Knowing the phases of Apple software update enforcement
Enforcing software updates using MDM involves five main components:
The MDM solution
The device
The user
The Apple Software Lookup Service
The Apple Software Update Catalog
Phase 1
The MDM solution regularly monitors the Apple Software Lookup Service for new releases. If one is detected, it uses the SupportedDevices key of the catalog and compares it to its list of managed devices to determine which devices the release is applicable to.
The MDM solution should also subscribe to the softwareupdate.* and device.operating-system.* status reports to automatically retrieve updates if any of those values change.
Phase 2
The MDM solution creates a com.apple.configuration.softwareupdate.enforcement.specific declaration with the detected version and defines the TargetLocalDateTime and optionally the DetailsURL according to the organizational requirements. The MDM solution then sends a push notification to the device to trigger the synchronization of declarations. For more information, see Integrating Declarative Management on the Apple Developer website.
Phase 3
After the declaration becomes active on a device, it reaches out to the Apple Software Update Catalog to retrieve the download URL and then begins to download the update if the requirements are met. The device then presents a notification to the user and returns the following to the MDM solution:
1. A softwareupdate.install-state value of waiting, which indicates the process to request the update has started.
2. A softwareupdate.install-state value of downloading, which indicates the update is being downloaded by the device.
If a content caching service is available to the device, it attempts to download the software update from the content cache.
After the device successfully downloaded the update, it prepares the software update for installation. After this process completes, a softwareupdate.install-state value of prepared is sent back to the MDM solution.
Phase 4
The device enters the notification period. Depending on when the installation is to occur, this notification may display different text and options.
Phase 5
In case the user hasn’t installed the update before the enforcement deadline, the device begins the installation and sends a softwareupdate.install-state value of installing back to the MDM solution. Before starting the installation, a Mac with Apple silicon contacts the MDM solution to retrieve the bootstrap token (if one is available).
If the update succeeds, the device restarts. If the update fails, a softwareupdate.install-state value of failed is sent. In either case, the device sends back a softwareupdate.failure-reason status report. If the update was successful, the count key has a value of 0.
Phase 6
The device then sends the following information back to the MDM solution. Depending on the update, not all these objects have return values.
StatusDeviceOperatingSystemVersion: A status report of the device’s operating system version.
StatusDeviceOperatingSystemBuildVersion: A status report of the device’s software build identifier.
StatusDeviceOperatingSystemSupplementalBuildVersion: A status report of the device’s operating system version and Rapid Security Response build identifier.
StatusDeviceOperatingSystemSupplementalExtraVersion: A status report of the device’s operating system’s Rapid Security Response identifier.
Phase 7
The MDM solution unassigns the declaration from the device and sends a push notification to the device to initiate the synchronization. After synchronizing, the device removes the declaration.
