
How to Deploy Software Updates to macOS Devices with Declarative Device Management using Microsoft Intune

Topics: Intune, Security and Compliance, Systems Management

You are all familiar with buzzwords like CoPilot, AI, and LLM. Well, I have another one for you: DDM, which stands for Declarative Device Management. According to Apple, DDM updates the existing device management protocol by allowing devices to apply settings asynchronously and report their status back to the MDM without constant polling. 

Consider the traditional update process: when a computer needs to install updates, it frequently checks the update server for new releases, which can slow the system and consume resources. With DDM, you can provide a predefined list of updates and enforce a deadline, allowing the device to install updates automatically without constant server checks. This reduces the load on both the device and the server. Best of all, the process is significantly faster. 

Also, if you want to learn more about software updates for macOS devices, watch one of Benjamin Flamm’s Microsoft Technical Takeoff videos.

What’s Required?  

IT admins do not need to enable Declarative Device Management, as it is available within Configuration Profiles. However, to use DDM configurations, devices must be running macOS 14.0 or later. 

Scenario 

In this scenario, I will focus on deploying software updates with DDM using a targeted version and date. I will also review the Software Update Enforce Latest section introduced in Service Release 2503, which enables automatic upgrades of macOS devices without manual version entry. 

Step-by-Step Guide to Configuring Manual Software Updates with Declarative Device Management 

Let’s fire up Microsoft Intune and get started. Go to Intune > Devices > macOS > Configuration > +Create.  

Intune Devices Blade

macOS Configuration

Create Configuration Profile

Next, create a profile by selecting macOS as the Platform and Settings catalog as the Profile type. Once complete, click Create.

Profile Type

In the Basics section, provide a Name and Description for your policy. You may use the following test values: 

Name: macOS – DDM Updates. 
Description: This policy delivers software updates using Declarative Device Management.

Declarative Device Management - Create Profile

Click +Add settings to open the settings picker. Fortunately, DDM is easy to find: select Declarative Device Management (DDM).

Declarative Device Management - Settings

When you open the drop-down menu, several DDM configurations appear. In this scenario, we will focus on Software Update and Software Update Settings to target a specific OS version and enforce a deadline. Click Software Update to view its four subcategory settings, which will appear on the left side of your screen. 

Declarative Device Management - Options

Declarative Device Management - Software Updates

Before closing, select Software Update Settings. Choose the necessary subcategory options—you won’t use all of them, but I will cover most. Once you have made your selections, click the X in the top right corner to configure the settings. 

Declarative Device Management - Profile Config

The settings may not appear in the same order, so please verify the sequence. First, configure Notifications. Hover over the info icon to see the tooltip: when enabled, the device displays all software update enforcement notifications; when disabled, notifications appear only one hour before the enforcement deadline. I prefer full communication, so I set it to Enabled.

Tooltip

Next, configure Rapid Security Response. This section enables rapid security responses on devices and allows end users to roll back those responses if necessary. I have set both options to Enabled.

Rapid Security Response

Next, configure Deferrals to control when users can view new updates. Although deferred updates remain hidden, enforced updates will override this setting. For example, if Version 2 is released today but you want to delay visibility for 7 days to allow time for testing or adjustments, set the deferral period to 7 days. For this demonstration, I will set all deferral options to 0. 

Declarative Device Management - Deferrals

In the next section, Automatic Actions, you can control whether end users are allowed to download updates by selecting Allowed, Always On, or Always Off. You can also choose to allow Standard User OS Updates, which lets non-admin end users perform major and minor software updates. In my example, I have set all options to Allowed.

Declarative Device Management - Automatic Actions

Finally, configure Software Update settings—a crucial step for enforcing updates properly. The following options are available: 

  • Details URL: This optional field displays update details. You might add, for example, Apple’s release notes for further information.
  • Target Build Version: Specify the target build number; in this example, it is 24D81.
  • Target Date Time: Select the date and time for update enforcement. If the device does not update manually before this time, the update will be forced. In this example, I have set it to 6:00 PM CST, ensuring enforcement at the local 6:00 PM.
  • Target OS Version: Choose the desired OS version from the drop-down menu; for instance, in this example, I have selected 15.3.2.

Software Update Settings

Once your configuration is complete, deploy the policy and review the end user experience. Click Next to set your assignments. 

End User Experience 

Current Update Settings: Before 6 PM, the device is running version 15.3.1. 

Apple VM

After DDM Configuration Assignment: Once the update was released, it was applied to the device within minutes, and the end user received a notification. The management profile displays the details specified in the DDM configuration.

VM OS Info

Post-6 PM update. 

Apple VM Info

You might ask: what about automatic updates? Return to Microsoft Intune and open the settings catalog under Declarative Device Management to find the Software Update Enforce Latest option.

Declarative Device Management - Settings Picker

Instead of manually setting versions and builds, you can enforce the latest software update available for the device model. You can also set a delay (in days) before a deadline is enforced after a new update is released by Apple. Finally, specify the installation time, noting that a 24-hour clock format is used. 
 
In my example, the policy automatically enforces the latest update version after a 7-day delay at 18:00 local time. 

Declarative Device Management - Configuration Settings
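To make the relationship between these Intune fields and what the device actually receives concrete, here is an added Python example (not code from this post, from Intune, or from Apple) that builds the two Apple DDM declarations behind the settings above: the settings declaration (Notifications, Rapid Security Response, Deferrals, Automatic Actions, Standard User OS Updates) and the specific enforcement declaration (Target OS Version, Target Build Version, Target Date Time, Details URL). It sanity-checks the values before they go into a profile, flags a deadline that is already in the past, and computes the Enforce Latest deadline from a release date, delay and 24-hour install time. The declaration type identifiers and key names follow Apple's published DDM schema; that Intune emits exactly these declarations is an assumption, as are the 0-90 day deferral range and the calendar date attached to the post's 6:00 PM deadline.

```python
"""Constructed example: build and sanity-check the Apple DDM declarations that
correspond to the Intune Software Update settings. Not Intune's own code;
Intune generates its declarations server-side."""
import json
import re
from datetime import date, datetime, time as dt_time, timedelta

SETTINGS_TYPE = "com.apple.configuration.softwareupdate.settings"
ENFORCEMENT_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"

# Values from the walkthrough (15.3.2 / 24D81 / 6:00 PM local). The calendar
# date is constructed; the post only states the time of day.
PAGE_TARGET_OS = "15.3.2"
PAGE_TARGET_BUILD = "24D81"
PAGE_DEADLINE_LOCAL = "2025-03-19T18:00:00"

_VERSION_RE = re.compile(r"^\d+(\.\d+){1,2}$")       # e.g. 15.3.2
_BUILD_RE = re.compile(r"^\d{2}[A-Z]\d+[a-z]?$")      # e.g. 24D81, 24D5055b
_DOWNLOAD_VALUES = ("Allowed", "AlwaysOn", "AlwaysOff")


def settings_declaration(notifications=True, rsr_enabled=True, rsr_rollback=True,
                         deferral_days=0, download="Allowed",
                         allow_standard_user_updates=True):
    """Payload mirroring the Notifications, Rapid Security Response, Deferrals
    and Automatic Actions sections of the Intune profile."""
    if download not in _DOWNLOAD_VALUES:
        raise ValueError(f"Download must be one of {_DOWNLOAD_VALUES}")
    if not 0 <= deferral_days <= 90:  # assumed schema range of 0-90 days
        raise ValueError("deferral period must be 0-90 days")
    return {
        "Type": SETTINGS_TYPE,
        "Payload": {
            "Notifications": notifications,
            "RapidSecurityResponse": {"Enable": rsr_enabled,
                                      "EnableRollback": rsr_rollback},
            "Deferrals": {"CombinedPeriodInDays": deferral_days,
                          "MajorPeriodInDays": deferral_days,
                          "MinorPeriodInDays": deferral_days},
            "AutomaticActions": {"Download": download},
            "AllowStandardUserOSUpdates": allow_standard_user_updates,
        },
    }


def enforcement_declaration(target_os, deadline_local, build=None, details_url=None):
    """Payload mirroring the Software Update section: Target OS Version,
    Target Build Version, Target Date Time and Details URL."""
    if not _VERSION_RE.match(target_os):
        raise ValueError(f"bad TargetOSVersion: {target_os!r}")
    if build is not None and not _BUILD_RE.match(build):
        raise ValueError(f"bad TargetBuildVersion: {build!r}")
    # TargetLocalDateTime carries no zone designator: the device enforces at
    # that wall-clock time wherever it is, which is why 6:00 PM means local 6:00 PM.
    if deadline_local.endswith("Z") or datetime.fromisoformat(deadline_local).tzinfo:
        raise ValueError("TargetLocalDateTime must not carry a time zone")
    payload = {"TargetOSVersion": target_os, "TargetLocalDateTime": deadline_local}
    if build:
        payload["TargetBuildVersion"] = build
    if details_url:
        if not details_url.startswith("https://"):
            raise ValueError("DetailsURL should use https")
        payload["DetailsURL"] = details_url
    return {"Type": ENFORCEMENT_TYPE, "Payload": payload}


def deadline_status(deadline_local, now_local):
    """'future' while the deadline can still be met; 'past' means the update
    is enforced as soon as the declaration lands, which is rarely intended."""
    deadline = datetime.fromisoformat(deadline_local)
    return "future" if deadline > datetime.fromisoformat(now_local) else "past"


def enforce_latest_deadline(release_date_iso, delay_days=7, hour=18, minute=0):
    """Enforce Latest rule: <Apple release date + delay days> at the configured
    24-hour local time, returned as a local ISO timestamp."""
    release = date.fromisoformat(release_date_iso)
    due = datetime.combine(release + timedelta(days=delay_days), dt_time(hour, minute))
    return due.strftime("%Y-%m-%dT%H:%M:%S")


if __name__ == "__main__":
    print(json.dumps(settings_declaration(), indent=2))
    print(json.dumps(enforcement_declaration(PAGE_TARGET_OS, PAGE_DEADLINE_LOCAL,
                                             build=PAGE_TARGET_BUILD), indent=2))
    print(deadline_status(PAGE_DEADLINE_LOCAL, "2025-03-19T17:59:00"))
    print(enforce_latest_deadline("2025-03-12", delay_days=7, hour=18))
```

The two checks worth keeping even if you never script this are the zone-free deadline and the past-deadline test: a deadline that has already passed when the declaration reaches the device is enforced immediately, with none of the notification lead time the Notifications setting is meant to provide.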

Conclusion: Software Updates Deployed to macOS Devices using Declarative Device Management in Microsoft Intune    

Declarative Device Management streamlines the update process by reducing manual steps and ensuring that macOS devices stay secure and up to date. With Microsoft Intune, IT admins can enforce targeted update deadlines while minimizing network strain.  

Thank you for following along. I hope you found this guide helpful. I am excited about the potential of these Microsoft Intune features. 
