blog.dataJAR

Did somebody mention macOS updates?

macOS updates

So, it is 2023 and what is the hot topic in the Apple world? Nice new shiny M2 devices? New Apple features? The Apple Vision Pro? I am afraid we are all still talking about macOS updates. 

Following on from last year’s WWDC event, Apple is focusing on delivering security updates, such as Rapid Security Responses. Whilst we have seen an initial test of these, we are yet to see the finished article.

So what is the current state of play? 

The only recommended approach is to use Mobile Device Management (MDM) commands to deliver these updates. Without a doubt, MDM is the way to go in terms of managing Apple devices, but a significant obstacle remains when managing updates at scale. Whilst an end user can go ahead and update their system themselves from a manual check, a prompt or even a nudge, if they are not the Volume Owner or an administrator of the system they may be prompted to enter an admin password.

The challenge of the admin prompt:

Being a Volume Owner (the first user who logged in to the device) will allow a user to authorise macOS updates via System Settings > Software Update. However, certain Apple upgrades or updates will still require administrator privileges. In environments that do not grant users local administrator rights, for security, compliance or business reasons, this means that IT must touch every single device in order to keep it updated. This defeats the very purpose of centralised device management and automation. 

Apple’s documentation on volume ownership tells us that:

It is possible to be a volume owner and not be an administrator, but certain tasks require checking the ownership of both. For example, modifying startup security settings requires being both an administrator and a volume owner, while authorising software updates is allowed by standard users and only requires ownership.

Forcing updates:

Of course, the functionality to send Mobile Device Management (MDM) commands to managed computers, forcing them to download and install updates, does exist. However, there are several requirements that will need to be met by managed devices in order for the end user to have a successful update applied.

Requirements for forced updates:
  • Intel Mac with macOS 11 (Big Sur) or above
  • Apple Silicon Mac with macOS 11 (Big Sur) or above, with a Bootstrap Token escrowed
  • a 2013 model or older cannot run macOS Monterey (except the 2013 Mac Pro)
  • more than 49 GB of space remaining
  • more than 50% of battery power
  • ensuring that the device is plugged into power when the installation action takes place
On Apple Silicon in particular:
  • No Bootstrap Token – lack of this prevents updates via MDM push but can be fixed without wiping.
  • No Volume Owner – Being a Volume Owner allows users to authorise macOS updates via System Settings > Software Update.  The first user to log in to a Mac is the Volume Owner. The Mac will need to be wiped and rebuilt if no Volume Owner exists.
  • The Mac needs to be online to receive the update command.
  • The Mac must not shut down while the update/upgrade command is executing.
  • The update/upgrade command could time out due to the network conditions or the Apple software update servers being busy at that time.
In addition…

Apple Support indicates it can take up to five hours after sending the update command for the Mac to begin downloading the update in the background while it negotiates with Apple’s software update servers. With the above-mentioned approach, it is worth noting that the update can therefore land at any time. This is another challenge when trying to ensure compliance at scale.

As long as all of the criteria have been met, this workflow looks to be our best approach, and with the advent of Rapid Security Responses and the new MDM framework coming in Sonoma, Apple is continuing to build on it.
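To make the checklist above actionable, here is a pre-flight script added for this post (it is not dataJAR’s own tooling) that reads each requirement off a Mac with the standard command-line tools and reports PASS or FAIL per item, so an admin can see why an update command is likely to fail before sending it. The thresholds are the ones listed above; the command output formats assumed are those of sw_vers, profiles, diskutil, df and pmset as they appear on current macOS. The parsers are kept separate from the live commands so they can be exercised with canned output on any system, and the Bootstrap Token and Volume Owner checks only run on Apple silicon. Run it with sudo on the Mac in question, as the profiles query needs root.

```shell
#!/bin/bash
# Pre-flight check for MDM-driven macOS updates.
# Added example for this post, not dataJAR's own tooling. It reads the
# requirements listed above off the Mac so an admin can see why an update
# command is likely to fail *before* sending it. Thresholds come from the
# list above; output formats are those of the macOS tools named.
# Run with sudo: `profiles status -type bootstraptoken` needs root.

MIN_FREE_GB=49
MIN_BATTERY_PCT=50

# Every parser reads the tool's output on stdin and returns 0 (ok) or 1
# (not ok), so the logic can be exercised with canned text on any system.

# `sw_vers -productVersion` -> e.g. 13.4.1; macOS 11 or later is required.
macos_version_ok() {
  awk -F. 'NR == 1 && $1 >= 11 { ok = 1 } END { exit !ok }'
}

# `profiles status -type bootstraptoken` prints, among other lines:
#   profiles: Bootstrap Token escrowed to server: YES
bootstrap_token_escrowed() {
  grep -q 'Bootstrap Token escrowed to server: YES'
}

# `diskutil apfs listUsers /` lists cryptographic users as blocks such as:
#   +-- 2457F7E5-1F7C-4A40-B13A-F3D4EC6A3ACB
#   |   Type: Local Open Directory User
#   |   Volume Owner: Yes
# $1 is the user's GeneratedUID (`dscl . -read /Users/<name> GeneratedUID`).
volume_owner_for_guid() {
  awk -v guid="$1" '
    /^[+]-- / { cur = toupper($2) }
    cur == toupper(guid) && /Volume Owner: Yes/ { found = 1 }
    END { exit !found }'
}

# `df -g /` -> a header line, then the root filesystem; column 4 is free GB.
free_space_ok() {
  awk -v min="$MIN_FREE_GB" 'NR == 2 && $4 > min { ok = 1 } END { exit !ok }'
}

# `pmset -g batt` -> "Now drawing from 'AC Power'" (or 'Battery Power'),
# then on laptops an -InternalBattery- line carrying the percentage.
on_ac_power() {
  grep -q "Now drawing from 'AC Power'"
}
battery_ok() {   # desktops print no percentage and pass automatically
  awk -v min="$MIN_BATTERY_PCT" '
    match($0, /[0-9]+%/) { pct = substr($0, RSTART, RLENGTH - 1) + 0; seen = 1 }
    END { exit (seen && pct <= min) }'
}

failures=0
report() {   # $1 = label, $2 = exit status of the check
  if [ "$2" -eq 0 ]; then echo "PASS  $1"; else echo "FAIL  $1"; failures=$((failures + 1)); fi
}

preflight() {
  local user guid
  user="$(stat -f %Su /dev/console)"                                   # console user
  guid="$(dscl . -read "/Users/$user" GeneratedUID | awk '{ print $2 }')"

  sw_vers -productVersion | macos_version_ok;  report "macOS 11 or later" $?
  df -g / | free_space_ok;                     report "more than ${MIN_FREE_GB} GB free" $?
  pmset -g batt | battery_ok;                  report "battery above ${MIN_BATTERY_PCT}%" $?
  pmset -g batt | on_ac_power;                 report "connected to mains power" $?
  if [ "$(sysctl -n hw.optional.arm64 2>/dev/null)" = "1" ]; then       # Apple silicon only
    profiles status -type bootstraptoken | bootstrap_token_escrowed
    report "Bootstrap Token escrowed to MDM" $?
    diskutil apfs listUsers / | volume_owner_for_guid "$guid"
    report "$user is a Volume Owner" $?
  fi
  [ "$failures" -eq 0 ]
}

# Live checks only make sense on macOS; elsewhere the parsers are still callable.
if [ "$(uname -s)" = "Darwin" ]; then
  preflight
fi
```

A clean run only tells you the Mac is in a state to accept the command; it does nothing about the negotiation with Apple’s update servers or the timing of the install itself. A FAIL on the Bootstrap Token line is recoverable by re-escrowing the token, whereas a FAIL on the Volume Owner line for every local user means the Mac will need to be wiped and rebuilt, exactly as the list above says.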

Download now, update later.

In addition to the force update and install method, we can leverage Mobile Device Management (MDM) commands to download the macOS update to the end user’s device allowing them to update at a later date. 

This option will present the end user with the following choices:

  • Install Now: Download the update and install it immediately.
  • Try Tonight: Download now and install later. If the user selects this option, the Mac picks the best time to install based on machine learning over the last 21 days of usage data; in practice this is roughly between 2:00 am and 4:00 am, but it is not guaranteed to fall in that window.
  • Remind Me Tomorrow: Defers the update until the next day.

This approach pre-authorises the update so that a non-admin can apply it manually, and the install can happen at a time that is convenient for the end user.

Whilst forcing an update might not work for every organisation, this can be as much a communication problem as a technical one. Keeping an open dialogue with your end users, and making them aware that you will be pushing these updates, is key.

Finally, it is about empowering the IT admin to understand the toolkit they have at their disposal. This will, in the end, help them to better communicate with their colleagues and users. 

Useful links:

Update macOS on a Mac (Apple):
https://support.apple.com/en-us/HT201541

If an error occurs while updating or installing macOS (Apple): https://support.apple.com/en-gb/HT212526

Mac models with the Apple T2 Security Chip (Apple): https://support.apple.com/en-gb/HT208862

Manage macOS updates with Mobile Device Management (MDM) (Apple): https://support.apple.com/en-gb/HT211951

Manage software updates for Apple devices (Apple): https://support.apple.com/en-gb/guide/deployment/depc4c80847a/web

Use secure token, bootstrap token and volume ownership in deployments (Apple): https://support.apple.com/en-gb/guide/deployment/dep24dbdcf9e/web