Managed software updates make Apple patch management easier

Apple patch management and macOS and iOS upgrades just got much easier to manage. Learn how to deliver a seamless end-user experience during updates.

October 11, 2024 by Haddayr Copley-Woods

JNUC 2024 Nashville managed software updates: Apple patching got a lot easier

Some Apple admins can find Apple patch management and OS upgrades, well, a bit of a pain in the neck.

David Goldberg, Desktop Engineer at Horizon Blue Cross Blue Shield of NJ, and Adam Derrick, Sales Engineer III at Jamf, discussed the pain points of OS upgrades and Apple patch management and how to improve the experience.

MDM challenges for Apple patch management and OS upgrades

Traditional MDM is dependent on device check-in. The process goes something like this:

  1. Device enrolls into MDM.
  2. MDM pushes policies to the device.
  3. Device reports back its status on a schedule, but not in real time.

Beyond the sheer volume of traffic that can cause update problems, some device states also make updates impossible for legacy MDM. For example, if an iPhone is in a locked state, it isn’t available for updates. This means that the server must call repeatedly to get the job done, and if the device is in an unlocked state the next time it calls, it can update. Otherwise, it will fail.

Considering these issues, it’s no wonder that updating large fleets of devices can sometimes be difficult.

Will DDM save us?

It sure looks like Declarative Device Management (DDM) could be the answer.

What is DDM?

In a nutshell, Apple describes DDM as a “transformative update” to the existing MDM protocol. Instead of depending on status reports that aren’t real-time, DDM allows devices to act proactively and autonomously.

DDM allows this through settings that each Apple admin configures to best meet the needs of their organization. Each device carries instructions on how to react to specific changes in its state and how to take any required action, without waiting for instructions from a server.

Read our DDM blog post, and follow the link to our paper on the topic for more in-depth information.

Why use DDM?

The way DDM allows devices to detect their own state changes and take action makes updates go far more smoothly.

For instance, IT can download updates to devices and then schedule them to run that update during a low-load time of the day or week, such as a Sunday at midnight. Since the update is already on the device, the iPhone can run the update whether in a locked or unlocked state. If there is a problem, the device will try again until the update completes rather than requiring manual pushes.

  • DDM makes more accurate and timely device information available.
  • DDM also makes reporting far easier, as each device can provide a report on its status at any time.
  • Even though DDM enables devices to act autonomously, it gives IT more control over and knowledge about devices.
  • DDM increases device security by making it possible for devices to load the new OS as soon as it’s released, and, of course, Jamf supports OS updates from the day they become available.
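To make the “download now, install Sunday at midnight” pattern concrete, here is an added example (not Jamf’s or Apple’s code, and not something the Jamf Pro UI requires you to write by hand) that generates the enforcement declaration a DDM server would serve for that window. The declaration type and payload keys follow Apple’s published DDM schema as understood here (`com.apple.configuration.softwareupdate.enforcement.specific` with `TargetOSVersion`, `TargetLocalDateTime` and `DetailsURL`); treat them as an assumption and confirm against Apple’s current documentation. The identifier and dates are constructed.

```python
"""Generate a DDM software-update enforcement declaration for the next
Sunday at local midnight.

Added illustration, not Jamf's or Apple's code. The declaration Type and
payload keys follow Apple's DDM schema as assumed here; check Apple's
documentation before relying on them.
"""
import hashlib
import json
from datetime import datetime, timedelta
from typing import Optional

# Assumed declaration type (Apple DDM schema as understood here).
DECLARATION_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"


def next_sunday_midnight(now_iso: str) -> str:
    """First Sunday 00:00 strictly after `now_iso` (naive local time, ISO 8601)."""
    now = datetime.fromisoformat(now_iso)
    days_ahead = (6 - now.weekday()) % 7          # Monday=0 ... Sunday=6
    candidate = (now + timedelta(days=days_ahead)).replace(
        hour=0, minute=0, second=0, microsecond=0)
    if candidate <= now:                          # already Sunday: roll to next week
        candidate += timedelta(days=7)
    return candidate.strftime("%Y-%m-%dT%H:%M:%S")


def build_enforcement_declaration(target_os: str, now_iso: str,
                                  identifier: str,
                                  details_url: Optional[str] = None) -> dict:
    """Assemble the declaration dict a DDM server would serve to devices."""
    payload = {
        "TargetOSVersion": target_os,
        # No timezone suffix: each device interprets the value in its own local
        # zone, so a global fleet updates at *its* Sunday midnight rather than
        # at one UTC instant.
        "TargetLocalDateTime": next_sunday_midnight(now_iso),
    }
    if details_url:
        payload["DetailsURL"] = details_url       # optional link with update details
    # Derive ServerToken from the payload: a device re-fetches a declaration only
    # when its token changes, so an unchanged schedule causes no extra sync traffic.
    token = hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()[:32]
    return {
        "Type": DECLARATION_TYPE,
        "Identifier": identifier,
        "ServerToken": token,
        "Payload": payload,
    }


if __name__ == "__main__":
    # Constructed input: the post's publication date, a Friday morning.
    decl = build_enforcement_declaration(
        "15.0.1", "2024-10-11T09:30:00",
        identifier="example.softwareupdate.enforce-15.0.1")
    print(json.dumps(decl, indent=2))
```

The content-derived `ServerToken` is the design choice worth noting: it is what lets a device that was locked or offline at the scheduled time pick the declaration up unchanged on its next sync and keep retrying, while a change to the target version or time produces a new token and a fresh fetch.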

Introduction of managed software updates

With managed software updates, IT can scope updates and patches using Smart Groups, remaining in full control of how the patches and updates roll out. Custom notifications keep end users in the loop as well.

After Jamf launched the beta of managed software updates at JNUC last year, it kept the feature in beta long enough for everyone to try it and give the developers feedback. Using this feedback, Jamf released it to the general public.

The managed software updates experience

Attendees at the presentation watched a demo of exactly how Jamf’s managed software updates work.

[Screenshot: Jamf’s managed software updates dashboard]

Adam Derrick showed how easy it is to:

  • View inventory information
  • Select from Smart Groups
  • View config profile statuses
  • Send a remote command to download and then schedule an update
  • And more

How do these updates work in the background?

David Goldberg ran attendees through an explanation of how these updates work in the background, including information such as:

  • Workflow for sending and receiving declarations
  • Devices running the update at the scheduled time
  • Devices reporting status and inventory changes to the server

Even with these clear steps, update issues can happen. That’s why managed software updates use DDM to provide unprecedented visibility into update progress, such as information on:

  • Failed updates
  • Devices with power too low or turned off
  • Devices that are deferring updates
  • Devices that do not, for whatever reason, comply

With this real-time information, Apple admins can address issues immediately.
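As an added example (not Jamf’s code and not Jamf Pro’s own reporting), the triage below sorts constructed per-device status records into the buckets just listed: failed, power-related, deferring and otherwise non-compliant, plus the “updated” and “in progress” devices an admin would also want counted. The `softwareupdate.*` field names approximate Apple’s DDM status items as understood here; the `online`, `power.battery` and `softwareupdate.user-deferred` fields, the thresholds and all the device records are assumptions constructed for the example.

```python
"""Triage DDM software-update status reports into actionable buckets.

Added illustration, not Jamf's code. All records below are constructed;
the softwareupdate.* keys approximate Apple's DDM status items, and the
online / power.battery / user-deferred fields are assumed for the example.
"""
from collections import defaultdict
from typing import Dict, List

TARGET_VERSION = "15.0.1"   # constructed fleet target
LOW_BATTERY_PCT = 20        # assumed threshold below which the OS will not start an install

# Constructed status reports, one per device (not real data).
STATUS_REPORTS = [
    {"device": "mac-001", "os.version": "15.0.1", "online": True, "power.battery": 95,
     "softwareupdate.install-state": "Idle"},
    {"device": "mac-002", "os.version": "14.6.1", "online": True, "power.battery": 80,
     "softwareupdate.install-state": "Installing", "softwareupdate.pending-version": "15.0.1"},
    {"device": "mac-003", "os.version": "14.6.1", "online": True, "power.battery": 70,
     "softwareupdate.install-state": "Idle", "softwareupdate.failure-reason": "InstallerError"},
    {"device": "mac-004", "os.version": "14.6.1", "online": False, "power.battery": 60,
     "softwareupdate.install-state": "Idle"},
    {"device": "mac-005", "os.version": "14.6.1", "online": True, "power.battery": 12,
     "softwareupdate.install-state": "Idle", "softwareupdate.pending-version": "15.0.1"},
    {"device": "mac-006", "os.version": "14.6.1", "online": True, "power.battery": 88,
     "softwareupdate.install-state": "Idle", "softwareupdate.pending-version": "15.0.1",
     "softwareupdate.user-deferred": True},
    {"device": "mac-007", "os.version": "14.6.1", "online": True, "power.battery": 90,
     "softwareupdate.install-state": "Idle"},
]


def classify(report: dict, target: str = TARGET_VERSION) -> str:
    """Return the triage bucket for one device status report.

    Order matters: a failure is reported before power or deferral state so
    that a device that both failed and went offline surfaces as 'failed'.
    """
    if report.get("os.version") == target:
        return "updated"
    if report.get("softwareupdate.failure-reason"):
        return "failed"
    if report.get("softwareupdate.install-state") in ("Downloading", "Installing"):
        return "in_progress"
    if not report.get("online", False) or report.get("power.battery", 100) < LOW_BATTERY_PCT:
        return "power"            # turned off / unreachable, or too little charge to install
    if report.get("softwareupdate.user-deferred"):
        return "deferring"
    return "noncompliant"         # reachable, powered, not deferring, still not at target


def triage(reports: List[dict], target: str = TARGET_VERSION) -> Dict[str, List[str]]:
    """Group device identifiers by bucket, each list sorted for stable output."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for report in reports:
        buckets[classify(report, target)].append(report["device"])
    return {name: sorted(devices) for name, devices in buckets.items()}


def compliance_rate(reports: List[dict], target: str = TARGET_VERSION) -> float:
    """Fraction of devices already at the target version (0.0 to 1.0)."""
    if not reports:
        return 0.0
    at_target = sum(1 for r in reports if r.get("os.version") == target)
    return at_target / len(reports)


if __name__ == "__main__":
    for bucket, devices in triage(STATUS_REPORTS).items():
        print(f"{bucket:13s} {', '.join(devices)}")
    print(f"compliance: {compliance_rate(STATUS_REPORTS):.0%}")
```

Because each device pushes its own status rather than waiting to be polled, a report like this can be regenerated on every status change; the “failed” and “noncompliant” lists are the ones an admin acts on immediately, while “power” and “deferring” devices will typically resolve on their own as the device retries.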

Managed software updates takeaways

While no process is completely foolproof, Goldberg has found that managed software updates with DDM and Jamf Pro are far more reliable than legacy MDM. He has also received excellent feedback from end users at his organization about software updates. (And perhaps some complaints from professors who don’t want to update at all — this points to increased security and compliance standards that are met when using DDM.)

Jamf’s commitment to remaining in lockstep with Apple and taking advantage of all DDM improvements as soon as they are released means that managed software updates are only going to get better and better.