This guide applies to macOS, iOS, iPadOS, and tvOS
About Managed OS
Managed OS deploys and enforces OS updates across your fleet of Apple devices. Updates are delivered via Declarative Device Management (DDM) on supported versions. Which OS version a device receives when it updates depends on Version Enforcement: Rolling enforcement and Manually Enforce Minimum Version install the latest Iru-approved update; Enforce a Specific Version enforces the OS version you select. For configuration steps, see Configuring Managed OS for macOS or Configuring Managed OS for iOS, iPadOS, and tvOS.Version Enforcement
Under Updates, choose how OS updates are enforced. Rolling enforcement and Manually Enforce Minimum Version set a minimum version floor; Enforce a Specific Version targets an exact OS version by a deadline.| Option | Sets a floor? | OS version installed | Key configuration fields |
|---|---|---|---|
| Do Not Manage | No | No Managed OS enforcement | — |
| Rolling enforcement | Yes (from Apple’s release date) | Latest Iru-approved version | Within (1 day, 2 days, 1 week, 2 weeks, 3 weeks, 1 month, 2 months, or 3 months) of release, at |
| Manually Enforce Minimum Version | Yes (admin-set minimum) | Latest Iru-approved version | Minimum version, Enforcement Deadline, Enforcement Time |
| Enforce a Specific Version | No (exact target) | Selected Specific version | Specific version, Enforcement Deadline, Enforcement Time |
Shared enforcement behavior
- When DDM is in use, enforcement uses the device’s local time zone.
- When a new update is available in Iru Endpoint, it is cached on devices as soon as possible. After the update is cached, users are notified leading up to enforcement. On macOS, the Iru menu app displays rounded days (for example, if an update will be enforced in 7.6 days, 8 days is displayed).
- Rolling enforcement and Manually Enforce Minimum Version install the latest Iru-approved OS version (shown in the upper-right corner of the Library Item). Enforce a Specific Version enforces the OS version you selected.
Do Not Manage
Iru Endpoint does not enforce an OS version. On macOS, this option cannot be used with Continuously Enforce, since that also sets upgrade schedule and conditions.Rolling enforcement
New OS updates are enforced automatically after release. You configure:- Within: How long after release (1 day, 2 days, 1 week, 2 weeks, 3 weeks, 1 month, 2 months, or 3 months) of release
- at: The time of day the update is enforced
Manually Enforce Minimum Version
You set the minimum OS version and an Enforcement Deadline (plus Enforcement Time). No update is enforced if a device is already above the minimum. Use this for critical security updates or to align the fleet to a version by a date. Devices below the minimum receive the latest Iru-approved OS version when they update.Enforce a Specific Version
Uses the same version selection dropdown and enforcement scheduling fields as Manually Enforce Minimum Version: select a Specific version, an Enforcement Deadline, and an Enforcement Time. Unlike Manually Enforce Minimum Version, this option enforces that exact OS version on your deadline rather than treating it as a minimum floor. Use this when you need all devices on a particular version by a fixed date.Background Security Improvements
In the same Library Item you can configure Background Security Improvements (lightweight security updates from Apple). Automatically enforce under Background Security Improvements is separate from Rolling enforcement under Updates → Version Enforcement. For configuration steps, see Configuring Managed OS for macOS or Configuring Managed OS for iOS, iPadOS, and tvOS.macOS: Installation Options
macOS Managed OS also lets you choose how major macOS upgrades are offered:- Continuously Enforce: Iru Endpoint initiates an upgrade on Mac computers running older versions, or users can upgrade on their own.
- Install on-demand from Self Service: The upgrade is not pushed; users install it from Self Service when ready. Use different copies of the same Managed OS Library Item with different labels to offer this in some Blueprints and continuous enforcement in others.
- Managed OS does not support downgrading macOS.
- Do not block the Software Update System Settings pane; doing so is not compatible with Managed OS and can produce unexpected behavior.
iOS, iPadOS, and tvOS: Supervision
Managed OS for iOS, iPadOS, and tvOS requires supervision.
Recommendations
- First time enforcing an OS version on your fleet: Use Manually Enforce Minimum Version and set the Enforcement Deadline at least 5 days later so users get advance notifications. For UI steps, see Configuring Managed OS for macOS or Configuring Managed OS for iOS, iPadOS, and tvOS.
- Rolling enforcement and immediate update requirements: If Apple has not released an update within your selected window (e.g. Within 2 weeks of release), all out-of-date devices may immediately be required to update and restart.
- Software Update Library Items: If you use Managed OS, turn off automatic download of updates in any Software Update Library Items used in the same Blueprint to avoid conflicts with caching. On macOS, see also Deployment Considerations in Managed OS for macOS Compatibility and Installation Mechanisms.
Labels
Use labels to tell copies of the same Managed OS apart when you add it to your Library more than once. See Library Item Labels in Library Overview.Related Articles
Configure Managed OS for macOS
Configure Managed OS updates for Mac computers
Configure Managed OS for iOS, iPadOS and tvOS
Configure Managed OS updates for iOS, iPadOS, and tvOS devices
Managed OS for macOS Compatibility and Installation Mechanisms
Understand compatibility and installation mechanisms for Managed OS on macOS
Understanding Issues with Managed OS for macOS
Understand how Managed OS works with DDM and macOS when troubleshooting updates
Declarative Device Management and Managed OS
About Apple DDM and Managed OS in Iru Endpoint
macOS Managed OS User Experience
What to expect when Managed OS updates run on your Mac
User Experience with Managed OS for iOS, iPadOS and tvOS
What to expect when Managed OS updates run on iOS, iPadOS, and tvOS devices