "iPad13,2", "iPad13,4", "iPad13,5", "iPad13,6", "iPad13,7", "iPad13,8", "iPad13,9", "iPad14,1", "iPad14,2", "iPad14,3", "iPad14,4", "iPad14,5", "iPad14,6", "iPad6,11", "iPad6,12", "iPad6,3", "iPad6,4", "iPad6,7", "iPad6,8", "iPad7,1", "iPad7,11", "iPad7,12", "iPad7,2", "iPad7,3", "iPad7,4", "iPad7,5", "iPad7,6", "iPad8,1", "iPad8,10", "iPad8,11", "iPad8,12", "iPad8,2", "iPad8,3", "iPad8,4", "iPad8,5", "iPad8,6", "iPad8,7", "iPad8,8", "iPad8,9", "iPhone10,1", "iPhone10,2", "iPhone10,3", "iPhone10,4", "iPhone10,5", "iPhone10,6", "iPhone11,2", "iPhone11,6", "iPhone11,8", "iPhone12,1", "iPhone12,3", "iPhone12,5", "iPhone12,8", "iPhone13,1", "iPhone13,2", "iPhone13,3", "iPhone13,4", "iPhone14,2", "iPhone14,3", "iPhone14,4", "iPhone14,5", "iPhone14,6", "iPhone14,7", "iPhone14,8", "iPhone15,2", "iPhone15,3"]
      }
    ]
  }
}
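The applicability rules described above (match the device's ProductName, skip releases whose expiry date is in the past, keep only versions greater than the current one) can be applied on the MDM server as follows. This is an added example, not Apple's code: the function names and the shortened sample response are constructed here, and the 16.3.1 and 16.4 entries are illustrative data.

```python
import json
from datetime import date

# Constructed sample in the shape of the lookup-service response described above
# (device lists shortened; the 16.3.1 and 16.4 entries are illustrative, not live data).
SAMPLE_RESPONSE = json.loads("""
{
  "PublicAssetSets": {"iOS": [
    {"ProductVersion": "16.4.1", "PostingDate": "2023-04-17",
     "ExpirationDate": "2023-07-31", "SupportedDevices": ["iPad11,1", "iPhone14,2"]}
  ]},
  "AssetSets": {"iOS": [
    {"ProductVersion": "16.3.1", "PostingDate": "2023-02-13",
     "ExpirationDate": "2023-05-01", "SupportedDevices": ["iPad11,1", "iPhone14,2"]},
    {"ProductVersion": "16.4", "PostingDate": "2023-03-27",
     "SupportedDevices": ["iPhone14,2"]},
    {"ProductVersion": "16.4.1", "PostingDate": "2023-04-07",
     "ExpirationDate": "2023-07-31", "SupportedDevices": ["iPad11,1", "iPhone14,2"]}
  ]}
}
""")


def version_key(version):
    """Turn '16.4.1' into (16, 4, 1, 0) so versions compare numerically, not as text."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_expired(release, today):
    """A release is expired only if it has an expiry date and that date is in the past."""
    expiry = release.get("ExpirationDate")
    return expiry is not None and date.fromisoformat(expiry) < today


def update_candidates(response, product_name, current_version, today, platform="iOS"):
    """Versions an MDM server could name in ScheduleOSUpdate for one supervised device."""
    day = date.fromisoformat(today)  # 'today' is an ISO date string, e.g. '2023-06-01'
    found = set()
    for release in response.get("AssetSets", {}).get(platform, []):
        if product_name not in release.get("SupportedDevices", []):
            continue  # release does not apply to this hardware model
        if is_expired(release, day):
            continue  # expiry date is in the past, so this release is no longer offered
        if version_key(release["ProductVersion"]) > version_key(current_version):
            found.add(release["ProductVersion"])
    return sorted(found, key=version_key)
```

Comparing versions as integer tuples matters because a plain string comparison would rank 16.10 below 16.9 and hide a newer release from the candidate list.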
Software release dates
The table below shows the date of release, the date when the release is visible to the user (a 90-day deferral) and the date when the download is no longer available from Apple.
| macOS | iOS, iPadOS, tvOS | Available from Apple | Hidden by MDM until | No longer available as a download from Apple |
|---|---|---|---|---|
|  | 17 | 18/09/2023 | 17/12/2023 | 17/12/2023 |
| 13.6 | 17.0.1 (iOS, iPadOS) | 21/09/2023 | 20/12/2023 | 20/12/2023 |
|  | 17.0.2 iPhone 15 (all models) | 21/09/2023 | 20/12/2023 | 20/12/2023 |
| 14 | 17.0.2 (iOS, iPadOS) | 26/09/2023 | 25/12/2023 | 25/12/2023 |
|  | 17.0.2 (iOS, iPadOS) | 04/10/2023 | 02/01/2024 | 02/01/2024 |
| 14.1 | 17.1 | 25/10/2023 | 23/01/2024 | 23/01/2024 |
| 14.1.1 | 17.1.1 | 07/11/2023 | 11/02/2024 | 11/02/2024 |
| 14.1.2 | 17.1.2 (iOS, iPadOS) | 30/11/2023 | 28/02/2024 | 28/02/2024 |
| 14.2 | 17.2 | 11/12/2023 | 10/03/2024 | 10/03/2024 |
| 14.2.1 | 17.2.1 (iOS, iPadOS) | 19/12/2023 | 18/03/2024 | 18/03/2024 |
| 14.3 | 17.3 | 22/01/2024 | 21/04/2024 | 21/04/2024 |
| 14.3.1 | 17.3.1 (iOS, iPadOS) | 08/02/2024 | 08/05/2024 | 08/05/2024 |
|  | 17.4 (iOS, iPadOS) | 05/03/2024 | 03/06/2024 | 03/06/2024 |
| 14.4 | 17.4 (tvOS) | 07/03/2024 | 05/06/2024 | 05/06/2024 |
| 14.5 | 17.5 | 13/05/2024 | 11/08/2024 | 11/08/2024 |
Installing software updates and upgrades
To help ensure that only Apple-signed code is being installed, the Apple software update and upgrade process uses the same hardware-based root of trust used by secure boot. The Apple system software authorisation process ensures that only copies of operating system versions that are actively being signed by Apple can be installed on an iPhone, iPad, and on a Mac with the Full Security setting configured as the secure boot policy in Startup Security Utility. This process allows Apple to stop signing older operating system versions with known vulnerabilities and thereby helps prevent downgrade attacks.
Note: All install actions in macOS 12.0.1 or later support the use of the bootstrap token for authentication on Mac computers with Apple silicon.
Update and upgrade install actions include the following:
Action | Minimum supported operating systems | Description |
---|---|---|
InstallASAP | iOS 9, iPadOS 13.1, macOS 10.11, tvOS 12 | In iOS, iPadOS and tvOS, install a previously downloaded software update or upgrade. In macOS, download the software update or upgrade and trigger the restart countdown notification. |
Default | iOS 9, iPadOS 13.1, macOS 10.11, tvOS 12 | Download or install the update or upgrade, depending on the current state. MDM administrators can check the |
InstallForceRestart | macOS 11 | Perform the default action, and then force a restart if the update requires it. An upgrade always requires it. Important: |
InstallLater | macOS 10.11 | Download the software update or upgrade and install it at a later time. |
NotifyOnly | macOS 10.11 | Download the software update or upgrade and notify the user. |
DownloadOnly | iOS 9, iPadOS 13.1, macOS 11, tvOS 12 | Download the software update or upgrade without installing it. |
Managing iOS and iPadOS software updates and upgrades
In iOS and iPadOS, updates and upgrades are offered to users as part of the standard notification process and in the Settings app. To initiate the update or upgrade, users may need to agree to updated terms and conditions. If there is no passcode on the device, you can complete the installation remotely using your MDM solution.
If the device has a passcode, after MDM sends the update or upgrade to the device, the device queues the update or upgrade and the user is prompted to enter their passcode in order to start the installation immediately or defer for an overnight installation.
When you send an install software update command, the device prompts the user with the update or upgrade and describes it as required by your organisation. All updates or upgrades sent by MDM are treated as required, and the user can delay them only up to three times. After the third time the user delays, the device requires the user to schedule the update or upgrade for that evening in order to continue to use the device (with the exception of emergency calling).
Recommended cadence
You can either upgrade to iOS 17 or iPadOS 17 (the new major operating system) or continue to update to newer, minor versions of iOS 16 and iPadOS 16.1, even though iOS 16 and iPadOS 16.1 are released.
For example, on an iPhone using iOS 16.6.1, you can choose one of two options:
Continue to allow users to stay on iOS 16.6.1 (the previous major operating system) and still get updates (for example, iOS 16.7).
Allow users to upgrade to iOS 17 (the new major operating system).
This allows users to still benefit from important security updates while you work to approve the latest major release for production in your environment.
MDM vendors can manage this feature for devices enrolled in MDM. A new Settings command with a SoftwareUpdateSettings dictionary contains a key (RecommendationCadence) with three values:
0: Shows both options (the default).
1: Shows the software update with the lower version number, if available.
2: Shows the update path for the operating system upgrade that has a later major version number.
This choice can be enforced using MDM, allowing you to stay on the previous update (for example, iOS 16.7). This is offered for a period of time after an upgrade.
Update and upgrade Shared iPad
Updates and upgrades to iPadOS and apps should occur during off hours to minimise downtime and the impact on your users and the network. For more information, see Updates and upgrades to iPadOS for Shared iPad.
Updates and upgrades using mobile data
MDM can install updates and upgrades using a mobile data connection after the software update is automatically displayed in Settings.
Managing macOS software updates and upgrades
In macOS 11, many changes were introduced to make the update and upgrade process similar to that of iOS and iPadOS. When updates and upgrades occur, the updater makes changes to the operating system even before a restart. This approach significantly reduces Mac downtime during the process. Subsequent versions of macOS added more enhancements. Additional enhancements are listed in the table below.
Note: On Apple silicon, users must be a volume owner to perform software upgrades.
Minimum operating system version | Enhancement |
---|---|
macOS 12.3 | Administrators can control the scheduling priority for downloading and preparing the requested update. Setting the Upgrades to macOS 13 or later benefit from the following enhancements: |
macOS 13 | The Mac acknowledges and responds to the |
A configuration profile can be installed on Mac computers to enable the following automatic options:
Background check for macOS software updates and upgrades
Download and installation of XProtect and Gatekeeper updates
Download and installation of automatic security updates
Download of macOS software updates and upgrades
Installation of macOS updates and upgrades
The Mac checks for updates and upgrades about every 6 hours, and the update or upgrade is scheduled for an automatic installation if the Mac meets the criteria — for example, if it has only a limited number of processes running and is either connected to power or has a minimum battery percentage (listed below), even if the Mac laptop’s lid is closed. Only after the update or upgrade has been downloaded and prepared does a notification prompt the user for installation.
Enforce software updates or upgrades
To provide your organisation's administrators more control over the update process, use declarative device management. This process gives users a more informative experience and also ensures that updates happen in a timely fashion for iOS, iPadOS and macOS. The enforced operating system version is visible in the TargetOSVersion key. The optional TargetBuildVersion key targets specific seed builds or Rapid Security Responses.
When you declare a software update, your users are informed about its deadline in a notification. They’re also informed in Settings (iOS and iPadOS) and in System Settings (macOS). You can provide more information about the update in the “More information” link.
The notification provides the option to install at that time or to install later that night. If the user doesn’t immediately trigger the update, then the operating system posts an “Updates Available” notification every day until the deadline; 24 hours before the deadline, this notification appears hourly and ignores Do Not Disturb. One hour before the deadline, the notification appears every 30 minutes, then every 10 minutes. This allows users to select the most appropriate time to perform the update.
In case the user hasn’t installed the update before the local enforcement date:
iOS and iPadOS force the user to enter their passcode if one is set (unless it was provided earlier).
macOS force quits open apps and performs a restart if necessary.
If the deadline was missed because the device was off or offline, when the device is back online, the operating system posts another notification telling the user that an update is past due and that the update will be tried within the next hour.
Using declarative status reports, MDM solutions can also get increased transparency about the status of the update — for example, waiting for, downloading and preparing or installing the update. Meaningful error codes have been added in case an update couldn’t be performed or was unable to be completed. Some examples are if the device was offline, if the battery charge was too low or if not enough free space was available.
Note: Software update declarations and MDM commands and profiles can coexist; however, software updates enforced by declarations will always take precedence over MDM commands and profiles.
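A server-side sketch of building the software update enforcement declaration described in this section, as an added example that is not Apple's code. TargetOSVersion and TargetBuildVersion are the keys named above; the declaration type string and the TargetLocalDateTime and DetailsURL keys come from Apple's declarative device management schema rather than this page, and the function name, identifier and hash-derived ServerToken scheme are assumptions of this example.

```python
import hashlib
import json
import re
from datetime import datetime

# Declaration type from Apple's declarative device management schema (not named on this page).
DECLARATION_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"
LOCAL_FORMAT = "%Y-%m-%dT%H:%M:%S"  # device-local deadline, no UTC offset


def build_enforcement_declaration(identifier, target_os_version, deadline_local,
                                  target_build_version=None, details_url=None):
    """Return the declaration as a dict ready to be JSON-encoded for the device."""
    if not re.fullmatch(r"\d+(\.\d+){0,3}", target_os_version):
        raise ValueError("TargetOSVersion must be dotted numbers, e.g. 17.1")
    # strptime raises ValueError on a malformed deadline, so a bad value never ships.
    deadline = datetime.strptime(deadline_local, LOCAL_FORMAT)
    payload = {
        "TargetOSVersion": target_os_version,
        "TargetLocalDateTime": deadline.strftime(LOCAL_FORMAT),
    }
    if target_build_version:
        # Optional: pins a specific seed build or Rapid Security Response.
        payload["TargetBuildVersion"] = target_build_version
    if details_url:
        # Shown to the user behind the "More information" link.
        payload["DetailsURL"] = details_url
    # Assumption of this example: derive ServerToken from the payload so that any
    # change to version or deadline yields a new token and devices re-apply it.
    canonical = json.dumps(payload, sort_keys=True).encode()
    return {
        "Type": DECLARATION_TYPE,
        "Identifier": identifier,
        "ServerToken": hashlib.sha256(canonical).hexdigest()[:16],
        "Payload": payload,
    }
```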
Force macOS software updates or upgrades
To force apps to quit for a software update or upgrade, use the InstallForceRestart action. All apps on the Mac quit, even if documents havenʼt been saved. The update or upgrade requires that the Mac either be connected to power or have a minimum battery percentage.