Skip to main content
This guide applies to Mac computers
Managed OS is a feature in Iru Endpoint that allows an admin to specify a minimum OS version a supervised Mac must be running, and can enforce updating to the latest version if that minimum version is not met. This is all done with a simplicity similar to our Auto Apps feature.

About Managed OS Compatibility and Installation Mechanisms

Managed OS compatibility and installation mechanisms determine how OS updates are delivered and installed on Mac computers. Understanding these mechanisms helps ensure successful update deployment and troubleshooting.

How It Works

Iru Endpoint uses different installation mechanisms depending on the macOS version and update type:
  • Software Update - Standard Apple Software Update mechanism
  • Install Assistant - Full OS installer for major version updates
  • Rapid Security Response - Quick security patches without full OS updates
  • Background updates - Automatic updates for system components
Managed OS for macOS compatibility varies by Mac computer architecture and macOS version, and different installation mechanisms are used.

Mac computers with Apple Silicon

Current macOS VersionmacOS Monterey (12) Minor UpdatesmacOS Monterey (12) Major UpgradesmacOS Ventura (13) Minor UpdatesmacOS Ventura (13) Major UpgradesmacOS Sonoma (14) Minor UpdatesmacOS Sonoma (14) Major Upgrades
12.0.1+MDM CommandsMDM CommandsMDM Commands
13.0+MDM CommandsMDM Commands
14.0+DDM

Mac computers with Intel

Current macOS VersionmacOS Monterey (12) Minor UpdatesmacOS Monterey (12) Major UpgradesmacOS Ventura (13) & Sonoma (14) Minor UpdatesmacOS Ventura (13) & Sonoma (14) Major Upgrades
12.0.1+MDM Commandsstartosinstall CLIMDM Commandsstartosinstall CLI
13.0+MDM CommandsMDM Commands
14.0+DDM

Mac computers upgrading to macOS Monterey or later

Mac computers can have a macOS Monterey or macOS Ventura upgrade enforced with Iru Endpoint. Mac computers with Apple silicon will be upgraded using MDM commands. Intel-based Mac computers enforce the upgrade by locally caching the full installer and executing the startosinstall binary.
For Mac computers with Apple silicon, Iru Endpoint uses the ScheduleOSUpdate MDM command with the InstallASAP install action once the user starts the upgrade or the enforcement timer reaches zero. Because macOS handles the download and install of the upgrade in the same action, there can potentially be long delays and user wait times. Note that macOS also does not provide user-visible progress during the process — the Mac will simply restart when ready.

All Mac computers, macOS 12 or later

Every Mac computer running a macOS version of 12 or later uses MDM commands or DDM (Declarative Device Management) to download and install macOS updates. For more information on DDM, please see our Declarative Device Management and Managed OS support article.

Caching Considerations

If a Mac computer already has an update cached (either by the user caching the update via System Preferences, the softwareupdate CLI, or automatic downloads being enabled via the Software Update Library Item), macOS may not accurately report this state to Iru Endpoint. As a result, Iru Endpoint interprets multiple non-progressing downloads or failures as an indicator that the update is already cached. This process currently takes three hours, after which the Kandji Agent will move to enforce the update under that assumption.

What Kind of macOS Updates Can I Manage?

With Managed OS for macOS, Iru Endpoint allows you to enforce a minimum OS version. This supports updates (such as 14.2.1 to 14.3) and macOS upgrades (such as macOS Ventura to macOS Sonoma).
This feature does not support downgrading macOS versions, and does not support supplemental updates offered to macOS versions prior to macOS Monterey.

Deployment Considerations

Managed OS for macOS is not compatible with blocking the Software Update System Preferences pane via any method, and can produce unexpected behavior.
If you choose to use the Automatically Enforce New Updates option, the enforcement schedule is based on the release date of an update from Apple. For example, if you set the timeline to 2 weeks, but Apple hasn’t released a new update in the last 2 weeks, at the next check-in, the Kandji Agent would begin enforcing the latest available update because it’s more than 2 weeks old. As a result, all of your out-of-date Mac computers would show the 30-minute countdown and require users to update and restart. For that reason, if this is your first time enforcing a minimum macOS version on your fleet, Iru Endpoint strongly recommends using the Manually Enforce Minimum Version option and setting the enforcement deadline to at least 5 days away. That way, users with out-of-date Mac computers will start receiving update notifications 5 days before the enforcement deadline versus right away. To learn more about configuring Managed OS, follow our configuration guide.
To avoid potential conflicts with the pre-downloading and caching of an update in Iru Endpoint before enforcement, if you’re using Managed OS, we strongly recommend that you disable the automatic download of updates in any Software Update Library Items used in a Blueprint where Managed OS is also used.
To learn more about Managed OS, please see our other support articles: Configuring Managed OS for macOS User Experience with Managed OS for macOS Understanding Common Managed OS for macOS Errors