Configuring iOS and macOS software updates

The software update policy specifies what kind of system updates iOS or macOS devices should receive and when they should receive them. This policy allows you to keep the system software consistent on all your Apple iOS and macOS devices.

Only one software update policy is allowed per device. You can define multiple policies and assign a priority level to each, so that Ivanti EPMM can determine which policy it sends to iOS and macOS devices.

Once enrolled in the device enrollment program, devices are automatically supervised. Device users would have to use the Apple Configurator to make their devices supervised. If the device is not registered with the device enrollment program, macOS software updates are limited to only checking if a new version is available.

When a device checks in, Ivanti EPMM checks:

  • If a software update policy is applied to the device
  • The time window of the policy
  • If an update is available for that device
  • If the available update is applicable for the device's hardware

After MDM sends the update to the device, the device queues the update and the user is prompted to enter their passcode in order to start the software update.
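
The check-in evaluation described above can be modelled as follows, with the time window taken from the policy's Update Hours setting. This is an added example, not Ivanti EPMM code: the dictionary fields, the rank convention (1 = highest priority), the fixed UTC-5 offset and the treatment of a window that runs past midnight are assumptions.

```python
from datetime import datetime, timedelta, timezone

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def select_policy(policies):
    """One policy per device: the Active policy with the best rank (1 = highest)."""
    active = [p for p in policies if p["status"] == "Active"]
    return min(active, key=lambda p: p["rank"]) if active else None

def in_window(policy, checkin_utc):
    """Evaluate the check-in time in the policy's time zone, not the device's."""
    local = checkin_utc.astimezone(policy["tz"])
    for back in (0, 1):  # today's window, then yesterday's if it ran past midnight
        day = (local - timedelta(days=back)).date()
        win = policy["hours"].get(DAYS[day.weekday()])  # (start "HH:MM", hours)
        if win:
            hh, mm = map(int, win[0].split(":"))
            start = datetime(day.year, day.month, day.day, hh, mm, tzinfo=policy["tz"])
            if start <= local < start + timedelta(hours=win[1]):
                return True
    return False

def evaluate_checkin(policies, device, checkin_utc, update):
    """Run the four check-in checks in order and return (initiate, reason)."""
    policy = select_policy(policies)
    if policy is None:
        return False, "no software update policy applied"
    if not in_window(policy, checkin_utc):
        return False, "check-in outside policy time window"
    if update is None:
        return False, "no update available"
    if device["model"] not in update["models"]:
        return False, "update not applicable to hardware"
    return True, f"send {update['version']} under {policy['name']}"

# Constructed sample data (all names and values are illustrative).
TZ = timezone(timedelta(hours=-5))  # fixed offset; a real zone would also apply DST
POLICIES = [
    {"name": "Pilot", "status": "Inactive", "rank": 1, "tz": TZ, "hours": {}},
    {"name": "Fleet", "status": "Active", "rank": 2, "tz": TZ,
     "hours": {"Sat": ("22:00", 4)}},  # Sat 22:00 to Sun 02:00 policy time
]
DEVICE = {"model": "iPhone14,5"}
UPDATE = {"version": "17.4", "models": {"iPhone14,5", "iPhone15,2"}}

if __name__ == "__main__":
    for ts in ("2024-03-10T06:30", "2024-03-09T23:00"):
        when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        print(ts, evaluate_checkin(POLICIES, DEVICE, when, UPDATE))
```

The returned reason string makes it easy to see which of the four checks stopped an update for a device that stays on an old version.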

To use the iOS Software Update policy, device users running iOS 11.2 or older must upgrade to iOS 11.3 or a supported newer version.

Procedure 

  1. Select Policies & Configs > Policies.
  2. Depending upon the device, select one:
    1. For iOS devices, select Add New > iOS and macOS > iOS Only > iOS Software Update.
    2. For macOS devices, select Add New > iOS and macOS > macOS Only > macOS Software Update.
  3. Use the guidelines in the Software Update settings table below to complete the new Add Updates dialog box.
  4. Select Save.
  5. Apply the policy to an iOS or macOS label.

Table 22.  Software Update settings

Item

Description

Name

Enter a name for the policy.

Status

Select the relevant radio button to indicate whether the policy is Active or Inactive.

Only one active policy can be applied to a device.

Priority

Specifies the priority of this policy relative to other custom policies of the same type. This priority determines which policy is applied if more than one policy is available.

Select Higher than or Lower than, then select an existing policy from the drop-down list.

For example, to give Policy A a higher priority than Policy B, you would select “Higher than” and “Policy B”.

Description

Enter an explanation of the purpose of this policy.

Set device update to

(iOS only)

Select one:

Update to the latest version - applicable to any iOS device prior to iOS 11.3.

Update to a specific version - a field displays for you to enter the iOS version you want to update to (for iOS 11.3 or supported newer versions). This field allows you to push the policy for updating to a specific version of iOS to supervised devices.

Critical Updates

(macOS only)

Select All critical updates if updates requiring a device restart are acceptable.

Otherwise, select Only critical updates that do not require restart.

Configuration Data Updates

(macOS only)

Select All configuration data updates if updates requiring a device restart are acceptable.

Otherwise, select Only configuration data updates that do not require restart.

Firmware Updates

(macOS only)

Select All firmware updates if updates requiring a device restart are acceptable.

Otherwise, select Only firmware updates that do not require restart.

Scheduling Priority

(macOS only)

Sets the priority for installing an operating system update. When set to Low (default), the device end user will have the option to defer the update. When set to High, the update will be pushed to the device and deferrals by the device user will not be allowed.

Sending the command with the value High is equivalent to the device user requesting the update themselves in Settings.

This key is supported only for minor operating system updates.

Before using this property, you must set Install Action > InstallLater. For more information, see

Install Action

(macOS only)

Select an option:

  • Default - Download or install the update, depending on the current state. You can check the UpdateResults dictionary to review scheduled updates. This value is available in macOS 10.11+.

  • DownloadOnly - Download the software update without installing it. This value is available in macOS 11+.

  • InstallASAP - Download the software update and trigger the restart countdown notification. This value is available in macOS 10.11+.

  • NotifyOnly - Download the software update and notify the device user through the App Store. This value is available in macOS 10.11+.

  • InstallLater - Download the software update and install it at a later time. This value is available in macOS 10.11+. When selected, the Max User Deferrals field displays below.

  • InstallForceRestart - Perform the Default action, and then force a restart if the update requires it. This value is available in macOS 11+.

Warning: InstallForceRestart may result in data loss.

Max User Deferrals

(macOS only)

When Install Action > InstallLater is selected, the Max User Deferrals field displays.

Select to designate the maximum number of times the system allows the device user to postpone an update before installing it. The system prompts the device user once per day. After the maximum number of times, the update occurs automatically.

This key is supported only for minor operating system updates. For more information, see Updates tab.

Update Hours

Select the timezone for the update times you select in the fields that follow.

For each day of the week, select the time of day and duration to apply the update. The duration indicates the time period in the local time zone specified by the policy. The update is initiated on each device when it checks in during the selected time period.

If you do not select any days of the week, no updates are initiated for a device, even if updates are available for the device.

If you select at least one day, but a device has no network access during that time period, no update is initiated for the device.

If a device does not have an iOS/macOS software update policy applied to it, updates are not initiated for the device.
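
The dependencies between the macOS settings in the table above (Scheduling Priority, Install Action, Max User Deferrals, Update Hours) can be checked before a policy is saved. This is an added example, not Ivanti EPMM code or an Ivanti API; the policy dictionary schema, the severity labels and the sample policies are assumptions constructed for illustration.

```python
# Minimum macOS version for each Install Action, as listed in the settings table.
MIN_MACOS = {"Default": (10, 11), "DownloadOnly": (11, 0), "InstallASAP": (10, 11),
             "NotifyOnly": (10, 11), "InstallLater": (10, 11),
             "InstallForceRestart": (11, 0)}

def lint_macos_policy(p, oldest_macos):
    """Return (severity, message) findings for one policy dict (hypothetical schema)."""
    out = []
    action = p.get("install_action", "Default")
    priority = p.get("scheduling_priority", "Low")  # Low is the documented default
    deferrals = p.get("max_user_deferrals")
    if p.get("status") != "Active":
        out.append(("high", "policy is Inactive and will not be applied"))
    if not p.get("update_days"):
        out.append(("high", "no Update Hours days selected: no updates are initiated"))
    if action not in MIN_MACOS:
        out.append(("high", f"unknown Install Action {action!r}"))
    elif oldest_macos < MIN_MACOS[action]:
        need = ".".join(map(str, MIN_MACOS[action]))
        out.append(("medium", f"{action} requires macOS {need}+"))
    if priority == "High" and action != "InstallLater":
        out.append(("medium", "Scheduling Priority requires Install Action InstallLater"))
    if deferrals is not None and action != "InstallLater":
        out.append(("medium", "Max User Deferrals applies only with InstallLater"))
    if action == "InstallForceRestart":
        out.append(("medium", "InstallForceRestart may result in data loss"))
    if action == "InstallLater" and priority == "Low":
        out.append(("info", f"user can defer for up to {deferrals or 0} daily prompts"))
    return out

# Constructed sample policies; oldest_macos is the oldest macOS version in the label.
RISKY = {"name": "Mac-Force", "status": "Active", "update_days": [],
         "install_action": "InstallForceRestart", "scheduling_priority": "High",
         "max_user_deferrals": 3}
SOUND = {"name": "Mac-Weekend", "status": "Active", "update_days": ["Sat", "Sun"],
         "install_action": "InstallLater", "scheduling_priority": "Low",
         "max_user_deferrals": 5}

if __name__ == "__main__":
    for policy, oldest in ((RISKY, (10, 15)), (SOUND, (12, 0))):
        for severity, message in lint_macos_policy(policy, oldest):
            print(f"{policy['name']}: [{severity}] {message}")
```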

Updating the OS on supervised iOS devices

Software update recommendation cadence

You can set a user’s device to allow all available, the highest available, or the lowest available OS software updates.

Applicable to:

  • iOS 14.5 or later

  • iPadOS 14.5 or later

Procedure 

  1. Select Policies & Configs > Policies.
  2. Select Add New > iOS Only > Recommendation Cadence.

    The Recommendation Cadence Command Policy dialog box opens.

  3. Use the guidelines in the Recommendation Cadence Command Policy settings table below to make your settings.

  4. Select Save.
  5. Apply the policy to an iOS or iPadOS label.

Table 23.  Recommendation Cadence Command Policy settings

Item

Description

Name

Enter a name for the policy.

Status

Select the relevant radio button to indicate whether the policy is Active or Inactive.

Only one active policy can be applied to a device.

Priority

Specifies the priority of this policy relative to other custom policies of the same type. This priority determines which policy is applied if more than one policy is available.

Select Higher than or Lower than, then select an existing policy from the drop-down list.

For example, to give Policy A a higher priority than Policy B, you would select “Higher than” and “Policy B”.

Description

Enter an explanation of the purpose of this policy.

Show all available OS Software Updates, if available

(Default) Displays all available OS software updates for the device.

Show only the highest available OS Software Update, if available

Displays the highest available OS software update for the device.

Show only the lowest available OS Software Update, if available

Displays the lowest available OS software update for the device.

Disable OS updates

By default, Ivanti EPMM uses the Available OS Updates command to poll Apple devices. You can disable this feature, which stops the Available OS Updates commands to iOS devices. To keep this feature disabled, you must de-select the Enable Available OS Updates calls field again after every Ivanti EPMM upgrade.

Procedure 

  1. Go to Settings > System Settings.
  2. Select iOS > MDM. The MDM page opens.
  3. De-select the Enable Available OS Updates calls field.
  4. Select Save.

Updates tab

  1. Select Devices & Users > Devices.

  2. Click Update. The Updates tab shows the details listed below. You can also use the MacOS Update Response Fields filters in the Advanced search to view all details relevant to software updates, including the macOS software name.

Label Name

Description

PRODUCT KEY

Displays the current update.

UPDATE NAME

Displays a human-readable name of the update.

STATUS

Displays the upgrade status. One of the following statuses is displayed:

  • Idle
  • Downloading
  • Installing

DOWNLOAD PROGRESS

Displays the completion percentage.

DEFERRAL TIME REMAINING

Displays the remaining number of times the update can be deferred by the user.

MAXIMUM DEFERRAL TIME

Displays the maximum number of times the user can defer an update. This is configured by the administrator.

NEXT SCHEDULE INSTALL DATE

Displays when the next software update is available.

These filters are available in:

  • Labels

  • Spaces

  • Compliance Policy Rules

What the device user sees during software upgrade

After a new iOS version is released, the iOS device checks and becomes aware that a new version of iOS software is available. If the device is locked with a passcode, the next time the device is unlocked, the device can begin downloading the new iOS version in the background without notifying the device user. After the download, the Software Update screen indicates that a new version of iOS has been downloaded, and the device user has the option to “Install Now”. If the device user taps "Later", Software Update keeps requesting to install the update. After 3-4 attempts to install the new iOS software upgrade, no more deferring of the software update is allowed. The user is required to input their passcode, and that passcode is saved and used to update the device.