Managed OS for macOS

Learn how to configure Managed OS.

What Is Managed OS? 

Managed OS is a feature in Kandji that allows an admin to specify and enforce a specific (or latest) version of macOS with a simplicity similar to our Auto Apps feature. 

Managed OS Compatibility and Installation Mechanisms

Managed OS compatibility varies by Mac architecture and macOS version, and different installation mechanisms are used.

Mac computers upgrading to macOS Monterey

Mac computers can have the macOS Monterey upgrade enforced. In these cases, the Kandji Agent will leverage MDM commands to install the macOS upgrade on Mac computers with Apple silicon running macOS 11.5 or later. Mac computers with Intel will have the upgrade enforced by locally caching the full installer and executing the startosinstall binary.

The MDM commands leveraged for Mac computers with Apple silicon are not able to pre-cache macOS Monterey. The only available install action is the InstallASAP action. This means that the Kandji Agent is not able to cache the full installer prior to offering or enforcing the upgrade. Instead, the Kandji Agent will leverage MDM commands to ensure the update candidate is available, and then issue the InstallASAP action once the user starts the upgrade or the enforcement timer reaches zero. This will download and install the upgrade in the same action, potentially resulting in long delays and user wait times.

All Mac computers, macOS 11.4 or later

Every Mac computer running a macOS version of 11.4 or later will have minor macOS updates enforced. In these cases, the Kandji Agent will leverage MDM commands to download and install macOS updates. 

Please note:

In macOS Big Sur 11.4 through 11.6, the reliability of the DownloadOnly and OSUpdateStatus commands is still questionable. You will see intermittent failures during the download phase of the update process. You may see slow download times as the task is not run in the foreground. These things are out of Kandji's immediate control and we encourage administrators to continue to file feedback with Apple on this. 

Additionally, if a Mac computer already has an update cached (either by the user caching the update via System Preferences, the softwareupdate CLI, or automatic downloads being confirmed), the MDM protocol does not accurately report this state to the server. Thus, we feel it best to interpret multiple non-progressing downloads or failures for a DownloadOnly progress disappearing from OSUpdateStatus as an indicator that the update is already cached. In this case, the Kandji Agent will move to enforce the update under that assumption. 

Mac computers with Apple silicon, macOS earlier than 11.4

Mac computers with Apple silicon running a macOS version earlier than 11.4 will report as incompatible because the MDM commands that leverage bootstrap token authentication to authorize software updates from an MDM service were broken in these versions of macOS. Additionally, the softwareupdate CLI tool is not bootstrap token–aware and cannot be leveraged to silently update macOS on Apple silicon devices.   

Mac computers with Intel processors, macOS 11.2 through 11.3.1

Intel-based Mac computers running a version of macOS later than 11.2 but earlier than 11.4 can have minor macOS updates enforced. In these cases, the Kandji Agent leverages the softwareupdate CLI tool to download and install the updates. The MDM protocol is not used yet on these versions of macOS due to the unreliability of the software update MDM commands. Note that the softwareupdate CLI the Kandji Agent leverages on these versions of macOS can have reliability issues, and may require two or three attempts to successfully download an update. 

Mac computers with Intel processors, macOS 11 through 11.1

Intel-based Mac computers running these versions of macOS contain a bug that prevents the softwareupdate CLI and MDM software update commands from silently installing macOS updates correctly. Managed OS will report Intel-based Mac computers running these versions of macOS as incompatible.

Mac computers with Intel, macOS 10.13 through 10.15.7

Intel-based Mac computers running macOS 10.13 through 10.15.7 can have minor OS updates (such as 10.15.0 to 10.15.7) enforced by the Kandji Agent installing Apple combo updater packages. Intel-based Mac computers running these versions of macOS can be upgraded to macOS 11 (Big Sur) by the Kandji Agent leveraging the startosinstall binary within a macOS full installer. The latest available installer within Kandji is always used. 
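
The compatibility rules above for minor macOS updates can be checked against a device inventory to find Mac computers that Managed OS will report as incompatible and that need another patch path. This is an added example, not Kandji code; the function names and inventory rows are hypothetical, and the 11.2 lower bound follows the section heading "11.2 through 11.3.1".

```python
# Added example: maps (architecture, macOS version) to the minor-update
# mechanism described in the compatibility sections above.
# Inventory rows are constructed sample data, not real devices.

def parse_version(text):
    """'11.3.1' -> (11, 3, 1); missing components are padded with zeros."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def minor_update_mechanism(arch, version):
    """Return (compatible, mechanism) for arch 'arm64' or 'x86_64'."""
    v = parse_version(version)
    if v >= (11, 4, 0):
        return True, "MDM commands"
    if arch == "arm64":
        # Apple silicon earlier than 11.4: bootstrap-token MDM updates broken.
        return False, "incompatible"
    if (11, 2, 0) <= v < (11, 4, 0):
        # Assumption: lower bound taken from the heading "11.2 through 11.3.1".
        return True, "softwareupdate CLI"
    if (11, 0, 0) <= v < (11, 2, 0):
        return False, "incompatible"
    if (10, 13, 0) <= v <= (10, 15, 7):
        return True, "combo updater package"
    return False, "not covered by this page"

def unmanaged_hosts(inventory):
    """Hosts Managed OS cannot update, which need another patch path."""
    return [h["name"] for h in inventory
            if not minor_update_mechanism(h["arch"], h["os"])[0]]

INVENTORY = [  # constructed sample rows
    {"name": "mac-01", "arch": "arm64", "os": "11.6"},
    {"name": "mac-02", "arch": "arm64", "os": "11.2.3"},
    {"name": "mac-03", "arch": "x86_64", "os": "11.3.1"},
    {"name": "mac-04", "arch": "x86_64", "os": "11.0.1"},
    {"name": "mac-05", "arch": "x86_64", "os": "10.15.7"},
    {"name": "mac-06", "arch": "x86_64", "os": "10.12.6"},
]

if __name__ == "__main__":
    for host in INVENTORY:
        ok, how = minor_update_mechanism(host["arch"], host["os"])
        print(f'{host["name"]:8} {host["arch"]:7} {host["os"]:8} {how}')
    print("needs attention:", unmanaged_hosts(INVENTORY))
```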

What Kind of macOS Updates Can I Manage? 

With Managed OS, Kandji allows you to fully enforce a minimum OS version. This supports both minor updates (such as 10.15.1 to 10.15.4) and major macOS upgrades (such as macOS Mojave 10.14 to macOS Catalina 10.15.4).

This feature does not support downgrading macOS versions.
This feature does not currently support supplemental updates.

Deployment Consideration

If this is your first time enforcing a minimum macOS version on your fleet, we very strongly recommend using the Manually Enforce Minimum Version option and setting the enforcement deadline to at least 5 days away. Users will start receiving update notifications 5 days prior to the enforcement deadline. 

If you choose to use the Automatically Enforce New Updates option and set it to 2 weeks (as an example), and Apple hasn't released an update in the last 2 weeks, at the next check-in all of your macOS devices will show the 30-minute countdown immediately, requiring users to update and restart. 

Configure Managed OS

Deploying and enforcing an OS version is as easy as adding an OS to your library and assigning it to a Blueprint. Follow the steps below.

  1. Navigate to Library in the left-hand navigation bar.
  2. Select Add New in the upper right-hand corner.

  3. Scroll down to the Operating Systems section and select your desired OS.

Configuring Managed OS

  1. Assign the Managed OS to a Blueprint.
  2. In the configuration page, select an option for Version Enforcement.
    Available options include:
    1. Do Not Manage: This option will not manage OS updates.
    2. Automatically Enforce New Updates: This option will allow you to pick a default time frame in which new releases will be enforced. This time frame is calculated based on the date Apple released the update. 
    3. Manually Enforce Minimum Version: This option allows you to specify a version of macOS, as well as the date by which users must upgrade. 
  3. If you select Manually Enforce Minimum Version—which we recommend if it's the first time you're managing OS updates for your Mac devices—you will see the Minimum Version option to select a macOS version to enforce. 
  4. Select an Enforcement Deadline. This is the date by which the minimum macOS version must be met or else the update will be enforced. Updates will cache and your users will begin to be prompted to update 5 days prior to the enforcement deadline.
  5. Select an Enforcement Time Zone to determine when to enforce the update. 
  6. Select an Enforcement Time, which will be the exact time of day that the update is enforced; the enforcement will be determined server-side based on the previously selected Enforcement Time Zone.
  7. Click Save.
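
The enforcement settings above, together with the Deployment Consideration section, determine what a device shows at check-in. The following added example (not Kandji code) models that timeline, including the case where an automatic deadline is already in the past when the setting is first applied; the function names, dates and the fixed UTC offset are constructed, and reusing the Enforcement Time for the automatic option is an assumption.

```python
# Added example: a model of the enforcement timeline described on this page.
from datetime import date, datetime, time, timedelta, timezone

NOTIFY_LEAD = timedelta(days=5)    # prompts begin 5 days before the deadline
COUNTDOWN = timedelta(minutes=30)  # countdown shown once the deadline is reached

def manual_deadline(day, at, tz):
    """Deadline from the Enforcement Deadline, Time and Time Zone settings."""
    return datetime.combine(day, at, tzinfo=tz)

def automatic_deadline(apple_release, window_days, at, tz):
    """Deadline counted from Apple's release date (time of day is assumed)."""
    return manual_deadline(apple_release + timedelta(days=window_days), at, tz)

def phase(deadline, check_in):
    """What a device checking in at `check_in` would show."""
    if check_in >= deadline:
        return "countdown"   # 30-minute countdown starts immediately
    if check_in >= deadline - NOTIFY_LEAD:
        return "notifying"   # banner and menu bar prompts
    return "idle"

def forced_start(deadline, check_in):
    """When the update begins if the user never clicks Start Now."""
    return max(deadline, check_in) + COUNTDOWN

# Constructed scenario: a fixed offset stands in for the Enforcement Time Zone.
TZ = timezone(timedelta(hours=-7))
CHECK_IN = datetime(2022, 3, 21, 9, 0, tzinfo=TZ)
# Automatic option, 14-day window, release date already three weeks old.
AUTO = automatic_deadline(date(2022, 3, 1), 14, time(17, 0), TZ)
# Manual option with a deadline one week after the first check-in.
MANUAL = manual_deadline(date(2022, 3, 28), time(17, 0), TZ)

if __name__ == "__main__":
    for label, deadline in (("automatic", AUTO), ("manual", MANUAL)):
        print(label, deadline.isoformat(), phase(deadline, CHECK_IN),
              forced_start(deadline, CHECK_IN).isoformat())
```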

User Experience with Managed OS

Since deploying a managed OS has the potential to notify users of available macOS updates and upgrades (as well as to forcibly restart their computers), it is important to understand what your users may experience. 

Update Notifications

Users will receive a banner notification starting 5 days before the enforcement deadline.

The banner notification has these available actions:

  • Learn More: The Kandji menu bar app will open to the Update Info page. 
  • Remind in 1 hour: The user will receive the banner notification again in 1 hour. 
  • Remind Tomorrow: The banner notification will be hidden for 1 day before the user is prompted again.

Updating macOS Inside the Kandji Menu Bar App

Users will notice the Kandji menu bar app has a red dot indicating that an action is required. This indicator will begin to appear 5 days prior to the enforcement deadline.

When clicking on the Kandji menu bar app dropdown, users will see the available macOS update and its version. 

The update will be visible in the Kandji menu bar app starting 5 days prior to the enforcement deadline. 

Update Info: Once a user clicks the Learn More option from the banner action menu, or clicks the available update in the menu bar app, they will be presented with the update information and the option to start the update immediately. Once the user clicks Start Now, all open apps will be forcibly closed and kept closed until the update is finished.

Install in Progress: After a user starts an update via the Kandji menu bar app, they will be shown the following Install in Progress window. The Mac will automatically reboot to complete the update installation. 

Enforcement Deadline Reached

Once the enforcement deadline has been reached, the Kandji menu bar app will open, displaying a 30-minute countdown, giving the user time to close all programs and save their work.

If the user does not click Start Now by the end of the countdown, Kandji will forcibly close all apps and begin the upgrade. 

5-Minute Warnings: After the 30-minute countdown starts, if the user closes the Kandji menu bar app, they will receive a banner notification every 5 minutes notifying them that their Mac will restart soon, with the option to open the timer.
