Learn about Managed OS compatibility with macOS versions
- What is Managed OS for macOS?
- Managed OS for macOS Compatibility and Installation Mechanisms
- Mac computers with Apple Silicon
- Mac computers with Intel
- Mac computers upgrading to macOS Monterey or later
- All Mac computers, macOS 11.4 or later
- Mac computers with Apple silicon, macOS earlier than 11.4
- Mac computers with Intel processors, macOS 11.2 through 11.3.1
- Mac computers with Intel processors, macOS 11 through 11.1
- What Kind of macOS Updates Can I Manage?
- Deployment Considerations
What is Managed OS for macOS?
Managed OS is a feature in Kandji that allows an admin to specify a minimum OS version a supervised Mac must be running, and can enforce updating to the latest version if that minimum version is not met. This is all done with a simplicity similar to our Auto Apps feature.
Managed OS for macOS Compatibility and Installation Mechanisms
Managed OS for macOS compatibility varies by Mac computer architecture and macOS version, and different installation mechanisms are used.
Mac computers with Apple Silicon
| Enforced macOS Version | ||||||||
| Current macOS Version | macOS Big Sur (11) | macOS Monterey (12) | macOS Ventura (13) | macOS Sonoma (14) | ||||
| Minor Updates for 11.X.X | Major Upgrades to 11.X.X | Minor Updates for 12.X.X | Major Upgrades to 12.X.X | Minor Updates for 13.X.X | Major Upgrades to 13.X.X | Minor Updates for 14.X.X | Major Upgrades to 14.X.X | |
| 11.0-11.3.1 | Not Possible | Not Possible | Not Possible | Not Possible | ||||
| 11.4 | MDM Commands | Not Possible | Not Possible | Not Possible | ||||
| 11.5+ | MDM Commands | MDM Commands | MDM Commands | MDM Commands | ||||
| 12.0.1+ | MDM Commands | MDM Commands | MDM Commands | |||||
| 13.0+ | MDM Commands | MDM Commands | ||||||
| 14.0+ | DDM | |||||||
Mac computers with Intel
| Enforced macOS Version | ||||
| Current macOS Version | macOS Big Sur (11) | macOS Monterey (12), macOS Ventura (13), and macOS Sonoma (14) | ||
| Minor Updates for 11.X.X | Major Upgrades to 11.X.X | Minor Updates | Major Upgrades | |
| 11.0-11.1 | Not Possible | startosinstall CLI | ||
| 11.2-11.3.1 | softwareupdate CLI | startosinstall CLI | ||
| 11.4+ | MDM Commands | startosinstall CLI | ||
| 12.0.1+ | MDM Commands | startosinstall CLI | ||
| 13.0+ | MDM Commands | MDM Commands | ||
| 14.0+ | DDM | |||
Mac computers upgrading to macOS Monterey or later
Mac computers can have a macOS Monterey or macOS Ventura upgrade enforced with Kandji. Mac computers with Apple silicon will be upgraded using MDM commands if they run macOS 11.5 or later. Intel-based Mac computers enforce the upgrade by locally caching the full installer and executing the startosinstall binary.
For Mac computers with Apple silicon, Kandji uses the ScheduleOSUpdate MDM command with the InstallASAP install action once the user starts the upgrade or the enforcement timer reaches zero. Because macOS handles the download and install of the upgrade in the same action, there can potentially be long delays and user wait times. Note that macOS also does not provide user-visible progress during the process -- the Mac will simply restart when ready.
All Mac computers, macOS 11.4 or later
Every Mac computer running a macOS version of 11.4 or later uses MDM commands or DDM (Declarative Device Management) to download and install macOS updates. For more information on DDM, please see our Declarative Device Management and Managed OS support article.
Caching Considerations
Mac computers with Apple silicon, macOS earlier than 11.4
Mac computers with Apple silicon running a macOS version earlier than 11.4 will report as incompatible because the MDM commands to install software updates from MDM were nonfunctional in these versions of macOS. Additionally, the softwareupdate CLI tool cannot be leveraged to silently update macOS on Apple silicon devices.
Mac computers with Intel processors, macOS 11.2 through 11.3.1
Intel-based Mac computers running a version of macOS later than 11.2 but earlier than 11.4 can have minor macOS updates enforced. In these cases, the Kandji Agent leverages the softwareupdate CLI tool to download and install the updates. Note that the softwareupdate CLI the Kandji Agent leverages on these versions of macOS can have reliability issues and may require two or three attempts to download an update successfully.
Mac computers with Intel processors, macOS 11 through 11.1
Intel-based Mac computers running these versions contain an issue in macOS that prevents the softwareupdate CLI and MDM software update commands from silently installing macOS updates correctly. Managed OS for macOS will report Intel-based Mac computers running these versions of macOS as incompatible.
What Kind of macOS Updates Can I Manage?
With Managed OS for macOS, Kandji allows you to enforce a minimum OS version. This supports updates (such as 14.2.1 to 14.3) and macOS upgrades (such as macOS Ventura to macOS Sonoma).
This feature does not support downgrading macOS versions, and does not support supplemental updates offered to macOS versions prior to macOS Big Sur.
Deployment Considerations
Managed OS for macOS is not compatible with blocking the Software Update System Preferences pane via any method, and can produce unexpected behavior.
If you choose to use the Automatically Enforce New Updates option, the enforcement schedule is based on the release date of an update from Apple. For example, if you set the timeline to 2 weeks, but Apple hasn't released a new update in the last 2 weeks, at the next check-in, the Kandji agent would begin enforcing the latest available update because it's more than 2 weeks old. As a result, all of your out-of-date Mac computers would show the 30-minute countdown and require users to update and restart.
For that reason, if this is your first time enforcing a minimum macOS version on your fleet, Kandji strongly recommends using the Manually Enforce Minimum Version option and setting the enforcement deadline to at least 5 days away. That way, users with out-of-date Mac computers will start receiving update notifications 5 days before the enforcement deadline versus right away.
To learn more about configuring Managed OS, follow our configuration guide.
To avoid potential conflicts with the pre-downloading and caching of an update in Kandji before enforcement, if you're using Managed OS, we strongly recommend that you disable the automatic download of updates in any Software Update Library Items used in a Blueprint where Managed OS is also used.
To learn more about Managed OS, please see our other support articles:
Configuring Managed OS for macOS
User Experience with Managed OS for macOS