Managing Software Updates for macOS using Intune with all the shiny bells and whistles!

-

Every now and then I come across customers seeking advice on managing macOS devices. The most common ask is around keeping them patched and secured which usually tops the list of the requirements. When users install their own updates (instead of admins managing the updates), it can disrupt user productivity and business tasks. Lately, Intune has made huge strides in managing macOS devices as part of cross platform management in general. There are built-in policies in Intune that one can use to manage device updates, configure when devices are updated, and review the device update status.

Currently, there are mainly two ways to manage software updates for macOS using Intune -

1. DDM settings - Recommended on macOS 14.0 and newer devices, DDM is a new way to manage settings allowing installation of a specific update by an enforced deadline. The independent nature of DDM provides an improved user experience, as the device handles the entire software update lifecycle. It prompts users that an update is available and also downloads, prepares the device for the installation, & installs the update. 

2. MDM settings - Recommended on macOS 13 and older devices, software update policy can be used to manage when updates are installed, and a settings catalog policy to manage how updates are installed.

While Microsoft recommends using DDM over MDM settings on macOS 14+ devices, if you do end up using both, then there is a precedence order under which the settings will apply.

macOS precedence order:

1. Managed software updates (Settings catalog > Declarative Device Management > Software Update)
2. Update policies (Devices > Update policies for macOS)
3. Software updates (Settings catalog > System Updates > Software Update)

Note: If you configure managed software updates and also have other software update policies assigned, then it's possible the other update policies have no effect.

For all intent and purposes, I went ahead and created both managed and update policies as I wanted to lock down some of the update settings that I didn't want user to tamper with. Let's begin...

Managed Software Updates

DDM settings can be setup using settings catalog for macOS in Intune.

2. Browse to Devices –> Configuration
3. Click Create -> New Policy
4. Select Platform as macOS
5. Select Profile type as Settings catalog
6. Provide a Name and hit next.
7. Click on Add settings.
8. Configure the following -

Target Build Version - 23G80 (Note: The system uses the build version for testing during seeding periods. The build version can include a supplemental version identifier, for example, '20A242a'. If the build version isn't consistent with the target OS version specified in the 'TargetOSVersion' key, the target OS version takes precedence.)

Target Date Time (UTC) - 1/8/2024, 12:30:00 (Note: The time specified in the console will be converted to UTC based on the tenant location. In my case it is UTC +1.)

Target OS Version - 14.6 (Note: The time specified in the console will be converted to UTC based on the tenant location.)

Details URL - https://support.apple.com/en-us/HT214119 (Optional)

When you configure managed software updates, you might want to hide updates from users for a specified time period. To hide the updates, we use the same settings catalog policy that configures an update restriction. A restriction period gives you time to test an update before it's available to users. Here is all that I configured -


Software Updates Settings Catalog

As stated earlier under the precedence order, Software Updates settings can be setup using settings catalog for macOS to manage certain features. I configured some, but not all as I want DDM to take over for most part.

2. Browse to Devices –> Configuration
3. Click Create -> New Policy
4. Select Platform as macOS
5. Select Profile type as Settings catalog
6. Provide a Name and hit next.
7. Click on Add settings.
8. Configure the following -


Custom Attribute for macOS for inventory tracking (Optional)

While one can gather patching status through the "macOS update installation failures" device report, I realized that it didn't give me everything related to patching in one place. To address this, I decided to capture the patching details in a custom attribute for macOS. Here is a basic script I put together to gather the details -

#!/bin/sh
#set -x

macOS=$(system_profiler SPInstallHistoryDataType | grep -A 4 "macOS\|Security" | tail -5)
XProtectPayloads=$(system_profiler SPInstallHistoryDataType | grep -A 4 "XProtectPayloads\|Security" | tail -5)
XProtectPlistConfigData=$(system_profiler SPInstallHistoryDataType | grep -A 4 "XProtectPlistConfigData\|Security" | tail -5)

echo "Update History:" $macOS, $XProtectPayloads, $XProtectPlistConfigData

Next is to import it in Intune -

2. Go to Devices -> macOS -> Custom attributes for macOS -> Add.
3. Give a Name and a even a Description if needed.
5. Configure the following settings:


End Result

After the device checks in, the update settings will report as configured, managed and locked down.





Due to the deferral restrictions, the update will not be visible to the user until the deferral period has passed.



Once the deferral period has passed, user will see a prompt that the update is available and scheduled for install based on UTC calculation for the local time against the configured deadline time in the policy.


The update will be visible under General-> Software Updates together with custom details URL as shown below.


Once the update installs at the scheduled time, the device will report targeted OS version.


The custom attribute for macOS should populate the result as well.


Final thoughts..

Declarative device management is a game changer as it is an update to the existing protocol for device management that can be used in combination with the existing MDM protocol capabilities. Not only it allows the device to asynchronously apply settings and report status back to the MDM solution without constant polling, but also gives the organizations more confidence that devices are being patched and kept in desired state. The fact that a precedence order is established if multiple update settings are enforced, certainly allows more flexibility and options.

Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Configure CloudAPAuthEnabled to support Conditional Access in Google Chrome natively

-
Image
Starting with version 111 of Google Chrome, organizations can leverage conditional access policies natively using  CloudAPAuthEnabled . Before this release, Conditional access policies were only supported on Google Chrome by using additional extensions like Windows Accounts and Office Online . If you want to know more about the use of these extensions, then you can read all about it over here . Let's see the new policy involving  CloudAPAuthEnabled in a little detail and how can organization configure it using enterprise device management solutions. CloudAPAuthEnabled   is a setting that can be configured using the policy  Configures automatic user sign-in for accounts backed by a Microsoft® cloud identity provider .  By setting this policy to 1 (Enabled), users who sign into their computer with an account backed by a Microsoft cloud identity provider or who have added a work or school account to Microsoft Windows, can be signed into web properties using that identity automatical
Read more