Software Update Enforcement for iOS Devices in Workspace ONE UEM
Introduction
Last week, Omnissa announced support for Apple’s Declarative Device Management for iOS devices with the release of version 2406 of Workspace ONE UEM. As detailed in my recent Tech Zone blog post, this initial release is just the beginning of our journey towards alignment with Apple’s new device management paradigm. Our commitment to achieving complete parity with Apple’s vision for device management remains firm with this latest release. On top of the existing support discussed in my earlier blog post, version 2406 has also added support for a DDM declaration that has been highly requested by Workspace ONE IT admins: Software Update Enforcement.
Software Update Enforcement
Declarative Device Management differs from Apple’s legacy MDM protocol by making managed devices more autonomous. Each device is responsible for enforcing its own configuration based on the desired state as defined in Workspace ONE UEM. Instead of the MDM servers triggering a repetitive cycle of commands to verify and re-verify the device state, each device applies management logic in response to its own state changes.
This new mindset of autonomous devices has been applied to operating system updates using a new DDM declaration called Software Update Enforcement. With this new declaration, IT admins can assign specific updates to devices and specify a date and time when the update will be enforced on the device regardless of user deferrals. Let’s take a look at how Software Update Enforcement works in Workspace ONE UEM.
Software Update Enforcement Declaration
The process for creating a Software Update Enforcement declaration is similar to creating a legacy profile in Workspace ONE UEM. Once you select your platform, you are presented with the option to select a Management Type. In this case, you would choose Declarative, and select Configuration for the Declaration Type and Device for the Context.
The Software Update Enforcement payload contains four configuration parameters, two of which are mandatory. These parameters determine the configured behavior for the update. The parameters are:
- Target OS Version - This is the target OS version to which you want your devices to update. This is a mandatory field. Example: 17.5.1.
- Target Build Version - This represents the target build version. This field is optional. Example: 20A242.
- Target Local Date Time - This is the local date and time when you want to force the installation of the update. This is a mandatory field.
- Details URL - This is a URL that you may want to direct your end users to for more information about the update. This is an optional field.
To get the correct Target OS Version and Target Build Version, you can review Apple’s operating system release details here.
Once assigned to a group, Workspace ONE sends the declaration to the devices. The device will acknowledge the declaration. From here, execution of the update task is delegated to the device, which will manage the update process going forward.
Enforcement Process on the Device
Once the device receives the declaration, it begins downloading the specified update to the device. What happens after that depends on the Target Local Date Time set in the declaration. The behavior on the device will progressively change as the Target Local Date Time draws near.
Let’s start 30 days out from the Target Local Date Time. The device displays the update under Software Update in the device Settings user interface. The only indication the user will have that an update is pending will be a red badge on the Settings icon. The user has the option to install the update at their convenience in the Settings user interface.
Within 14 days of the Target Local Date Time, the device will send a notification to the user once a day. This notification will give the option to either install immediately, or defer the update for later. The update is still available within the Settings User Interface if the user chooses to install the update manually.
Things begin to accelerate once we are less than 24 hours from the Target Local Date Time. The device notifies the user once an hour, giving the option to either install the update or defer it for later. Deferring the update will only defer it for an hour. The user will receive another notification an hour later. Additionally, the Settings User Interface will only provide the option to install the update. There is no longer an option to defer the update.
If the user remains stubborn and still refuses to update their device, the notifications will increase during the final hour before the Target Local Date Time. A notification will be sent at 60 minutes, 30 minutes, and 10 minutes. Each of these will give the user the option to defer the update. One minute prior to the Target Local Date Time, the user will be notified that the update is pending. They will have no option to defer the update.
When the Target Local Date Time arrives, the device will force the user to enter their passcode if one is set on the device, and then begin the update installation.
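To make the two halves of the above concrete, the four payload parameters and the device-side timeline, here is an added example (not Workspace ONE UEM or Apple code) that builds the declaration as JSON, sanity-checks each field before it is assigned, and maps "time remaining until Target Local Date Time" to the notification phase the post describes. The declaration Type and Payload key names follow Apple's published declarative management schema; that the Workspace ONE fields map onto those keys one-to-one is an assumption, and the identifier, version, build, date and URL values are constructed for illustration.

```python
"""Build, validate and reason about a Software Update Enforcement declaration.

Added example, not Workspace ONE UEM or Apple code. Type and Payload keys
follow Apple's declarative management schema; the mapping from the four
Workspace ONE UI fields onto them is an assumption. All sample values are
constructed.
"""
import json
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

DECLARATION_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"

# iOS version strings look like "17.5" or "17.5.1"; build numbers like "20A242".
_OS_VERSION_RE = re.compile(r"^\d+(\.\d+){1,2}$")
_BUILD_RE = re.compile(r"^\d+[A-Z]\d+[a-z]?$")


def build_declaration(identifier, target_os_version, target_local_date_time,
                      target_build_version=None, details_url=None):
    """Return the declaration as a dict ready to serialise to JSON.

    The two mandatory fields are positional; the two optional ones are only
    emitted when supplied, mirroring the UI's mandatory/optional split.
    """
    payload = {
        "TargetOSVersion": target_os_version,
        "TargetLocalDateTime": target_local_date_time,
    }
    if target_build_version:
        payload["TargetBuildVersion"] = target_build_version
    if details_url:
        payload["DetailsURL"] = details_url
    return {"Type": DECLARATION_TYPE, "Identifier": identifier, "Payload": payload}


def validate_declaration(decl):
    """Return a list of problems; an empty list means the payload is well-formed."""
    problems = []
    p = decl.get("Payload", {})
    if not _OS_VERSION_RE.match(p.get("TargetOSVersion", "")):
        problems.append("TargetOSVersion must look like 17.5.1")
    build = p.get("TargetBuildVersion")
    if build is not None and not _BUILD_RE.match(build):
        problems.append("TargetBuildVersion must look like 20A242")
    ldt = p.get("TargetLocalDateTime", "")
    try:
        parsed = datetime.fromisoformat(ldt)
        # The device evaluates this in its own local time zone, so an offset
        # or "Z" suffix signals a misunderstanding rather than extra precision.
        if parsed.tzinfo is not None:
            problems.append("TargetLocalDateTime must not carry a time zone")
    except ValueError:
        problems.append("TargetLocalDateTime must be ISO 8601, e.g. 2024-08-01T09:00:00")
    url = p.get("DetailsURL")
    if url is not None and urlparse(url).scheme not in ("http", "https"):
        problems.append("DetailsURL must be an http(s) URL")
    return problems


def phase_for_remaining(seconds_remaining):
    """Map seconds until the target to the device behaviour the post describes.

    The post's description starts 30 days out; behaviour before that is not
    described and is treated the same as the badge-only phase (assumption).
    """
    remaining = timedelta(seconds=seconds_remaining)
    if remaining <= timedelta(0):
        return "install: passcode prompt, then installation"
    if remaining <= timedelta(minutes=1):
        return "final notice: update pending, no deferral"
    if remaining <= timedelta(hours=1):
        return "final hour: notices at 60/30/10 minutes, deferrable"
    if remaining <= timedelta(hours=24):
        return "hourly notifications, one-hour deferrals, Settings offers install only"
    if remaining <= timedelta(days=14):
        return "daily notification, install or defer"
    return "badge on Settings only, user installs at will"


def enforcement_phase(now, decl):
    """Convenience wrapper: phase for a declaration at a given local datetime."""
    target = datetime.fromisoformat(decl["Payload"]["TargetLocalDateTime"])
    return phase_for_remaining((target - now).total_seconds())


if __name__ == "__main__":
    decl = build_declaration("com.example.ios-17-5-1", "17.5.1", "2024-08-01T09:00:00",
                             target_build_version="21F90",
                             details_url="https://intranet.example/ios-update")
    print(json.dumps(decl, indent=2))
    print("problems:", validate_declaration(decl))
    for days_before in (20, 3, 0.5, 0):
        when = datetime(2024, 8, 1, 9, 0, 0) - timedelta(days=days_before)
        print(f"{days_before:>4} days before:", enforcement_phase(when, decl))
```

Running `validate_declaration` before assigning the declaration catches the mistakes that are easy to make in a free-text field (a time zone suffix on the local date time, a lowercase build letter), and `phase_for_remaining` is a quick way to check that a chosen Target Local Date Time leaves users the notice period you intend before the forced install.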
Something to Keep in Mind
Workspace ONE UEM has a built-in iOS Updates interface, which allows IT admins to schedule and push updates out to devices. This functionality uses software update commands to initiate updates on devices. When using the Software Update Enforcement declaration in DDM, all other software update commands sent to the device are ignored. The Software Update Enforcement declaration takes precedence over all other commands.
For example, if you have used the iOS Updates interface to configure your devices to update to iOS 17.6, and then created a Software Update Enforcement declaration for the same devices to update to 17.6.1, the declaration would be enforced over the other command.
Omnissa is working diligently to integrate the Software Update Enforcement declaration into the existing iOS Updates interface, meaning that IT admins will be able to use both the legacy update functionality and the new DDM Software Update Enforcement declaration within the same iOS Updates interface. Stay tuned for updates on the development process over the next few months.
For more information about using the built-in iOS Update feature in Workspace ONE UEM, please see the below Tech Zone article.
Summary
Software Update Enforcement is a handy tool for ensuring your iOS devices are updated and secure. IT admins can control what updates get applied and when all updates must be completed. Support for Declarative Device Management for managing iOS devices in Workspace ONE UEM is available in version 2406 with support for macOS coming soon.
Declarative Device Management is part of the new Workspace ONE UEM Modern SaaS Architecture, which is currently in the rollout phase with version 2406 to SaaS tenants around the globe. It will be introduced to your tenants in the coming months as the rollout proceeds. If you don’t see it in your tenant now, be patient. It will get there soon enough.