OS Update Strategies: OS Deferral Restriction and Managed OS

By Andrew Merrick

How to best use Managed OS in combination with software update deferral

Kandji's Managed OS Library Item, which automates operating system updates, and software update deferral, which controls the OS updates that are offered to users, can be used together to great effect on your supervised devices.

A good way to understand this interaction is to see Managed OS as setting the minimum OS version and software update deferral as setting the maximum for your fleet.

Software update deferral controls what users can see when updating their device themselves or through automatic updates. If an OS version is less than X days old (X being a value between 1 and 90), the user will not see it. Setting this ceiling helps to ensure that your users' devices are not running an OS version you've not had time to test in your environment. They will only be offered the latest OS updates that comply with the deferral policy that you set.

To learn more about testing OS releases, please see our blog post:
How and Why You Should Be Testing Apple's Next Operating Systems Now

Software update deferral relies on the user to update their device on time, but it cannot force them to do so; this is where Managed OS becomes useful.

Managed OS monitors your fleet and will catch any devices that are not being kept up to date. It caches updates locally, prompts users to update, and executes the update. As an admin, you can set a minimum version (or floor) that your devices must respect.

Consider the following example:

  • You set software update deferral to 30 days, giving you a month to test new Apple releases.
  • You also set Managed OS to apply new updates automatically 3 months after Apple releases them.

So your OS update "ceiling" is 30 days, and your floor is 90 days.

With such a strategy, your users can update their devices independently while you have a month to validate and approve OS updates for production. If users let their devices drift for 90 days, Managed OS will take care of bringing them into compliance. This strategy balances the needs of all stakeholders and provides your organization with a secure deployment.

Your users can be confident their devices are staying compliant without impacting their productivity, while you can be comfortable knowing that you are balancing the needs of the organization and your users.
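The 30-day ceiling and 90-day floor described above can be modelled to audit a device inventory. The following Python sketch is an added example, not Kandji code or a Kandji API: the release history, device names, audit date, and the `window` and `classify` helpers are constructed for illustration, and the floor is assumed to be the newest version released at least 90 days ago.

```python
from datetime import date

DEFERRAL_DAYS = 30  # ceiling from the example: software update deferral
ENFORCE_DAYS = 90   # floor from the example: Managed OS enforcement delay

# Constructed release history (placeholder versions and dates, not Apple data).
RELEASES = {
    "1.0": date(2024, 1, 10),
    "1.1": date(2024, 3, 5),
    "1.2": date(2024, 5, 20),
    "1.3": date(2024, 6, 25),
}

def vkey(version):
    """Turn '1.10' into (1, 10) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def newest_at_least(releases, today, days):
    """Newest version released at least `days` days before `today`, or None."""
    old_enough = [v for v, d in releases.items() if (today - d).days >= days]
    return max(old_enough, key=vkey) if old_enough else None

def window(releases, today):
    """Return (floor, ceiling) versions for the 30/90 strategy."""
    return (newest_at_least(releases, today, ENFORCE_DAYS),
            newest_at_least(releases, today, DEFERRAL_DAYS))

def classify(device_version, releases, today):
    """Place one device relative to the floor and ceiling."""
    floor, ceiling = window(releases, today)
    v = vkey(device_version)
    if floor and v < vkey(floor):
        return "below-floor"      # Managed OS would bring it into compliance
    if ceiling and v > vkey(ceiling):
        return "above-ceiling"    # on a release still inside the deferral period
    if ceiling and v < vkey(ceiling):
        return "update-offered"   # compliant; a tested update is visible
    return "current"

if __name__ == "__main__":
    today = date(2024, 7, 1)  # constructed audit date
    print("floor, ceiling:", window(RELEASES, today))
    for name, ver in [("mac-01", "1.0"), ("mac-02", "1.1"),
                      ("mac-03", "1.2"), ("mac-04", "1.3")]:
        print(name, ver, classify(ver, RELEASES, today))
```

Devices reported as `above-ceiling` are the ones to look at first when validating a release, since they are already running a version your testing period has not yet cleared.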

When using Managed OS for macOS/iOS/iPadOS, a deferral set via a Software Update Library Item or a Restrictions Library Item is not recognized by updates deployed through Managed OS.

To learn more about deferring updates and Managed OS, please see our other support articles:
Delay and Enforce OS Updates
Configuring Managed OS for iOS, iPadOS and tvOS
Configuring Managed OS for macOS