
Enforce iOS updates with Intune

By Sebastiaan Smits

In recent years, Apple has made significant changes to its Mobile Device Management (MDM) protocol, introducing a new framework called Declarative Device Management (DDM). This evolution shifts more intelligence and autonomy to the device itself, reducing reliance on the MDM server and enabling features like DDM Software Updates. This functionality is available for iPadOS, iOS, and macOS. While this post focuses on iOS and iPadOS, macOS operates similarly.

Why We Need It

When DDM Software Update was announced during WWDC, it generated considerable excitement. I wrote about it in the blog post "iOS Declarative Software Updates". Prior to this, MDM offered a Software Update Policy, but it often proved unreliable. Updates could be pushed, but they were immediate, with no user warning, and heavily dependent on the MDM server’s timing. As a result, the process worked consistently for only a fraction of devices.

DDM Software Update changes this by allowing devices to manage updates intelligently. It introduces the concept of a ‘Target Date Time,’ the date and time when the update will be enforced, prompting a reboot and installation. Once the device receives this policy, it schedules reminders to inform the user about the update deadline. The reminder schedule is as follows:

  • Upon receiving the policy: Daily reminders
  • 24 hours before the deadline: Hourly reminders
  • 1 hour before the deadline: Every 30 minutes
  • 30 minutes before the deadline: Every 10 minutes

Users can postpone the update, but the frequency of prompts increases as the deadline approaches.

How to Configure in Intune

To set up DDM Software Update in Microsoft Intune, follow these steps:

Microsoft Intune Admin Center > Devices > Configuration profiles > Create profile > iOS/iPadOS > Settings catalog > Create > Add settings > Declarative Device Management (DDM) Software Update.

Configuration Options

  • Name Your Policy: Give your configuration profile an appropriate name.
  • Target Date Time: Specify the enforcement deadline. This is based on the device’s local time.
  • Target OS Version: Define the OS version users will update to. Typically, this is the latest version signed by Apple. When a new major update is released, Apple signs both the new version and the previous one, allowing users to delay adopting the major release while receiving security updates for the current version. (For more on managing update cadences, see this blog post.)
  • Details URL: Optionally, provide a URL with more information about the update for users.
  • Target Build Number: Ensure users install a specific build, if required.
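The options above correspond to the keys of Apple's software update enforcement declaration. The following is an added example, not code from this post or from Intune: it builds that declaration and rejects values that would not enforce as intended. The key names follow Apple's published schema; the identifier, the version and build patterns, the HTTPS-only rule and all sample values are assumptions made for illustration.

```python
import json
import re
import uuid
from datetime import datetime
from urllib.parse import urlparse

DECLARATION_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"

def build_enforcement_declaration(target_os_version, target_local_datetime,
                                  target_build=None, details_url=None,
                                  identifier="com.example.ddm.softwareupdate"):
    """Return the declaration as a dict; raise ValueError on unusable input."""
    # Assumed pattern: two or three dotted numeric components (17.5, 17.5.1).
    if not re.fullmatch(r"\d+(\.\d+){1,2}", target_os_version):
        raise ValueError(f"bad OS version: {target_os_version!r}")
    if not isinstance(target_local_datetime, datetime):
        raise ValueError("deadline must be a datetime")
    # The deadline is evaluated in the device's local time, so a value
    # carrying a UTC offset would not mean what the admin intended.
    if target_local_datetime.tzinfo is not None:
        raise ValueError("deadline must be naive local time, without an offset")
    payload = {
        "TargetOSVersion": target_os_version,
        "TargetLocalDateTime": target_local_datetime.strftime("%Y-%m-%dT%H:%M:%S"),
    }
    if target_build is not None:
        # Assumed pattern for Apple build identifiers such as 21F90.
        if not re.fullmatch(r"\d+[A-Z]\d+[a-z]?", target_build):
            raise ValueError(f"bad build identifier: {target_build!r}")
        payload["TargetBuildVersion"] = target_build
    if details_url is not None:
        parts = urlparse(details_url)
        # HTTPS-only is this example's own rule, not an Apple requirement.
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"details URL must be https: {details_url!r}")
        payload["DetailsURL"] = details_url
    return {"Type": DECLARATION_TYPE, "Identifier": identifier,
            "ServerToken": str(uuid.uuid4()), "Payload": payload}

if __name__ == "__main__":
    # Constructed sample values, not taken from the post.
    decl = build_enforcement_declaration(
        "17.5.1", datetime(2024, 6, 30, 18, 0, 0), target_build="21F90",
        details_url="https://it.example.com/ios-update")
    print(json.dumps(decl, indent=2))
```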


Enforcement Behavior

If a user misses the deadline (e.g., their device is offline), enforcement begins as soon as the device reconnects. At this point, the device resumes at the 24-hour threshold, prompting hourly reminders until the update is installed.

Additionally, certain conditions must be met for the update to proceed, such as sufficient battery life, network connectivity, and available storage. For more details, refer to Apple’s documentation here.

Conclusion

DDM Software Update is a robust tool that significantly enhances how organizations manage iOS updates. By setting clear deadlines and leveraging device autonomy, enterprises can ensure updates are applied efficiently while maintaining user awareness and minimizing disruptions.
