Intune – Enable Automatic Software & Security Updates for macOS

In the modern age, where security and software updates are critical to keeping your fleet secure, it seems odd that such an easy-to-implement setting is missing from Intune/Microsoft Endpoint Manager as a native setting that we should be able to configure.

Nevertheless, in this post I will provide a custom configuration profile that you can apply to macOS devices. The profile applies the settings below to the macOS device.

  • Automatically check for updates
  • Download newly available updates in the background
  • Automatically install macOS updates
  • Automatically install App Store app updates
  • Install XProtect, MRT & Gatekeeper updates automatically
  • Install security updates automatically
  • Delay the software updates from being installed by 7 days

Implementation

Below is the XML configuration for the settings listed in the section above, which enable software and security updates.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
	<dict>
		<key>PayloadContent</key>
		<array>
			<dict>
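				<key>AutomaticCheckEnabled</key>
				<true />
				<key>AutomaticDownload</key>
				<true />
				<key>AutomaticallyInstallMacOSUpdates</key>
				<true />
				<key>AutomaticallyInstallAppUpdates</key>
				<true />
				<key>ConfigDataInstall</key>
				<true />
				<key>CriticalUpdateInstall</key>
				<true />
				<key>AllowPreReleaseInstallation</key>
				<false />
				<key>ManagedDeferredInstallDelay</key>
				<integer>7</integer>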
				<key>PayloadDisplayName</key>
				<string>Software Update</string>
				<key>PayloadIdentifier</key>
				<string>com.apple.SoftwareUpdate.4bb5aca5-cd0c-4562-bac4-e87c835b29cf</string>
				<key>PayloadType</key>
				<string>com.apple.SoftwareUpdate</string>
				<key>PayloadUUID</key>
				<string>de247aa4-10db-4f48-8dda-91aff64fcdfe</string>
				<key>PayloadVersion</key>
				<integer>1</integer>
			</dict>
		</array>
		<key>PayloadDisplayName</key>
		<string>macOS Automatic Software &amp; Security Updates</string>
		<key>PayloadIdentifier</key>
		<string>Software&amp;SecurityUpdates1.0.cf7e812a-9415-47e9-909b-f1560532d5ce</string>
		<key>PayloadType</key>
		<string>Configuration</string>
		<key>PayloadUUID</key>
		<string>da7e79e8-6311-4266-9621-c1b7b3496893</string>
		<key>PayloadVersion</key>
		<integer>1</integer>
	</dict>
</plist>

  1. Copy and paste the above configuration into a Notepad file and rename its extension to .XML
  2. Navigate to Devices – Microsoft Endpoint Manager admin center and click on “Create Profile”
    • Platform – macOS
    • Profile Type – Templates
  3. Click on “Custom”
  4. Click “Create”
  5. Give the profile a name & description (if you wish) – “macOS Automatic Software & Security Updates” and click “Next”
  6. On the configuration settings page, configure the settings
    • Custom configuration profile name – “macOS Automatic Software & Security Updates”
    • Deployment Channel – “Device Channel”
    • Configuration Profile File – Upload the .XML
  7. You should then be able to see the contents of the XML in the read-only editor.
  8. Click “Next”, scope the policy to the devices you require, and validate that it is applying successfully.
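
An added example (not part of the original post): a Python check to run on the saved .XML file before uploading it, confirming that it parses as a plist and that its com.apple.SoftwareUpdate payload carries every setting listed at the top of the post. The expected key names are Apple's Software Update payload keys; the function names and the embedded sample profile are constructed for this example, with placeholder identifiers.

```python
import plistlib
import sys

# Expected values for the com.apple.SoftwareUpdate payload keys,
# one per setting listed in the post (assumption: Apple's payload key names).
EXPECTED = {
    "AutomaticCheckEnabled": True,
    "AutomaticDownload": True,
    "AutomaticallyInstallMacOSUpdates": True,
    "AutomaticallyInstallAppUpdates": True,
    "ConfigDataInstall": True,         # XProtect, MRT & Gatekeeper data
    "CriticalUpdateInstall": True,     # security updates
    "AllowPreReleaseInstallation": False,
    "ManagedDeferredInstallDelay": 7,  # days
}

def audit_profile(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means the profile matches."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # malformed XML or not a plist at all
        return [f"not a valid plist: {exc}"]
    content = profile.get("PayloadContent", []) if isinstance(profile, dict) else []
    payloads = [p for p in content if isinstance(p, dict)
                and p.get("PayloadType") == "com.apple.SoftwareUpdate"]
    if not payloads:
        return ["no com.apple.SoftwareUpdate payload found"]
    findings = []
    for key, want in EXPECTED.items():
        got = payloads[0].get(key, "<missing>")
        # bool is a subclass of int in Python, so compare the type as well
        if type(got) is not type(want) or got != want:
            findings.append(f"{key}: expected {want!r}, found {got!r}")
    return findings

def sample_profile(settings: dict) -> bytes:
    """Constructed test profile with placeholder identifiers (not real values)."""
    payload = {"PayloadType": "com.apple.SoftwareUpdate", "PayloadVersion": 1,
               "PayloadIdentifier": "example.placeholder.softwareupdate",
               "PayloadUUID": "00000000-0000-0000-0000-000000000001", **settings}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadContent": [payload]})

if __name__ == "__main__":
    # Usage: python audit_profile.py profile.XML (no argument audits the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_profile(EXPECTED)
    problems = audit_profile(data)
    print("\n".join(problems) or "profile matches the expected settings")
    sys.exit(1 if problems else 0)
```

A non-zero exit code means at least one setting is missing or has the wrong value or type, so the script can gate the upload step.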

And that is it, a custom configuration profile that will enable software and security updates on your macOS devices.

Happy implementing 🙂

2 Replies to “Intune – Enable Automatic Software & Security Updates for macOS”

  1. Hi thanks for this!

    Just wondering what do I need to edit to just get the following only:

    -Automatically check for updates – enable
    -Install security updates automatically

    Thanks in advance
