Intune + macOS: Enforcing software updates by a specific time using DDM
Tuesday, April 8, 2025
Intune has offered software update management for macOS 14 and newer via declarative device management (DDM) for some time now. However, until recently, the administrator had to update the OS Version String of an existing policy or create a new policy every time Apple released a new software update. This was impractical. Microsoft has heard this feedback and has added a new DDM setting that allows an administrator to take a set and forget approach to software update management for Mac devices. For example: if you specify that updates should be installed at 13:00, then whenever Apple releases an update, that update will be installed at 13:00.
The new DDM setting is called “Software Update Enforce Latest”, and can be added from the Settings Catalog Settings picker (Intune > Devices > macOS > New Policy > Settings Catalog). You’ll need to set three values for this feature to work:
-
True or false to enable or disable the feature
-
Delay In Days, which specifies after how many days the update will be forcibly installed
-
Install Time, which specifies in a 24-hour format when the update will be installed. Note that you must add leading zeroes for single digit hours (e.g. 06:00). The time set is relative to the device’s local time.
Note that automatic downloading of updates must be enabled for this to work. This can be done by adding the Automatic Actions category and setting the value of Download to AlwaysOn.
If users are Standard Users as opposed to Administrators on their Macs, then “Allow Standard User OS Updates” must also be enabled.
Once you have configured the setting, all that’s left it to assign it. Note that you cannot apply assignment filters to DDM policies.
To verify whether the policy has been received by the device, you’ll need to dive into System Settings > General > Device Management > Management Profile. With the Management Profile opened, scroll down until you see “Software Update”. This DDM Payload contains the settings you configured in Intune.
As for the user experience: the user will receive a native macOS notification informing them of a pending update. They will be given the choice to install the update then or to defer until later.
Additionally, the update will also be visible from within System Settings with an explanatory text accompanying it.
Once the deadline is reached, the Mac will start a countdown timer from 60 seconds until 0, and forcefully reboot the device to install the update. In case the deadline was missed (due to the Mac being in sleep mode, for example) a grace period of 1 hour will be extended to the device.
In case something is not working as expected, you can inspect the logs generated on the device in Console.app. You can query the log stream on macOS devices by searching for “softwareupdated” of type “Process”. Or you can inspect the install.log for values set by the MDM. Bonus tip: you can run sudo softwareupdate -ia from a Terminal application and then capture the events in Console.app to gain insight as to what is happening with the softwareupdated daemon process.
