Managed OS Compatibility and Installation Mechanisms

Learn what versions of macOS are compatible with Managed OS, and how each one works.

What Is Managed OS? 

Managed OS is a feature in Kandji that allows an admin to specify and enforce a specific (or latest) version of macOS with a simplicity similar to our Auto Apps feature. 

Managed OS Compatibility and Installation Mechanisms

Managed OS compatibility varies by Mac computer architectures and macOS versions, and different installation mechanisms are used. 


Mac computers with Apple Silicon 

Screen Shot 2022-01-10 at 13.37.47

Mac computers with Intel 

Screen Shot 2022-01-10 at 13.35.56

Mac computers upgrading to macOS Monterey

Mac computers can have the macOS Monterey upgrade enforced. In these cases, the Kandji Agent will leverage MDM commands to install the macOS upgrade on Mac computers with Apple silicon running at least macOS 11.5 or later. Mac computers with Intel will have the upgrade enforced by locally caching the full installer and executing the startosinstall binary. 

The MDM commands leveraged for Mac computers with Apple silicon are not able to pre-cache macOS Monterey. The only available install action is the InstallASAP action. This means that the Kandji agent is not able to cache the full installer prior to offering or enforcing the upgrade. Instead, the Kandji agent will leverage MDM commands to ensure the update candidate is available, and then issue the InstallASAP action once the user starts the upgrade or the enforcement timer reaches zero. This will download and install the upgrade in the same action, potentially resulting in long delays and user wait times.

All Mac computers, macOS 11.4 or later

Every Mac computer running a macOS version of 11.4 or later will have minor macOS updates enforced. In these cases, the Kandji Agent will leverage MDM commands to download and install macOS updates. 

Please Note:

In macOS Big Sur 11.4 through 11.6, the reliability of the DownloadOnly and OSUpdateStatus commands is still questionable. You will see intermittent failures during the download phase of the update process. You may see slow download times as the task is not run in the foreground. These things are out of Kandji's immediate control and we encourage administrators to continue to file feedback with Apple on this. 

Additionally, if a Mac computer already has an update cached (either by the user caching the update via System Preferences, the softwareupdate CLI, or automatic downloads being confirmed), the MDM protocol does not accurately report this state to the server. Thus, we feel it best to interpret multiple non-progressing downloads or failures for a DownloadOnly progress disappearing from OSUpdateStatus as an indicator that the update is already cached. In this case, the Kandji Agent will move to enforce the update under that assumption. 

Mac computers with Apple silicon, macOS earlier than 11.4

Mac computers with Apple silicon running a macOS version earlier than 11.4 will report as incompatible because the MDM commands that leverage bootstrap token authentication to authorize software updates from an MDM service were broken in these versions of macOS. Additionally, the softwareupdate CLI tool is not bootstrap token–aware and cannot be leveraged to silently update macOS on Apple silicon devices.   

Mac computers with Intel processors, macOS 11.2 through 11.3.1

Intel-based Mac computers running a version of macOS later than 11.2 but earlier than 11.4 can have minor macOS updates enforced. In these cases, the Kandji Agent leverages the softwareupdate CLI tool to download and install the updates. The MDM protocol is not used yet on these versions of macOS due to the unreliability of the software update MDM commands. Note that the softwareupdate CLI the Kandji Agent leverages on these versions of macOS can have reliability issues, and may require two or three attempts to successfully download an update. 

Mac computers with Intel processors, macOS 11 through 11.1

Intel-based Mac computers running these versions of macOS contain a bug that prevents the softwareupdate CLI and MDM software update commands from silently installing macOS updates correctly. Managed OS will report Intel-based Mac computers running these versions of macOS as incompatible.

Mac computers with Intel, macOS 10.14 through 10.15.7

Intel-based Mac computers running macOS 10.14 through 10.15.7 can have minor OS updates (such as 10.15.0 to 10.15.7) enforced by the Kandji Agent installing Apple combo updater packages. Intel-based Mac computers running these versions of macOS can be upgraded to macOS 12 (Monterey) by the Kandji Agent leveraging the startosinstall binary within a macOS full installer. The latest available installer within Kandji is always used. 

What Kind of macOS Updates Can I Manage? 

With managed OS, Kandji allows you to fully enforce a minimum OS version. This provides support for upgrading for both minor updates (such as 10.15.1 to 10.15.4) and major macOS upgrades (such as macOS Catalina 10.15.4 to macOS Monterey 12.3).

This feature does not support downgrading macOS versions.
This feature does not currently support supplemental updates.

Deployment Consideration

If this is your first time enforcing a minimum macOS version on your fleet, we very strongly recommend using the Manually Enforce Minimum Version option and setting the enforcement deadline to at least 5 days away. Users will start receiving update notifications 5 days prior to the enforcement deadline. 

If you choose to use the Automatically Enforce New Updates option and set it to 2 weeks (as an example), and Apple hasn't released an update in the last 2 weeks, at the next check-in all of your macOS devices will show the 30-minute countdown immediately, requiring users to update and restart.  To learn more about configuring Managed OS, follow our configuration guide.


To learn more about Managed OS, please see our other support articles:
Configuring Managed OS
User Experience with Managed OS