In the modern age, where security and software updates are critical to keeping your fleet secure, it seems odd that such an easy-to-implement setting is missing from Intune/Microsoft Endpoint Manager as a native setting we can configure.
Nevertheless, in this post I will provide a custom configuration profile that you can apply to macOS devices. The profile will apply the settings below to the macOS device.
- Automatically check for updates
- Download newly available updates in the background
- Automatically install macOS updates
- Automatically install App Store app updates
- Install XProtect, MRT & Gatekeeper updates automatically
- Install security updates automatically
- Delay the software updates from being installed by 7 days
Below is the XML configuration of the settings that will be configured. These are the settings mentioned in the section above, which will enable software and security updates.
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>AllowPreReleaseInstallation</key>
            <false />
            <key>ManagedDeferredInstallDelay</key>
            <integer>7</integer>
            <key>PayloadDisplayName</key>
            <string>Software Update</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.SoftwareUpdate.4bb5aca5-cd0c-4562-bac4-e87c835b29cf</string>
            <key>PayloadType</key>
            <string>com.apple.SoftwareUpdate</string>
            <key>PayloadUUID</key>
            <string>de247aa4-10db-4f48-8dda-91aff64fcdfe</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <!-- A literal ampersand must be written as &amp; or the file is not valid XML -->
    <string>macOS Automatic Software &amp; Security Updates</string>
    <key>PayloadIdentifier</key>
    <string>Software&amp;SecurityUpdates1.0.cf7e812a-9415-47e9-909b-f1560532d5ce</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>da7e79e8-6311-4266-9621-c1b7b3496893</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
```
- You will need to copy and paste the above configuration into a notepad file and rename its extension to .XML
- Navigate to Devices – Microsoft Endpoint Manager admin center and click on “Create Profile”
  - Platform – macOS
  - Profile Type – Templates
- Click on “Custom”
- Click “Create”
- Give the profile a name & description (if you wish) – “macOS Automatic Software & Security Updates” and click “Next”
- On the configuration settings page, configure the settings
  - Custom configuration profile name – “macOS Automatic Software & Security Updates”
  - Deployment Channel – “Device Channel”
  - Configuration Profile File – Upload the .XML
- You should then be able to see the contents of the XML in the read-only editor.
- Click next and scope the policy to the devices you require and validate that it is applying successfully.
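A pre-upload check for the file, as an added example that is not part of the original post: it parses the profile as a plist, so a raw `&` in a string value is caught, and it reports any setting from the list above that has no matching key in the `com.apple.SoftwareUpdate` payload. The key names other than `ManagedDeferredInstallDelay` and `AllowPreReleaseInstallation` are assumed from Apple's Software Update payload documentation, and the sample profiles are constructed.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Wanted com.apple.SoftwareUpdate values, one per bullet in the post.
# ASSUMPTION: every key name except ManagedDeferredInstallDelay and
# AllowPreReleaseInstallation comes from Apple's Software Update payload
# documentation, not from this page.
EXPECTED = {
    "AutomaticCheckEnabled": True,             # check for updates
    "AutomaticDownload": True,                 # download in the background
    "AutomaticallyInstallMacOSUpdates": True,  # install macOS updates
    "AutomaticallyInstallAppUpdates": True,    # install App Store app updates
    "ConfigDataInstall": True,                 # XProtect, MRT, Gatekeeper data
    "CriticalUpdateInstall": True,             # security updates
    "ManagedDeferredInstallDelay": 7,          # 7-day deferral
    "AllowPreReleaseInstallation": False,      # no pre-release builds
}

def audit_profile(xml_bytes):
    """Return a list of findings; an empty list means the profile is as expected."""
    try:
        profile = plistlib.loads(xml_bytes)
    except (ExpatError, plistlib.InvalidFileException) as exc:
        # A raw '&' inside a <string> value ends up here.
        return [f"not a well-formed plist: {exc}"]
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.SoftwareUpdate"]
    if not payloads:
        return ["no com.apple.SoftwareUpdate payload found"]
    findings = []
    for key, want in EXPECTED.items():
        if key not in payloads[0]:
            findings.append(f"{key}: missing")
        elif payloads[0][key] != want or type(payloads[0][key]) is not type(want):
            findings.append(f"{key}: is {payloads[0][key]!r}, want {want!r}")
    return findings

def sample_profile(settings):
    """Build a constructed test profile (not the post's file) from a settings dict."""
    inner = dict(settings, PayloadType="com.apple.SoftwareUpdate")
    return plistlib.dumps({"PayloadContent": [inner],
                           "PayloadDisplayName": "Software & Security Updates",
                           "PayloadType": "Configuration"})

if __name__ == "__main__":
    partial = sample_profile({"AllowPreReleaseInstallation": False,
                              "ManagedDeferredInstallDelay": 7})
    for finding in audit_profile(partial):
        print(finding)
```

To check a real file, pass its bytes: `audit_profile(open(path, "rb").read())`. An empty list means every expected key is present with the expected value.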
And that is it, a custom configuration profile that will enable software and security updates on your macOS devices.
Happy implementing 🙂