Configuring iOS and macOS software updates

The software update policy specifies what kind of system updates iOS or macOS devices should receive and when they should receive them. This policy allows you to keep the system software consistent on all your Apple iOS and macOS devices.

Only one software update policy is allowed per device. You can define multiple policies and assign a priority level to each, such that Ivanti EPMM can determine which policy it sends to iOS and macOS devices.

Once enrolled in the device enrollment program, devices are automatically supervised. Device users would have to use the Apple Configurator to make their devices supervised. If the device is not registered with the device enrollment program, macOS software updates are limited to only checking if a new version is available.

When a device checks in, Ivanti EPMM checks:

  • If a software update policy is applied to the device
  • The time window of the policy
  • If an update is available for that device
  • If the available update is applicable for the device's hardware

After MDM sends the update to the device, the device queues the update and the user is prompted to enter their passcode in order to start the software update.

In order to utilize the iOS Software Update policy, the device users with iOS versions 11.2 and older will be required to upgrade to iOS 11.3 or supported newer versions.

Procedure 

  1. Select Policies & Configs > Policies.
  2. Depending upon the device, select one:
    1. For iOS devices, select Add New > iOS and macOS > iOS Only > iOS Software Update.
    2. For macOS devices, select Add New > iOS and macOS > macOS Only > macOS Software Update.
  3. Use the guidelines in the Software Update settings table below to complete the new Add Updates dialog box.
  4. Select Save.
  5. Apply the policy to a iOS or macOS label.
Table 20.  Software Update settings

Item

Description

Name

Enter a name for the policy.

Status

Select the relevant radio button to indicate whether the policy is Active or Inactive.

Only one active policy can be applied to a device.

Priority

Specifies the priority of this policy relative to other custom policies of the same type. This priority determines which policy is applied if more than one policy is available.

Select Higher than or Lower than, then select an existing policy from the drop-down list.

For example, to give Policy A a higher priority than Policy B, you would select “Higher than” and “Policy B”.

Description

Enter an explanation of the purpose of this policy.

Set device update to

(iOS only)

Select one:

Update to the latest version - applicable to any iOS device prior to iOS 11.3.

Update to a specific version- a field displays for you to enter the iOS version you want to update (for iOS 11.3 or supported newer versions.) This field allows you to push the policy for updating a specific version of iOS to supervised devices.

Critical Updates

(macOS only)

Select All critical updates if updates requiring a device restart are acceptable.

Otherwise, select Only critical updates that do not require restart.

Configuration Data Updates

(macOS only)

Select All configuration data updates if updates requiring a device restart are acceptable.

Otherwise, select Only configuration data updates that do not require restart

Firmware Updates

(macOS only)

Select All firmware updates if updates requiring a device restart are acceptable.

Otherwise, select Only firmware updates that do not require restart

Update Hours

Select the timezone for the update times you select in the fields that follow.

For each day of the week, select the time of day and duration to apply the update. The duration indicates the time period in the local time zone specified by the policy. The update is initiated on each device when it checks in during the selected time period.

If you do not select any days of the week, no updates are initiated for a device, even if updates are available for the device.

If you select at least one day, but a device has no network access during that time period, no update is initiated for the device.

If a device does not have a iOS/macOS software update policy applied to it, updates are not initiated for the device.

Updating the OS on supervised iOS devices

Software update recommendation cadence

You can set a user’s device to allow all available, the highest available, or the lowest available OS software updates.

Applicable to:

  • iOS 14.5 or later

  • iPadOS 14.5 or later

Procedure 

  1. Select Policies & Configs > Policies.
  2. Select Add New > iOS Only > Recommendation Cadence.

    The Recommendation Cadence Command Policy dialog box opens.

  3. Use the guidelines in the Recommendation Cadence Command Policy settings table below to make your settings.

  4. Select Save.
  5. Apply the policy to a iOS or iPadOS label.
Table 21.  Recommendation Cadence Command Policy settings

Item

Description

Name

Enter a name for the policy.

Status

Select the relevant radio button to indicate whether the policy is Active or Inactive.

Only one active policy can be applied to a device.

Priority

Specifies the priority of this policy relative to other custom policies of the same type. This priority determines which policy is applied if more than one policy is available.

Select Higher than or Lower than, then select an existing policy from the drop-down list.

For example, to give Policy A a higher priority than Policy B, you would select “Higher than” and “Policy B”.

Description

Enter an explanation of the purpose of this policy.

Show all available OS Software Updates, if available

(Default) Displays all available OS software updates for the device.

Show only the highest available OS Software Update, if available

Displays the highest available OS software update for the device.

Show only the lowest available OS Software Update, if available

Displays the lowest available OS software update for the device.

Disable OS updates

By default, Ivanti EPMM uses the Available OS Updates command to poll Apple devices. You can disable this feature, thus stopping the Available OS Updates commands to iOS devices. To continue to have this feature disabled, for every Ivanti EPMM upgrade, you will need to de-select the Enable Available OS Updates calls field.

Procedure 

  1. Go to Settings > System Settings.
  2. Select on iOS > MDM. The MDM page opens.
  3. De-select the Enable Available OS Updates calls field.
  4. Select Save.

What the device user sees during software upgrade

After a new iOS is released, the iOS device checks and becomes aware that a new version of iOS software is available. If the device is locked with a passcode, the next time the device is unlocked, the device is able to begin to download the new iOS in the background without device user notification. After the download, on the Software Update screen, there is an indication that new version of iOS has been downloaded and the device user has the option to “Install Now”. If the device user taps "Later", the Software Update will keep requesting to install the update. After 3-4 attempts to install the new iOS software upgrade, no more deferring of the software update will be allowed. The user is required to input their passcode and that passcode is saved and used to update the device.