Streamlining macOS Patch Management with Update Rings via Intune DDM policies

Windows Update for Business uses update rings to test and gradually roll-out updates, supporting an automated patching process aligned with the Evergreen IT approach. Historically, patching macOS devices has been more challenging. However, with the introduction of Declarative Device Management, macOS and Microsoft Intune offer new capabilities for scheduling update installations. The goal is to segment users into "Insider/Beta", "Pilot" and "Broad" groups for a controlled roll-out.

Declarative Device Management (DDM)

DDM is a modern approach to manage devices where the desired state of a device is defined and communicated to it. Consequently, the device itself is responsible for achieving and maintaining that state. In short: This reduces the communication load between Intune and macOS via giving the device more "intelligence". Intune offers several settings via this modern way:

Software Update policies

For managing Software Updates, we will use the new DDM policies. So, old profiles/settings like the following are not needed any more:

• Intune > Devices > macOS > macOS updates

• Intune > Settings catalog > Software Update

• Intune > Templates > Software updates

The new settings are offered via Settings catalog under category "Declarative Device Management (DDM):

• Software Update Settings

  • General settings like allowing Beta program enrolment, enablement of Notifications, Deferrals and Rapid Security Response settings.

• Enforce Latest Software Update Version

  • Updates devices to the latest version with a defined installation deadline.

• Software Update

  • Pin devices to a specific OS version with a defined installation deadline.

In addition, DDM policies take precedence over legacy update configurations.

Update rings

For implementing different "rings", we will split our users into three groups:

• Insider/Beta: can opt-in and test Beta releases

• Pilot: receive the current version directly after release

• Broad: receive the current version after testing with pilot group

Intune Configuration

General update settings

Our first policy will contain general update settings like allowing standard users to install updates, activation of automatic update downloads and enablement of Rapid Security Responses:

• macOS - Default - Software Update - Settings

  • assigned to: All devices

  • Software Update Settings

    • Allow Standard User OS Updates: Allowed

    • Automatic Actions:

      • Download: AlwaysOn

      • Install OS Updates: Allowed

      • Install Security Update: Allowed

    • Rapid Security Response:

      • Enable: Enabled

      • Enable Rollback: Disabled

    • Notifications: Enabled

  • Automatically Install App Updates: True

Beta policy

For allowing our "Insider/Beta" group of users the enrolment to Beta channel, we exclude them from the following policy (while simultaneously restricting access for all other users). Since the default is "allowing" the Beta program, we are good to go:

• macOS - Default - Software Update - Beta

  • assigned to: All users, exclude: Beta users group

  • Software Update Settings

    • Beta:

      • Program Enrollment: AlwaysOff

If desired, you could also consider creating an additional policy (scoped to the Beta users group) that sets "AlwaysOn" to enforce enrollment in the Beta program. In addition, you will need a token from Apple Business/School Manager.

Pilot policy

Out pilot users group should receive the latest version released by Apple directly:

• macOS - Default - Software Update - OS Version - Latest

  • assigned to: Pilot users group

  • Software Update Enforce Latest

    • Enforce Latest Software Update Version: True

      • Delay In Days: 3

      • Install Time: e.g.: 17:00

So, once an update has been release by Apple, they will get it pushed with a installation deadline of 3 days.

Broad policy

You might think about using "Deferrals"... Wouldn't those settings be great for deferring updates for our broad users group?

What about just using "Deferrals" for our broad ring? The downside is that we'd lose the ability to set an installation deadline

So, our broad users group will receive the desired OS version via this policy:

• macOS - Default - Software Update - OS Version - Broad

  • assigned to: All users, exclude: Pilot users group

  • Software Update

    • Target OS Version: e.g. 15.5

    • Target Date Time: e.g.: xx/xx/xxxx, 17:00

Hopefully, Microsoft will introduce a deferral option for "Software Update Enforce Latest" policy in future. This would enable a fully automated process without touching the OS version manually (e.g.: pilot policy with 0 days deferral, broad policy with 5 days deferral).

If desired, the broad ring can even be divided into multiple ones to achieve a more gradual rollout: Split this policy into multiple policies with different broad groups and adjust the target OS version step-by-step.

Update release flow

Admin

• group your users into:

  • Beta users group

  • Pilot users group

  • all other users will automatically be in the broad ring

• inform Beta users to opt-in for Beta program and test those versions

• pilot users will automatically get the current version on the release day with enforcement after 3 days

  • if no issues occur: update the broad policy to the latest version after, for example, a 5-day delay

  • if issues occur: leave broad policy untouched until issues are resolved

End user experience

Users will automatically be informed via notifications. First one will appear once the update policy has been applied and an update is scheduled (displaying the deadline):

If the update installation reaches the deadline, users will see a countdown before the enforced restart:

If the deadline has been exceeded (e.g.: device turned off), it will try again on regular basis.

Policy download

Download the described policies as JSON to easily import them into Intune: