Managing OS Updates

Overview

Mosyle encourages administrators to update devices to the latest OS version available when possible. Both major and minor, or incremental, updates can be managed, downloaded, installed, and/or deferred using Mosyle. The OS update process is a two-step process:

The OS update is first downloaded on the device
The OS update is then installed on the device

Devices must be online, supervised, charged, meet the minimum OS requirement, have sufficient storage available, and a battery percentage of at least 50 percent when receiving the OS update command.

Devices cannot downgrade to an older version than their existing version and must be compatible with the version selected. If incompatible, the command will not be sent. Only copies of operating system versions that are actively being signed by Apple can be installed on devices.

Software Delay

The MDM is unable to block or prevent OS updates, however the Software Delay profile allows Administrators to defer OS updates and upgrades. Using the Software Delay profile, Administrators can configure devices so that OS updates are not visible to end users up to 90 days from the release date. Delaying software updates provides time to test the latest release and ensure all apps and systems work as expected before updating the fleet.

The Software Delay settings will not prevent the MDM from pushing OS updates to devices or querying available OS updates.

To create a Software Delay profile, go to Management > Click the Software Delay profile. Choose from the options available.

Delaying iOS/iPadOS Updates

On iOS/iPadOS devices, you can delay the software updates from being visible to end users for up to 90 days.

Delaying macOS Updates

On macOS devices, you can delay major or minor software updates, and/or App updates, from being visible to end users for up to 90 days.

The options available when delaying macOS software updates include:

Delay Updates for both the Operating System and Apps (macOS 11+): This will delay visibility for any and all OS updates and non-OS updates for end users.
Delay Updates for Apps (macOS 11+): This will delay visibility for any and all non-OS updates, such as Safari updates, for end users.
Delay Updates for the Operating System (macOS 10.13.4+): This will delay visibility for any and all OS updates, including both major and minor updates.
Only delay incremental updates for the Operating System (macOS 11.3+): This will delay visibility for only minor OS updates, for example, an update from macOS 12.0.1 to macOS 12.1.
Only delay major updates for the Operating System (macOS 11.3+): This will delay visibility for only major OS updates, for example, an update from macOS 11.6.2 to macOS 12.

Software Update Settings

Software Update settings include which OS will show available to end users on iOS and iPadOS devices when more than one is available, automatic security updates (iOS/iPadOS 16+), and background OS update behavior on Mac computers.

To create a Software Update profile, go to Management > Click the Software Update profile. Choose from the options available.

The Software Update profile does not push OS updates. To send commands to update the OS on devices, use Devices Overview or Single Shot.

iOS/iPadOS Software Update Settings

Recommendation Cadence (iOS/iPadOS 14.5+ and tvOS 15+): The software updates that will be visible when more than one is available.

Automatic Security Updates (iOS/iPadOS 16+): Configure the automatic security update settings on the device.

macOS Software Update Settings

The Software Update profile configures the advanced options on macOS devices in System Settings > General > Software Update > . If the profile is installed, the options will be grayed out for users.

Once configured, native OS protocols will control when the macOS device is updated. This is similar to configuring these settings natively on the device but without allowing the end-user to change it afterwards.

Available options for macOS devices:

Specify the software update server (macOS 10.15 or earlier)
Allow installations of beta or pre-released macOS releases
Automatically install app updates from the App Store (macOS 10.15+)
Automatically install macOS updates (macOS 10.15+)
Automatically check for updates (macOS 10.15+)
Download newly available updates in the background (macOS 10.15+)
Install system data files (macOS 10.15+)
Install security updates (macOS 10.15+)
Restrict app installations to admin users only (macOS 10.15+): This option will prompt Admin credentials in order to install OS updates, including when the OS update is pushed from the MDM.

More information about each of the options above can be found in Apple's Change Software Update preferences on Mac documentation.

Deploying iOS & iPadOS Updates

Devices will report the latest available OS updates to the MDM via the AvailableOSUpdate query. Any additional OS updates available are identified using Apple Software Update Servers and the software update ID for the device. Updates that have expired, or are no longer signed by Apple, cannot be pushed from the MDM.

Devices running iOS 10.2 or earlier, must be supervised and enrolled through Automated Device Enrollment in order for the MDM to push OS updates to the device. Devices running iOS 10.3 or later just need to be supervised.

If an iOS/iPadOS device has a passcode, the user will need to authorize the update by entering their passcode, allowing them to defer the update a limited number of times. After the user reaches the limit, the system will prompt to update every time the device returns to the home screen.

Update through Devices Overview

Update the operating system (OS) on iOS, iPadOS and tvOS devices in Management > Devices Overview. The toolbar shows the command based on the platform selected, such as Update iOS or Update tvOS, and offers multiple options for updates:

Download or install the software update, depending on the current device state (Default behavior): This will either download the software update if it hasn't already been downloaded, or install the software update if one has been downloaded.
Download the software update without installing it
Install an already downloaded software update

After selecting the command, select the OS version to install. Check the status of the update in Management > Devices Overview > Click on the device's name to bring up Device Info > Operating System Version.

Update through Single Shot Profile

Update the operating system (OS) on iOS, iPadOS and tvOS devices in Management > Management Profiles > + Activate New Profile > Single Shot. The Single Shot profile provides the ability to send the commands to update the OS at a time that is convenient for users, such as outside of school hours. Since the OS update is performed in two steps, it's recommended to configure two Single Shot profiles:

The first to download the OS update: Choose the action 'Update iOS' and the option 'Download the software update without installing'. Choose the OS version to download.
The second to install the OS update: Choose the action 'Update iOS' and the option 'Install an already downloaded software update'. Choose the OS version to install.

Choose when the commands will be sent - when saving the profile and based on a schedule, only when saving the profile, or based on schedule only. The option “when saving the profile” includes when the profile is saved and when the device is enrolled or assigned to the profile. When scheduling the commands, it\’s recommended to schedule at a time that will not impact device use.

Deploying macOS Updates

Devices will report the latest available OS updates to the MDM via the AvailableOSUpdate query. Updates that have expired, or are no longer signed by Apple, cannot be pushed from the MDM.

Devices running earlier versions than macOS 11 must be supervised and enrolled through Automated Device Enrollment. Devices running macOS 11 or later, only supervision is required. Mac computers with Apple silicon must have a bootstrap token to allow the MDM to push and install software updates.

Update through Devices Overview

Update macOS on devices in Management > Devices Overview > More dropdown menu > Update macOS. The command downloads and/or installs the version available to devices.

The list of available macOS versions across the fleet will be displayed in the pop-up window, where administrators select the version to update the devices. If the device is not compatible with the version selected, or the version selected is lower than the macOS version running on the Mac, the command is not generated. Administrators can send or schedule the command. If scheduled, the command will be available for users to run from the Self-Service application after the days-long delay expires.

Available Commands

Download and/or install the software update, depending on the current device state
Download the software update without installing (macOS 11 or later)
Download the software update and trigger restart countdown: This option is available to install the OS update immediately (InstallASAP). The command will immediately trigger the installation of an already downloaded software update, however if a software update is not already downloaded, the macOS will download the OS update and then immediately install after showing the restart countdown notification to the end user.
Download the software update and notify the user via the App Store
Download the software update and install it at a later time
Download and/or install the software update, but will force a restart (with potential data loss; macOS 11 or later)

The Priority dictates the priority of the OS update. If set as “Low” the standard behavior will occur. If set as “High”, the macOS will interpret the command as if the user requested it manually on the Mac.

Update through Single Shot Profile

Update macOS on devices in Management > Single Shot. The Single Shot profile provides the ability to send the commands to update the OS at a time that is convenient for users, such as outside of school hours. Since the OS update is performed in two steps, it's recommended to configure two Single Shot profiles similar to the iOS/iPadOS updates.

Choose when the commands will be sent - when saving the profile and based on a schedule, only when saving the profile, or based on schedule only.

Automating OS Updates

Automate OS updates for devices in your school or district using a combination of Device Groups and two Single Shot profiles. Doing this will ensure the devices download and install any updates as soon as they are available. To do this, follow the steps below.

Create a Dynamic Device Group to identify devices that have available updates using the criteria: "OS Update" is "Available".

The Device Group will update daily and automatically add any devices that are reporting a software update is available. As soon as the devices are updated, they will no longer meet the criteria for the Device Group and will be removed from the group and no longer receive the commands to download/install software updates until a new software update is available.
Create a Single Shot profile to Download the OS Update on devices that are identified as having a software update available. Using the dropdown menu for Action choose "Update iOS/ tvOS/macOS" and select the option "Download the software update without installing" along with the "Latest version available".

Execute the command based on the schedule only and choose a day/time outside of school hours to avoid any interruption in use. You can schedule to run as often as you'd like or as needed. Assign the Single Shot profile to the Dynamic Device Group created earlier. As devices are added to the Device Group, the command to download the OS update will be sent based on the defined schedule.
Create a Single Shot profile to Install the OS Update on devices that have been identified as having a software update available and received the command to download the OS update. Using the dropdown menu for Action choose "Update iOS/tvOS/macOS" and select the option "Install an already downloaded software update" and the "Latest version available".

Execute the command based on the schedule only and choose a day/time outside of school hours to avoid any interruption in use. Be sure to schedule for days/times after the command to download the OS update was sent. You can schedule to run as often as you'd like or as needed. Assign the profile to the Dynamic Device Group created earlier. As devices are added to the Device Group, the command to install the OS update will be sent based on the defined schedule.

Additional Options

Considering OS updates can take some time, additional notifications and configurations can be used to alert users that the OS update is required. Some examples are included below:

Wallpaper profile: Create a Wallpaper profile under the Management tab and assign it to the Dynamic Device Group with an OS update available. The wallpaper can be an image indicating the user has an OS update available and needs to update the device as soon as possible.
Single Shot profile with Custom Pop-Up message (macOS): Create a Single Shot profile under the Management tab with the Action "Custom Pop-Up Message". Choose to “Send a new Custom Pop-Up Message”, enter a title for the pop-up notification, and choose to show a custom message. Enter the message the end-users will see in the pop-up notification that will be displayed on their Mac. Execute the command based on what will work best in your school or district and how frequently you want the users to be prompted about the available OS update. Assign to the Device Group with an OS update available.

A combination of these additional options along with the Single Shot profile to enforce the OS update has proven successful to keep devices up to date.

What's needed before you get started

Network Requirements

Hardware and Software Requirements

Navigating the Interface

Account organization and profile assignments

Supported features and Apple integrations

Mosyle Manager app & Self-Service

Configuring Account Preferences

Subscription Models

Introduction

Enrollment Methods

Authentication & Assignment Options

Integrations

Management Profiles and Configurations

Apple Integrations

Other Integrations

What is MDM enrollment

Mosyle MDM Enrollment options

Automated Device Enrollment

Device Enrollment

User Enrollment

Users & Hierarchy

Device Assignment & User Authentication

Devices Overview

Shared Device Groups

Dynamic Device Groups

Basic Inventory Reports

Alerts

App Installation w/ Apple Apps and Books

Enterprise App Installation

Mosyle Catalog App Installation

Install PKG

App Center

Management profiles

Commands Activity Log

Managing OS Updates

Device Restrictions & Passcode Policies

Managing WiFi Connectivity

Kernel Extensions, System Extensions, Privacy Preferences

Securing Devices

Erasing Devices

Configuring Class Manager

Class Manager Features

Apple Classroom app

Mosyle Auth 2

Mosyle CDN

Device Scout

Detection & Removal

Admin On-Demand

DNS Filtering

Managing OS Updates

Overview

Software Delay

Software Update Settings

Deploying iOS & iPadOS Updates

Deploying macOS Updates

Automating OS Updates

No Comments