Solutions
Device management
Remotely manage, and protect laptops and mobile devices.
Orchestration
Automate tasks across devices, from app installs to scripts.
Software management
Inventory, patch, and manage installed software.
Extend Fleet
Integrate your favorite tools with Fleet.
Customers
Stripe + Fleet
Stripe moved 10,000 Macs to Fleet, saving hundreds of thousands annually
Foursquare + Fleet
Foursquare quickly migrates to Fleet for device management.
Faire + Fleet
Faire secures Macs with CIS benchmarks and Fleet
What people are saying
Stories from the Fleet community.
Pricing
More
Enforce OS updates
{{articleSubtitle}}
Noah Talerman
Docs
REST API
Guides
Get a demo
Suggest an editEnforce OS updates
{{articleSubtitle}}
Noah Talerman
Enforce OS updates
Available in Fleet Premium
In Fleet, you can enforce OS updates on your macOS, Windows, iOS, and iPadOS hosts remotely using the Fleet UI, Fleet API, or Fleet's GitOps workflow.
For Apple (macOS, iOS, and iPadOS) hosts, Apple requires that the OS version is one from the list of available OS versions. The update will only be enforced if you use a version in that list.
Fleet UI
Head to the Controls > OS updates tab.
To enforce OS updates for enrolled macOS, iOS, or iPadOS hosts, select the platform and set a Minimum version and Deadline.
For Windows, select Windows and set a Deadline and Grace period.
macOS only: check "Update new hosts to latest" if you would like hosts to automatically update to the latest OS version during automatic (ADE) enrollment, regardless of the minimum version and deadline settings.
Fleet API
Use the modify team endpoint to turn on minimum OS version enforcement. The relevant payload keys in the mdm object are:
macos_updatesios_updatesipados_updateswindows_updates
GitOps
OS version enforcement options are declared within the controls section of a Fleet GitOps YAML file, using the following keys:
Apple (macOS, iOS, and iPadOS) end user experience
On macOS hosts, when a minimum version is enforced, end users see a native macOS notification (DDM) once per day. Users can choose to update ahead of the deadline or schedule it for that night. 24 hours before the deadline, the notification appears hourly and ignores Do Not Disturb. One hour before the deadline, the notification appears every 30 minutes and then every 10 minutes.
Certain user preferences may suppress macOS update notifications. To prevent users from being surprised by a forced update or unexpected restart, consider communicating OS update deadlines through additional channels.
On iOS and iPadOS hosts, end users will see a notification in their Notification Center after the deadline. They can’t use their iPhone or iPad until the OS update is installed.
If the host was turned off when the deadline passed, the update will be scheduled an hour after it’s turned on.
If you set a past date (ex. yesterday) as the deadline, the end user will immediately be prompted to install the update. If they don't, the update will automatically install in one hour. Similarly, if you set the deadline to today, end users will experience the same behavior if it's after 12 PM (end user local time).
Update new hosts to latest
You can require hosts that automatically enroll via ADE to update to the latest version before they enroll to Fleet (during Setup Assistant).
For iOS/iPadOS hosts, set a minimum version and deadline.
For macOS hosts, in Fleet, head to Controls > OS updates and check the Update new hosts to latest checkbox.
Windows end user experience
End users are encouraged to update Windows via the native Windows dialog.
| Before deadline | Past deadline | |
|---|---|---|
| End user can defer automatic restart | ✅ | ❌ |
If an end user was on vacation when the deadline passed, the end user is given a grace period (configured) before the host automatically restarts.
Fleet enforces OS updates for quality and feature updates. Microsoft provides documentation on types of Windows updates.
SOC2 Type 2
