Software update profile keys demystified

Note: At the moment I’m limited in my testing capabilities, so I can’t test more combinations of these profile keys. You can contact me via Slack @patrick_van_nerum if you think some info isn’t correct. I will update this blog post when I have additional testing capabilities and test results.

When macOS Monterey got released this week I noticed that my Big Sur laptop showed Monterey in the Software Update preference pane.
On an older test laptop with Catalina installed it didn’t show Monterey as an upgrade option. It turns out I had totally forgotten that with the release of macOS 11.3 Apple added additional software update and upgrade keys to the MDM restrictions payload. When Apple released those keys I was excited and asked my MDM provider to support them, as they are a major improvement for our classroom and laptop deployments. The ticket got closed with the message that it will be added in the near future. After this I totally forgot about it, as we don’t have any Big Sur clients in production yet. I’ve got everything in place for Big Sur now, but I’m probably going to skip that and deploy straight to Monterey soon, hoping to get a better update experience for our labs with the new software update MDM commands when my MDM provider makes them available.

To better understand all the existing and new keys I searched this Apple developer page: https://developer.apple.com/documentation/devicemanagement/restrictions and split them up into logical groups.

Apple just updated their Apple Platform Deployment with loads of information around this subject: https://support.apple.com/en-gb/guide/deployment/depc4c80847a/web


————————————————————————————————————————————————————————————————————————————————————————————————————————————
Major OS:

forceDelayedMajorSoftwareUpdates
If set to true, delays user visibility of major OS Software Updates.
Available in macOS 11.3 and later.
Default: false

enforcedSoftwareUpdateMajorOSDeferredInstallDelay
This restriction allows the admin to set how many days to delay a major software update on the device. When this restriction is in place the user sees a software update only after the specified delay after the release of the software update. This value controls the delay for forceDelayedMajorSoftwareUpdates.
Available in macOS 11.3 and later.
Default: 30
Minimum: 1
Maximum: 90

————————————————————————————————————————————————————————————————————————————————————————————————————————————
Minor OS:

forceDelayedSoftwareUpdates
If true, delays user visibility of software updates. In macOS, seed build updates are allowed, without delay. Requires a supervised device in iOS and tvOS.
The delay is 30 days unless enforcedSoftwareUpdateDelay is set to another value.
Available in iOS 11.3 and later, macOS 10.13 and later, and tvOS 12.2 and later.
Default: false

enforcedSoftwareUpdateMinorOSDeferredInstallDelay
This restriction allows the admin to set how many days to delay a minor OS software update on the device. When this restriction is in place the user sees a software update only after the specified delay after the release of the software update. This value controls the delay for forceDelayedSoftwareUpdates.
Available in macOS 11.3 and later.
Default: 30
Minimum: 1
Maximum: 90

enforcedSoftwareUpdateDelay (1/2)
Sets how many days to delay a software update on the device. With this restriction in place, the user doesn't see a software update until the specified number of days after the software update release date. This value is used by forceDelayedAppSoftwareUpdates and forceDelayedSoftwareUpdates.
Requires a supervised device in iOS and tvOS.
Available in iOS 11.3 and later, macOS 10.13.4 and later, and tvOS 12.2 and later.
Default: 30
Minimum: 1
Maximum: 90

————————————————————————————————————————————————————————————————————————————————————————————————————————————
Non OS:

forceDelayedAppSoftwareUpdates
If true, delays user visibility of non-OS Software Updates. Requires a supervised device.
Visibility of Operating System updates is controlled through forceDelayedSoftwareUpdates.
The delay is 30 days unless enforcedSoftwareUpdateDelay is set to another value.
Available in macOS 11 and later.
Default: false

enforcedSoftwareUpdateNonOSDeferredInstallDelay
This restriction allows the admin to set how many days to delay an app software update on the device. When this restriction is in place the user sees a non-OS software update only after the specified delay after the release of the software. This value controls the delay for forceDelayedAppSoftwareUpdates.
Available in macOS 11.3 and later.
Default: 30
Minimum: 1
Maximum: 90

enforcedSoftwareUpdateDelay (2/2)
Sets how many days to delay a software update on the device. With this restriction in place, the user doesn't see a software update until the specified number of days after the software update release date. This value is used by forceDelayedAppSoftwareUpdates and forceDelayedSoftwareUpdates.
Requires a supervised device in iOS and tvOS.
Available in iOS 11.3 and later, macOS 10.13.4 and later, and tvOS 12.2 and later.
Default: 30
Minimum: 1
Maximum: 90

Profiles and keys

Basically there are two software update restriction schemes, pre macOS 11.3 (starting from macOS 10.13) and post macOS 11.3, and each needs its own set of keys.

Pre macOS 11.3:

We only had one option: set a delay of 1 to 90 days for ALL Apple software updates and upgrades.
Here we only use these 2 keys from the list above:

  • forceDelayedSoftwareUpdates
  • enforcedSoftwareUpdateDelay

Post macOS 11.3:

We have 3 options, each of which you can set independently from 1 to 90 days:

  • Major upgrades, for example an upgrade from macOS Big Sur to macOS Monterey. Use these 2 keys from the list above:
    • forceDelayedMajorSoftwareUpdates
    • enforcedSoftwareUpdateMajorOSDeferredInstallDelay
  • Minor updates, for example macOS Big Sur 11.6.0 to 11.6.2. Use these 2 keys from the list above:
    • forceDelayedSoftwareUpdates
    • enforcedSoftwareUpdateMinorOSDeferredInstallDelay
  • Non OS updates, for example Safari. Use these 2 keys from the list above:
    • forceDelayedAppSoftwareUpdates
    • enforcedSoftwareUpdateNonOSDeferredInstallDelay
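
The two key sets above, turned into a small generator for a restrictions payload. This is an added example, not one of the profiles from the author's repo; com.apple.applicationaccess is Apple's Restrictions payload type, while the identifier com.example.swupdate.deferral, the display name and the function names are placeholders chosen here.

```python
import plistlib
import uuid

# Post-11.3 categories from the post: (force key, delay key).
POST_11_3 = {
    "major": ("forceDelayedMajorSoftwareUpdates",
              "enforcedSoftwareUpdateMajorOSDeferredInstallDelay"),
    "minor": ("forceDelayedSoftwareUpdates",
              "enforcedSoftwareUpdateMinorOSDeferredInstallDelay"),
    "non_os": ("forceDelayedAppSoftwareUpdates",
               "enforcedSoftwareUpdateNonOSDeferredInstallDelay"),
}


def _check_days(name, days):
    """Delays outside the documented 1-90 range are rejected, not clamped."""
    if isinstance(days, bool) or not isinstance(days, int) or not 1 <= days <= 90:
        raise ValueError(f"{name}: delay must be an integer from 1 to 90, got {days!r}")
    return days


def pre_11_3_keys(days):
    """One delay for all Apple updates and upgrades (the pre macOS 11.3 scheme)."""
    return {"forceDelayedSoftwareUpdates": True,
            "enforcedSoftwareUpdateDelay": _check_days("all", days)}


def post_11_3_keys(**delays):
    """Independent delays, e.g. post_11_3_keys(major=60, minor=30, non_os=30)."""
    keys = {}
    for category, days in delays.items():
        force_key, delay_key = POST_11_3[category]  # KeyError on unknown category
        keys[force_key] = True
        keys[delay_key] = _check_days(category, days)
    return keys


def build_profile(keys, identifier="com.example.swupdate.deferral"):
    """Wrap restriction keys in a configuration profile; returns plist XML bytes.
    The identifier and display name are placeholders, not values from the post."""
    def meta(ptype, ident):
        return {"PayloadType": ptype, "PayloadIdentifier": ident,
                "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1}
    payload = {**keys, **meta("com.apple.applicationaccess", identifier + ".restrictions")}
    profile = {**meta("Configuration", identifier),
               "PayloadDisplayName": "Software update deferral",
               "PayloadContent": [payload]}
    return plistlib.dumps(profile)
```

Writing the bytes returned by build_profile(post_11_3_keys(major=60, minor=30, non_os=30)) to a .mobileconfig file gives one profile carrying the three test deferrals used below.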

Testing:
I used a macOS 11.5.1 client to test. It should show or hide Monterey, macOS 11.6, macOS 11.6.1 and maybe a “Device Support Update”. I created 3 profiles with the delay set to more days than I will use in production. This was just for testing purposes! In production I will probably set Defer Minor and Non OS updates to 7 days.

  1. Defer Major upgrades 60 days
  2. Defer Minor updates 30 days
  3. Defer Non OS updates 30 days

You can download profile examples from my github repo: https://github.com/pnerum/profiles

In my testing scenarios the pre 11.3 profiles and the post 11.3 Major and Minor profiles all worked. Sometimes we needed a reboot before the newly pushed profile showed the results I expected. Only the Defer Non OS updates was a bit of a strange one. I suspect the “Device Support Update” or Safari 15.1 falls under this category. But when all 3 profiles were installed those updates were still presented.

Results:

When using no profile at all Software Update showed: macOS Monterey, macOS 11.6.1 and the “Device Support Update”


Only defer Major upgrades 60 days succeeded:

Only defer Minor updates 30 days succeeded by not showing macOS 11.6.1:

Defer Non OS updates failed?:

In my testing with macOS Big Sur 11.3+ deferring major Monterey, minor updates 11.6 from 11.1 and minor update 11.6.1 from 11.6 worked perfectly with the matching profiles. Even when I changed a defer minor profile from 90 to 30 days I noticed immediately in the Software update preference pane a change that I was expecting.

But defer Non OS updates seems a bit of a mystery. I couldn’t defer the “Device Support Update” and the Safari 15.1 update, even when all profiles were installed with a 90-day deferral. As Monterey has just been released I can’t test similar minor updates yet. The only clue we have is the updated documentation page:
