Learn how to configure Managed OS for supervised iPhone, iPad, and Apple TV
This Library Item requires supervision.
Keeping the operating systems of a fleet of Apple devices up to date can be a lot of work if done interactively. Managed OS allows you to automate this work on your supervised devices without the need to send multiple MDM commands and prompts to users manually. Enable Managed OS for iOS, iPadOS, and tvOS, and Kandji will take care of the rest.
Enabling Managed OS in your Library
Deploying and enforcing an OS version is as easy as adding a Managed OS item to your library and assigning it to a Blueprint. Follow the steps below.
- Navigate to Library in the left-hand navigation bar.
- Select Add New in the upper right-hand corner.
- Scroll down to the Operating Systems section and select your desired OS.
Kandji supports adding the same Managed OS to your Library multiple times. This is useful when it's desired to configure differing settings for different Blueprints. For example, you can have Managed OS update devices automatically 1 week after Apple releases an update in one Blueprint, while having it do the same up to 3 months after the release in another. Labels are used to differentiate multiple copies of the same Managed OS. See below for additional information.
Configuring Managed OS
- Enter a Label to help differentiate this instance of Managed OS from others in your Library. These labels are not visible to end users, but are displayed throughout the Kandji admin interface.
- Assign the Managed OS to a Blueprint.
- On the configuration page, select an option for Version enforcement.
Available options include:
- Do Not Manage: This option will not manage OS updates.
- Automatically Enforce New Updates: This option allows you to pick a default time frame in which new updates will be enforced. This time frame is calculated based on the date Apple released the update.
- Manually Enforce Minimum Version: This option allows you to specify a minimum version of the OS that devices must be running, as well as the date by which users must update. Note: This minimum version determines whether Kandji should update the device. When updating, Kandji always installs the latest available version.
- If you select Manually Enforce Minimum Version—which we recommend if it's the first time you're managing OS updates for your devices—you will see the Minimum Version option to select an OS version to check for before Kandji enforces an update.
- Select an Enforcement deadline. This is the date by which the minimum OS version must be met or else an update will be enforced. Updates will be cached on user devices as soon as they are made available in Kandji.
- Select an Enforcement Time, which will be the exact time of day that the update is enforced; that enforcement time will be determined server-side based on the selected Enforcement Time Zone.
- Select an Enforcement Time Zone to determine when to enforce the update.
Under Rapid Security Response (RSR) Enforcement, select an option for RSR Enforcement. RSR is only supported on iOS and iPad OS. Available options include the following:
- None: RSR updates will not be enforced.
- Automatically enforce new RSR updates: If Automatically enforce is selected, the admin will need to choose the enforcement timeframe and local time for enforcement.
Select an Enforcement timeframe for Rapid Security Response updates.
- Select an Enforcement Time, which will be the exact time of day that the RSR update is enforced; the enforcement will be determined server-side based on the previously selected Enforcement Time Zone.
- Click Save.
Because Rapid Security Responses are only applicable for the latest OS, users will be required to first update to the latest OS version before an RSR can be enforced. RSR uses Declarative Device Management for enforcement.
Tip: If you want to enforce an update immediately, set the enforcement deadline to a date and time in the past.
Initial configuration recommendation
When you transition to using a Managed OS Library item, there’s a danger of immediately causing an interruption for devices that aren’t already up to date.
If this is the first time you are enforcing an OS version on your fleet, we recommend using the Manually enforce a minimum version option and setting the Enforcement deadline to at least 5 days later.
Imagine you apply a common configuration: Automatically Enforce New Updates with a 2-week enforcement deadline, and Apple released its last OS update more than 2 weeks ago. An iPhone that hasn’t applied that update will immediately require the user to update and restart.
Instead, if you applied a transitionary configuration (Manually Enforce Minimum Version with an enforcement deadline 5 days in the future), that iPhone will still be out of compliance, but the user will have 5 days to get in compliance.
After that 5-day transition period, you can configure the Managed OS library item to use Automatically Enforce New Updates with a 2-week enforcement deadline and your are set!
A Note About Passcodes
At the enforcement deadline, on iOS and iPadOS devices with a passcode, the security architecture of iOS and iPadOS requires users to be prompted for the update and to enter their passcodes.
On tvOS, and on iOS and iPadOS devices without passcodes, updates will be cached by Kandji and the update will be applied without user intervention at the enforcement deadline. For more details see User Experience with Managed OS for iOS and iPadOS.
To learn more about Managed OS for iOS, iPadOS and tvOS, please see our other support articles:
User Experience with Managed OS for iOS and iPadOS
OS update strategies: OS deferral Restriction and Managed OS