Configuring Managed OS for macOS

By Corey Willis

Learn how to configure Managed OS for macOS for your supervised device fleet

Enabling Managed OS for macOS in your Library

Deploying and enforcing an OS version is as easy as adding an OS to your library and assigning it to a Blueprint. Follow the steps below.

  1. Navigate to Library in the left-hand navigation bar.
  2. Select Add New in the upper right-hand corner.
  3. Scroll down to the Operating Systems section and select your desired OS.
Kandji supports adding the same Managed OS to your Library multiple times. This is useful when it's desired to configure differing settings for different Blueprints. For example, you can make a Managed OS automatically upgrade devices in one Blueprint while having it be available in Self Service in another. Labels are used to differentiate multiple copies of the same Managed OS. See below for additional information.

Configuring Managed OS for macOS

Note: Managed OS for macOS is not compatible with blocking the Software Update System Preferences pane via any method, and doing so can produce unexpected behavior.
  1. Enter a Label to help differentiate this instance of Managed OS for macOS from others in your Library. These labels are not visible to end users, but are displayed throughout the Kandji admin interface.
  2. Assign the Managed OS to a Blueprint.
  3. Configure how upgrade installations of this major version of macOS should be enforced. Continuously Enforce will automatically initiate an upgrade on older versions of macOS, or users can upgrade on their own if you choose Install on-demand from Self Service. This is an option that can easily be differentiated between Blueprints by making additional copies of the same Managed OS for macOS. (Add unique and descriptive labels to help you identify them.)
  4. Under Updates, select an option for Version Enforcement. Available options include the following:

    • Do Not Manage: This option will not manage OS updates. Note: This cannot be selected if you've chosen to Continuously Enforce upgrades, as it determines the schedule and conditions for upgrading as well.
    • Automatically Enforce New Updates: You will also select a Time frame in which new updates will be enforced.
    • Manually Enforce Minimum Version: Specify the minimum version a device should be running and the Enforcement Deadline date by which users must update. If a device is already running an OS version greater than the minimum that you specify, no updates will be enforced.

      Automatically Enforce New Updates and Manually Enforce a Minimum Version set a minimum OS version, or "floor," for which to compare a device's OS version to determine if it should update. The floor is automatically calculated based on the date Apple releases an update. When updating, Kandji always installs the latest available version of macOS that is approved by Kandji (which is displayed in the upper-right-hand corner of the Library Item).

      When a new update is released in Kandji, it will be automatically cached on your users’ devices as soon as it is available. Users will be notified of the pending installation after the macOS installer is successfully cached. They will continue to be notified each day leading up to enforcement. The Kandji menu app displays rounded days (so if an update will be enforced in 7.6 days, 8 days is displayed).

  5. Select an Enforcement Deadline.

  6. Select an Enforcement Time, which will be the exact time of day that the update is enforced; the enforcement will be determined server-side based on the selected Enforcement Time Zone.

  7. Select an Enforcement Time Zone to determine when to enforce the update. This is only for upgrades from macOS 13 and earlier.

  8. Under Rapid Security Response (RSR) Enforcement, select an option for RSR Enforcement. Available options include the following:

    • None: RSR updates will not be enforced.
    • Automatically enforce new RSR updates: If Automatically enforce is selected, the admin will need to choose the enforcement timeframe and local time for enforcement.
  9. Select an Enforcement timeframe for Rapid Security Response updates.

  10. Select an Enforcement Time, which will be the exact time of day that the RSR update is enforced; the enforcement will be determined server-side based on the previously selected Enforcement Time Zone.
  11. Click Save.

Because Rapid Security Responses are only applicable for the latest OS, users will be required to first update to the latest OS version before an RSR can be enforced. RSR uses Declarative Device Management for enforcement.

If this is your first time enforcing an OS version on your fleet, we recommend using the Manually Enforce Minimum Version option and setting the enforcement deadline to at least 5 days later. Otherwise, if you select the Automatically Enforce New Updates option and set it to 2 weeks (as an example), and Apple hasn’t released an update in the last two weeks, all of your devices will immediately require users to update and restart.

As of Nov 29, 2023, Kandji uses DDM for Managed OS for macOS Sonoma, iOS 17, and iPadOS 17 and later.

To learn more about Managed OS for macOS, please see our other support articles:

Managed OS for macOS Compatibility and Installation Mechanisms
User Experience with Managed OS for macOS