Skip to main content
This guide applies to Mac computers

About Managed OS for macOS

Managed OS for macOS deploys and enforces macOS updates across your fleet of Mac computers. Updates are delivered via Declarative Device Management (DDM). You can offer major macOS upgrades on-demand from Self Service or have them enforced automatically.
  • Managed OS does not support downgrading macOS.
  • Do not block the Software Update System Settings pane; doing so is not compatible with Managed OS and can produce unexpected behavior.

Installation options

Choose how upgrades for a major version of macOS are offered:
  • Continuously Enforce — Iru Endpoint initiates an upgrade on Mac computers running older versions, or users can upgrade on their own.
  • Install on-demand from Self Service — The upgrade is not pushed; users install it from Self Service when ready. Use different copies of the same Managed OS Library Item with different labels to offer this in some Blueprints and continuous enforcement in others.
Managed OS always installs the latest update for the selected major version of macOS.

Version enforcement

Under Upgrades, select how the minimum macOS version (“floor”) is enforced.

Do Not Manage

Iru Endpoint does not enforce a macOS version. This option cannot be used with Continuously Enforce, since that also sets upgrade schedule and conditions.

Automatically Enforce New Updates

New macOS updates are enforced automatically after release. You configure:
  • Time frame — How long after release (e.g. 1 day, 1 week, 2 weeks, 1 month)
  • Enforcement Time Zone and Enforcement Time — When the update is enforced
The floor is calculated from Apple’s release date. Iru Endpoint always installs the latest Iru-approved version (shown in the upper-right corner of the Library Item). After the installer is cached, users are notified and see a countdown in the Iru menu app (rounded to whole days). When DDM is in use (macOS Sonoma and later), enforcement uses the device’s local time zone; Enforcement Time Zone in the Library Item applies only to upgrades from macOS 13 and earlier.

Manually Enforce Minimum Version

You set the minimum macOS version and an Enforcement Deadline (plus Enforcement Time Zone and Enforcement Time). No update is enforced if a Mac is already above the minimum. Use this for critical security updates or to align the fleet to a version by a date. Mac computers below the minimum receive the latest Iru-approved macOS when they update.

Background Security Improvements

In the same Library Item you can configure Background Security Improvements (lightweight security updates from Apple). For steps, see Configuring Managed OS for macOS.

Recommendations

  • First time enforcing: Use Manually Enforce Minimum Version and set the deadline at least 5 days later so users get advance notifications.
  • Automatically Enforce New Updates: If Apple has not released an update within your time frame (e.g. 2 weeks), all out-of-date Mac computers may immediately be required to update and restart.
  • Software Update Library Items: If you use Managed OS, turn off automatic download of updates in any Software Update Library Items used in the same Blueprint to avoid conflicts with caching.

Labels

You can add the same Managed OS version to your Library multiple times for different Classic Blueprints or Assignment Map nodes. Use labels to differentiate copies; labels are not visible to end users but appear throughout the Iru admin interface. For configuration steps, see Configuring Managed OS for macOS.

Managed OS for macOS Compatibility and Installation Mechanisms

Understand compatibility and installation mechanisms for Managed OS on macOS

Understanding Issues with Managed OS for macOS

Understand how Managed OS works with DDM and macOS when troubleshooting updates

Declarative Device Management and Managed OS

About Apple DDM and Managed OS in Iru Endpoint

macOS Managed OS User Experience

What to expect when Managed OS updates run on your device