Managed software updates with the settings catalog
You can use the Intune settings catalog to configure managed software updates for iOS/iPadOS and macOS devices. With managed software updates in Intune, you can:
- Choose an update to install using its OS version or build version.
- Enforce a deadline for the device to automatically install an update.
- Specify a URL that users can visit to learn more about updates.
This feature applies to:
- iOS/iPadOS 17.0 and later
- macOS 14.0 and later
Apple's declarative device management (DDM) allows you to install a specific update by an enforced deadline. The autonomous nature of DDM provides an improved user experience as the device handles the entire software update lifecycle. It prompts users that an update is available, downloads the update, prepares the device for the installation, and installs the update.
Tip
To learn more about declarative software updates from Apple, go to:
- Apple Platform Deployment (opens Apple's website)
- Apple's session on exploring advances in declarative device management (opens Apple's website)
- The software update configuration in Apple's developer documentation (opens Apple's website)
On Apple devices in Intune, you can create software update policies or managed software update policies. Both policy types can manage the install of software updates on devices. However, there are some differences between the two policy types.
Use the following information to help you decide which policy type to use.
Feature | Managed software update policy | Software update policy |
---|---|---|
Configure a specific update to install | ||
iOS/iPadOS | ✅ | ✅ |
macOS | ✅ | ❌ |
Enforces an update deadline | ||
iOS/iPadOS | ✅ | ❌ |
macOS | ✅ | ❌ |
Enter a help URL | ||
iOS/iPadOS | ✅ | ❌ |
macOS | ✅ | ❌ |
Auto deploy latest update | ||
iOS/iPadOS | ❌ | ✅ |
macOS | ❌ | ✅ |
Downgrade versions | ||
iOS/iPadOS | ❌ | ❌ |
macOS | ❌ | ❌ |
Intune admin center policy type | ||
iOS/iPadOS | Settings catalog | Update policies for iOS/iPadOS |
macOS | Settings catalog | Update policies for macOS |
Minimum supported version | ||
iOS/iPadOS | 17.0 and later | iOS 10.3 (supervised), iPadOS 13.0 (supervised) |
macOS | 14.0 and later | macOS 12.0 |
Managed software updates have precedence over other policies that configure software updates. If you configure managed software updates and also have other software update policies assigned, then it's possible the other update policies have no effect.
iOS/iPadOS precedence order:
1. Managed software updates (Settings catalog > Declarative Device Management > Software Update)
2. Update policies (Devices > Update policies for iOS/iPadOS)
macOS precedence order:
1. Managed software updates (Settings catalog > Declarative Device Management > Software Update)
2. Update policies (Devices > Update policies for macOS)
3. Software updates (Settings catalog > System Updates > Software Update)
Sign in to the Intune admin center.
Select Devices > Manage devices > Configuration > Create.
Enter the following properties and select Create:
- Platform: Select iOS/iPadOS or macOS.
- Profile: Select Settings catalog.
In the Basics tab, enter the following information, and select Next:
- Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later.
- Description: Enter a description for the policy. This setting is optional, but recommended.
In Configuration settings, select Add settings > expand Declarative Device Management > Software Update.
Choose Select all these settings and then close the settings picker.
Configure the settings:
Details URL: Enter a web page URL that has more information on the update. Typically, this URL is a web page hosted by your organization that users can select if they need organization-specific help with the update.
Target Build Version: Enter the target build version to update the device to, like `20A242`. The build version can include a supplemental version identifier, like `20A242a`.
If the build version you enter isn't consistent with the Target OS Version value you enter, then the Target OS Version value takes precedence.
Target Date Time: Select or manually enter the date and the time that specifies when to force the installation of the software update.
Note
In a future release, the UTC text is being removed from the Target Date Time setting in the settings catalog UI.
The Target Date Time setting schedules the update using the local timezone of the device. For example, an admin configures an update to install at 2PM. The policy schedules the update to happen at 2PM in the local timezone of devices that receive the policy.
- If the user doesn't trigger the software update before this time, then a one-minute countdown prompt is shown to the user. When the countdown ends, the device force installs the update and forces a restart.
- If the device is powered off when the deadline is met, when the device powers back on, there's a one hour grace period. When the grace period ends, the device force installs the update and forces a restart.
Important
If you create a policy using this setting before the January 2024 release, then this setting shows Invalid Date for the value. The updates are still scheduled correctly and use the values you originally configured, even though it shows Invalid Date.
To configure a new date and time, you can delete the Invalid Date values, and select a new date and time. Or, you can create a new policy. If you create a new policy, to help avoid future confusion, remove the values in the original policy.
Target OS Version: Select or manually enter the target OS version to update the device to. This value is the OS version number, like `16.1`. You can also include a supplemental version identifier, like `16.1.1`.
Select Next.
In the Scope tags tab (optional), assign a tag to filter the profile to specific IT groups. For more information about scope tags, go to Use role-based access control and scope tags for distributed IT.
Select Next.
In the Assignments tab, select the users or groups that will receive your profile. For more information on assigning profiles, go to Assign user and device profiles.
Important
Assignment filters are not supported for DDM-based policies.
Select Next.
In the Review + create tab, review the settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
Managed software updates use the same reporting as device configuration policies. For more information, go to Monitor device configuration policies.
Important
A policy that reports Success only means that the configuration successfully installed on the device. Monitor the OS version of targeted devices to ensure that they update. After devices have updated to a later OS version than the one configured in the policy, the policy reports an error because the device sees this as an attempt to downgrade. It's recommended to remove the older OS version policy from devices in this state.
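Because a Success status doesn't confirm the OS version, a fleet check like the following can sort targeted devices into follow-up states. This is an added example, not code from Microsoft or Intune: the device records are constructed, the field names (`os_version`, `utc_offset`, `deadline_local`) and state labels are hypothetical, and it assumes OS versions are dotted numeric strings.

```python
from datetime import datetime, timedelta, timezone

# Minimum OS for managed software updates, from the "applies to" list on this page.
MIN_DDM = {"iOS": (17, 0), "macOS": (14, 0)}

def parse_version(text, width=4):
    """'17.4.1' -> (17, 4, 1, 0). Padding makes 17.4 and 17.4.0 compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def classify(device, policy, now_utc):
    """Return the follow-up state for one device targeted by a managed update policy."""
    current = parse_version(device["os_version"])
    target = parse_version(policy["target_os"])
    if current[:2] < MIN_DDM[policy["platform"]]:
        return "unsupported"      # below the minimum version for managed software updates
    if current > target:
        return "beyond_target"    # policy reports an error (seen as a downgrade); remove it
    if current == target:
        return "at_target"
    # The deadline is wall-clock time in the device's own timezone, so convert "now"
    # to device-local time before comparing against the naive deadline value.
    local_now = now_utc.astimezone(timezone(timedelta(hours=device["utc_offset"])))
    if local_now.replace(tzinfo=None) >= policy["deadline_local"]:
        return "past_deadline"    # may be powered off; the grace period starts at power-on
    return "pending"

def fleet_report(devices, policy, now_utc):
    """Map each device name to its state."""
    return {d["name"]: classify(d, policy, now_utc) for d in devices}

# Constructed sample data: names, versions and UTC offsets are illustrative only.
POLICY = {"platform": "iOS", "target_os": "17.4.1",
          "deadline_local": datetime(2024, 4, 10, 14, 0)}
DEVICES = [
    {"name": "ipad-01",   "os_version": "16.7.5", "utc_offset": 0},
    {"name": "iphone-02", "os_version": "17.4.1", "utc_offset": 0},
    {"name": "iphone-03", "os_version": "17.5",   "utc_offset": 0},
    {"name": "iphone-04", "os_version": "17.3",   "utc_offset": 9},
    {"name": "iphone-05", "os_version": "17.3",   "utc_offset": -7},
]
NOW = datetime(2024, 4, 10, 6, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, state in fleet_report(DEVICES, POLICY, NOW).items():
        print(f"{name:10} {state}")
```

The two 17.3 devices land in different states at the same instant because the deadline is evaluated in each device's local time.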
When you configure managed software updates, you might want to manage aspects of the software update process leading up to the enforcement of an update. Using this configuration, you can:
- Require that an admin or standard user can perform updates on the device
- Control how users can manually interact with software update settings like automatic download and install or the behavior of Rapid Security Responses
- Hide updates from users for a specified time period
- Suppress update notifications up to one hour before the enforcement deadline
- Control whether users are allowed to update to the latest major update, latest minor update, or are offered both
Previously in MDM, these settings were spread across multiple payloads such as Restrictions, Managed Settings, and Software Update. As of August 2024, it's recommended to use the DDM-based Software Update Settings configuration to manage updates. To create a Software Update Settings policy, go to the Settings catalog > Declarative Device Management (DDM) > Software Update Settings. More information on these settings is available in the documentation section for the Software Update Settings declarative configuration.
Note
As of August 2024, it's recommended to use the DDM-based Software Update Settings configuration to manage update settings such as deferrals.
When you configure managed software updates, you might want to hide updates from users for a specified time period. To hide the updates, use a settings catalog policy that configures an update restriction.
A restriction period gives you time to test an update before it's available to users. After the restriction period ends, users can see the update. If your update policies don't install it first, then users can choose to install the update.
To create a restrictions policy, go to the Settings catalog > Restrictions. Some settings you can use to defer an update include:
- Enforced Software Update Delay
- Enforced Software Update Major OS Deferred Install Delay (macOS)
- Enforced Software Update Minor OS Deferred Install Delay (macOS)
- Enforced Software Update Non OS Deferred Install Delay (macOS)