Enforce OS updates

Available in Fleet Premium

In Fleet, you can enforce OS updates on your macOS, Windows, iOS, and iPadOS hosts remotely using the Fleet UI, Fleet API, or Fleet's GitOps workflow.

For Apple (macOS, iOS, and iPadOS) hosts, Apple requires that the OS version is one from the list of available OS versions. The update will only be enforced if you use a version in that list.

Fleet UI

1. Head to the Controls > OS updates tab.

2. To enforce OS updates for enrolled macOS, iOS, or iPadOS hosts, select the platform and set a Minimum version and Deadline.

3. For Windows, select Windows and set a Deadline and Grace period.

4. macOS only: check "Update new hosts to latest" if you would like hosts to automatically update to the latest OS version during automatic (ADE) enrollment, regardless of the minimum version and deadline settings.

Fleet API

Use the modify team endpoint to turn on minimum OS version enforcement. The relevant payload keys in the mdm object are:

• macos_updates
• ios_updates
• ipados_updates
• windows_updates

GitOps

OS version enforcement options are declared within the controls section of a Fleet GitOps YAML file, using the following keys:

• macos_updates
• ios_updates
• ipados_updates
• windows_updates

Apple (macOS, iOS, and iPadOS) end user experience

On macOS hosts, when a minimum version is enforced, end users see a native macOS notification (DDM) once per day. Users can choose to update ahead of the deadline or schedule it for that night. 24 hours before the deadline, the notification appears hourly and ignores Do Not Disturb. One hour before the deadline, the notification appears every 30 minutes and then every 10 minutes.

Certain user preferences may suppress macOS update notifications. To prevent users from being surprised by a forced update or unexpected restart, consider communicating OS update deadlines through additional channels.

On iOS and iPadOS hosts, end users will see a notification in their Notification Center after the deadline. They can’t use their iPhone or iPad until the OS update is installed.

If the host was turned off when the deadline passed, the update will be scheduled an hour after it’s turned on.

If you set a past date (ex. yesterday) as the deadline, the end user will immediately be prompted to install the update. If they don't, the update will automatically install in one hour. Similarly, if you set the deadline to today, end users will experience the same behavior if it's after 12 PM (end user local time).

Update new hosts to latest

You can require hosts that automatically enroll via ADE to update to the latest version before they enroll to Fleet (during Setup Assistant).

For macOS hosts, in Fleet, head to Controls > OS updates and check the Update new hosts to latest checkbox.

For iOS/iPadOS hosts, set a minimum version and deadline. New iOS/iPadOS hosts will always update to the latest version (not the minimum version specified). On already enrolled hosts, updates are only enforced if the host is below the minimum version.

Windows end user experience

End users are encouraged to update Windows via the native Windows dialog.

If an end user was on vacation when the deadline passed, the end user is given a grace period (configured) before the host automatically restarts.

Fleet enforces OS updates for quality and feature updates. Microsoft provides documentation on types of Windows updates.