Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Device management + MDM Observability + scripting, monitoring Software management + CVEs, usage, app library Integrations
Get started Built-in checks Raw data Tutorials & guides API SUPPORT Chat Contribute Release notes "Why is Fleet on my computer?" Get your license
Stories
What people are saying News Ask around Take a tour COMPANY Origins   (Fleet & osquery) The handbook Logos/artwork Why open source?
Pricing Try it yourself
{{thisPage.meta.articleTitle}}
search

Enforce OS updates

{{articleSubtitle}}

| The author's GitHub profile picture

Noah Talerman

Share this article on Hacker News Share this article on LinkedIn Share this article on Twitter
Docs Docs REST API REST API Guides Guides Talk to us Talk to us

Enforce OS updates

{{articleSubtitle}}

| The author's GitHub profile picture

Noah Talerman

Enforce OS updates

Available in Fleet Premium

In Fleet, you can enforce OS updates on your macOS, Windows, iOS, and iPadOS hosts remotely using the Fleet UI, Fleet API, or Fleet's GitOps workflow.

Turning on enforcement

Fleet UI

  1. Head to the Controls > OS updates tab.

  2. To enforce OS updates for macOS, iOS, or iPadOS, select the platform and set a Minimum version and Deadline.

  3. For Windows, select Windows and set a Deadline and Grace period.

Fleet API

Use the modify team endpoint to turn on minimum OS version enforcement. The relevant payload keys in the mdm object are:

  • macos_updates
  • ios_updates
  • ipados_updates
  • windows_updates

GitOps

OS version enforcement options are declared within the controls section of a Fleet GitOps YAML file, using the following keys:

End user experience

macOS

When a minimum version is enforced, end users see a native macOS notification (DDM) once per day. Users can choose to update ahead of the deadline or schedule it for that night. 24 hours before the deadline, the notification appears hourly and ignores Do Not Disturb. One hour before the deadline, the notification appears every 30 minutes and then every 10 minutes.

If the host was turned off when the deadline passed, the update will be scheduled an hour after it’s turned on.

For macOS devices that use Automated Device Enrollment (ADE), if the device is below the specified minimum version, it will be required to update to the latest available version during ADE before device setup and enrollment can proceed.

iOS and iPadOS

End users will see a notification in their Notification Center after the deadline when a minimum version is enforced. They can’t use their iPhone or iPad until the OS update is installed.

For iOS and iPadOS devices that use Automated Device Enrollment (ADE), if the device is below the specified minimum version, it will be required to update to the latest available version during ADE before device setup and enrollment can proceed.

Available macOS, iOS, and iPadOS versions

The Apple Software Lookup Service (available at https://gdmf.apple.com/v2/pmv) is the official resource for obtaining a list of publicly available updates, upgrades, and Rapid Security Responses. Make sure to use versions available in GDMF; otherwise, the update will not be scheduled.

Windows

End users are encouraged to update Windows via the native Windows dialog.

Before deadline Past deadline
End user can defer automatic restart

If an end user was on vacation when the deadline passed, the end user is given a grace period (configured) before the host automatically restarts.

Fleet enforces OS updates for quality and feature updates. Read more about the types of Windows OS updates in the Microsoft documentation here.

macOS (below version 14.0)

End users are encouraged to update macOS (via Nudge).

Nudge window

> 1 day before deadline < 1 day before deadline Past deadline
Nudge window frequency Once a day at 8pm GMT Once every 2 hours Immediately on login
End user can defer
Nudge window is dismissible