In this guide, I will show you how to manage macOS software updates using Intune. You can use Microsoft Intune to manage software updates for macOS devices that are enrolled as supervised devices.
Do you have supervised macOS 12 and later devices in your setup? If this is the case, you can use Intune to manage software updates. MacOS users who enroll using one of the Automated Device Enrollment (ADE) methods (Apple Business Manager or Apple School Manager) are considered supervised.
You can now use Intune policies to manage macOS software updates for devices that were enrolled using Automated Device Enrollment as of Intune Service release 2210. Microsoft keeps adding additional features with every release, making it easier to deploy the updates for macOS devices.
In most organisations, allowing users to self-install updates on their macOS devices is strictly forbidden. Especially if you want all of your macOS devices to run the same version. Like Windows devices, Intune allows you to configure software update policies for macOS devices and manage update deployment. After you deploy the macOS software update policy, you can monitor update installation failures on devices.
Prerequisites
Listed below are some prerequisites required to manage macOS software updates using Intune.
- To manage macOS updates using Intune, you’ll need macOS 12 and later (supervised). Before the macOS 12.5 release, devices may download and install additional updates before installing the latest update.
- You must enroll your macOS devices into Intune before managing the updates.
- According to Microsoft, by default, devices check in with Intune about every 8 hours. If an update is available through an update policy, the device downloads the update. The device then installs the update upon next check-in within your schedule configuration.
Support for macOS Software Updates in Intune
With policies for Intune software updates, you can manage and configure the following update types for macOS devices:
- Remotely manage how downloads, installations, and notifications should occur when the following types of updates are available for macOS:
- Critical update
- Firmware update
- Configuration file update
- All other updates (OS, built-in apps)
- Set a schedule for when the update should be installed. Schedules can be as simple as installing updates the next time the device checks in, or as complex as creating day-time ranges during which updates can or cannot be installed.
Manage macOS Software Updates using Intune
Let’s go through the steps to manage macOS software updates using Intune. We will first create a new software update policy in Intune to manage the updates for macOS. These settings determine how and when software updates deploy. This profile doesn’t prevent users from updating the OS manually. Please note that updates will only apply to supervised devices.
Use the following steps to create the macOS software update policy:
- Sign in to Microsoft Intune Admin Center.
- Navigate to Devices > Update Policies for macOS and select Create Profile.
Enter a name for the profile in the Basics tab of the Create profile pane. Add a brief description of the profile. Click Next.
For instance, you can enter the following information:
- Name: macOS Software Updates Policy
- Description: Manage software updates for macOS devices. Applies to macOS 12 and later (supervised).
The Update Policy Settings tab allows you to control how and when software updates are installed on macOS devices. This is a critical step that must be configured based on your needs. In other words, the configuration differs from organisation to organisation.
Update Policy Behavior Settings
The update policy behavior settings allow you to select how downloads, installations, and notifications should occur for each type of update. For Critical, Firmware, Configuration file, and All other updates (OS, built-in apps), the following installation actions can be configured for each update:
- Download and install: Download or install the update, depending on the current state.
- Download only: Download the software update without installing it.
- Install immediately: Download the software update and trigger the restart countdown notification.
- Notify only: Download the software update and notify the user through the App Store.
- Install later: Download the software update and install it later.
- Not configured: No action taken on the software update.
In the below example, the following update policy behavior settings are configured within our macOS software update policy.
- Critical Updates: Set it to Install Immediately
- Firmware Updates: Notify only
- Configuration File Updates: Notify only
- All other updates (OS, built-in apps): Install immediately
Update Policy Schedule Settings
When an update policy is assigned to a device, Intune automatically deploys the most recent updates at device check-in. Instead, you can make a weekly schedule with custom start and end times. If you update outside of the scheduled time, Intune will not deploy updates until the scheduled time has expired.
- Update at next check-in: The update installs on the device the next time it checks in with Intune. This option is the simplest and has no extra configurations.
- Update during scheduled time: You configure one or more windows of time during which the update will install upon check-in.
- Update outside of scheduled time: You configure one or more windows of time during which the updates won’t install upon check-in.
Note: You can deploy a settings catalog policy to hide an update from device users for a period of time on your supervised macOS devices. I will go into detail about this in a separate guide.
In the below example, the following update policy schedule settings are configured within our macOS software update policy.
- Schedule Type: Update at next check-in
Note: If you don’t configure times to start or end, the configuration results in no restriction, and updates can be installed at any time.
Once you have configured the update policy settings, click Next.
On the Assignments tab, add the Azure AD groups to which you want to deploy the macOS software update policy. It is recommended that you create a pilot group consisting of a few macOS devices that can be used for testing the deployment of updates. Click Next.
On the Review + Create tab, review the macOS Software Update policy settings, and then select Create when ready to save your macOS update policy.
Your new policy is displayed in the list of updated policies for macOS. You must wait for the policy to apply to the targeted groups, and once the devices check in with the Intune service, they will receive the settings. You can also run Check Status in company portal on your Mac devices to retrieve the latest policies from Intune.
Monitor macOS Update Installation failures in Intune
If the software updates are failing on macOS devices, you can monitor them in the Intune portal. To accomplish that, in the Microsoft Intune admin center, go to Devices > Monitor > Software Updates > Installation Status for macOS devices. Here, you can view the software update installation status for macOS devices.
Intune displays a list of supervised macOS devices that have an update policy applied to them. Because macOS devices only return information about installation failures, the list excludes devices that are up-to-date and in good health.
The installation status for each device on the list displays the error that the device returned. On the Installation status for macOS devices page, select Filters, and then expand the drop-down list for Installation Status to see a list of potential installation status values.
Conclusion
When it comes to deploying software updates for macOS devices, Microsoft Intune streamlines admins’ tasks. On your macOS-supervised devices, you can specify how and when you want the updates to be applied. The Intune Settings Catalog allows administrators to set up additional macOS software update settings in addition to the macOS software update policies. Using the information covered in this article, you should now be able to manage macOS software updates using Intune. Please ask any questions you may have in the comments section.
Hi. Can you please help me with one task?
I need to configure macOS updates with option to postpone upgrade from macOS13 Ventura to new coming macOS14 Sonoma. But still I want to install automatically during scheduled time other updates (specially security updates to Ventura). And also I want to hide for users option to upgrade to Sonoma.
I set “critical updates”: download and install
“All other updates (OS, built-in apps)”: Notify only
Schedule type i set like my organization preferetions
Also I created configuration profile:
Profile type: Device restrictions (from templates in Intune)
In “General” pane I set “Delay visibility of major OS software update” to 90 days
Is that configuration will be ok? And Sonoma will not Install automatic by Intune or manual by user?