With service release 2210, we can now deploy macOS software updates using Intune policies. The macOS devices are enrolled using Automated Device Enrollment (ADE) can be deployed. macOS 12 and later version will benefit with this feature. Critical, Firmware, Configuration file update & all other updates (OS, built-in apps) available and we can control downloads, installation and notifications behavior using this Intune policies. Update deployment schedule can be day & time during which the updates can install and schedule as simple as install update when the device check-in next time.
Devices check- in with Intune every 8 hours. If the update deployed using Intune policy, the device downloads the update and when the device check-in next time, it will install the update within schedule.
Configure the update policy
- Login to Microsoft Endpoint Admin center and select Devices -> Update policies for macOS -> Create profile.
- On the basics page, provide name of the policy and description information and click Next.
- On Update Policy settings page, configure update policy behavior settings and update policy schedule settings
Under Update policy behavior settings, please specify how the update should be downloaded and installed and we can configure the settings for Critical updates, Firmware updates, Configuration file updates and all other updates and each update type has the following options.
Download and install: Download or install the update, depending on the current state.
Download only: Download the software update without installing it.
Install immediately: Download the software update and trigger the restart countdown notification.
Notify only: Download the software update and notify the user through the App Store.
Install later: Download the software update and install it later.
Not configured: No action taken on the software update.
Under Update policy schedule settings, specify the schedule type. Update at next check-in: The update installs on the device the next time it checks in with Intune. This option is the simplest and has no extra configurations.
Update during scheduled time: You configure one or more windows of time during which the update will install upon check-in.
Update outside of scheduled time: You configure one or more windows of time during which the updates won’t install upon check-in.
If you choose Update during scheduled time & Update outside of scheduled time, you would need to specify Time zone, Time windows. Provide the start day & time, end Day & end time. When you choose update during scheduled time, the updates will begin to install with start time & end time and when you choose to update outside scheduled time, the updates will not install within start time & end time and if we don’t configure the options, updates can be installed at any time and Click Next.
On Scope tag page, select scope tags you want to apply and click next to continue with Assignment page.
On Assignment page, select groups to include & exclude and assign the policy to groups and click Next.
On Review + Create page, please review the configured settings and click Create to complete the configuration. The policy will be displayed in the update policies for macOS.
Delay visibility of updates
You can hide the visibility of updates for specific period of time for update policies for macOS and this can be achieved using restriction periods option in settings catalog. During restriction periods, the users will be able to see the updates and you can use to test the update and after restriction period end, it will be visible for users to install. Please make sure you specify the schedule install time after restriction period, or else the update will install as per schedule regardless of hidden of visible to the users. The below are the settings you can use to defer the update.
- Enforced Software Update Delay
- Enforced Software Update Major OS Deferred Install Delay
- Enforced Software Update Non-OS Deferred Install Delay
Additional macOS software update settings using the Settings Catalog
Restrictions: You can configure restriction to delay the visibility of update to users -> Devices > macOS > Device configuration > Settings catalog > Restrictions.
- Enforced Software Update Delay: Specify how many days to delay the update on the device and the user will not see the update on those days. It will be used for Force Delayed App Software Updates and Force Delayed Software Updates.
- Force Delayed App Software Updates: It delays the visibility of non-OS software updates, and the delay is 30 days unless you set another value.
- Enforced Software Update Non-OS Deferred Install Delay: It delays the visibility of app software update on the device.
- Force Delayed Major Software Updates: It delays the visibility of major upgrades to OS Software.
- Enforced Software Update Major OS Deferred Install Delay: It delays the major software upgrade on the device and during the restriction period, the user cannot see the major OS upgrade.
- Force Delayed Software Updates: Delay the user visibility of software updates. In macOS, seed build updates are allowed, without delay. The delay is 30 days unless Enforced Software Update Delay is set to another value.
- Enforced Software Update Minor OS Deferred Install Delay: This restriction to delay a minor OS software update on the device.
User experience for macOS software update options: The below settings can be configured under Devices > macOS > Device configuration > Settings catalog > System Updates > Software Update.
- Allow Pre-Release Installation: Pre-release software can be installed on this computer.
- Automatic Check Enabled: If false, deselects the “Check for updates” option and prevents the user from changing the option.
- Automatic Download: If false, deselects the “Download new updates when available from the App Store” option and prevents the user from changing the option.
- Automatically Install App Updates: If false, deselects the “Install app updates from the App Store” option and prevents the user from changing the option.
- Automatically Install macOS Updates: If false, restricts the “Install macOS Updates” option and prevents the user from changing the option.
- Config Data Install: If false, restricts the automatic installation of configuration data.
- Critical Update Install: If false, disables the automatic installation of critical updates and prevents the user from changing the “Install system data files and security updates” option.
- Restrict Software Update Require Admin to Install: If true, restrict app installations to admin users. This key has the same function as the Restrict Store Require Admin to Install setting in the App Store category.
Monitor for update installation
To monitor the installation on the macOS device, go to Devices > Monitor > Installation status for macOS devices and it shows the devices with update policy applied. macOS devices will return only installation failures and does not show the devices with up to date or healthy.
To learn more about Microsoft Intune 2210 October Update, please click here
To learn more about Managing macOS Devices in Microsoft Intune please click here