Streamlining macOS Patch Management with Update Rings via Intune DDM policies
- Steffen Schwerdtfeger
- Aug 1
- 4 min read
Windows Update for Business uses update rings to test and gradually roll-out updates, supporting an automated patching process aligned with the Evergreen IT approach. Historically, patching macOS devices has been more challenging. However, with the introduction of Declarative Device Management, macOS and Microsoft Intune offer new capabilities for scheduling update installations. The goal is to segment users into "Insider/Beta", "Pilot" and "Broad" groups for a controlled roll-out.
Declarative Device Management (DDM)
DDM is a modern approach to manage devices where the desired state of a device is defined and communicated to it. Consequently, the device itself is responsible for achieving and maintaining that state. In short: This reduces the communication load between Intune and macOS via giving the device more "intelligence". Intune offers several settings via this modern way:

Software Update policies
For managing Software Updates, we will use the new DDM policies. So, old profiles/settings like the following are not needed any more:
Intune > Devices > macOS > macOS updates
Intune > Settings catalog > Software Update
Intune > Templates > Software updates
The new settings are offered via Settings catalog under category "Declarative Device Management (DDM):
Software Update Settings
General settings like allowing Beta program enrolment, enablement of Notifications, Deferrals and Rapid Security Response settings.
Enforce Latest Software Update Version
Updates devices to the latest version with a defined installation deadline.
Software Update
Pin devices to a specific OS version with a defined installation deadline.
In addition, DDM policies take precedence over legacy update configurations.
Update rings
For implementing different "rings", we will split our users into three groups:
Insider/Beta: can opt-in and test Beta releases
Pilot: receive the current version directly after release
Broad: receive the current version after testing with pilot group

Intune Configuration
General update settings
Our first policy will contain general update settings like allowing standard users to install updates, activation of automatic update downloads and enablement of Rapid Security Responses:
macOS - Default - Software Update - Settings
assigned to: All devices
Software Update Settings
Allow Standard User OS Updates: Allowed
Automatic Actions:
Download: AlwaysOn
Install OS Updates: Allowed
Install Security Update: Allowed
Rapid Security Response:
Enable: Enabled
Enable Rollback: Disabled
Notifications: Enabled
Automatically Install App Updates: True
Beta policy
For allowing our "Insider/Beta" group of users the enrolment to Beta channel, we exclude them from the following policy (while simultaneously restricting access for all other users). Since the default is "allowing" the Beta program, we are good to go:
macOS - Default - Software Update - Beta
assigned to: All users, exclude: Beta users group
Software Update Settings
Beta:
Program Enrollment: AlwaysOff
If desired, you could also consider creating an additional policy (scoped to the Beta users group) that sets "AlwaysOn" to enforce enrollment in the Beta program. In addition, you will need a token from Apple Business/School Manager.
Pilot policy
Out pilot users group should receive the latest version released by Apple directly:
macOS - Default - Software Update - OS Version - Latest
assigned to: Pilot users group
Software Update Enforce Latest
Enforce Latest Software Update Version: True
Delay In Days: 3
Install Time: e.g.: 17:00
So, once an update has been release by Apple, they will get it pushed with a installation deadline of 3 days.
Note, that "Delay In Days" is not a deferral period for the latest update (naming is misleading here). It is a "deadline for installation". Also note that the deadline is calculated based on the policy application date, not the Apple update release date. If a device remains offline for several days, the deadline will be extended.
Broad policy
You might think about using "Deferrals"... Wouldn't those settings be great for deferring updates for our broad users group?

The problem is that deferrals are overwritten by policies such as 'Software Update' or 'Enforce Latest Software Update Version'. As a result, the specified or latest version is offered immediately, bypassing any configured deferral period.
What about just using "Deferrals" for our broad ring? The downside is that we'd lose the ability to set an installation deadline
So, our broad users group will receive the desired OS version via this policy:
macOS - Default - Software Update - OS Version - Broad
assigned to: All users, exclude: Pilot users group
Software Update
Target OS Version: e.g. 15.5
Target Date Time: e.g.: xx/xx/xxxx, 17:00
Since, we cannot combine "Software Update Enforce Latest" with a deferral, we have to specify and update the desired version for our broad ring manually.
Hopefully, Microsoft will introduce a deferral option for "Software Update Enforce Latest" policy in future. This would enable a fully automated process without touching the OS version manually (e.g.: pilot policy with 0 days deferral, broad policy with 5 days deferral).
If desired, the broad ring can even be divided into multiple ones to achieve a more gradual rollout: Split this policy into multiple policies with different broad groups and adjust the target OS version step-by-step.
Update release flow
Admin
group your users into:
Beta users group
Pilot users group
all other users will automatically be in the broad ring
inform Beta users to opt-in for Beta program and test those versions
pilot users will automatically get the current version on the release day with enforcement after 3 days
if no issues occur: update the broad policy to the latest version after, for example, a 5-day delay
if issues occur: leave broad policy untouched until issues are resolved
End user experience
Users will automatically be informed via notifications. First one will appear once the update policy has been applied and an update is scheduled (displaying the deadline):

If the update installation reaches the deadline, users will see a countdown before the enforced restart:

If the deadline has been exceeded (e.g.: device turned off), it will try again on regular basis.
Policy download
Download the described policies as JSON to easily import them into Intune: