Skip to main content
This guide applies to iOS, iPadOS, and tvOS devices
This Library Item requires supervision.
Keeping the operating systems of a fleet of Apple devices up to date can be a lot of work if done interactively. Managed OS allows you to automate this work on your supervised devices without the need to send multiple MDM commands and prompts to users manually. Enable Managed OS for iOS, iPadOS, and tvOS, and Iru Endpoint will take care of the rest.

About Managed OS for iOS, iPadOS, and tvOS

Managed OS for iOS, iPadOS, and tvOS allows you to automatically deploy and enforce OS updates across your fleet of Apple mobile and TV devices. Instead of manually managing OS updates, you can configure Iru Endpoint to handle the entire update process, including downloading, caching, and installing updates according to your specified schedule.

How It Works

Iru Endpoint manages iOS, iPadOS, and tvOS updates through MDM commands and device coordination. When you configure Managed OS, Iru handles the entire update lifecycle:
  • Update detection - Iru monitors for available OS updates from Apple
  • Download and caching - Updates are automatically downloaded and cached on devices
  • User notification - Users are notified of pending updates with enforcement deadlines
  • Automatic installation - Updates are installed according to your configured schedule
  • Compliance monitoring - Iru tracks which devices have successfully updated

Enabling Managed OS in your Library

Deploying and enforcing an OS version is as easy as adding a Managed OS Library Item to your Library and assigning it to a Blueprint. Follow the steps below. To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.

Enabling Multiple Managed OS Library Items

Iru Endpoint supports adding the same Managed OS to your Library multiple times. This is useful when it’s desired to configure differing settings for different Blueprints. For example, you can have Managed OS update devices automatically 1 week after Apple releases an update in one Blueprint, while having it do the same up to 3 months after the release in another. Labels are used to differentiate multiple copies of the same Managed OS (see the steps below).

Configuring Managed OS

1

Enter a Label

Enter a Label to help differentiate this instance of Managed OS from others in your Library. These labels are not visible to end users, but are displayed throughout the Iru admin interface.
2

Assign to Blueprints

Assign to your desired Blueprints.
3

Select Version Enforcement

On the configuration page, select an option for Version enforcement. Available options include:
  • Do Not Manage: This option will not manage OS updates.
  • Automatically Enforce New Updates: This option allows you to pick a default time frame in which new updates will be enforced. This time frame is calculated based on the date Apple released the update.
  • Manually Enforce Minimum Version: This option allows you to specify a minimum version of the OS that devices must be running, as well as the date by which users must update. Note: This minimum version determines whether Iru Endpoint should update the device. When updating, Iru Endpoint always installs the latest available version.
4

Configure Minimum Version

If you select Manually Enforce Minimum Version—which we recommend if it’s the first time you’re managing OS updates for your devices—you will see the Minimum Version option to select an OS version to check for before Iru Endpoint enforces an update.
5

Set Enforcement Deadline

Select an Enforcement deadline. This is the date by which the minimum OS version must be met or else an update will be enforced. Updates will be cached on user devices as soon as they are made available in Iru Endpoint.
6

Configure Enforcement Time

Select an Enforcement Time, which will be the exact time of day that the update is enforced; that enforcement time will be determined server-side based on the selected Enforcement Time Zone.
7

Select Time Zone

Select an Enforcement Time Zone to determine when to enforce the update.
8

Configure Background Security Improvements Enforcement

Under Background Security Improvements Enforcement, choose whether to automatically enforce these updates when Apple makes them available. Options:
  • None: Background Security Improvements will not be enforced.
  • Automatically enforce: Choose the enforcement timeframe and local time for enforcement.
9

Set Background Security Improvements Enforcement Timeframe

Select an Enforcement timeframe for Background Security Improvements.
10

Configure Background Security Improvements Enforcement Time

Select an Enforcement Time, which will be the exact time of day that Background Security Improvements are enforced; the enforcement will be determined server-side based on the previously selected Enforcement Time Zone.
11

Save the configuration

Click Save in the bottom right corner.
Background Security Improvements apply only to devices on the latest OS version; users must be on the latest OS before these updates can be enforced. Background Security Improvements use Declarative Device Management for enforcement.

Initial configuration recommendation

When you transition to using a Managed OS Library Item, there’s a danger of immediately causing an interruption for devices that aren’t already up to date. If this is your first time enforcing an OS version on your fleet, we recommend using the Manually Enforce Minimum Version option and setting the Enforcement deadline to at least 5 days later. This will prevent devices that are running older OS versions from being forced to update immediately to reach compliance.

Passcode Considerations

At the enforcement deadline, on iOS and iPadOS devices with a passcode, the security architecture of iOS and iPadOS requires users to be prompted for the update and to enter their passcodes. On tvOS, and on iOS and iPadOS devices without passcodes, updates will be cached by Iru Endpoint and the update will be applied without user intervention at the enforcement deadline. For more details, see User Experience with Managed OS for iOS, iPadOS, and tvOS.