Kandji offers powerful tools to manage operating system (OS) updates on your supervised Apple devices. By combining software update deferral and Managed OS, you can ensure devices stay secure and compliant while minimizing disruptions.
Think of these features as working together:
Managed OS Sets the minimum OS version your devices should be running.
Software Update Deferral: Sets the maximum OS version offered to users.
Understanding Software Update Deferral
Software update deferral gives you control over which OS updates are offered to users when they update their devices manually or through automatic updates. By setting a deferral period (between 1 and 90 days), you prevent users from immediately installing the latest OS releases. This "ceiling" allows you to test new OS versions in your environment before they're widely deployed, ensuring compatibility and stability. Users will only see updates that fall within your defined deferral policy.
Example: If you set a 30-day deferral, users won't see an update until 30 days after its release.
Learn about the importance of testing OS releases in our blog post: How and Why You Should Be Testing Apple's Next Operating Systems Now
The Role of Managed OS
While software update deferral relies on users to update their devices, Managed OS ensures compliance by enforcing a minimum OS version. Managed OS proactively monitors your fleet, identifies devices running outdated software, caches updates locally, prompts users to update, and can even automatically execute the update process. This acts as a "floor," guaranteeing that all devices meet your specified OS requirements.
Combining Software Update Deferral and Managed OS
Let's say you implement the following strategy:
Software Update Deferral: Set to 30 days. This gives you a one-month window to test new Apple releases.
Managed OS: Configured to automatically apply new updates three months (90 days) after Apple releases them.
In this scenario, your OS update "ceiling" is 30 days, and your "floor" is 90 days.
Users can update their devices independently, knowing they're getting vetted releases.
You have a month to validate and approve OS updates for production.
If users neglect updates for more than 90 days, Managed OS automatically brings them into compliance.
This strategy balances user autonomy with organizational security, providing a secure and productive environment. Users benefit from compliant devices without impacting their workflow, while administrators gain peace of mind knowing the organization's needs are met.
Understanding Software Update Declarations and MDM
It's important to understand how software update declarations interact with traditional MDM commands and profiles. While both can coexist, software updates enforced by declarations will always take precedence over MDM commands and profiles. Keep this in mind when designing your overall OS update strategy to avoid unexpected behavior.
Important Considerations When Using Managed OS
When using Managed OS for macOS, iOS, or iPadOS, be aware that any deferral settings configured via a Software Update Library Item or Restrictions Library Item will be ignored by updates deployed through Managed OS.