
Deploying Apple Background Security Updates with DDM and Blueprints


Description

Apple periodically releases Background Security Improvements (BSI) — silent, targeted patches that strengthen system security without changing the OS version number. For IT administrators managing a fleet of Apple devices, ensuring these updates are deployed promptly is a critical part of maintaining a strong security posture. This article walks through how to enforce BSI updates using Declarative Device Management (DDM) and Blueprints.

Prerequisites: Confirm Devices are on an Eligible Base Version

BSI updates are only available to devices already running a specific point release. Before attempting to enforce an update, confirm that target devices are running one of the supported versions. Devices on other versions are not eligible and will not receive the BSI update.

Enforcing the BSI Update

Follow these steps to target and enforce the BSI update on eligible devices:

  1. Create a target group. In Jamf Pro, create a Smart Group that includes only machines running one of the eligible point releases (e.g., 26.3.1 or 26.3.2). This scoping ensures the declaration is only applied where it will have an effect.

  2. Create a Software Update Enforcement blueprint. Follow the steps below to set up the blueprint in Jamf Pro:

    1. Click Blueprints in the sidebar.

    2. Click Create blueprint in the upper-right corner.

    3. Replace the placeholder "Untitled blueprint" with a name for the blueprint.

    4. Replace the placeholder "Describe what this blueprint is used for." with a description of the blueprint.

    5. Enter Software Updates in the Search field.

    6. Select the Software Updates component and configure the Date and time of the update and the Target OS version.

      Note: For the Target OS version, use the current OS version. When a Software Update Enforcement declaration is sent to a device that is already on the specified OS version with only the OSVersion key set, Apple’s system interprets this as an instruction to apply any available Background Security Improvements for that version. No separate identifier or additional parameters are needed. For more details, see Apple’s official documentation.

    7. Click Add.

      Note: A custom declaration could also be used to enforce the BSI update instead of the Software Updates configuration, but this falls out of the scope of Jamf Support.

  3. Assign and deploy the blueprint to the target group. Link the blueprint to your target group and deploy. Devices will detect the queued BSI update and schedule installation.

    1. Click the Scope card to configure the scope.

    2. Select the checkbox next to the group(s) you configured in Step 1.

      Note: If devices are added to a group after a blueprint has been deployed, the new devices will automatically receive the blueprint the next time they check in.

    3. Click Save.

    4. Click Deploy to deploy the blueprint to the configured group(s).

  4. Verify success via Inventory. Once the update has applied, confirm success by checking the SupplementalBuildVersion field in your inventory.

    For example, for the macOS 26.3.1(a) BSI scenario, this value should read 25D771280a. Any devices not yet showing this value have not yet received the update.
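The scoping in Step 1 and the verification in Step 4 can be checked against an inventory export before and after deployment. The following is an added example, not Jamf code: it applies the article's eligibility rule (exact match on an eligible point release) and expected SupplementalBuildVersion to a constructed inventory, reporting which devices are out of scope, updated, or still pending. The record field names and the sample devices are assumptions.

```python
"""Scope and verify a BSI rollout from an inventory export (added example)."""
from dataclasses import dataclass

# Values from the article: the 26.3.1(a) BSI targets these point releases and
# reports this supplemental build once installed.
ELIGIBLE_VERSIONS = {"26.3.1", "26.3.2"}
EXPECTED_SUPPLEMENTAL_BUILD = "25D771280a"


@dataclass(frozen=True)
class Device:
    # Assumed field names; map them to your own inventory export.
    name: str
    os_version: str
    supplemental_build_version: str  # empty string when inventory has none


def is_eligible(device: Device) -> bool:
    """Mirror the Smart Group: exact match, not a >= comparison, because a BSI
    applies only to the specific base releases it was built for."""
    return device.os_version.strip() in ELIGIBLE_VERSIONS


def has_bsi(device: Device) -> bool:
    """Step 4 check: the supplemental build must equal the expected value."""
    return device.supplemental_build_version.strip() == EXPECTED_SUPPLEMENTAL_BUILD


def rollout_status(devices) -> dict:
    """Bucket devices; 'pending' is the list an admin needs to chase."""
    status = {"out_of_scope": [], "updated": [], "pending": []}
    for d in devices:
        if not is_eligible(d):
            status["out_of_scope"].append(d.name)
        elif has_bsi(d):
            status["updated"].append(d.name)
        else:
            status["pending"].append(d.name)
    return status


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("mac-01", "26.3.1", "25D771280a"),  # eligible, BSI applied
    Device("mac-02", "26.3.2", ""),            # eligible, not yet applied
    Device("mac-03", "26.3", ""),              # not an eligible base version
]

if __name__ == "__main__":
    for bucket, names in rollout_status(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```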
