OS Updates on Apple devices - revisited (15.3+)
Despite being a critical task in Endpoint Management, OS Update management is unfortunately quite a chaotic journey.
The days of merged-1.sucatalog.gz and /usr/sbin/softwareupdate.
Initially, the macOS softwareupdate command could be used to manually control Software Updates. Update metadata was made available as a “sucatalog” file, one for each macOS version. This mechanism gave FileWave the ability to craft its own sucatalog, allowing updates to be entirely hosted and controlled by your FileWave system.
MDM OS Update
On the mobile side, Apple introduced OS updates via the MDM protocol. A few commands were added to the protocol: the AvailableOSUpdate command queries a device for the updates it currently reports, ScheduleOSUpdate triggers the update process, and OSUpdateStatus reports information about the progress of the current upgrade. This mechanism was made available on macOS as well, and became mandatory with macOS Big Sur.
The MDM version of OS Update management was supposed to greatly simplify the process, but it has some downsides:
- All the control is on the device side. Sending the ScheduleOSUpdate command is the only thing that can be done, and it has only a few options. MDM does not control when the update happens; it can only gently ask the device to update. Information about why something went wrong and how to remediate it is very sparse, and many things can go wrong (network issues, low battery, …).
- Update information comes directly from devices. This could be more reliable, but it also leads to confusion, as Apple provides different updates for different devices (iPadOS on iPad Pro is not the same as on iPad 9). This confusion shows in FileWave, where you can see all flavors of iPadOS 17.3.1 without an easy way to tell which version can be installed on which device. In addition, some updates can be installed while the device does not report that it requires them (see Test and defer software updates for Apple devices).
GDMF to the rescue
Apple introduced a new Software Update catalog, named GDMF; it exposes the list of currently available updates and the devices supporting each of them, which simplifies the process and provides FileWave with all the required information. Unfortunately, using the GDMF update identifier with MDM ScheduleOSUpdate commands is reported to be very unreliable.
And now, DDM
The new device management protocol, DDM, has now been extended to manage OS updates. It simplifies the process (there is no product identifier, just the version), and Apple assures it is much more reliable than MDM (our testing confirms this). The only drawback of the DDM OS update mechanism is that it requires iOS 17 and macOS 14.
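As an added example (not FileWave's or Apple's code), the following Python shows the two mechanisms this page favours: filtering a GDMF-style catalog per device model so each device only sees the updates it supports, and turning the chosen version into a DDM software update enforcement declaration. The catalog is a constructed sample that mimics the shape of Apple's GDMF pmv feed (AssetSets -> platform -> ProductVersion / SupportedDevices); fetching the real feed and the deadline value are left to the caller.

```python
"""Per-device GDMF filtering and DDM enforcement declaration (added example)."""
import uuid

# Constructed sample in the shape of the GDMF pmv feed; not a real catalog.
# Two "17.3.1" entries exist because different device families get different
# builds, which is exactly what confuses a flat update list.
SAMPLE_GDMF = {
    "AssetSets": {
        "iOS": [
            {"ProductVersion": "17.3.1", "SupportedDevices": ["iPad13,16", "iPad13,17"]},
            {"ProductVersion": "17.3.1", "SupportedDevices": ["iPad12,1", "iPad12,2"]},
            {"ProductVersion": "17.4", "SupportedDevices": ["iPad13,16", "iPad13,17"]},
            {"ProductVersion": "16.7.6", "SupportedDevices": ["iPad6,11", "iPad6,12"]},
        ]
    }
}


def _version_key(version):
    """Turn '17.3.1' into (17, 3, 1) so versions sort numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def updates_for_device(catalog, platform, model):
    """Return the catalog entries listing `model` as supported, newest first.

    This per-device view collapses the duplicate version flavours down to the
    ones that can actually be installed on the given hardware.
    """
    entries = [e for e in catalog["AssetSets"].get(platform, [])
               if model in e.get("SupportedDevices", [])]
    return sorted(entries, key=lambda e: _version_key(e["ProductVersion"]), reverse=True)


def enforcement_declaration(entry, deadline_local):
    """Build a DDM com.apple.configuration.softwareupdate.enforcement.specific
    declaration for the chosen entry. Only the version is needed; there is no
    product identifier as with MDM ScheduleOSUpdate. `deadline_local` is the
    local date-time string for TargetLocalDateTime (e.g. "2024-03-20T18:00:00").
    """
    return {
        "Type": "com.apple.configuration.softwareupdate.enforcement.specific",
        "Identifier": str(uuid.uuid4()),  # any unique id chosen by the server
        "Payload": {
            "TargetOSVersion": entry["ProductVersion"],
            "TargetLocalDateTime": deadline_local,
        },
    }
```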
To summarize:
- The legacy softwareupdate mechanism is unsupported, and Apple has strongly advised against using it since Catalina.
- The MDM ScheduleOSUpdate mechanism works quite reliably on iOS, but has never worked reliably enough on macOS.
- The AvailableOSUpdate mechanism for reporting requested updates can lead to confusion compared to GDMF.
As a conclusion, in FileWave 15.4.0, we will:
- Switch to GDMF as the only mechanism to report updates. The legacy sucatalog and AvailableOSUpdate mechanisms will be removed. This will tremendously simplify the Software Update Assistant by removing all duplicated versions.
- Switch to DDM as the only mechanism to manage updates on macOS. Managing updates with the legacy softwareupdate command has not worked since Catalina, and the MDM mechanism is far too unreliable. This means that OS update management will be macOS Sonoma (and later) only.
- Switch to DDM for iOS 17 and later, and keep MDM for older versions of iOS / iPadOS.
We strongly believe that controlling OS updates is a critical task, and we are excited to see how Apple's DDM support can solve many of the issues that have been reported over the years.
