This website is originally written in the Czech language. Most content is machine (AI) translated into English. The translation may not be exact and may contain errors.
Microsoft Intune - update macOS devices

Author: Petr Bouška - Samuraj
With Intune, we can control the installation of updates on macOS devices (but in a much more limited way than on Windows). We can create profiles for update policies that deploy updates to devices and/or configure operating system update settings. These can be major and minor operating system updates, application updates, configuration files or firmware updates.

Update Policy vs. Configuration Profiles (Software Update)

The description in the documentation is not exactly exhaustive, and many things are not clear to me. I was unable to find more information on the internet. Practical testing is difficult because macOS updates cannot be uninstalled, so it's hard to try different settings.

We have two general options (as also mentioned in the documentation), which are completely independent:

  • Update policy - an update policy lets the MDM (Intune) deploy software updates to Apple devices; in it we set how downloading, installation and user notification work for each type of update, and we define the schedule on which the updates take place
  • Configuration profile, categories Software Update and Restrictions - configures the software update settings on the device itself, i.e. how users (or the system automatically) can work with updates through the system interface

My conclusion is that using the configuration profile, we can set how the system performs updates or allows users to manually perform them. We can thus prevent users from performing updates or enable automatic updates.

Using the update policy, we perform managed updates from Intune. It doesn't matter how the system is configured, even if searching for and installing updates is disabled (or delayed), the installation will be done through the policy.

With the configuration profile, we can also set a delay in the visibility of updates for devices. So the user doesn't see the new updates in the system, even when searching for updates. Microsoft states that we can test the updates and later deploy them using the policy. It's important to set the policy so that it doesn't perform the installation too early. I don't know how to achieve this, as there are no Workflows available for macOS updates, as there are for Windows updates.

Device Update Policies for macOS

  • Microsoft Endpoint Manager admin center - Devices - Update policies for macOS

Intune allows managing software updates on macOS devices registered in Intune (supervised devices). A minimum of macOS 12 is required. The entire topic is summarized on a single documentation page by Microsoft.

Microsoft notes (this information is also available from Apple) an important point: Apple Silicon devices (currently the M1 and M2 processors) must have a Bootstrap Token escrowed with the MDM for automated installation of updates. In the Intune documentation, the description of Bootstrap tokens states that the token is generated automatically and stored in Intune. We can view this information using the command line in macOS, or in the device details in Intune under Hardware - Bootstrap token escrowed.

Creating a Profile

We configure the settings by creating a profile that defines the update policies and assigning it to a group of users or devices.

We set the behavior for different update categories:

  • Critical updates
  • Firmware updates
  • Configuration file updates
  • All other updates (OS, built-in apps)

We can set various installation actions (the Apple action names are in parentheses):

  • Download and install - download or install based on current status (Default)
  • Download only - download only (DownloadOnly)
  • Notify only - download and notify the user, so they can perform the installation (NotifyOnly)
  • Install later - download and install later (InstallLater)
  • Install immediately - download and activate the 60-second countdown to restart, the user can postpone the restart during that time (InstallASAP)
  • Not configured - not set

At the same time, we set the update schedule. By default, Intune deploys the latest updates when the device checks in (connects to Intune), which is typically every 8 hours. But we can create a weekly schedule with start and end times on a specified day.

The available schedule options are:

  • Update at next check-in
  • Update during scheduled time
  • Update outside of scheduled time

How Updates Are Installed

How the installation actually works in practice with different settings is (somewhat) of a mystery. The description of the installation actions by Microsoft and Apple is absolutely insufficient. Microsoft notes in one comment that the Apple MDM does not allow forcing devices to install updates by a certain time or date. With the Update at next check-in setting, the installation action should be performed at each device check-in (which is perhaps the same as device sync, which we can manually trigger).

In practice, the installation always takes longer (several syncs, and perhaps some background actions take longer). Even though the update appears in the Intune monitoring as Available, the installation does not happen immediately. In my initial tests, I tried the Download and install action (MacBook with version 13.2.1, the images are in the monitoring section below).

I tried a schedule to have the updates only at night. And even though the MacBook was turned on (update status Available), after two nights the update still did not occur (then I switched to update on check-in). Maybe a manual restart (it seemed that the installation started after a restart several times) is necessary to move to the next state.

I also tried Notify only (MacBook with version 12.6.4). In the monitoring, updates appeared with an Error status, Command failed state.


I switched to Install immediately. After some (longer) time, the macOS installation was performed, showing a Success status, and another one was in the Installing state. After a few more hours, the Safari update was also reported as completed.


Another practical test came soon when version macOS 13.3.1 appeared, with the Install immediately action still set. This update went very quickly this time, Intune didn't even show that a new version was available. On the MacBook's updates, it was visible that a new version was being downloaded. After a few minutes, a notification popped up that a restart would be performed in 60 seconds. Clicking on it interrupted the countdown, and a manual restart was possible.


Perhaps a possible solution is to create multiple profiles. The first profile would download the update and possibly notify the user to perform the installation manually. The second profile would be limited to a specific day and time and perform the installation/restart.

I tried to find information on the internet, but there's not much, not even from Apple. I came across a mention that for major macOS updates, the only compatible (full installer) action is InstallASAP, while other actions may cause an error when sending the command (this could correspond to my test, but I also got an error for other types of updates). Other mentions were about InstallLater. For example, that the installation will be performed when the device is not in use. Or that the MaxUserDeferrals value (which Intune probably doesn't support) is used together, which determines the number of times the user can postpone the installation.

Monitoring Updates

  • Microsoft Endpoint Manager admin center - Devices - Monitor - Installation status for macOS devices

Here we find a list of devices (we can click to get more details) to which the Update policy profile is applied. Microsoft states in the documentation that only devices where the installation failed are displayed here, as macOS only returns information about the error. In practice, it's fortunately better, and all devices are shown here.

The data can also be found in the individual device details under Software updates (which we can also navigate to from the monitoring list).


Configuring Software Update Settings - Configuration Profiles

  • Microsoft Endpoint Manager admin center - Devices - Configuration profiles

We can set the update behavior in the system using a configuration profile from the Settings catalog. We create a profile for the macOS platform, of the Settings catalog type.

There are two categories available:

  • Software Update - allows setting automatic updates and preventing users from changing them
    • Allow Pre Release Installation
    • Automatic Check Enabled
    • Automatic Download
    • Automatically Install App Updates
    • Automatically Install macOS Updates
    • Config Data Install
    • Critical Update Install
    • Restrict Software Update Require Admin To Install
  • Restrictions - allows delaying the visibility of updates for devices, either by turning on a Force setting (which hides updates for 30 days by default) or by also setting the number of days in the matching Enforced setting
    • Enforced Software Update Delay
    • Enforced Software Update Major OS Deferred Install Delay
    • Enforced Software Update Non OS Deferred Install Delay
    • Enforced Software Update Minor OS Deferred Install Delay
    • Force Delayed App Software Updates
    • Force Delayed Major Software Updates
    • Force Delayed Software Updates
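Two checks that follow from the points above (the Bootstrap Token requirement for Apple Silicon, and the update visibility delay set by the Restrictions profile), as an added example that is not code from the article, Microsoft or Apple. The parse functions take command output as text, so the constructed samples in the script exercise them on any system; the real macOS commands (`profiles`, `defaults`) run only in `run_checks`.

```shell
#!/bin/sh
# Added example (not code from the article, Microsoft or Apple): checks an admin can run
# on an Intune-enrolled Mac. Apple Silicon needs the Bootstrap Token escrowed to the
# MDM for unattended updates, and a Restrictions profile can hide new updates from
# users for a number of days. Parse functions take command output as text so the
# constructed samples below run anywhere; run_checks calls the real macOS commands.

# Returns 0 when the output of `sudo profiles status -type bootstraptoken` reports
# the token as escrowed to the MDM server, 1 otherwise.
bootstrap_token_escrowed() {
  printf '%s\n' "$1" | grep -q 'escrowed to server: YES'
}

# Prints how many days new software updates stay hidden, given the output of
# `defaults read "/Library/Managed Preferences/com.apple.applicationaccess"`.
# The delay applies only when forceDelayedSoftwareUpdates is on; the day count is
# enforcedSoftwareUpdateDelay (1-90 in Apple's schema) and defaults to 30 when unset.
update_delay_days() {
  printf '%s\n' "$1" | awk '
    {
      # defaults prints "key = value;" lines; "value;" converts to its leading number
      for (i = 1; i + 2 <= NF; i++) {
        if ($i == "forceDelayedSoftwareUpdates") force = ($(i + 2) + 0 == 1)
        if ($i == "enforcedSoftwareUpdateDelay") { days = $(i + 2) + 0; have = 1 }
      }
    }
    END { print (force ? (have ? days : 30) : 0) }'
}

# Constructed sample outputs, in the format the two commands print
SAMPLE_STATUS_OK='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
SAMPLE_PREFS='{
    enforcedSoftwareUpdateDelay = 14;
    forceDelayedSoftwareUpdates = 1;
}'

run_checks() {
  status=$(sudo profiles status -type bootstraptoken 2>/dev/null)
  if bootstrap_token_escrowed "$status"; then
    echo "Bootstrap token: escrowed, Intune can install updates unattended"
  else
    echo "Bootstrap token: NOT escrowed, Apple Silicon updates will not install unattended"
  fi
  prefs=$(defaults read "/Library/Managed Preferences/com.apple.applicationaccess" 2>/dev/null)
  echo "Update visibility delay: $(update_delay_days "$prefs") day(s)"
}

if [ "$(uname)" = Darwin ]; then run_checks; fi
```

A delay of 0 means the Restrictions profile is not in effect and users see new updates as soon as Apple publishes them.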

Settings in the Operating System

Update settings and the updates themselves are handled on macOS in System Settings - General - Software Update.


If we create a configuration for the Software Update category, information will be displayed that the updates are managed by the company. The settings will be applied according to the configuration, and it will not be possible to change them.

