Apple MDM OS Software Updates

What

All MDM configured devices will report and receive Software Updates via MDM. This is the same for:

iOS
iPadOS
tvOS
macOS (Either Big Sur and above or earlier versions if the client is configured for MDM Software Updates)

When/Why

Before MDM

~~Unlike~~The FileWave Server would pull the ~~old~~catalogue of all possible updates from Apple. This same catalogue would be delivered from the FileWave Server to each macOS ~~catalogues,~~client. noAfter a Fileset containing the update was created and associated, the FileWave Client would use the Software Update process to instal associated updates, which would be sent from the Server to the device.

MDM

MDM Software Updates work mostly like Apple VPP Filesets, in as much as FileWave does not store the update. Instead, the Fileset is a reference to the update on the App Store. Only updates reported as required from devices through MDM will show ~~until at least one device has reported an update as required. Once this has happened, that update will remain visible~~ in the Software ~~Updates~~Update view.

Only once the first requested update is reported, will the drop down option in the Software Update view show macOS updates as an option. All updates reported will persist in this view.

The 'Requested Only' tick box will only show those updates that are believed to be currently requested by devices. Each check-in from a device should update the list of appropriate updates for that device.

Apple catalogue updates take up storage on the server once the Fileset is created. MDM Filesets do not store the updates.

How

MDM Reporting

When necessary, FileWave server will send an APNs ~~request~~ to ~~devices,~~Apple ~~causing~~requesting ~~any receiving device to~~devices check-in. On ~~check-in,~~doing so, the FileWave Server will ~~send~~respond anwith MDM commands, one of which being a request for ‘AvailabeOSUpdate’. ~~request~~The ~~to devices. This~~device should ~~trigger~~reply ~~the device to report back to the server~~with all possible appropriate updates. For example:

If macOS 14.5 were the latest version, a device running 14.3.1 may request all of those between:

14.4

14.4.1

14.5

Apple decide which prior updates ~~for~~will ~~that~~still ~~device.~~be available. A device may be updated to any version requested, not just latest.

Software Update View

If not already visible in the Software Updates view, each reported update will be ~~added,~~added. ~~but~~When ~~for~~an ~~all~~update ~~possible updates, when~~is selected, the list of devices reporting the update as required will be displayed. From this same view, the desired update may be used to ‘Create Fileset’ and then ~~associated~~associated.

~~Due~~

During the transition between MDM and Catalogue Software Updates, two macOS options will be present:

macOS - Apple Catalogue updates

~~being~~

macOS ~~available~~MDM ~~either~~- byApple ~~the~~MDM ~~old~~updates

~~catalogue~~

~~method~~

As orof ~~MDM,~~FileWave ~~there~~15.4, ~~are~~only ~~two~~one ~~options~~macOS option will be present in the ~~Software~~drop ~~Update~~down ~~listings.~~box. Apple Catalogues will no longer be available as standard.

Fileset Association

Within the created Association is an 'Instal at' date/time. For MDM ~~updates,~~Software ~~select~~Updates, the ~~‘macOS~~command ~~MDM’~~to ~~updates~~trigger ~~option.~~

the

Diggingrequest Deeper

Asinstal the update will only be added to the MDM Command Queue once this date/time has been reached. This is not an ~~example,~~exact ~~imagine~~defined time, since APNs check-in request and device response may not be until a day/time after this. Additionally, other factors can impact the device's reaction to any such request, e.g batter power.

MDM Software Updates and Rapid Security Responses are impacted by battery percentage of the device. If not on charge, there is a minimum percentage required for the update to commence. Please see the below chart.

Mac Notebook Type	ASU Battery Requirement	RSR Battery Requirement
Mac with Apple silicon	20% Priority key set as High	10%
Mac with Apple silicon	50% Priority key not set	10%
Intel Based Mac	50%	20%

DDM

FileWave introduced additional software update features with version 15.~~6.1~~4, ~~was~~in particular, Force Reboot through Apple's new DDM protocol. If the ~~latest~~user ~~iOS~~has ~~version~~not actioned the update prior to this time, the device should then force this installation.

'Instal at' date/time, if not set, defaults to the time the association is created. The 'Instal at' date/time in FileWave 15.4 is now a Force Reboot time. Alter this time if this is undesirable.

The FileWave option to 'Automatically Instal on new devices' does not show the association. It is therefore not possible to alter this date/time.

MDM Process

Since FileWave does not deliver the update to devices, but a reference to the update on the App Store, devices must first fetch the update. Therefore, the installation process of an update is twofold, one to download the update and another to instal the update.

Since updates can be very large, there can naturally be some delay between the initial association and the actual installation.

If the device were upgraded between the association being created and the device ~~were running 15.5. The versions~~receiving the ~~device may report as appropriate could be:~~

~~iOSUpdate 15.5.1~~

~~iOSUpdate 15.6~~

~~iOSUpdate 15.6.1~~

~~Any one of these updates could be associated to the device, allowing the device to be either updated to the latest version or an intermediate version.~~

Fileset Creation

~~Creation of the Fileset is nothing more than data to inform the device which update it should update to.~~

Fileset Installation

~~To instal an update via MDM involves a~~ command to ~~be sent to the device twice ‘ScheduleOSUpdate’~~

The first time the command is sent it will inform the device to download the update. Once acknowledged, periodically the FileWave Server will send additional APNs requests with the intent to send OSUpdateStatus commands; this command should establish the current percentage downloaded.

~~When the download is 100% complete, the ‘ScheduleOSUpdate’ command is resent. This time the device will commence/schedule the actual instal of the update once acknowledged.~~

~~Updates will still need to be considered appropriate by the device on receipt of the update. For example,~~update, if the device had reported an update were required and the association were made, if the user had updated the device between these two events, then this update Fileset would no longer be necessary on receipt.

This process also relies upon the updates still being available from Apple. In the same way, if an update were associated, but between these two events Apple pulled the update from their servers, then again the update would not actually be triggered on the device.

If the update is no longer ~~required,~~appropriate, the device will silently ~~ignores~~ignore ~~the update, there is no report back from the device to suggest this has happened.~~it.

Update Reporting

~~Taking the above example, if the device were running iOS 15.5 and reported the same list of updates, consider the following:~~

~~Fileset pushed to update all devices to 15.5.1~~

~~All devices update~~

~~Next check-in, devices will no longer report 15.5.1 as required~~

~~Software Update view will still show the 15.5.1 update, but it will no longer show where ‘Requested Only’ is selected~~

During the process, if some devices have completed the update, but not others, the update will still show in the ‘Requested Only’ view, but when highlighted, any devices that have subsequently checked-in and sent an inventory for a newer ‘AvailableOSUpdate’ command, those devices will no longer be seen in the list of reported devices for that update.