Managing the Apple macOS Sequoia Upgrade with Workspace ONE UEM
At WWDC 2024, Apple announced the next version of their macOS operating system called Sequoia. This highly anticipated new release offers new features, such as seamless drag and drop between Apple devices, a redesigned reader in Safari, a new Passwords app, and Apple Intelligence, along with enhanced functionality with iPhone mirroring, notifications, easier window tiling, and much more. macOS Sequoia was released on September 16th.
Many enterprises prefer to wait on upgrading devices to the latest operating system until they have executed some level of testing to ensure that critical systems and software are not impacted. However, Apple includes a Software Update utility in its operating system that allows users to upgrade to both minor and major releases as soon as they become available. Although this utility is useful, it could result in end users upgrading their macOS devices earlier than IT admins may wish.
Workspace ONE UEM provides IT admins with granular control over the macOS update process, including blocking user-initiated updates in the Software Update Utility. Let’s take a look at how you can manage your organization’s update to macOS Sequoia.
Restricting Apple’s Software Updates Utility on Devices
Apple includes a Software Updates utility in its operating systems that makes it easy for users to update their devices to the latest OS. When updates are released by Apple, the user is alerted with a red badge on the Settings icon, and the Software Update utility lists the available update and gives the user options for installation. Enterprise users that update their devices as soon as a release is available risk causing software incompatibility issues. Luckily for IT admins, Workspace ONE UEM provides a profile payload to configure the macOS Software Update utility on devices.
The Software Update payload gives IT admins the ability to configure a number of options for updates on devices. The following options are available in the payload:
- Update Source – You can configure Software Updates to connect to Apple’s default servers or your own corporate update servers. Keep in mind, this feature has been deprecated in macOS 10.15 and up.
- Software Updates – This section offers the ability to manage how updates are installed (automatically, download in the background, etc.), which updates should be available (all or recommended only), whether beta releases should be available, if app updates should be included, and if the end user is notified of the pending update.
- Schedule – You can set the schedule for when the device checks for updates. This can be configured on a regular interval or set to a specific day and time. You might use this option if you want devices to only check for updates off peak business hours or if you have concerns about bandwidth utilization.
- Restart – The restart options let you configure device behavior in the event that a restart is required. You can force the restart, set a grace period for the restart, allow the user to defer the restart to a later time, and set the maximum number of user deferrals.
Although these settings are good to manage, they don’t necessarily stop end users from downloading the latest version of macOS as soon as it becomes available. That is where the Security & Privacy profile payload comes in handy.
Once you have the Software Update utility configured the way you want, you can use the Security & Privacy profile to restrict the type of OS updates and how long Software Update should delay before making the update available to users.
NOTE: I do want to point out that the Software Update profile payload and the Security & Privacy profile payload are not dependent on each other. You can use one without the other, or use both in conjunction.
The OS Updates section of the Security & Privacy payload can be used to configure a delay for major updates, minor updates, and non-OS updates. If you enable a delay on any of those three items, you can set the number of days before any update is available in Software Update. For instance, if you enable a 30-day delay on major OS updates, any new major update will not be displayed in Software Updates until 30 days after release. Since macOS Sequoia is considered a major OS update, you can use this option to restrict your users from updating their devices until you have had time to test the new operating system.
NOTE: Apple only allows updates to be delayed for up to 90 days. Once you’ve exceeded 90 days, the update will be available in the Software Updates utility.
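One way to check an exported profile before assigning it, shown as an added example that is not part of the original article or Omnissa's tooling: the script reads the deferral settings and reports when each update class would first appear in Software Update. It assumes the OS Updates settings are delivered as Apple's Restrictions payload (`com.apple.applicationaccess`) deferral keys in an unsigned profile; the function name and the sample profile are constructed for illustration.

```python
import plistlib
from datetime import date, timedelta

MAX_DELAY_DAYS = 90  # the 90-day ceiling noted in the article

# Update class -> (enable flag, delay-in-days key) in Apple's Restrictions payload.
DEFERRAL_KEYS = {
    "major": ("forceDelayedMajorSoftwareUpdates",
              "enforcedSoftwareUpdateMajorOSDeferredInstallDelay"),
    "minor": ("forceDelayedSoftwareUpdates",
              "enforcedSoftwareUpdateMinorOSDeferredInstallDelay"),
    "non_os": ("forceDelayedAppSoftwareUpdates",
               "enforcedSoftwareUpdateNonOSDeferredInstallDelay"),
}

# Constructed sample profile (not exported from a real console): 30-day major
# delay, an out-of-range 120-day minor delay, and no non-OS delay.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.applicationaccess</string>
  <key>forceDelayedMajorSoftwareUpdates</key><true/>
  <key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key><integer>30</integer>
  <key>forceDelayedSoftwareUpdates</key><true/>
  <key>enforcedSoftwareUpdateMinorOSDeferredInstallDelay</key><integer>120</integer>
</dict></array></dict></plist>"""

def audit_deferrals(profile_bytes, release_date):
    """Return {update class: (effective days, first visible date, finding)}."""
    settings = {}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            settings.update(payload)
    report = {}
    for name, (flag, delay_key) in DEFERRAL_KEYS.items():
        days = settings.get(delay_key)
        if not settings.get(flag, False):
            report[name] = (0, release_date, "not deferred: offered at release")
        elif not isinstance(days, int) or days < 1:
            report[name] = (None, None, "flag set but no valid delay value")
        else:
            # Estimate with the ceiling applied; an over-limit value is a finding.
            capped = min(days, MAX_DELAY_DAYS)
            note = "ok" if capped == days else f"{days} days exceeds the 90-day limit"
            report[name] = (capped, release_date + timedelta(days=capped), note)
    return report

if __name__ == "__main__":
    # macOS Sequoia release date as given in the article.
    for name, row in audit_deferrals(SAMPLE_PROFILE, date(2024, 9, 16)).items():
        print(name, *row)
```

A class reported as "not deferred" is the one to look at first: users see those updates in Software Update on release day, regardless of what the Software Update payload schedules.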
Updating Devices to macOS Sequoia
Once you have tested the new version of macOS and you are ready to update your devices, Workspace ONE UEM can help you with that as well. The macOS Device Updates screen lists all available updates for macOS and can assist you with pushing an update out to your devices.
You’ll notice that the available updates are listed in order of release, with the latest at the top. Once selected, you can assign an update to an assignment group. You can also define the date and time at which deployment of the update should begin.
Keep in mind, this is the date and time that the update command will be available to send to devices. The command will be issued during the device’s next check-in cycle. Depending on how you have Workspace ONE configured and whether the device is online, this check-in cycle could be several hours. For example, if you set the time for macOS Sequoia to begin at 01:00, the update will become available at that time. Let’s say, for example, that you have your device check-in time configured for every 12 hours. If a device checks in at 12:59, it will potentially not receive the command to update to macOS Sequoia for 12 hours after the update is available. This is something to keep in mind if you have strict deadline requirements for your updates.
Additionally, you can configure the Install Action for the command. The following methods are available.
| Method | Description |
| --- | --- |
| Download Only | This method will download the update to the device without installing it. |
| Default | Depending on the current state of the device, this method will either download or install the update. For instance, if the update has already been downloaded, the Default method will install it. |
| InstallAsap | InstallAsap will download the update and notify the user that the device will restart in 60 seconds. The user can cancel the restart. |
| NotifyOnly | This method will download the update to the device and notify the user that the update is ready to be installed. |
| InstallLater | The update will be downloaded and the user will be periodically notified that the update is ready to be installed. |
| InstallForceRestart | This method downloads the update and forces a device restart. NOTE: This method might result in data loss. |

If you select InstallLater as your Install Action, an additional option to configure User Deferral settings will appear in the Workspace ONE console. You can enable User Deferrals and set the maximum number of times the user can postpone the update before it is installed.
Although Workspace ONE uses the built-in Apple MDM commands to initiate the installation of an update, it includes additional functionality to monitor the process of the update and initiate the command again if the update fails or is interrupted.
Updating with the Workspace ONE hubcli
I won’t go too deep into this topic, but I will point out that you can also use the Workspace ONE hubcli to manage your macOS Sequoia device update. This may come in handy if you need to script a complex series of actions that need to happen in conjunction with the macOS Sequoia update, or if you wish to create a workflow in Freestyle Orchestrator to manage the update. You can learn more about managing OS updates with hubcli in this Tech Zone resource.
Summary
macOS Sequoia has been a highly anticipated OS update since it was announced earlier this year at Apple’s WWDC 2024. Enterprises that manage macOS devices will be anxious to update and take full advantage of the new features, security enhancements, and performance improvements. Workspace ONE can ease the burden on IT admins with its built-in OS Update management capabilities.
For more detailed information about using Omnissa Workspace ONE UEM to update macOS, please see the following Tech Zone resources.