Managed software updates with the settings catalog

You can use the Intune settings catalog to configure managed software updates for iOS/iPadOS and macOS devices. With managed software updates in Intune, you can:

  • Choose an update to install using its OS version or build version.
  • Enforce a deadline for the device to automatically install an update.
  • Specify a URL that users can visit to learn more about updates.

This feature applies to:

  • iOS/iPadOS 17.0 and later
  • macOS 14.0 and later

Apple's declarative device management (DDM) allows you to install a specific update by an enforced deadline. The autonomous nature of DDM provides an improved user experience because the device handles the entire software update lifecycle. It notifies users that an update is available, downloads the update, prepares the device for the installation, and installs the update.

Tip

To learn more about declarative software updates from Apple, go to:

Managed software updates vs software update policies

On Apple devices in Intune, you can create software update policies or managed software update policies. Both policy types can manage the install of software updates on devices. However, there are some differences between the two policy types.

Use the following information to help you decide which policy type to use.

Feature Managed software update policy Software update policy
Configure a specific update to install    
iOS/iPadOS
macOS
     
Enforces an update deadline    
iOS/iPadOS
macOS
     
Enter a help URL    
iOS/iPadOS
macOS
     
Auto deploy latest update    
iOS/iPadOS
macOS
     
Downgrade versions    
iOS/iPadOS
macOS
     
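Intune admin center policy type
  • iOS/iPadOS: Settings catalog (managed software update policy); Update policies for iOS/iPadOS (software update policy)
  • macOS: Settings catalog (managed software update policy); Update policies for macOS (software update policy)

Minimum supported version
  • iOS/iPadOS: 17.0 and later (managed software update policy); iOS 10.3 (supervised) and iPadOS 13.0 (supervised) (software update policy)
  • macOS: 14.0 and later (managed software update policy); macOS 12.0 (software update policy)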

Precedence

Managed software updates have precedence over other policies that configure software updates. If you configure managed software updates and also have other software update policies assigned, then it's possible the other update policies have no effect.

iOS/iPadOS precedence order:

  1. Managed software updates (Settings catalog > Declarative Device Management > Software Update)
  2. Update policies (Devices > Update policies for iOS/iPadOS)

macOS precedence order:

  1. Managed software updates (Settings catalog > Declarative Device Management > Software Update)
  2. Update policies (Devices > Update policies for macOS)
  3. Software updates (Settings catalog > System Updates > Software Update)

Configure the managed software updates policy

  1. Sign in to the Intune admin center.

  2. Select Devices > Manage devices > Configuration > Create.

  3. Enter the following properties and select Create:

    • Platform: Select iOS/iPadOS or macOS.
    • Profile: Select Settings catalog.
  4. In the Basics tab, enter the following information, and select Next:

    • Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later.
    • Description: Enter a description for the policy. This setting is optional, but recommended.
  5. In Configuration settings, select Add settings > expand Declarative Device Management > Software Update.

  6. Choose Select all these settings and then close the settings picker.

  7. Configure the settings:

    • Details URL: Enter a web page URL that has more information on the update. Typically, this URL is a web page hosted by your organization that users can select if they need organization-specific help with the update.

    • Target Build Version: Enter the target build version to update the device to, like 20A242. The build version can include a supplemental version identifier, like 20A242a.

      If the build version you enter isn't consistent with the Target OS Version value you enter, then the Target OS Version value takes precedence.

    • Target Date Time: Select or manually enter the date and the time that specifies when to force the installation of the software update.

      Note

      In a future release, the UTC text is being removed from the Target Date Time setting in the settings catalog UI.

      The Target Date Time setting schedules the update using the local timezone of the device. For example, an admin configures an update to install at 2PM. The policy schedules the update to happen at 2PM in the local timezone of devices that receive the policy.

      • If the user doesn't trigger the software update before this time, then a one-minute countdown prompt is shown to the user. When the countdown ends, the device force installs the update and forces a restart.
      • If the device is powered off when the deadline is met, there's a one-hour grace period after the device powers back on. When the grace period ends, the device force installs the update and forces a restart.

      Important

      If you create a policy using this setting before the January 2024 release, then this setting shows Invalid Date for the value. The updates are still scheduled correctly and use the values you originally configured, even though it shows Invalid Date.

      To configure a new date and time, you can delete the Invalid Date values, and select a new date and time. Or, you can create a new policy. If you create a new policy, to help avoid future confusion, remove the values in the original policy.

    • Target OS Version: Select or manually enter the target OS version to update the device to. This value is the OS version number, like 16.1. You can also include a supplemental version identifier, like 16.1.1.

  8. Select Next.

  9. In the Scope tags tab (optional), assign a tag to filter the profile to specific IT groups. For more information about scope tags, go to Use role-based access control and scope tags for distributed IT.

  10. Select Next.

  11. In the Assignments tab, select the users or groups that will receive your profile. For more information on assigning profiles, go to Assign user and device profiles.

    Important

    Assignment filters are not supported for DDM-based policies.

  12. Select Next.

  13. In the Review + create tab, review the settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

Monitoring managed software updates

Managed software updates use the same reporting as device configuration policies. For more information, go to Monitor device configuration policies.

Important

A policy that reports Success only means that the configuration successfully installed on the device. Monitor the OS version of targeted devices to ensure that they update. After devices update to a later OS version than the one configured in the policy, the policy reports an error because the device sees this as an attempt to downgrade. It's recommended to remove the older OS version policy from devices in this state.
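The monitoring guidance above, combined with the device-local Target Date Time behavior described earlier, as an added example (not Microsoft's or Intune's code): it triages a constructed device inventory against a policy's target OS version and deadline. The inventory fields, status labels and fixed UTC offsets are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# One-hour grace period the page describes for devices that were powered off.
GRACE = timedelta(hours=1)

def parse_version(text):
    """'17.4' -> (17, 4, 0), so 17.4 and 17.4.0 compare equal."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def deadline_utc(target_local, utc_offset_hours):
    """Target Date Time is wall-clock time on the device; return the UTC instant."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return target_local.replace(tzinfo=tz).astimezone(timezone.utc)

def classify(device, target_os, target_local, now_utc):
    have, want = parse_version(device["os"]), parse_version(target_os)
    if have > want:
        return "ahead-of-target"  # policy now reports an error: remove it here
    if have == want:
        return "updated"
    due = deadline_utc(target_local, device["utc_offset"])
    # Past deadline plus grace and still below target: needs investigation.
    return "overdue" if now_utc > due + GRACE else "pending"

def triage(inventory, target_os, target_local, now_utc):
    return {d["name"]: classify(d, target_os, target_local, now_utc) for d in inventory}

# Constructed sample data (hypothetical device names, versions and offsets).
INVENTORY = [
    {"name": "ipad-berlin", "os": "17.4.1", "utc_offset": 1},
    {"name": "iphone-london", "os": "17.5", "utc_offset": 0},
    {"name": "iphone-tokyo", "os": "17.3", "utc_offset": 9},
    {"name": "ipad-seattle", "os": "17.3", "utc_offset": -8},
    {"name": "iphone-lisbon", "os": "17.4", "utc_offset": 0},
]
TARGET_OS = "17.4.1"
TARGET_LOCAL = datetime(2024, 3, 20, 14, 0)  # 2 PM on each device's own clock
NOW_UTC = datetime(2024, 3, 20, 20, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, status in triage(INVENTORY, TARGET_OS, TARGET_LOCAL, NOW_UTC).items():
        print(f"{name:15} {status}")
```

Because the deadline follows each device's clock, the same policy is already overdue in Tokyo while still pending in Seattle at the sampled instant.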

Using the Software Update Settings declarative configuration

When you configure managed software updates, you might want to manage aspects of the software update process leading up to the enforcement of an update. Using this configuration, you can:

  • Require that an admin or standard user can perform updates on the device

  • Control how users can manually interact with software update settings like automatic download and install or the behavior of Rapid Security Responses

  • Hide updates from users for a specified time period

  • Suppress update notifications up to one hour before the enforcement deadline

  • Control whether users are allowed to update to the latest major update, latest minor update, or are offered both.

Previously in MDM, these settings were spread across multiple payloads such as Restrictions, Managed Settings, and Software Update. As of August 2024, it's recommended to use the DDM-based Software Update Settings configuration to manage updates. To create a Software Update Settings policy, go to the Settings catalog > Declarative Device Management (DDM) > Software Update Settings. More information on these settings is available in the documentation section for the Software Update Settings declarative configuration.

Delay visibility of updates using MDM

Note

As of August 2024, it's recommended to use the DDM-based Software Update Settings configuration to manage update settings such as deferrals.

When you configure managed software updates, you might want to hide updates from users for a specified time period. To hide the updates, use a settings catalog policy that configures an update restriction.

A restriction period gives you time to test an update before it's available to users. After the restriction period ends, users can see the update. If your update policies don't install it first, then users can choose to install the update.

To create a restrictions policy, go to the Settings catalog > Restrictions. Some settings you can use to defer an update include:

  • Enforced Software Update Delay
  • Enforced Software Update Major OS Deferred Install Delay (macOS)
  • Enforced Software Update Minor OS Deferred Install Delay (macOS)
  • Enforced Software Update Non OS Deferred Install Delay (macOS)
