Intune – Enable Automatic Software & Security Updates for macOS

Security and software updates are critical to keeping your fleet secure, so it seems odd that such an easy-to-implement setting is missing as a native, configurable option in Intune/Microsoft Endpoint Manager.

Nevertheless, in this post I will provide a custom configuration profile that you can apply to macOS devices. The profile applies the settings below to the macOS device.

  • Automatically check for updates
  • Download newly available updates in the background
  • Automatically install macOS updates
  • Automatically install App Store app updates
  • Install XProtect, MRT & Gatekeeper updates automatically
  • Install security updates automatically
  • Delay the software updates from being installed by 7 days

Implementation

Below is the XML configuration for the settings listed in the section above, which enable software and security updates.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
	<dict>
		<key>PayloadContent</key>
		<array>
			<dict>
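				<!-- Automatically check for updates -->
				<key>AutomaticCheckEnabled</key>
				<true />
				<!-- Download newly available updates in the background -->
				<key>AutomaticDownload</key>
				<true />
				<!-- Automatically install macOS updates -->
				<key>AutomaticallyInstallMacOSUpdates</key>
				<true />
				<!-- Automatically install App Store app updates -->
				<key>AutomaticallyInstallAppUpdates</key>
				<true />
				<!-- Install XProtect, MRT & Gatekeeper updates automatically -->
				<key>ConfigDataInstall</key>
				<true />
				<!-- Install security updates automatically -->
				<key>CriticalUpdateInstall</key>
				<true />
				<key>AllowPreReleaseInstallation</key>
				<false />
				<!-- Delay the software updates from being installed by 7 days -->
				<key>ManagedDeferredInstallDelay</key>
				<integer>7</integer>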
				<key>PayloadDisplayName</key>
				<string>Software Update</string>
				<key>PayloadIdentifier</key>
				<string>com.apple.SoftwareUpdate.4bb5aca5-cd0c-4562-bac4-e87c835b29cf</string>
				<key>PayloadType</key>
				<string>com.apple.SoftwareUpdate</string>
				<key>PayloadUUID</key>
				<string>de247aa4-10db-4f48-8dda-91aff64fcdfe</string>
				<key>PayloadVersion</key>
				<integer>1</integer>
			</dict>
		</array>
		<key>PayloadDisplayName</key>
		<string>macOS Automatic Software &amp; Security Updates</string>
		<key>PayloadIdentifier</key>
		<string>Software&amp;SecurityUpdates1.0.cf7e812a-9415-47e9-909b-f1560532d5ce</string>
		<key>PayloadType</key>
		<string>Configuration</string>
		<key>PayloadUUID</key>
		<string>da7e79e8-6311-4266-9621-c1b7b3496893</string>
		<key>PayloadVersion</key>
		<integer>1</integer>
	</dict>
</plist>

  1. You will need to copy and paste the above configuration into a notepad file and rename its extension to .XML
  2. Navigate to Devices – Microsoft Endpoint Manager admin center and click on “Create Profile”
    • Platform – macOS
    • Profile Type – Templates
  3. Click on “Custom”
  4. Click “Create”
  5. Give the profile a name & description (if you wish) – “macOS Automatic Software & Security Updates” and click “Next”
  6. On the configuration settings page, configure the settings
    • Custom configuration profile name – “macOS Automatic Software & Security Updates”
    • Deployment Channel – “Device Channel”
    • Configuration Profile File – Upload the .XML
  7. You should then be able to see the contents of the XML in the read-only editor.
  8. Click next and scope the policy to the devices you require and validate that it is applying successfully.
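
A check you can run on the .XML file before uploading it, added here as an example and not part of the original post: it parses the profile with Python's plistlib and reports, for the com.apple.SoftwareUpdate payload, whether each setting from the list at the top of the post is present with the right type and value. The expected-value table and the sample profile are constructed for illustration; the key names are Apple's Software Update payload keys plus the ManagedDeferredInstallDelay key used in the profile above.

```python
import plistlib

# Settings from the post's bullet list mapped to Software Update payload keys.
EXPECTED = {
    "AutomaticCheckEnabled": True,             # check for updates
    "AutomaticDownload": True,                 # download in the background
    "AutomaticallyInstallMacOSUpdates": True,  # install macOS updates
    "AutomaticallyInstallAppUpdates": True,    # install App Store app updates
    "ConfigDataInstall": True,                 # XProtect, MRT & Gatekeeper data
    "CriticalUpdateInstall": True,             # security updates
    "AllowPreReleaseInstallation": False,
    "ManagedDeferredInstallDelay": 7,          # days, as in the post's profile
}

# Constructed sample with three typical mistakes: keys left out, a boolean
# written as <string>, and a value that contradicts the intended policy.
SAMPLE = b"""<?xml version="1.0" encoding="utf-8"?>
<plist version="1.0"><dict>
<key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.SoftwareUpdate</string>
  <key>AutomaticCheckEnabled</key><true/>
  <key>AutomaticDownload</key><string>true</string>
  <key>AllowPreReleaseInstallation</key><true/>
  <key>ManagedDeferredInstallDelay</key><integer>7</integer>
</dict></array>
<key>PayloadType</key><string>Configuration</string>
</dict></plist>"""

def audit_profile(data, expected=EXPECTED):
    """Return {key: (status, actual)} for the profile's Software Update payload."""
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.SoftwareUpdate"]
    if len(payloads) != 1:
        raise ValueError(f"expected 1 Software Update payload, found {len(payloads)}")
    report = {}
    for key, want in expected.items():
        got = payloads[0].get(key)
        if key not in payloads[0]:
            report[key] = ("missing", None)
        elif type(got) is not type(want):   # e.g. <string>true</string>
            report[key] = ("wrong-type", got)
        else:
            report[key] = ("ok" if got == want else "mismatch", got)
    return report

if __name__ == "__main__":
    for key, (status, actual) in audit_profile(SAMPLE).items():
        print(f"{status:<10} {key} = {actual!r}")
```

To check your own file, pass its bytes instead of the sample, for example `audit_profile(open("profile.xml", "rb").read())`, where the file name is a placeholder.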

And that is it, a custom configuration profile that will enable software and security updates on your macOS devices.

Happy implementing 🙂

20 Replies to “Intune – Enable Automatic Software & Security Updates for macOS”

  1. Hi thanks for this!

    Just wondering what do I need to edit to just get the following only:

    -Automatically check for updates – enable
    -Install security updates automatically

    Thanks in advance

      1. Thanks a bunch Omar. I will give it a shot and let you know how it goes

        Also if I may ask how do you go about creating these?

  2. Hello! I’m having some issues with this when trying to deploy, can you help? Error reads:

    ERROR CODE
    0x87d1138a
    ERROR DETAILS
    iOS device has rejected the command due to incorrect format

    Thanks in advance!

      1. Hi Omar, script looks awesome but I get the same errors as Adam does.

        root\ccm\cimodels:CustomConfiguration.Key=’macOS Automatic Software & Security Updates’,Type=8 [root\ccm\cimodels:CustomConfiguration.Key=’macOS Automatic Software & Security Updates’,Type=8]
        Error
        -2016341110 (iOS device has rejected the command due to incorrect format)

        Any insight on that?

        Kind regards,

        Willem

  3. Hi, I tested this XML and it seems to be working to update from macOS 11.6 to 11.6.5. Will test from other versions as well and update. Also a question: is it possible to target a specific update version (for example from 11.2.1 to 12.3 or similar)?

  4. Hi. I have deployed the configuration successfully to a couple of devices, but how do I check if it is working on the Mac client? Anywhere I can see the settings are enforced?

  5. Hello Omar,
    What tool/software do you use to create these profiles? I would like to edit it if possible to only do the following:
    • Automatically check for updates
    • Download newly available updates in the background
    • Automatically install macOS updates
    • Install security updates automatically
    • Delay the software updates from being installed by 7 days

  6. Omar, great posting, very much appreciated.
    I have tried this on current Monterey 12.3.1 devices and no configuration is flowing through.
    Is the payload ID a changing value by chance?

    1. Update: the profile shows as a success, it shows in the System Preferences > Profiles area as ‘verified’ and looks good with ‘delayed software update = 2 days’.
      Maybe it has applied and I assumed it would appear as the appropriate ticks in the System Preferences > Software Updates > Advanced area?

    1. Hey,
      So just to understand what you did, you grabbed the XML here, went to the Apple Developer page, added all the properties and called it a day?

      1. @Jay: I edited the xml file from here and added AutomaticallyInstallAppUpdates and AutomaticallyInstallMacOSUpdates. ALL the boxes are checked now and these 2 are greyed out so users cannot uncheck. My mac is still on 12.3.1 so not sure when it will automatically get the 12.4 update.

    2. Hi Shane: Just to confirm, I added the following to Omar’s xml and now all the boxes are checked in System Preferences > Software Updates > Advanced
      Should my macbook automatically get 12.4 as I’m seeing “An update is available for your Mac” however it’s not automatically updating. Am I missing something? Thanks!
      AutomaticallyInstallAppUpdates
      AutomaticallyInstallMacOSUpdates

      1. Hi Shane, same as Thus above,

        I added the missing lines to Omar’s xml and now all the boxes are checked and greyed out in System Preferences > Software Updates > Advanced
        Should my macbook automatically get 12.5 as I’m seeing “An update is available for your Mac” however it’s not automatically updating. Am I missing something? Thanks!
        AutomaticallyInstallAppUpdates
        AutomaticallyInstallMacOSUpdates are both set to true in my xml:

    3. Hello Shane, good day to you. I followed your suggestion and all the options are ticked, but the deferral does not seem to be working on my side. I set it to 1 day only and it's been weeks and the OS is still not updated, still showing that I need to click on update now. Is it possible to have a copy of the XML? I'd like to try that. Both your option and Omar's option combined work and it's great we can do this, but only the deferral is not working on my side. Thanks!
