Managed software updates with the settings catalog

You can use the Intune settings catalog to configure managed software updates for iOS/iPadOS and macOS devices. With managed software updates in Intune, you can:

  • Choose an update to install using its OS version or build version.
  • Enforce a deadline for the device to automatically install an update.
  • Specify a URL that users can visit to learn more about updates.

This feature applies to:

  • iOS/iPadOS 17.0 and later
  • macOS 14.0 and later

Apple's declarative device management (DDM) allows you to install a specific update by an enforced deadline. The autonomous nature of DDM provides an improved user experience as the device handles the entire software update lifecycle. It notifies users that an update is available, downloads the update, prepares the device for the installation, and installs the update.

Tip

To learn more about declarative software updates from Apple, go to:

Managed software updates vs software update policies

On Apple devices in Intune, you can create software update policies or managed software update policies. Both policy types can manage the install of software updates on devices. However, there are some differences between the two policy types.

Use the following information to help you decide which policy type to use.

Feature Managed software update policy Software update policy
Configure a specific update to install    
iOS/iPadOS ✔️ ✔️
macOS ✔️
     
Enforces an update deadline    
iOS/iPadOS ✔️
macOS ✔️
     
Enter a help URL    
iOS/iPadOS ✔️
macOS ✔️
     
Auto deploy latest update    
iOS/iPadOS ✔️
macOS ✔️
     
Downgrade versions    
iOS/iPadOS
macOS
     
Intune admin center policy type    
iOS/iPadOS Settings catalog Update policies for iOS/iPadOS
macOS Settings catalog Update policies for macOS
     
Minimum supported version    
iOS/iPadOS 17.0 and later - iOS 10.3 (supervised)
- iPadOS 13.0 (supervised)
macOS 14.0 and later macOS 12.0

Precedence

Managed software updates have precedence over other policies that configure software updates. If you configure managed software updates and also have other software update policies assigned, then it's possible the other update policies have no effect.

iOS/iPadOS precedence order:

  1. Managed software updates (Settings catalog > Declarative Device Management > Software Update)
  2. Update policies (Devices > Update policies for iOS/iPadOS)

macOS precedence order:

  1. Managed software updates (Settings catalog > Declarative Device Management > Software Update)
  2. Update policies (Devices > Update policies for macOS)
  3. Software updates (Settings catalog > System Updates > Software Update)

Configure the managed software updates policy

  1. Sign in to the Intune admin center.

  2. Select Devices > Configuration > Create.

  3. Enter the following properties and select Create:

    • Platform: Select iOS/iPadOS or macOS.
    • Profile: Select Settings catalog.
  4. In the Basics tab, enter the following information, and select Next:

    • Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later.
    • Description: Enter a description for the policy. This setting is optional, but recommended.
  5. In Configuration settings, select Add settings > expand Declarative Device Management > Software Update.

    Configure the following settings:

    • Details URL: Enter a web page URL that has more information on the update. Typically, this URL is a web page hosted by your organization that users can select if they need organization-specific help with the update.

    • Target Build Version: Enter the target build version to update the device to, like 20A242. The build version can include a supplemental version identifier, like 20A242a.

      If the build version you enter isn't consistent with the Target OS Version value you enter, then the Target OS Version value takes precedence.

    • Target Local Date Time: Select the local date time value that specifies when to force the installation of the software update.

      The Target Local Date Time setting schedules the update using the UTC timezone. For example, an admin located in Eastern US configures an update to install at 2PM UTC. Due to time conversion, the deadline for the update is actually for 7PM EST.

      • If the user doesn't trigger the software update before this time, then a one-minute countdown prompt is shown to the user. When the countdown ends, the device force installs the update and forces a restart.

      • If the device is powered off when the deadline is met, then there's a one-hour grace period when the device is powered back on. When the grace period ends, the device force installs the update and forces a restart.

        Important

        If you create a policy using this setting before the January 2024 release, then this setting shows Invalid Date for the value. The updates are still scheduled correctly and use the values you originally configured, even though it shows Invalid Date. To configure a new date and time, you can delete the Invalid Date values, and select a new date and time using the date time picker. Or, you can create a new policy. If you create a new policy, to help avoid future confusion, remove the values in the original policy.

    • Target OS Version: Enter the target OS version to update the device to. This value is the OS version number, like 16.1. You can also include a supplemental version identifier, like 16.1.1.

  6. Select Next.

  7. In the Scope tags tab (optional), assign a tag to filter the profile to specific IT groups. For more information about scope tags, go to Use role-based access control and scope tags for distributed IT.

  8. Select Next.

  9. In the Assignments tab, select the users or groups that will receive your profile. For more information on assigning profiles, go to Assign user and device profiles.

Important

Assignment filters are not supported for DDM-based policies.

  10. Select Next.

  11. In the Review + create tab, review the settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
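Because the deadline forces an install and a restart, it helps to sanity-check the step 5 values before you enter them. The following Python sketch is an added example, not Intune or Microsoft code: the function names, the format patterns (inferred from the examples in step 5), and the https requirement are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Formats inferred from the examples in step 5 (assumptions, not Apple's grammar).
BUILD_RE = re.compile(r"^\d{2}[A-Z]\d{2,4}[a-z]?$")  # 20A242, 20A242a
OS_RE = re.compile(r"^\d+\.\d+(\.\d+)?$")            # 16.1, 16.1.1


def validate_settings(details_url, target_build, target_os, deadline, now):
    """Return a list of problems; an empty list means the values look sane."""
    problems = []
    if target_os and not OS_RE.match(target_os):
        problems.append(f"Target OS Version {target_os!r} is not like 16.1 or 16.1.1")
    if target_build and not BUILD_RE.match(target_build):
        problems.append(f"Target Build Version {target_build!r} is not like 20A242 or 20A242a")
    if details_url:
        url = urlparse(details_url)
        # Requiring https is this example's own hardening choice.
        if url.scheme != "https" or not url.netloc:
            problems.append("Details URL should be an absolute https:// URL")
    if deadline.tzinfo is None:
        problems.append("deadline has no timezone; state it explicitly in UTC")
    elif deadline <= now:
        problems.append("deadline is not in the future")
    return problems


def forced_install_time(deadline, powered_on_at=None):
    """Earliest forced install for one device, following the two cases in step 5."""
    if powered_on_at is not None and powered_on_at > deadline:
        return powered_on_at + timedelta(hours=1)  # grace period after power-on
    return deadline + timedelta(minutes=1)         # countdown prompt, then install


if __name__ == "__main__":
    now = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)       # constructed
    deadline = datetime(2024, 3, 8, 14, 0, tzinfo=timezone.utc)  # constructed
    print(validate_settings("https://help.example.com/update", "20A242a", "16.1.1", deadline, now))
    print(forced_install_time(deadline, deadline + timedelta(hours=5)))
```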

Monitoring managed software updates

Managed software updates use the same reporting as device configuration policies. For more information, go to Monitor device configuration policies.

Important

A policy that reports Success only means that the configuration successfully installed on the device. Monitor the OS version of targeted devices to ensure that they update. After devices have updated to a later OS version than configured in the policy, the policy reports an error because the device sees this as an attempt to downgrade. It's recommended to remove the older OS version policy from devices in this state.
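One way to act on this note is to compare the reported OS version of each targeted device against the policy target instead of relying on the policy status. The following Python sketch is an added example, not Intune or Microsoft code: the record fields (`name`, `os_version`, `policy_status`), the state names, and the sample inventory are constructed for illustration, and it assumes versions are reported as dotted numbers.

```python
from datetime import datetime, timezone


def vtuple(version, width=4):
    """'17.2' -> (17, 2, 0, 0) so that 17.2 and 17.2.0 compare equal."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def classify(devices, target_os, deadline, now):
    """Map each device name to a state derived from its OS version, not policy status."""
    target = vtuple(target_os)
    report = {}
    for device in devices:
        current = vtuple(device["os_version"])
        if current > target:
            # The device treats the policy as a downgrade and reports an error.
            report[device["name"]] = "ahead-remove-old-policy"
        elif current == target:
            report[device["name"]] = "updated"
        elif now > deadline:
            # Still below target after the deadline, for example powered off.
            report[device["name"]] = "overdue"
        else:
            report[device["name"]] = "pending"
    return report


# Constructed records, not a real Intune export.
SAMPLE_INVENTORY = [
    {"name": "ipad-01", "os_version": "17.1", "policy_status": "Success"},
    {"name": "ipad-02", "os_version": "17.2", "policy_status": "Success"},
    {"name": "ipad-03", "os_version": "17.2.1", "policy_status": "Error"},
]

if __name__ == "__main__":
    deadline = datetime(2024, 3, 8, 14, 0, tzinfo=timezone.utc)  # constructed
    now = datetime(2024, 3, 9, 9, 0, tzinfo=timezone.utc)        # constructed
    for name, state in classify(SAMPLE_INVENTORY, "17.2", deadline, now).items():
        print(name, state)
```

In the sample, ipad-01 reports Success but is still below the target, which is the case the policy status alone does not reveal.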

Delay visibility of updates

When you configure managed software updates, you might want to hide updates from users for a specified time period. To hide the updates, use a settings catalog policy that configures an update restriction.

A restriction period gives you time to test an update before it's available to users. After the restriction period ends, users can see the update. If your update policies don't install it first, then users can choose to install the update.

To create a restrictions policy, go to the Settings catalog > Restrictions. Some settings you can use to defer an update include:

  • Enforced Software Update Delay
  • Enforced Software Update Major OS Deferred Install Delay (macOS)
  • Enforced Software Update Minor OS Deferred Install Delay (macOS)
  • Enforced Software Update Non OS Deferred Install Delay (macOS)

Screenshot that shows the settings catalog restrictions policy settings to delay or defer software updates in Microsoft Intune.