OS Update Strategies: OS Deferral Restriction and Managed OS

By Andrew Merrick

How to best use Managed OS in combination with software update deferral

Kandji's Managed OS Library Item, which automates operating system updates, and software update deferral, which controls which OS updates are offered to users, can be used together to great effect on your supervised devices.

A good way to understand this interaction is to see Managed OS as setting the minimum OS version and software update deferral as setting the maximum for your fleet.

Software update deferral controls what a user can see when updating their device themselves or through automatic updates. Until an OS version has been available for X days (X being a value between 1 and 90), the user will not see it. Setting this ceiling helps to ensure that your users' devices are not running an OS version you have not had time to test in your environment. They will only be offered the latest OS updates that comply with the deferral policy that you set.

To learn more about testing OS releases, please see our blog post:
How and Why You Should Be Testing Apple's Next Operating Systems Now

Software update deferral relies on the user to update their device in a timely fashion, but it cannot force them to do so; this is where Managed OS becomes useful.

Managed OS monitors your fleet and will catch any devices that are not being kept up to date. It will cache updates locally, prompt users to update, and execute the update. So as an admin, you can set a minimum version (or floor) that your devices must respect.

For example:

  • You set software update deferral to 30 days, giving you a month to test new Apple releases.
  • You also set Managed OS to apply new updates automatically 3 months after Apple releases them.

So your OS update "ceiling" is 30 days old and your floor 90 days old.

With such a strategy, your users are given the opportunity to update their devices by themselves while at the same time giving you a month to validate and approve OS updates for production. And if users let their devices drift all the way to 90 days, Managed OS will take care of bringing them into compliance. This strategy balances the needs of all stakeholders and provides your organization with a secure deployment.
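The window described above can be modelled to audit a fleet. This is an added example, not Kandji's code or API: it computes the floor and ceiling for a given day from release dates and places each device relative to them. The release history, device names, audit date and function names are constructed for illustration.

```python
from datetime import date, timedelta

DEFERRAL_DAYS = 30   # software update deferral: the ceiling
ENFORCE_DAYS = 90    # Managed OS enforcement delay: the floor

# Constructed release history (version -> release date), not real Apple dates.
RELEASES = {(1, 0): date(2024, 1, 10), (1, 1): date(2024, 3, 1),
            (1, 2): date(2024, 5, 20), (1, 3): date(2024, 6, 10)}

# Constructed inventory (device name -> installed version).
FLEET = {"mac-01": (1, 0), "mac-02": (1, 1), "mac-03": (1, 2), "mac-04": (1, 3)}

def newest_at_least(releases, today, days):
    """Newest version released at least `days` days before `today`, else None."""
    cutoff = today - timedelta(days=days)
    eligible = [v for v, released in releases.items() if released <= cutoff]
    return max(eligible) if eligible else None

def update_window(releases, today):
    """Return (floor, ceiling) for `today`."""
    return (newest_at_least(releases, today, ENFORCE_DAYS),
            newest_at_least(releases, today, DEFERRAL_DAYS))

def classify(version, floor, ceiling):
    """Place one device relative to the window."""
    if floor is not None and version < floor:
        return "below floor: Managed OS enforces the update"
    if ceiling is not None and version < ceiling:
        return "in window: update offered to the user"
    if ceiling is None or version > ceiling:
        return "above ceiling: version still deferred"
    return "at ceiling: current"

def audit(fleet, releases, today):
    """Map each device name to its status on `today`."""
    floor, ceiling = update_window(releases, today)
    return {name: classify(v, floor, ceiling) for name, v in fleet.items()}

if __name__ == "__main__":
    today = date(2024, 6, 25)  # constructed audit date
    print("floor, ceiling:", update_window(RELEASES, today))
    for name, status in audit(FLEET, RELEASES, today).items():
        print(name, "->", status)
```

Devices reported above the ceiling are running a version that is still inside the deferral period, which is worth reviewing because that version has not yet cleared your test window.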

Your users can be confident their devices are staying compliant without impacting their productivity, while you can be comfortable in the knowledge that you are balancing the needs of the organization and of your users.

When using Managed OS for macOS/iOS/iPadOS, a deferral set via a Software Update Library Item or a Restrictions Library Item will not be recognized by updates deployed through Managed OS.

To learn more about deferring updates and Managed OS, please see our other support articles:
Delay and Enforce OS Updates
Configuring Managed OS for iOS, iPadOS and tvOS
Configuring Managed OS for macOS