Intune

iOS Declarative Software Updates

By Sebastiaan Smits

During WWDC 2023, Apple introduced new Software Update Controls. The highlight? It will now be possible to enforce software updates on Supervised iOS and iPadOS devices via MDM!

Current Software Update Mechanism

With the existing Software Update options in MDM, you have some control:

  • Postpone Major and Minor updates (up to 90 days).
  • Use Rapid Security Response for emergency patches.
  • Prompt users to download and prepare a specific iOS or iPadOS version.

However, you cannot force the installation—it relies on the user’s choice to either install immediately or schedule it for later.

The Game Changer: Declarative Software Updates

For the first time, you can set a deadline for updates, ensuring installation is enforced. While Apple hasn’t fully detailed what happens at the deadline, it’s reasonable to infer that the device will automatically start the installation and reboot, provided certain conditions (e.g., battery charge) are met. These specifics are yet to be clarified.

How It Works

To clarify, these features are available for macOS as well, but this blog focuses on iOS and iPadOS. The prerequisites are:

  1. iOS and iPadOS 17
  2. Devices must be Supervised
  3. MDM must support the new Declarative Device Management Software Update Profile

The first two are standard—new features often align with the latest software releases, and Supervision ensures the devices are company-owned, justifying this level of control. The third point, however, introduces a significant shift:

Declarative Device Management Framework

This is Apple’s new management approach, enabling devices to:

  • Autonomously apply changes.
  • Report updates back to the MDM server.

MDM vendors must adopt this framework before organizations can leverage these new capabilities. To facilitate adoption, Apple announced Transition Profiles, simplifying the move from traditional MDM to Declarative Device Management. Key pillars of this framework include:

  1. Configurations: Can be pushed to devices in advance and triggered later, allowing on-demand changes.
  2. Predicates: Logical conditions that determine whether the device will apply a configuration.
  3. Asynchronous Data Channels: Status updates are no longer dependent on real-time connections; updates are queued and fetched when ready.

These pillars enable the new Declarative Software Updates.

Breakdown of Declarative Software Updates

  1. Configuration:
    • Apple introduced a new Software Update Configuration to enforce updates by a specific deadline.
    • Identifier: com.apple.configuration.softwareupdate.enforcement.specific
  2. Predicate:
    • The deadline set in the configuration acts as the trigger for installation enforcement.
    • Apple hinted at additional predicates, such as distinguishing between Seed and GM versions or identifying Rapid Security Response patches.
  3. Asynchronous Data Channels:
    • Four new status items for reporting update progress:
      • softwareupdate.install-reason
      • softwareupdate.pending-version
      • softwareupdate.install-state
      • softwareupdate.failure-reason

End-User Experience

The combination of these components ensures a seamless update process:

  • Before the Deadline: Users receive prompts to install updates immediately or schedule them for the night. Alternatively, they can manually install updates via Settings.
  • Prompt Frequency:

    Time Before Deadline     Prompt Frequency
    ----------------------   ----------------
    From deadline setting    Daily
    24 hours before          Hourly
    1 hour before            Every 30 minutes
    30 minutes before        Every 10 minutes

  • Missed Deadline: If the user hasn’t acted and the deadline has passed, they will receive a notification that the update is overdue. The installation will begin one hour later.
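The declaration and the prompt schedule described above can be modeled together. The following is an added example, not code from the original post or from any MDM vendor: the payload key names follow Apple's published declaration schema, while the Identifier value, the function names, and the handling of exact boundary times are assumptions made for illustration.

```python
import uuid
from datetime import timedelta

DECL_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"
# Prompt cadence from the table above: (time remaining up to, prompt interval).
CADENCE = [
    (timedelta(minutes=30), timedelta(minutes=10)),
    (timedelta(hours=1), timedelta(minutes=30)),
    (timedelta(hours=24), timedelta(hours=1)),
]
DAILY = timedelta(days=1)
OVERDUE_GRACE = timedelta(hours=1)  # install begins one hour after a missed deadline


def build_declaration(os_version, deadline, details_url=None):
    """Return the enforcement declaration as a dict ready for json.dumps()."""
    if deadline.tzinfo is not None:
        # TargetLocalDateTime is device-local time and carries no UTC offset.
        raise ValueError("deadline must be a naive (device-local) datetime")
    payload = {
        "TargetOSVersion": os_version,
        "TargetLocalDateTime": deadline.strftime("%Y-%m-%dT%H:%M:%S"),
    }
    if details_url:
        payload["DetailsURL"] = details_url
    return {
        "Type": DECL_TYPE,
        "Identifier": "example.softwareupdate.enforce",  # constructed value
        "ServerToken": str(uuid.uuid4()),  # changes whenever the declaration changes
        "Payload": payload,
    }


def prompt_interval(deadline, now):
    """Interval between user prompts at `now`, or None once the deadline has passed."""
    remaining = deadline - now
    if remaining <= timedelta(0):
        return None  # overdue: the user gets the overdue notification instead
    for window, interval in CADENCE:
        if remaining <= window:  # boundary inclusivity is an assumption
            return interval
    return DAILY


def enforced_install_time(deadline):
    """Earliest time the device starts installing if the user never acts."""
    return deadline + OVERDUE_GRACE
```

Serializing the result of build_declaration() with json.dumps() gives the body an MDM server would hand to the device; enforced_install_time() is useful for planning maintenance windows around the deadline.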

Conclusion

The ability to set deadlines for iOS and iPadOS updates is a much-needed advancement, streamlining update management. However, its adoption depends on MDM vendors implementing the Declarative Update Profiles and facilitating the transition to the Declarative Device Management framework.

Looking ahead, we can expect more sophisticated controls and logic for managing software updates. Declarative Device Management is still in its early stages, but it promises exciting developments in the future.
