Jamf Pro's Managed Software Updates with Apple's MDM & DDM Commands

Updated this week

Description

The goal of this article is to provide context for understanding Apple's remote MDM and DDM Software Update workflows, executed from Jamf Pro using Managed Software Updates. Please see the OS Updates Rubric attached to this article for more information regarding install action commands, OS compatibility, MDM update keys, and expected behavior.


Apple Commands for OS Updates and Upgrades

The remote MDM command options we can utilize in Jamf Pro's Managed Software Updates (and Jamf Pro Mass Action OS Updates) are limited to the ScheduleOSUpdate command keys created and maintained by Apple for the different install and deferral actions for macOS.

Each install-related action for the ScheduleOSUpdate command has different compatibility with regard to minor updates and major OS upgrades. For example, the keys InstallForceRestart and MaxUserDeferrals are only compatible with minor updates (macOS 14.x to 14.y), whereas the key InstallASAP is compatible with major upgrades (macOS 13 to macOS 14).

This is stated for the MaxUserDeferrals key in Apple's MDM Dev Guide but not for the InstallForceRestart key or the InstallASAP key. We were able to determine and confirm expected behavior for the InstallForceRestart and InstallASAP keys through testing and finding additional mentions of the expected behavior outside of Apple's MDM Dev Guide.

For example, in the “Deploying macOS Monterey” video from Apple, it is stated that the InstallASAP key is the install action that should be used for major macOS upgrades via MDM. In turn, this means that the InstallForceRestart key cannot be used for major OS upgrades, which we have confirmed by testing the key with minor OS updates and major OS upgrades. All MDM & DDM keys and their Managed Software Updates commands are outlined below, for clarity.


MDM Keys from Apple's Documentation

  • DownloadOnly is compatible with iOS 9 and later, macOS 11 and later, and tvOS 12 and later.

  • InstallASAP is compatible with iOS/iPadOS 9 and later, macOS 10.11 and later, and tvOS 12 and later.

  • NotifyOnly is compatible with macOS 10.11 and later.

  • InstallLater is only compatible with macOS 10.11 and later.

  • InstallForceRestart is only compatible with macOS 11 and later.

  • MaxUserDeferrals is only supported when used with the InstallLater key, and is only supported for minor OS updates.

DDM SoftwareUpdateEnforcementSpecific Keys

  • TargetBuildVersion is compatible with iOS/iPadOS 17 and later, macOS 14 and later.

  • TargetLocalDateTime is compatible with iOS/iPadOS 17 and later, macOS 14 and later.

  • TargetOSVersion is compatible with iOS/iPadOS 17 and later, macOS 14 and later.


Jamf Pro Managed Software Updates Install Actions and Corresponding Keys

| Install action | Apple MDM & DDM keys | Compatible OS |
| --- | --- | --- |
| Download Only | DownloadOnly, NotifyOnly | iOS/iPadOS 9+, macOS 11+, tvOS 12+ |
| Download and Install | InstallASAP | iOS/iPadOS 9+, macOS 11+, tvOS 12+ |
| Download and Schedule to Install | TargetBuildVersion, TargetLocalDateTime, TargetOSVersion | iOS/iPadOS 17+, macOS 14+ |
| Download, Install, and Allow Deferral | InstallLater, MaxUserDeferrals | macOS 10.11+ |
| Download, Install, and Restart | InstallForceRestart, MaxUserDeferrals | macOS 11+ |


Since MaxUserDeferrals, InstallLater, and InstallForceRestart are macOS only, iOS and iPadOS cannot use the Jamf Pro install actions "Download, install, and allow deferral" or "Download, install, and restart". Additionally, when using "Download Only" with iOS/iPadOS, trying to use the sub-option "Notify Only" will fail too, since that is also macOS only.

However, because iOS/iPadOS is compatible with Apple's new DDM keys, they can use the Jamf Pro install action "Download and Schedule to Install" — this would be the recommended alternative for iOS for the "Download, install, and allow deferral" and "Download, install, and restart" install actions.


Target Versions and Behavior

As noted previously, which version/latest update options work with each install action type depends on the context and the starting OS, so there isn't a hard rule to fall back to for some of the install action and target version combinations. If the latest OS version available for the given device is a major upgrade, like macOS 13 to macOS 14, then the upgrade will be using a full macOS installer which utilizes the local InstallAssistant application on macOS. InstallAssistant apps can only be installed by MDM when the InstallASAP key is used by the Install Action, as noted in the Apple video about Monterey, so that is how InstallASAP and InstallForceRestart differ.

Latest Version Available & Latest Major Version

For both the "Latest Version Available" and "Latest Major Version" options in Jamf Pro, the computer will ping Apple servers to see what OS updates are available for it and then choose the highest possible version it is compatible with as the option to download, even if it is a major OS jump (such as macOS 13 to macOS 14).

If the highest compatible version is a jump to the next major OS, then the Jamf Pro install action "Download, Install, and Restart" will fail when combined with these target version options because of the InstallForceRestart key. So if we know a computer or computer group is eligible for a major OS upgrade, then we need to use the Jamf Pro install actions "Download Only" or "Download and Install" which contain the InstallASAP key.

Latest Minor Version Process

The server asks the device for available updates and the device sends back a response list of what it has available. Then that list is compared to the currently installed/known version of OS on the device to decide if it should update or not. For example, if a computer is running macOS 13.x, it will only report back available updates in the 13.x series as being eligible to install.

Specific Version Process

The server looks to Apple’s gdmf.apple.com/v2/pmv feed of available software updates and offers a dropdown menu based on those results to choose from. After the command is sent, the device is asked to present its own available updates. If the device sees the version selected in Jamf Pro when sending the update command as available, the computer selects that update to move forward. If that version is not available, then the computer will not proceed further.

With this context in mind, the Jamf Pro install action "Download, Install, and Restart" can only be used with the target version options "Latest minor version" and "Specific version", the latter option being dependent on the specified version being within the same major macOS version that the computer is already running.

For example, if the install action selected for a computer on Ventura is "Download, Install, and Restart" and the target version option selected is "Latest version based on device availability", "Latest major version", or "Specific Version > 14.x.x", we would expect the computer to reject the command or fail to kick off the update process due to the InstallForceRestart key not being viable for major OS upgrades.

For any computers on Ventura, the compatible install action would instead be "Download and Install" combined with target version options "Specific Version > 14.x.x", "Latest major version", or "Latest version based on device eligibility".

If an incompatible install action command for the given target macOS version is sent to a computer, the computer should respond to the server with an error along the lines of "Unsupported InstallAction for this ProductKey". However, there are instances of computers accepting the command but still not proceeding further locally. In these instances, live local console logs are needed from the affected computer to see what is happening at the computer level after the computer has accepted the MDM command.
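The compatibility rules in this section can be checked before a plan is sent. The following is an added example, not Jamf or Apple code: `check_plan()` and its arguments are hypothetical names, the rule table is transcribed from this article, and the sample plans are constructed.

```python
# Added example, not Jamf or Apple code; check_plan() is a hypothetical helper.
# install action -> (Apple keys, minimum device OS per platform, major upgrade allowed?)
ACTIONS = {
    "Download Only": (("DownloadOnly",), {"iOS": (9,), "macOS": (11,), "tvOS": (12,)}, True),
    "Download and Install": (("InstallASAP",), {"iOS": (9,), "macOS": (11,), "tvOS": (12,)}, True),
    # DDM keys: the article states no minor/major restriction for these.
    "Download and Schedule to Install": (
        ("TargetBuildVersion", "TargetLocalDateTime", "TargetOSVersion"),
        {"iOS": (17,), "macOS": (14,)}, True),
    # MaxUserDeferrals is minor-only, and full installers need InstallASAP.
    "Download, Install, and Allow Deferral": (
        ("InstallLater", "MaxUserDeferrals"), {"macOS": (10, 11)}, False),
    "Download, Install, and Restart": (
        ("InstallForceRestart", "MaxUserDeferrals"), {"macOS": (11,)}, False),
}


def parse(version):
    """'13.6.1' -> (13, 6, 1)"""
    return tuple(int(part) for part in version.split("."))


def major(platform, version):
    """Major release; macOS 10.x changed major with the second number (10.14 -> 10.15)."""
    v = parse(version)
    return v[:2] if platform == "macOS" and v[0] == 10 else v[:1]


def check_plan(platform, current, action, target):
    """Return (ok, reason) for sending `action` to a device running `current`."""
    platform = "iOS" if platform == "iPadOS" else platform  # the table groups them
    keys, minimums, major_ok = ACTIONS[action]
    if platform not in minimums:
        return False, f"{'/'.join(keys)} not supported on {platform}"
    if parse(current) < minimums[platform]:
        need = ".".join(map(str, minimums[platform]))
        return False, f"{action} needs {platform} {need}+"
    if major(platform, target) != major(platform, current) and not major_ok:
        return False, f"{keys[0]} cannot perform a major upgrade; use InstallASAP"
    return True, "compatible"


if __name__ == "__main__":
    # Constructed plans: (platform, current OS, install action, target OS).
    for plan in [("macOS", "13.6.1", "Download, Install, and Restart", "14.2"),
                 ("macOS", "13.6.1", "Download and Install", "14.2"),
                 ("iPadOS", "17.1", "Download, Install, and Restart", "17.2")]:
        print(plan, "->", check_plan(*plan))
```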

Command Resiliency

An additional point of context to keep in mind is that the InstallASAP, InstallLater, and InstallForceRestart MDM keys have no resiliency, which limits the progress information we receive back from the devices on the MDM side. When a computer accepts an update command that contains any of those keys and sends an Acknowledgement response back to the server, it will not send a follow-up to the server later if the update is interrupted or fails due to an issue like low battery or a network/power interruption. The update process then fails locally, but because the MDM server isn't informed (there’s no native mechanism designed by Apple for this yet), the server will not automatically retry the command on the device in question.
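Because an acknowledged command is not proof that the update landed, patch compliance has to be confirmed from what the device reports afterwards. The following is an added example, not Jamf or Apple code: the record fields, the 24-hour grace window and the sample data are assumptions constructed for illustration.

```python
# Added example, not Jamf or Apple code: find updates that were acknowledged
# but never landed, since these keys report no failure back to the server.
from datetime import datetime, timedelta

GRACE = timedelta(hours=24)  # assumed time allowed for an update to finish


def version_tuple(version):
    """'14.1' -> (14, 1, 0), padded so '14.2' and '14.2.0' compare equal."""
    parts = [int(p) for p in version.split(".")]
    return tuple((parts + [0, 0])[:3])


def classify(record, grace=GRACE):
    """Return 'unknown', 'updated', 'pending' or 'retry' for one device record."""
    ack = datetime.fromisoformat(record["acknowledged_at"])
    seen = datetime.fromisoformat(record["last_inventory_at"])
    if seen <= ack:
        return "unknown"   # inventory predates the command; reported OS is stale
    if version_tuple(record["reported_os"]) >= version_tuple(record["target_os"]):
        return "updated"
    if seen - ack < grace:
        return "pending"   # still inside the window; update may be in progress
    return "retry"         # checked in after the window and is still behind


def devices_to_retry(records, grace=GRACE):
    """Serials whose command was acknowledged but whose OS never reached the target."""
    return [r["serial"] for r in records if classify(r, grace) == "retry"]


# Constructed sample records; field names are hypothetical, not a Jamf Pro schema.
SAMPLE = [
    {"serial": "EXAMPLE01", "target_os": "14.2.1", "reported_os": "14.2.1",
     "acknowledged_at": "2024-01-10T09:00:00", "last_inventory_at": "2024-01-10T15:00:00"},
    {"serial": "EXAMPLE02", "target_os": "14.2.1", "reported_os": "14.1",
     "acknowledged_at": "2024-01-10T09:00:00", "last_inventory_at": "2024-01-10T12:00:00"},
    {"serial": "EXAMPLE03", "target_os": "14.2.1", "reported_os": "14.1.2",
     "acknowledged_at": "2024-01-10T09:00:00", "last_inventory_at": "2024-01-12T09:30:00"},
    {"serial": "EXAMPLE04", "target_os": "14.2.1", "reported_os": "14.1",
     "acknowledged_at": "2024-01-10T09:00:00", "last_inventory_at": "2024-01-09T18:00:00"},
]

if __name__ == "__main__":
    print(devices_to_retry(SAMPLE))
```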

macOS Intel vs Silicon Updates

Generally speaking, there is not really a single guaranteed upgrade method across Intel and Silicon devices due to the differences in hardware and how they interact with update/upgrade installers and their end users. For example, Intel computers rarely require any user interaction for an update or upgrade to take place, but Silicon computers do require forms of user interaction because the local user(s) must be a volume owner to perform software updates and upgrades. So if a normal update or upgrade via System Settings is initiated on a Silicon computer, there will be a popup requesting the local user password before the computer will proceed with the update or upgrade.

From the MDM side, this means Apple Silicon computers must have a Bootstrap Token escrowed to Jamf Pro in order to update automatically without user interaction. Because of these differences, environments with mixed Intel and Silicon computers may need to have two separate workflows for managing software updates, depending on the needs of the environment.

That said, Apple's remote MDM commands are designed for both Intel and Silicon computers, so as long as the Silicon Macs have escrowed a Bootstrap Token to the server, they should be able to process the commands without issue.
