Deploying OS Updates with Systems Manager
Cisco Meraki Systems Manager can deploy operating system updates to Apple devices on either an individual device basis or in bulk via a command on the Devices List. This will allow administrators to have the latest OS Update and conveniently update the entire fleet of managed devices with just a few clicks.
OS Updates are available for Supervised iOS, iPadOS, tvOS, and macOS devices. The use of Supervision is required because OS Updates are designed to function on company-owned devices.
Apple devices in Single App Mode must exit Single App Mode to install the OS Update.
iOS and iPadOS devices prompt the user to install the OS update after unlocking their device. To avoid this behavior so no end user intervention is required: a Clear Passcode command can be sent via SM. The Clear Passcode command will also clear locally stored Face ID or Touch ID settings.
OS Update Actions and Requirements (Apple)
The following OS Update Installation Actions are available to customize the experience for OS Update installations on Apple devices. For more information on the OS Update settings for Apple devices, please review the Apple documentation.
|
Action |
Minimum supported operating systems |
Description |
|||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
Install ASAP |
iOS 9 iPadOS 13.1 macOS 10.11 tvOS 12 |
In iOS, iPadOS and tvOS, install a previously downloaded software update or upgrade. In macOS, download the software update or upgrade and trigger the restart countdown notification. |
|||||||||
|
Default |
iOS 9 iPadOS 13.1 macOS 10.11 tvOS 12 |
Download or install the update or upgrade, depending on the current state. MDM administrators can check the |
|||||||||
|
Install & Force Restart |
macOS 11 |
Perform the default action, and then force a restart if the update requires it. An upgrade always requires it. This may result in data loss. |
|||||||||
|
Install Later |
macOS 10.11 |
Download the software update or upgrade and install it at a later time. |
|||||||||
|
Notify Only |
macOS 10.11 |
Download the software update or upgrade and notify the user. |
|||||||||
|
Download Only |
iOS 9 iPadOS 13.1 macOS 11 tvOS 12 |
Download the software update or upgrade without installing it. |
|||||||||
Updating on a Per-Client Basis
Updates can be deployed to individual iOS clients via a Live Tool on the Client Details Page:
The OS Version will display all the OS Updates available for the device. Choose the desired version to install.
Select the Install Action to customize how the OS will install the update. Set the Priority as high to install the OS update as fast as possible. See above "OS Update Actions and Requirements" section for more information on these actions and their requirements.
Note: Meraki Systems Manager will scan all devices several times a day for their available OS versions. This is how Systems Manager knows which updates can be applied to which device. If you want to manually issue a new available OS Update scan (so Systems Manager can know about a new update) send the Refresh Details command or simply wait for the next automatic scan.
Updating Multiple Devices
Multiple devices can be updated at the same time via the Command dropdown on the Devices List page. Select the clients which you wish to update and select Install available OS updates from the Command drop-down menu:
After bulk selecting devices, you will have the options to customize the OS Update commands based on the OS type inside the Install available OS updates navigation menu (below). This allows there to be different OS Updates deployed at the same time for macOS, iOS, iPadOS, and tvOS. Choose the OS Version, Install Action, and Priority based on your specific needs. For more information on how each OS will handle these updates, please review the Apple documentation.
The OS Version will display all the OS Updates available for all the devices selected. This allows the admin to push different OS update settings to different device types. Choose the desired version to install.
Select the Install Action to customize how the OS will install the update. Set the Priority as either High or Low. See above "OS Update Actions and Requirements" section for more information on these action settings and their requirements.
On iOS and iPadOS, the Install ASAP action can only be used if the device previously downloaded an OS update. The columns OS Update Version and OS Update Status can be be used to view the if OS update has finished downloading on device. See the "Viewing OS Update status" section below for more information.
Viewing OS Update status
The current OS Update scan information are triggered periodically for all managed devices. To manually refresh a device's OS Update state and scan, use the Refresh Details command.
After a Refresh Details command, the device's Activity Log will show raw logging of OS Update scans and OS Update status, and the latest OS Update status will be reported to Dashboard. This same scan is also ran periodically throughout the day.
The following columns can be added to the SM Device's list to help track OS update status: OS Update Version, OS Update Status, OS, OS Build, Full OS
In this above state, the iPadOS device is currently on iPadOS 16.4.1 and is 54% of the way finished downloading iPadOS 17.
In this above state, the iPadOS device is currently on iPadOS 16.4.1 and is finished downloading the update for iPadOS 17. In this state, the OS Update Install Action as Default or Install ASAP can be used to trigger the device to update to iPadOS 17.
Delaying OS Updates
On iOS 11.3+, macOS 10.13.4+, and tvOS 12.2+ it is possible to delay (defer) available OS update prompts to the end user for up to 90 days. This is configured in the 'Restrictions' payload found in Systems Manager > Manage > Settings. For more information on how the Apple OS will handle displaying the OS Updates while deferring an OS Update restriction is applied, please review Managing iOS and iPadOS software updates and upgrades in the Apple documentation.
Rapid Security Response
Use the Restrictions profile to customize the way Rapid Security Response OS Updates are displayed on Apple devices. Find the settings inside the Security and privacy section of the Restrictions profile. For more information on these settings, please review the Apple documentation.
Allow Rapid Security Response Install: To disable the responses.
Allow Rapid Security Response Removal: To block the user from being able to undo the responses.
Security Policy for Minimum OS Version
Security Policies in Meraki Systems Manager can be used to detect OS versions and report compliant or violating status of your own custom minimum require OS rules. This will allow you to take automated action and alerts based on device's compliance status. Please see the Security Policy documentation for more information.
