At this year’s Worldwide Developers Conference (WWDC 2021), Apple announced a slew of exciting new tools for IT admins. Several of them are specifically aimed at giving those admins more control over software updates in the upcoming macOS Monterey and iOS and iPadOS 15. Here's what they are and how they'll help:
- Separating Updates for iOS, iPadOS
- Managing macOS Releases
- Deferring Software Updates
- Deploying Software Updates
- Enforcing Software Updates
Separating Updates for iOS, iPadOS
One of the biggest device management announcements at WWDC 2021 was Apple’s decision to split security updates from new versions of iOS and iPadOS. This will give admins the option of letting devices currently using iOS or iPadOS 14 get the latest security improvements without committing to iOS or iPadOS 15.
Thanks to a new RecommendationCadence key (which will be deployable in configuration profiles), those admins will have two options. The first will be to let a device update to the latest version of iOS as soon as it’s released. This will ensure that those users have all the latest features and security settings as soon as they become available.
But in managed environments, you may want to test the new releases before letting them propagate widely. That’s where the second option comes in. This fall, you’ll instead be able to choose to let devices continue using iOS or iPadOS 14 but still update them with essential security settings. If you need more time to transition your users’ devices to iOS or iPadOS 15 yet still want to make sure that they get the latest security updates in the interim, this will be a good choice.
Managing macOS Releases
At WWDC 2021, Apple also introduced some new features that will let IT admins control when and how new operating systems and software updates deploy on Mac. Together, these new tools will let admins test updates for compatibility with existing apps and workflows and only then deploy them more widely.
Deferring Software Updates
If you aren’t ready to upgrade all your Mac computers to macOS Monterey upon release, you’ll be able to use some new deferral restrictions. These will prevent managed devices from receiving OS updates even after macOS Monterey ships. Similar to the way that you’ll have more granular control over iOS and iPadOS updates, you’ll be able to delay major macOS updates for longer than minor releases. That means you can update your managed Mac computers to the latest security settings even if you aren’t ready to upgrade to the new OS.
To accomplish this, Apple is implementing three new keys that can be added to configuration profiles:
- forceDelayedMajorSoftwareUpdate delays major updates (you can still receive minor OS and security updates);
- forceDelayedSoftwareUpdate defers minor releases; and
- forceDelayedAppSoftwareUpdate postpones supplemental updates.
Deferral periods will be 30 days by default, but you’ll be able to extend each up to 90 days. Upon expiration, managed devices will receive a notification about the available update. Note that this deferral restriction will change only the Software Update interface; it will not affect MDM commands. In other words, you’ll still be able to use your MDM solution to push OS updates to managed devices, even when they are in a deferral period.
Deploying Software Updates
At WWDC, Apple also announced changes to the ways devices check for updates.
With macOS Monterey, the process will be similar to the one already used for iOS, in which the MDM server requests available updates directly from the Apple Software Lookup Service. When IT is ready to deploy an update, the appropriate MDM command will be sent to the device. The device will then send information about itself to Apple’s update service, which will then verify that the device is eligible for the update. The eligible device will then download and install the update. This will cut down on back-and-forth communications between the MDM server, the Apple Software Lookup Service, and the device.
These streamlined communications will be made possible by new SoftwareUpdateModelID and ProductVersion keys, which return device information directly to the MDM server. That information will in turn help IT admins configure and deploy updates for supervised macOS, iOS, and iPadOS devices.
For Mac computers with Apple silicon, OS updates will require authorization. User-initiated updates will be authorized by entering a user password; non-interactive automated updates will require a Bootstrap token.
With macOS Monterey, that token will be used in conjunction with an InstallLater action to postpone updates on Mac computers with Apple silicon. InstallLater will use machine learning to determine when the computer is most often idle. It will then schedule the update, notify users when the update will occur, and remind them to connect their computer to power.
InstallLater will be one of four options available in the ScheduleOSUpdate command. The others are:
- InstallASAP: Installs the update as soon as possible. The Mac won’t close any applications being used and will still display the option to cancel the restart countdown.
- DownloadOnly and NotifyOnly: The DownloadOnly action will automatically download the update in the background without installing it. NotifyOnly will let users know when an update is available so they can initiate it.
Enforcing Software Updates
In previous iterations of macOS, even if an IT admin sent devices a command to install an update, users could still defer it. In macOS Monterey, you’ll be able to specify a maximum number of times a user can defer an update, by defining a value for the MaxUserDeferrals key in the InstallLater action. Once users have completed the maximum number of deferrals, InstallForceRestart will kick in. Users will be informed of their remaining deferral count before a forced install occurs.
These are just some of the changes to device management coming to Mac, iPhone, and iPad that Apple announced at WWDC 2021. Kandji is excited to explore these new features and see how we can add support for them in our MDM solution, so you can get the most out of your Apple fleet. With powerful features like zero-touch deployment, one-click compliance, and offline remediation, Kandji has everything you need to enroll, configure, and secure your devices.