Skip to main content
This guide applies to iOS devices, iPadOS devices, and Apple TV
This Library Item requires supervision.
Keeping the operating systems of a fleet of Apple devices up to date can be a lot of work if done interactively. Managed OS allows you to automate this work on your supervised devices without the need to send multiple MDM commands and prompts to users manually. Enable Managed OS for iOS, iPadOS, and tvOS, and Iru Endpoint will take care of the rest.

About Managed OS for iOS, iPadOS, and tvOS

Managed OS for iOS, iPadOS, and tvOS deploys and enforces OS updates across your fleet of supervised Apple mobile and TV devices. On iOS 17, iPadOS 17, and tvOS 17 and later, updates are delivered via Declarative Device Management (DDM). Iru handles:
  • Update detection: Iru monitors for available OS updates from Apple
  • Download and caching: Updates are automatically downloaded and cached on devices
  • User notification: Users are notified of pending updates with enforcement deadlines
  • Automatic installation: Updates are installed according to your configured schedule
  • Compliance monitoring: Iru tracks which devices have successfully updated
For how Rolling enforcement calculates the floor, how Enforce a Specific Version differs from Manually Enforce Minimum Version, notifications, and first-time fleet enforcement recommendations, see Understanding Managed OS for Apple Platforms.

Enabling Managed OS in your Library

Deploying and enforcing an OS version is as easy as adding a Managed OS Library Item to your Library and assigning it to a Blueprint. Follow the steps below. To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.

Enabling Multiple Managed OS Library Items

Iru Endpoint supports adding the same Managed OS to your Library multiple times. This is useful when it’s desired to configure differing settings for different Blueprints. For example, you can have Managed OS update devices automatically 1 week after Apple releases an update in one Blueprint, while having it do the same up to 3 months after the release in another. Labels are used to differentiate multiple copies of the same Managed OS (see the steps below). For how to set a Label on any Library Item, see Library Item Labels in Library Overview.

Configuring Managed OS

1

Enter a Label

Enter a Label to help differentiate this instance of Managed OS from others in your Library. These labels are not visible to end users, but are displayed throughout the Iru Endpoint Web App. See Library Item Labels in Library Overview for steps.
2

Assign to Blueprints

Assign to your desired Blueprints.
3

Configure Version Enforcement

Under Updates, select an option for Version Enforcement. Available options include the following:
Managed OS Version Enforcement options

Do Not Manage

This option will not manage OS updates.

Rolling enforcement

Select Within (1 day, 2 days, 1 week, 2 weeks, 3 weeks, 1 month, 2 months, or 3 months) of release and at a time for enforcement.
Managed OS for iOS, iPadOS, and tvOS Rolling enforcement Within and at settings

Manually Enforce Minimum Version

Specify the Minimum Version a device should be running and the Enforcement Deadline date by which users must update. No updates will be enforced if a device is already running an OS version greater than the specified minimum. You will also select an Enforcement Time.
Managed OS for iOS, iPadOS, and tvOS Manually Enforce Minimum Version settings

Enforce a Specific Version

Uses the same version selection dropdown and enforcement scheduling fields as Manually Enforce Minimum Version—select a Specific version, an Enforcement Deadline (on), and an Enforcement Time (at). Unlike Manually Enforce Minimum Version, this option enforces that exact OS version rather than a minimum floor.
Managed OS for iOS, iPadOS, and tvOS Enforce a Specific Version settings
For how each Version Enforcement option behaves after you save—including floors and user notifications—see Version Enforcement option behavior in Understanding Managed OS for Apple Platforms.
1

Configure Background Security Improvements Enforcement

Under Background Security Improvements Enforcement, choose whether to automatically enforce these updates when Apple makes them available. Options:
  • None: Background Security Improvements will not be enforced.
  • Automatically enforce: Choose the enforcement timeframe and local time for enforcement.
2

Set Background Security Improvements Enforcement Timeframe

Select an Enforcement timeframe for Background Security Improvements.
3

Configure Background Security Improvements Enforcement Time

Select an Enforcement Time, the time of day Background Security Improvements are enforced in the device’s local time zone.
4

Save the configuration

Click Save in the bottom right corner.
Background Security Improvements apply only to devices on the latest OS version; users must be on the latest OS before these updates can be enforced. Background Security Improvements use Declarative Device Management for enforcement. Automatically enforce under Background Security Improvements is separate from Rolling enforcement under Updates → Version Enforcement.

Passcode Considerations

At the enforcement deadline, on iOS and iPadOS devices with a passcode, the security architecture of iOS and iPadOS requires users to be prompted for the update and to enter their passcodes. On tvOS, and on iOS and iPadOS devices without passcodes, updates will be cached by Iru Endpoint and the update will be applied without user intervention at the enforcement deadline. For more details, see User Experience with Managed OS for iOS, iPadOS, and tvOS.

Understanding Managed OS for Apple Platforms

Understand how Managed OS enforcement works on Apple devices

User Experience with Managed OS for iOS, iPadOS and tvOS

What to expect when Managed OS updates run on your device

Declarative Device Management and Managed OS

About Apple DDM and Managed OS in Iru Endpoint

OS Update Strategies: OS Deferral Restriction and Managed OS

Compare different OS update management strategies

Delay and Enforce OS Updates

Configure OS update delays and enforcement policies