
Workspace ONE UEM – macOS & iOS Software Update Enforcement

Introduction

One of the advantages of the Workspace ONE UEM Modern SaaS architecture (aka ModStack) is the ability to use Apple’s Device Declarations. Using Declarative Device Management profiles, software updates can now be enforced on endpoints.

In this blog I would like to show you how to configure this and also explain what the behavior is in the period before the Software Update is actually enforced.

Prerequisites: The Workspace ONE UEM tenant runs at least on version 2410 and Modern SaaS Architecture is enabled.

Configuring the profile

Navigate to “Resources –> Profiles –> Add Profile”.

 

Select “iOS or macOS”. In this example I am creating a Declarative Device Management profile for macOS.

Select “Declarative, Configuration and Device”

Give the profile a name and configure the “Software Update Enforcement” section: fill out the Target OS Version, the Target Local Date Time and the Details URL. Finally, Save & Assign the profile to the Smart Group which contains your target devices.
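As an added example (not from the original post or from Omnissa): the three fields above are assumed to populate Apple's `com.apple.configuration.softwareupdate.enforcement.specific` declaration, whose `TargetLocalDateTime` carries no UTC offset, so the deadline falls at a different instant in each device's time zone. The Python below classifies a constructed inventory against a constructed declaration; the inventory field names and all sample values are hypothetical.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: Identifier, version, date and URL are placeholders.
DECLARATION = json.loads("""{
  "Type": "com.apple.configuration.softwareupdate.enforcement.specific",
  "Identifier": "example.softwareupdate.enforce",
  "Payload": {
    "TargetOSVersion": "15.3.1",
    "TargetLocalDateTime": "2025-03-01T18:00:00",
    "DetailsURL": "https://example.com/updates"
  }
}""")

def parse_version(text):
    """'15.10' -> (15, 10, 0) so versions compare numerically, not as strings."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def deadline_utc(payload, utc_offset_hours):
    """TargetLocalDateTime has no offset: the deadline is local to each device."""
    local = datetime.fromisoformat(payload["TargetLocalDateTime"])
    if local.tzinfo is not None:
        raise ValueError("TargetLocalDateTime must not carry a UTC offset")
    device_zone = timezone(timedelta(hours=utc_offset_hours))
    return local.replace(tzinfo=device_zone).astimezone(timezone.utc)

def status(device, payload, now_utc):
    """compliant = at or above target; overdue = below target past its deadline."""
    if parse_version(device["os"]) >= parse_version(payload["TargetOSVersion"]):
        return "compliant"
    if now_utc >= deadline_utc(payload, device["utc_offset_hours"]):
        return "overdue"
    return "pending"

# Constructed inventory rows (hypothetical field names, not a Workspace ONE export).
DEVICES = [
    {"name": "mac-01", "os": "15.3.1", "utc_offset_hours": 1},
    {"name": "mac-02", "os": "15.2", "utc_offset_hours": 1},
    {"name": "mac-03", "os": "15.2", "utc_offset_hours": -8},
    {"name": "mac-04", "os": "15.10", "utc_offset_hours": 1},
]

def report(now_utc):
    return {d["name"]: status(d, DECLARATION["Payload"], now_utc) for d in DEVICES}

if __name__ == "__main__":
    print(report(datetime(2025, 3, 1, 20, 0, tzinfo=timezone.utc)))
```

At 20:00 UTC on the deadline day, the device at UTC+1 is already overdue while the one at UTC-8 is still pending, and `15.10` is correctly treated as newer than `15.3.1`.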

End User Experience

The installed Device Declaration is visible within the Settings menu –> General –> Device Manager

 

The end user will receive a notification.

When the configured time is reached and the software update is fully downloaded and prepared, the device is forced to restart and install the update. (The timelines are explained in more detail in the next section.)

Understanding Apple’s Managed Software Update Timelines

Apple provides a flexible framework for managing software updates on supervised devices using Managed Software Updates. Admins can control when and how updates are presented to users by specifying deferral times. Here’s how the process unfolds based on the chosen delay period:

⏳ 30 Days – Maximum Flexibility

  • User Interface: Settings app

  • User Experience:

    • Update is shown as available.

    • The user sees two options:

      • Install: Begin update immediately.

      • Try Tonight: Schedule update for overnight installation.

📅 14 Days – Gentle Reminder

  • Notification Frequency: Once per day

  • User Experience:

    • A managed update is available.

    • The same two options are presented:

      • Install

      • Try Tonight

🕒 24 Hours – Prompt Action

  • User Interface: Settings app

  • User Experience:

    • Update is shown as available.

    • Only Install is available—no option to defer overnight.

🔔 1 Hour – Urgent Notification

  • Notification Frequency: Once per hour

  • User Experience:

    • Managed update is available.

    • User can only select Install.

⏱ Final Countdown – Forced Install

  • Status: Managed installation pending

  • Countdown Notifications:

    • 60 minutes remaining

    • 30 minutes remaining

    • 10 minutes remaining

    • 1 minute remaining

  • The update installs automatically once the timer ends.

 

What Happens When a Software Update Deadline is Missed?

Apple provides a structured and automated flow for managing missed software update deadlines across iOS, iPadOS, and macOS devices. Here’s how it works when a device misses the specified “Install by” date.

🧭 Enforcement Logic (Post-Deadline)

Once the enforcement date passes, the following steps are triggered:

  • Step 1 – Check Update Status:
    The system checks whether the update is already prepared.

  • Step 2 – If Not Prepared:
    The update is downloaded and then prepared.

  • Step 3 – If Already Prepared:
    The device schedules the update to be installed within 60 minutes.

  • Step 4 – Installation:
    The update is applied. If missed or interrupted again, the process is retried at the next opportunity when the device is powered on and connected to the internet.

🔐 Device Behavior per Platform

  • iOS / iPadOS:
    The user must enter their passcode (if set), unless it was recently entered.

  • macOS:

    • All open apps are force-closed (documents included).

    • The device restarts if required.

    • On Apple Silicon Macs, a bootstrap token (if available) is used to authorize the update. Otherwise, the user is prompted for credentials.


💡 Declarative Device Management in Action

A standout feature of Declarative Device Management (DDM) is device autonomy. Instead of the MDM server triggering updates manually, it declares a desired state, and the device ensures it reaches that state—even if the first attempt fails.

If the update couldn’t be enforced, e.g. due to:

  • Lack of internet,

  • Low battery,

  • Insufficient storage,

  • Or other blockers,

…the device will automatically retry once conditions allow.

When conditions are met:

  • The update is re-downloaded and prepared.

  • A notification informs the user that installation is overdue.

  • The device attempts installation again within 1 hour.

This loop continues until the update is successfully applied.

Additional information:

https://support.apple.com/en-gb/guide/deployment/depd30715cbb/web

https://community.omnissa.com/technical-blog/software-update-enforcement-for-ios-devices-in-workspace-one-uem-r72/

Roderik de Block
