Using Workspace ONE to Manage Operating System Updates on macOS Devices

Overview

Introduction

VMware Workspace ONE® UEM provides a comprehensive management solution for macOS devices, supporting operating systems version 10.15 and later. With the ability to manage Corporate-Dedicated, Corporate Owned, or Employee Owned (BYOD) devices, Workspace ONE UEM offers enterprises the flexibility to meet their employees’ needs at any level.

One area where organizations require a significant amount of flexibility and customization is managing OS updates and patches. Apple regularly releases minor updates for macOS that include feature enhancements, bug fixes, and security patches. Major OS updates, released less frequently, often contain new functionality, and in some cases, a completely new code base for the OS itself. Apple has included a Software Update utility within the OS that typically requires user intervention to initiate.

Using a device profile, Workspace ONE UEM provides administrators with the ability to configure Software Update utility settings, such as the following:

• How to install updates (manually or automatically)
• What updates to install (all or recommended only)
• How often to check for updates
• Restart behaviors (force restart, allow deferrals, max number of deferrals, and so on)

The Software Update utility does provide organizations with the ability to maintain updates and patches on their macOS devices. However, it is limited in two ways. First, it relies on end-user interaction when it comes to updates and patches being applied. Second, it does not provide administrators with the ability to control which specific updates and patches are applied to devices.

For example, if an organization is dependent on a specialized suite of software that requires a specific version of macOS be installed, administrators may wish to control the OS updates until the software can be validated on the updated platform. It might also be necessary to keep users from updating to the latest OS version as soon as the update is released. Workspace ONE UEM provides administrators with the granular control needed to ensure that devices are patched and updated to meet corporate standards.

Workspace ONE UEM includes macOS Update Management, which provides administrators with the granular control required for deploying macOS updates to devices. This framework utilizes native Apple MDM commands to schedule, download, and install OS updates, as well as configure specific settings, such as update priority and user deferrals.

Purpose of This Tutorial

This tutorial guides you through the process of configuring and deploying macOS updates to your devices. The process outlined within this document utilizes macOS Update Management in Workspace ONE UEM. The following tasks are discussed:

• Introduction to macOS Update Management
• Addressing how Workspace ONE UEM handles conflicting updates for macOS
• Creating a software update device profile to control the behavior of the macOS native Software Update utility
• Creating a smart group to use for assigning updates to macOS devices
• Configuring and assigning updates in Workspace ONE

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. 

Both current and new administrators can benefit from using this tutorial. Familiarity with macOS, XML, and basic scripting is assumed.

Knowledge of additional technologies such as VMware Workspace ONE® Intelligence and VMware Workspace ONE® UEM is also helpful.

Validation Environment

The content created for this operational tutorial used the following software and hardware versions for testing:

• Workspace ONE UEM version 2306
• Workspace ONE Intelligent Hub version 2303
• Apple macOS 12.6.3 (Update from 12.6.3 to 13.4)

macOS Update Management

Introduction

When administrators use macOS Update Management in Workspace ONE UEM, they can easily identify available macOS versions for their managed devices, and assign and publish both major and minor updates through the macOS Updates dashboard. The dashboard provides information on all available updates, such as version, release date, expiration date, and availability. These details are automatically pulled from Apple on a regularly scheduled cycle.

When assigning an update to an assignment group, administrators can configure the following options:

Setting	Description
Deployment Begins	This sets the date and time when the deployment will begin.
Install Action	The install action tells macOS how to install the update on the device. These options are discussed in more detail in the next section.
Priority	You can set the scheduling priority for downloading and preparing the update.
User Deferral	This setting allows you to enable user deferrals for the update, as well as configure the maximum number of allowed deferrals. NOTE: This option is only available if you select InstallLater as the Install Action.

Administrators can also monitor the deployment of updates for an individual device on that Updates tab of the device’s Details page in the Workspace ONE console. This tab shows all available updates for this specific device, as well as the status of any updates that are currently being deployed.

The following diagram explains the update execution process.

Figure 1: Update Execution Process

1. Devices are assigned to a new or existing assignment group. This group could be filtered in whatever manner is best for your organization. In this tutorial, you create a group that includes devices with a specified version of macOS installed. As devices are updated, they are automatically removed from the group. This is only one of many possible ways to assign devices. You should evaluate what works best for your organization.
2. A new assignment is created for a macOS update in the Update Management dashboard. One or more assignment groups can be assigned to the update. Administrators can configure several options for the assignment as are described later in this tutorial.
3. When the selected begin date and time are reached, Workspace ONE UEM begins sending the configured commands to devices.
   
   NOTE: The configured command is not immediately sent to devices. The command is issued as devices check in during the normal scheduled device information query. By default, this is every four (4) hours.
4. Depending on the configured commands, the update is downloaded and/or installed on the device.
5. If the update fails to download and/or install, Workspace ONE UEM re-issues the configured commands after twenty-four (24) hours.
6. If user deferrals are configured, the user can defer the update installation for a later time. When the configured maximum deferrals are reached, the update installs automatically and the device is restarted if required.

Available Install Actions

When you are assigning an update to a group of devices, you must define the action to be taken for the update. Apple offers several options in their MDM protocol, which macOS Update Management in Workspace ONE supports. These Install Actions give administrators control over how the update is downloaded and installed. It is important to understand the difference between the actions because each action can have a different impact on the end user. Some actions provide the end user with ability to control required device restarts, while others do not.

The available install actions are listed in the following table.

Install Action	Description
DownloadOnly	This action downloads the macOS update to the device without installing it.
Default	The Default action downloads or installs the update, depending on the current state.
InstallAsap	This action downloads the update to the device, and notifies the end user that the device will restart in 60 seconds. If the user is active on the device at the time, they can cancel the restart.
NotifyOnly	NotifyOnly downloads the update to the device and notifies the end user that it is ready for installation.
InstallLater	The InstallLater action downloads the macOS update to the device for later installation. If this option is selected, administrators have the additional option to set a maximum number user deferrals before the update is installed automatically.
InstallForceRestart	This action downloads the update and forces a restart if required. NOTE: The restart does not require user consent and could result in data loss.

NOTE: While these actions are clearly defined by Apple, the behavior of each may vary, depending on the combined selected action, macOS version on the device, and the device hardware. VMware strongly recommends that you test your desired commands on a small group of devices prior to deploying those commands to your entire device fleet.

Navigating the Device Update UI Screens

OS updates are managed through the Device Updates user interface in Workspace ONE UEM. This section of the tutorial provides a detailed explanation of the components of the interface and their function.

Device Updates List View

The Available Device Updates List View can be found in the Workspace ONE UEM console by clicking on Resources, then Device Updates, and selecting macOS. This section describes each column displayed.

Figure 2: Device Updates UI

1. Version – Indicates a macOS Update as discovered by the Workspace ONE UEM sync process with Apple’s product version lookup service.
   
   Release and Expiration Date - For each macOS update version, Workspace ONE displays the dates Apple made the update available to the public (for example, the Release Date). Workspace ONE also displays Apple's defined Expiration Date.
   
   Note: The Expiration Date displays the date that the update signature expires and devices no longer trust the update to apply it. Apple can expire the update earlier than this date for security or other reasons.
2. Update Status - The Update Status field denotes which macOS updates are Available or Not Available to deploy to devices.
   
   Note: If an update is marked as Not Available, it will not deploy to devices and Workspace ONE disables the ability to manage assignments for the update.
3. Assignments - For each macOS update version, Workspace ONE displays how many assignments have been defined for that update. Assignments consist of one or more Smart Groups configured to begin receiving an update-related command after a specific date and time.
   
   Note: The Assignments number does not necessarily equate to the number of smart groups assigned to the update.
4. Assignments Status – For each macOS update version, Workspace ONE displays whether that update has been Assigned to devices or Not Assigned. Additionally, if an administrator has paused an update, the update displays as Paused.
   
   Note: If an assignment is Paused, Workspace ONE discontinues bulk command operations against any current or pending assignments. Workspace ONE cannot cancel any commands which have already been delivered to assigned devices prior to pausing the update process.

Manage Assignments View

The Manage Assignments View provides administrators with the ability to create and prioritize update assignments within their environment.

Figure 3: Manage Assignments View

1. New Assignment – Administrators use this button to assign download and install commands for this specific macOS update to one or more smart groups.
2. Save Priority - Administrators use this button to save modifications to the priority they have set for assignments. Workspace ONE uses assignment priority to resolve schedule conflicts for devices in multiple assignments due to their Smart Group membership.
3. Priority Drag Zone – This user interface element provides a click-and-hold space for dragging and rearranging priority.
4. Deployment Start Date – The start date of each assignment is displayed for quick reference.
   
   Note: The deployment start date is the day and time when Workspace ONE begins queueing commands to devices. It does not necessarily mean all devices in the assignment get the command at that exact point in time. Factors that affect command delivery include batching (for large device counts), devices offline or powered off, network connectivity, and so on.
5. Deployment Mode - This column shows at a glance which command is being delivered to the devices in that assignment.

Device Details Update View

The Device Details Updates View is available by clicking Devices in the Workspace ONE UEM console, then selecting List View, and clicking a specific device. Click the tab called Updates. This tab displays any updates that the device is eligible to install. Administrators can use this tab to monitor the progress of currently assigned updates.

Figure 4: Device Details Updates View

1. Query Update Progress – This button queries the status of updates for this device.
2. Update Name and Version - This column shows all available update versions for the device.
3. Assigned – The Assigned column shows if an update has been assigned for deployment to this device.
4. Progress Reporting - Workspace ONE displays update progress as it is given from the device, including install status, and the date and time of the last device status update.

Understanding Assignment Conflict Resolution

Introduction

In Workspace ONE UEM, devices can have membership in many different assignment (or smart) groups. Arranging devices in multiple groups is key to flexibility when managing a fleet of devices with potentially overlapping use cases and needs. Additionally, Workspace ONE UEM's organization group structure allows configurations to be defined broadly across devices or more granularly (and potentially by delegated administrators). Because devices can exist in more than one smart group (and those smart groups existing at different levels in an organization group hierarchy), it is possible to assign a single device to more than one assignment for macOS updates. This section explains how Workspace ONE resolves conflicts with respect to macOS Update assignments.

Resolving Assignment Conflicts

An instance might occur where a device has multiple macOS update assignments that potentially conflict with each other. The macOS Update conflicts are resolved in the following order:

1. Most Recent Version Wins: The most recent macOS Update assigned to a device takes precedence.
2. Closest Organization Group Wins: If the same macOS Update is assigned at different levels in the Organization Group (OG) hierarchy, the assignment closest to the OG to which the device enrolled takes precedence.
3. Highest Priority Wins: If the same macOS device exists in multiple assignments for a single macOS Update in a single OG, the assignment with the highest priority takes precedence.

Each of the above scenarios is described in more detail below.

Most Recent Version Wins

Figure 5: The Most Recent Version Wins precedence

In this scenario, the device is enrolled in the Grandchild OG. A single macOS Update for 13.3 (A) has been assigned to the device at the Grandchild OG. A macOS Update for 13.4 (B) has been assigned at the Parent OG, as well as a macOS Update for 13.3 (C). In this case, Workspace ONE selects the update for 13.4 (B) because it contains the most recent macOS version assigned to the device (for example, macOS 13.4 is prioritized over macOS 13.3).

Closest Organization Group Wins

Figure 6: The Closest Organization Group Wins precedence

In this scenario, the device is again enrolled in the Grandchild OG. A single macOS Update for 13.4 (A) has been assigned to the device at the Child OG. A macOS Update for 13.4 (B) has been assigned at the Grandchild OG, and a macOS Update for 13.4 (C) is assigned from the Parent OG. Workspace ONE will prioritize the update for 13.4 from the Child OG (A) because it is the most recent macOS version assigned to the device, and because the assignment is made in the Organization Group closest in the hierarchy (Child vs. Parent) to where the device is enrolled (Grandchild).

Highest Priority Wins

Figure 7: The Highest Priority Wins precedence

Figure 8: Priority of new assignments

In this scenario, there are multiple macOS Update assignments (A and C) with the most recent macOS version, and both are in the same OG. One assignment is configured to only download the update (A), while the second assignment is configured to download and install the update as soon as possible (C). Workspace ONE chooses the assignment with the highest priority (A) and only sends the command to download the update.

Software Update Device Profile

The macOS Software Update Utility regularly checks for updates and can be configured to automatically download and install OS updates. However, if you plan to use Workspace ONE macOS Update Management, you might want to have more granular control over what updates are installed on your devices. For instance, you might want to bypass a specific update. You can manage automatic updates with a device profile in Workspace ONE UEM.

NOTE: This profile is not required to use macOS Update Management in Workspace ONE UEM. This section is provided as an optional step to show how administrators can maintain strict control over what updates get applied to their devices. Without this profile, administrators can still push updates to devices using macOS Update Management. This option enables administrators to keep users from downloading updates on their own through the Software Update Utility.

Create a Software Update Device Profile

To create a device profile that configures the Software Update Utility to not automatically check for updates:

1. On your desktop, double-click the Google Chrome icon.
2. Navigate to the VMware Workspace ONE UEM Console.
   
   For example, navigate to https://<WorkspaceONEUEMHostname> where WorkspaceONEUEMHostname is the host name of the Workspace ONE UEM console.
3. Enter your Username, for example, administrator.
4. Click Next. The Password text box is displayed.
5. Enter your Password, for example, VMware1! and click Login.
   
   Note: If you see a Captcha, be aware that it is case sensitive.
6. Select Resources, and then click Profiles & Baselines > Profiles.
7. From the Add dropdown menu, select Add Profile.
8. Select the Profile Platform by clicking macOS.
9. For the Context, select Device Profile.
10. Enter macOS Updates for the profile name.
11. Scroll down the list of payloads until you find Software Update, and click Add.
12. From the Install macOS Updates dropdown, select Don’t automatically check for updates. Notice that all other options become unavailable.
     
13. Click Next.
14. Scroll down to Assigned Groups, click the search box, and from the list of assignment groups that appear, select the appropriate group, such as All Devices (your@email.shown.here).
15. For the Assignment Type, select Auto.
16. Click Save and Publish.
17. Verify that you can now see your macOS Update device profile within the list on the Profiles window.

Assigning Updates to macOS Devices

Introduction

To deploy an update to macOS devices, you must create an assignment group to which to assign the update, and then assign the update in Workspace ONE UEM. This section guides you through the process of creating the assignment group and assigning the update.

For this tutorial, an update for macOS 13.4 is deployed to devices running macOS 13.0 or below. However, this process can be used for any combination of macOS operating system from version 12 and later.

Create a Smart Group for Device Updates

To target devices that are currently running macOS Monterey (12.6.x), you use a Smart Group within Workspace ONE UEM to assign the devices to the workflow. A Smart Group is a customizable group that allows you to group specific platforms, devices, and users together for the purpose of application, policy, profile, and provisioning assignment.

In this exercise, you create a Smart Group to be used to assign the update workflow. For this assignment group, you set the criteria to only include corporate devices running a macOS version below 13.0.0. This allows devices to automatically be removed from the assignment group after they receive the assigned update.

To create and configure the Smart Group:

1. In the Workspace ONE UEM console, select Groups & Settings.
2. Expand Groups and select Assignment Groups > Add Smart Group.
3. For the group name, enter macOS 13.4 Update.
4. From the list of available criteria, expand Ownership, click Selected, and ensure that Corporate is the only item with a check mark.
5. Expand Platform and Operating System, and from the drop down, select Apple macOS.
6. Change the condition to Less Than, and select macOS Ventura 13.0.0.
    
7. Click Save.

Assigning a macOS Update

You now need to assign and publish the appropriate update to the assignment group you just created. For this example, macOS 13.4 is assigned and published, but this process can be used for any version of macOS 12 and later.

To assign and publish the appropriate update to the newly created assignment group:

1. In the Workspace ONE UEM console, select Resources > Device Updates > macOS.
2. From the list of available macOS updates, click the radio button for macOS 13.4.
    
3. Click Manage Assignments.
4. If you already created assignments for this update, they are listed here. For this exercise, there should be no other assignments listed. Click New Assignment.
5. Enter the Assignment Name. For this exercise, enter macOS 13.4 Update Assignment.
6. Click the search box for Select Smart Group. From the list of assignment groups that appear, select the appropriate group. For this exercise, select the group you created earlier called macOS 13.4 Update(your@email.shown.here), and click Next.
7. To configure the Date that you want Workspace ONE to begin deploying the update, click the Calendar icon and select a date, such as June 14, 2023.
8. Enter the desired time that you want the update to begin, such as 12:00, and select AM or PM from the dropdown.
9. Click the dropdown labeled Install Action, and from the dropdown menu, select your preferred action. For this tutorial, select InstallAsap.
   
   NOTE: If you select the InstallLater action, an additional option to enable User Deferral appears, which you can enable to set the Maximum Number of Deferrals allowed.
10. Select the Priority for this update. This option configures the scheduling priority for downloading and preparing the requested update on the device. For this tutorial, leave this option as Not Configured.
    
    NOTE: This configuration only impacts macOS 12.3 and later devices.
     
11. Click Next.
12. In the macOS 13.4 – Assignments window, you have the option to configure Notification messages to be sent to users after successful download of the update, and after successful installation. For this exercise, leave these options disabled, and click Save.
     

To try this for yourself, check out this click-through demonstration that will guide you through the basic configuration of a macOS operating system update in Workspace ONE UEM.

Prioritizing Update Assignments

In many cases, administrators need to assign multiple Smart Groups to a single assignment to cover differing deployment scenarios. For instance, you might want to have updates installed automatically and the device restarted without user intervention for most of your device fleet. However, due to concerns that a restart might interrupt a sales presentation, you might also want to give the sales team more control over when their device restarts by providing them with the option to defer the update to a later time. In these scenarios, you need to create separate assignments that are configured differently.

However, there is the possibility that a device might be a member of more than one Smart Group, which could cause a conflict and result in the incorrect assignment being applied to a device. In Workspace ONE UEM, you can change the priority of assignments, allowing the assignment with the higher priority to be applied on devices with multiple assignments.

To get the desired result, perform the following steps:

1. In the Workspace ONE UEM console, select Resources > Device Updates > macOS.
2. From the list of available macOS updates, click the radio button for macOS 13.4.
    
3. Click Manage Assignments.
4. To change the priority of the assignments, click and hold the grab area next to the assignment you want to change, and drag the assignments to rearrange their order.
5. After you finish rearranging the assignments, click Save Priority to set the updated priority.
    
6. Click Close.

Pausing and Resuming Assignments

Within macOS Update Management in Workspace ONE UEM, administrators can pause and resume updates without having to modify the assignments. This allows administrators to maintain visibility as to the deployments to-date while having the ability to halt further deployments for troubleshooting purposes.

To pause and resume an update assignment:

1. To add an additional assignment, in the Workspace ONE UEM console, select Resources > Device Updates.
2. On the Device Updates List View, select macOS from the options at the top.
3. Select the row for the macOS update that you want to pause, and click Pause.
    
4. When prompted, confirm the action by clicking Pause, causing the Update Status to change to Paused.
5. To resume the macOS Update, select the row for the paused macOS update that you want to resume, and click Resume.
    
6. When prompted, confirm the action by clicking Resume, causing the Update Status to change to Assigned.

Summary and Additional Resources

Introduction

With Workspace ONE UEM, administrators can manage operating system updates to macOS devices. Administrators can automate the download and install actions, or granularly control those two steps independently. With these features, Workspace ONE UEM enables automated update cycles convenient to an organization's needs.

This operational tutorial provided steps to help you understand the UI screens, assign macOS updates to devices, and manage those updates. It also discussed how Workspace ONE UEM resolves assignment conflicts.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level-up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

For more information on macOS, see Understanding macOS Management.

For additional understanding about macOS, see the following tutorials:

• Configuring Basic macOS Management
• Getting Started with Freestyle Orchestrator on macOS Devices
• Managing Updates with the macOS Updater Utility
• Distributing Scripts to macOS Devices
• Deploying a Third-Party macOS App

Changelog

The following updates were made to this guide:

Date	Description of Changes
08/07/2023	Guide was published.

About the Author and Contributors

This tutorial was written by:

• Michael Bradley, Senior Technical Marketing Architect, End-User-Computing Technical Marketing, VMware

Considerable contributions were made by the following subject matter expert:

• Paul Evans, Product Line Manager, End-User Computing, VMware

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.