In an age where security and software updates are critical to keeping your fleet secure, it seems odd that such an easy-to-implement setting is missing from Intune/Microsoft Endpoint Manager as a native option.
Nevertheless, in this post I will provide a custom configuration profile that you can apply to macOS devices. The profile will apply the settings below to the macOS device.
- Automatically check for updates
- Download newly available updates in the background
- Automatically install macOS updates
- Automatically install App Store app updates
- Install XProtect, MRT & Gatekeeper updates automatically
- Install security updates automatically
- Delay the software updates from being installed by 7 days
Implementation
Below is the XML configuration for the settings listed in the section above, which enable software and security updates.
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>AllowPreReleaseInstallation</key>
            <false />
            <!-- Delay installation of software updates by 7 days -->
            <key>ManagedDeferredInstallDelay</key>
            <integer>7</integer>
            <key>PayloadDisplayName</key>
            <string>Software Update</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.SoftwareUpdate.4bb5aca5-cd0c-4562-bac4-e87c835b29cf</string>
            <key>PayloadType</key>
            <string>com.apple.SoftwareUpdate</string>
            <key>PayloadUUID</key>
            <string>de247aa4-10db-4f48-8dda-91aff64fcdfe</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <!-- An ampersand inside an XML string must be written as &amp; or the file is not well-formed -->
    <key>PayloadDisplayName</key>
    <string>macOS Automatic Software &amp; Security Updates</string>
    <key>PayloadIdentifier</key>
    <string>Software&amp;SecurityUpdates1.0.cf7e812a-9415-47e9-909b-f1560532d5ce</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>da7e79e8-6311-4266-9621-c1b7b3496893</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
```
- You will need to copy and paste the above configuration into a notepad file and rename its extension to .XML
- Navigate to Devices – Microsoft Endpoint Manager admin center and click on “Create Profile”
  - Platform – macOS
  - Profile Type – Templates
- Click on “Custom”
- Click “Create”

- Give the profile a name and description (if you wish) – “macOS Automatic Software & Security Updates” and click “Next”
- On the configuration settings page, configure the settings
  - Custom configuration profile name – “macOS Automatic Software & Security Updates”
  - Deployment Channel – “Device Channel”
  - Configuration Profile File – Upload the .XML
- You should then be able to see the contents of the XML in the read-only editor.




- Click next and scope the policy to the devices you require and validate that it is applying successfully.
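A pre-upload check for the profile file, added here as an example and not part of the original post: it confirms the file parses as a property list (a raw `&` in a string makes it malformed) and reports which of the settings listed at the top of the post have no enabled key in the `com.apple.SoftwareUpdate` payload. The setting-to-key mapping is this example's reading of Apple's SoftwareUpdate payload documentation, and `lint_profile` and the sample profile are constructed for illustration.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Setting from the post's list -> com.apple.SoftwareUpdate key.
# Assumption: mapping taken from Apple's SoftwareUpdate payload documentation.
EXPECTED = {
    "Automatically check for updates": "AutomaticCheckEnabled",
    "Download newly available updates in the background": "AutomaticDownload",
    "Automatically install macOS updates": "AutomaticallyInstallMacOSUpdates",
    "Automatically install App Store app updates": "AutomaticallyInstallAppUpdates",
    "Install XProtect, MRT & Gatekeeper updates automatically": "ConfigDataInstall",
    "Install security updates automatically": "CriticalUpdateInstall",
    "Delay the software updates from being installed": "ManagedDeferredInstallDelay",
}

# Constructed sample carrying the same SoftwareUpdate keys as the XML above.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "macOS Automatic Software & Security Updates",
    "PayloadContent": [{
        "PayloadType": "com.apple.SoftwareUpdate",
        "AllowPreReleaseInstallation": False,
        "ManagedDeferredInstallDelay": 7,
    }],
})

def lint_profile(data):
    """Return (parse_error, settings_not_enabled) for a profile given as bytes."""
    try:
        profile = plistlib.loads(data)
    except (ValueError, ExpatError) as exc:
        # Malformed XML, e.g. an unescaped "&" in a display name.
        return str(exc), list(EXPECTED)
    configured = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.SoftwareUpdate":
            configured.update(payload)
    # A key that is absent, false or 0 does not turn the setting on.
    missing = [name for name, key in EXPECTED.items() if not configured.get(key)]
    return None, missing

if __name__ == "__main__":
    error, missing = lint_profile(SAMPLE)
    print("parse error:", error)
    for name in missing:
        print("not enabled:", name, "->", EXPECTED[name])
```

To check a real file, pass its bytes, for example `lint_profile(open(path, "rb").read())`.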
And that is it, a custom configuration profile that will enable software and security updates on your macOS devices.
Happy implementing 🙂
Hi thanks for this!
Just wondering what do I need to edit to just get the following only:
-Automatically check for updates – enable
-Install security updates automatically
Thanks in advance
No problem Dylan, give this code below a shot. I haven't tested it so can't verify, but it should do the trick.
https://github.com/notbadtech/Intune-macos/blob/11018629d7c861f43d20c94c47dee4638266914f/Enable%26InstallSecurityUpdates
Thanks a bunch Omar. I will give it a shot and let you know how it goes.
Also if I may ask how do you go about creating these?
Hi.
Does the above XML work on all available macOS software out there in the wild?
Thank you
Hello! I’m having some issues with this when trying to deploy, can you help? Error reads:
ERROR CODE
0x87d1138a
ERROR DETAILS
iOS device has rejected the command due to incorrect format
Thanks in advance!
Are you applying this policy to iOS devices? This profile is for macOS Devices
Hi Omar, script looks awesome but I get the same errors as Adam does.
root\ccm\cimodels:CustomConfiguration.Key=’macOS Automatic Software & Security Updates’,Type=8 [root\ccm\cimodels:CustomConfiguration.Key=’macOS Automatic Software & Security Updates’,Type=8]
Error
-2016341110 (iOS device has rejected the command due to incorrect format)
Any insight on that?
Kind regards,
Willem
Hi, how can I check if the macOS updates are enabled via Graph Explorer?
Hi, I tested this XML and it seems to be working to update from macOS 11.6 to 11.6.5. Will test from other versions as well and update. Also a question: is it possible to target a specific update version (for example from 11.2.1 to 12.3 or similar)?
Hi. I have deployed the configuration successfully to a couple of devices, but how do I check if it is working on the Mac client? Anywhere I can see the settings are enforced?
Hello Omar,
What tool/software do you use to create these profiles? I would like to edit it, if possible, to only do the following:
• Automatically check for updates
• Download newly available updates in the background
• Automatically install macOS updates
• Install security updates automatically
• Delay the software updates from being installed by 7 days
Omar, great posting, very much appreciated.
I have tried this on current Monterey 12.3.1 devices and no configuration is flowing through.
Is the payload ID a changing value by chance?
Update: the profile shows as a success, it shows in the System Preferences > Profiles area as ‘verified’ and looks good with ‘delayed software update = 2 days’.
Maybe it has applied and I assumed it would appear as the appropriate ticks in the System Preferences > Software Updates > Advanced area?
If this helps others, I needed to tick all the boxes under System Preferences > Software Updates > Advanced
Following the XML here, it did not tick any box.
Following the Apple Developer page: https://developer.apple.com/documentation/devicemanagement/softwareupdate
you need to add ALL the properties.
Sorry, this comment box won't let me paste XML.
Msg me if you need help, even XML file verified, happy to help.
Is there a way to prompt a user before the updates are applied?
Hey,
So just to understand what you did: you grabbed the XML here, went to the Apple Developer page, added all the properties and called it a day?
@Jay: I edited the XML file from here and added AutomaticallyInstallAppUpdates and AutomaticallyInstallMacOSUpdates. ALL the boxes are checked now and these 2 are greyed out so users cannot uncheck. My Mac is still on 12.3.1 so not sure when it will automatically get the 12.4 update.
Hi Shane: Just to confirm, I added the following to Omar’s xml and now all the boxes are checked in System Preferences > Software Updates > Advanced
Should my macbook automatically get 12.4 as I’m seeing “An update is available for your Mac” however it’s not automatically updating. Am I missing something? Thanks!
AutomaticallyInstallAppUpdates
AutomaticallyInstallMacOSUpdates
Hi Shane, same as Thus above,
I added the missing lines to Omar’s xml and now all the boxes are checked and greyed out in System Preferences > Software Updates > Advanced
Should my macbook automatically get 12.5 as I’m seeing “An update is available for your Mac” however it’s not automatically updating. Am I missing something? Thanks!
AutomaticallyInstallAppUpdates
AutomaticallyInstallMacOSUpdates are both set to true in my xml:
Hello Shane, good day to you. I followed your suggestion and all the options are ticked, but the deferral does not seem to be working on my side. I set it to 1 day only and it's been weeks; the OS is still not updated and still shows that I need to click on Update Now. Is it possible to have a copy of the XML? I'd like to try that. Both your option and Omar's option combined work, and it's great we can do this, but only the deferral is not working on my side. Thanks!