Learn what versions of macOS are compatible with Managed OS for macOS and how each works.
TABLE OF CONTENTS
- What Is Managed OS for macOS?
- Managed OS for macOS Compatibility and Installation Mechanisms
- Mac computers with Apple Silicon
- Mac computers with Intel
- Mac computers upgrading to macOS Monterey
- All Mac computers, macOS 11.4 or later
- Mac computers with Apple silicon, macOS earlier than 11.4
- Mac computers with Intel processors, macOS 11.2 through 11.3.1
- Mac computers with Intel processors, macOS 11 through 11.1
- Mac computers with Intel, macOS 10.14 through 10.15.7
- What Kind of macOS Updates Can I Manage?
- Deployment Consideration
What Is Managed OS for macOS?
Managed OS is a feature in Kandji that allows an admin to specify a minimum OS version a Mac must be running, and can enforce updating to the latest version if that minimum version is not met. This is all done with a simplicity similar to our Auto Apps feature.
Managed OS for macOS Compatibility and Installation Mechanisms
Managed OS for macOS compatibility varies by Mac computer architectures and macOS versions, and different installation mechanisms are used.
Mac computers with Apple Silicon
|Enforced macOS Managed OS Version|
|Current macOS Version||macOS Big Sur (11)||macOS Monterey (12)|
|Minor Updates for 11.X.X||Major Upgrades to 11.X.X||Minor Updates for 12.X.X||Major Upgrades to 12.X.X|
|11.0-11.3.1||Not Possible||Not Possible|
|11.4||MDM Commands||Not Possible|
|11.5-11.6.1||MDM Commands||MDM Commands|
Mac computers with Intel
|Enforced macOS Managed OS Version|
|Current macOS Version||macOS Mojave (10.14)||macOS Catalina (10.15)||macOS Big Sur (11)||macOS Monterey (12)|
|Minor Updates for 10.14.x||Major Upgrades to 10.14.x||Minor Updates for 10.15.X||Major Upgrades to 10.15.X||Minor Updates for 11.X.X||Major Upgrades to 11.X.X||Minor Updates for 12.X.X||Major Upgrades to 12.X.X|
|10.13-10.13.6||Startosinstall CLI||Startosinstall CLI||Startosinstall CLI||Startosinstall CLI|
|10.14-10.16||Combo Updater||Startosinstall CLI||Startosinstall CLI||Startosinstall CLI|
|10.15-10.15.7||Combo Updater||Startosinstall CLI||Startosinstall CLI|
|11.0-11.1||Not Possible||Startosinstall CLI|
|11.2-11.3.1||Softwareupdate CLI||Startosinstall CLI|
|11.4-11.6.1||MDM Commands||Startosinstall CLI|
Mac computers upgrading to macOS Monterey
Mac computers can have the macOS Monterey upgrade enforced. In these cases, the Kandji Agent will leverage MDM commands to install the macOS upgrade on Mac computers with Apple silicon running at least macOS 11.5 or later. Intel-based Mac computers will have the upgrade enforced by locally caching the full installer and executing the startosinstall binary.
Apple does not currently provide the ability for MDM to pre-cache a major macOS upgrade such as macOS Monterey using the DownloadOnly install action. This means that the Kandji agent is not able to cache the full installer prior to offering or enforcing the upgrade. Instead, the Kandji agent will leverage MDM commands to ensure the update is available and then issue the InstallASAP action once the user starts the upgrade or the enforcement timer reaches zero. This will download and install the upgrade in the same action, with can potentially result in long delays and user wait times.
All Mac computers, macOS 11.4 or later
Every Mac computer running a macOS version of 11.4 or later uses MDM commands to download and install macOS updates.
If a Mac computer already has an update cached (either by the user caching the update via System Preferences, the softwareupdate CLI, or automatic downloads being enabled via the Software Update Library Item), macOS may not accurately report this state to Kandji. As a result, we interpret multiple non-progressing downloads or failures as an indicator that the update is already cached. This process currently takes three hours, after which the Kandji Agent will move to enforce the update under that assumption.
Mac computers with Apple silicon, macOS earlier than 11.4
Mac computers with Apple silicon running a macOS version earlier than 11.4 will report as incompatible because the MDM commands to install software updates from MDM were broken in these versions of macOS. Additionally, the softwareupdate CLI tool cannot be leveraged to silently update macOS on Apple silicon devices.
Mac computers with Intel processors, macOS 11.2 through 11.3.1
Intel-based Mac computers running a version of macOS later than 11.2 but earlier than 11.4 can have minor macOS updates enforced. In these cases, the Kandji Agent leverages the softwareupdate CLI tool to download and install the updates. Note that the softwareupdate CLI the Kandji Agent leverages on these versions of macOS can have reliability issues and may require two or three attempts to download an update successfully.
Mac computers with Intel processors, macOS 11 through 11.1
Intel-based Mac computers running these versions contain a bug in macOS that prevents the softwareupdate CLI and MDM software update commands from silently installing macOS updates correctly. Managed OS for macOS will report Intel-based Mac computers running these versions of macOS as incompatible.
Mac computers with Intel, macOS 10.14 through 10.15.7
Intel-based Mac computers running macOS 10.14 through 10.15.7 can have minor OS updates (such as 10.15.0 to 10.15.7) enforced by the Kandji Agent installing Apple combo updater packages. Intel-based Mac computers running these versions of macOS can be upgraded to macOS 12 (Monterey) by the Kandji Agent leveraging the startosinstall binary within a macOS full installer. The latest available installer within Kandji is always used.
What Kind of macOS Updates Can I Manage?
With Managed OS for macOS, Kandji allows you to enforce a minimum OS version. This provides support for upgrading for both minor updates (such as 10.15.1 to 10.15.4) and major macOS upgrades (such as macOS Catalina 10.15.4 to macOS Monterey 12.3).
This feature does not support downgrading macOS versions, and does not support supplemental updates offered to macOS versions prior to macOS Big Sur.
If this is your first time enforcing a minimum macOS version on your fleet, we very strongly recommend using the Manually Enforce Minimum Version option and setting the enforcement deadline to at least 5 days away. Users will start receiving update notifications 5 days prior to the enforcement deadline.
If you choose to use the Automatically Enforce New Updates option and set it to 2 weeks (as an example), and Apple hasn't released an update in the last 2 weeks, at the next check-in, all of your macOS devices will show the 30-minute countdown immediately, requiring users to update and restart. To learn more about configuring Managed OS, follow our configuration guide.
To avoid potential conflicts with the pre-downloading and caching of an update in Kandji before enforcement, if you're using Managed OS, Kandji strongly recommends that you disable the automatic download of updates in any Software Update Library Items used in any Blueprint where Managed OS is also used.