How we manage macOS updates and upgrades with datajar.mobi

The way macOS was kept up to date changed in 2020 with the release of macOS Big Sur (11.x) and the introduction of Apple Silicon. Since then, there have been no fully automated methods of updating macOS, and therefore, some user interaction will need to take place to complete the task.

To explain how we manage macOS updates and upgrades first, let us define the common terms around this process:

macOS Updates (Minor)	macOS Upgrades (Major)
Incremental update within the same major version (e.g. macOS Sequoia 15.0.1 → macOS Sequoia 15.3.1). Typically includes security fixes, bug fixes, and minor feature enhancements. Smaller download size, also called a Delta update.	Movement to a new major version (e.g. macOS Sonoma → macOS Sequoia). Complete operating system replacement. Introduces significant new features and changes. Requires full macOS installer (11-14GB in size).

Volume Ownership

On Apple silicon Macs, there is a security concept called "Volume Ownership." This means that a particular user on the Mac has special permissions to manage certain system tasks.

The first user to set up an account on a Mac becomes the primary Volume Owner.

Volume Owners can:

• Approve macOS updates and upgrades
• Change security settings for how the Mac starts up
• Erase all Content and Settings data on the Mac

The first user gets a "Secure Token," which makes them a Volume Owner. A Secure Token also allows a user to generate a key for and unlock FileVault (disk encryption).

Some tasks, like changing security settings, require being both a Volume Owner and an Administrator. Others, like approving minor macOS updates, only need Volume Ownership.

The easiest way to tell if you're a Volume Owner on a Mac is to try approving a macOS update:

1. Go to System Settings > General > Software Update.
2. If you can click "Update Now" or "Install," you’re likely a Volume Owner.
3. If it asks for Administrator credentials and your credentials work, you're both an Administrator and a Volume Owner.

Bootstrap Tokens

This hidden security token on the Mac ensures that macOS updates and upgrades can be installed remotely, even if no user is logged in.

Bootstrap Tokens are automatically generated and escrowed to Jamf Pro when you create a user account in the Setup Assistant or log in via Jamf Connect.

All Apple Silicon Macs enrolled with datajar.mobi should have a Bootstrap Token, but this may not be the case in some circumstances.  If so, this can be fixed, please raise a ticket.

macOS Update and Upgrade methods

There are two main ways to update or upgrade a Mac: Manually or via MDM command. 
Below is a table showing the authorisation levels needed for different user types to install macOS updates and upgrades:

User Type		Minor macOS Updates	Major macOS Upgrades
Standard	A local user who is not an admin	❌	❌
Admin	A local any user who is an administrator	❌	❌
Standard (Volume Owner)	Any local any user who is not and administrator but was the first user created	✅	❌
Admin (Volume Owner)	Any local any user who is an administrator and was the first user created	✅	✅
MDM command (Bootstrap Token)	Commands sent from datajar.mobi or Jamf Pro	✅	✅

 

User-initiated Updates and Upgrades

This will work best for 1:1 Macs where the user is the Volume Owner and lab Macs where the local admin (ladmin) is the Volume Owner.  These can be performed without raising a ticket to dataJAR.

Goto: System Settings > General > Software Update.

There will be various options available. In the example above, the user's Mac is running macOS Sonoma 14.7.2, but a new major version of macOS is available. 

If the user wants to perform a major macOS upgrade, they should click the "Upgrade Now" button.

If the user only wants to perform a minor macOS update, they should use the "More Info..." link in the "Also Available" section, which will take them to a screen like the one below to run the minor update:

In either case, the user will be prompted to enter their user account password when they proceed. Depending on their User Type, they will see the prompts for their credentials from macOS. 

A ✅ is beside the users whose credentials will work:

	◄ Minor macOS Update prompt User Types who will see this prompt: Standard Standard (Volume Owner) ✅ Admin Admin (Volume Owner) ✅
	◄ Major macOS Upgrade prompt Users Types who will see this prompt: Standard Standard (Volume Owner) Admin Admin (Volume Owner) ✅

Once authorised, a macOS installer will begin downloading. Follow the onscreen instructions from there:

MDM initiated Updates and Upgrades

These will work best for where the organisation wants to cache and/or apply a mass update or upgrade or set a scheduled deadline by which an update or upgrade should be enforced*.

Below are the Update Type options that work best via MDM:

Update Type	Explanation	Use case
Download Only	Only download the software update to the device without installing it.	Allows an organisation to stage updates for later installation.
Download and install	Downloads the update and initiates the installation process automatically.	Allows an organisation to stage updates for later installation or proceed with immediate installation.
Download and schedule to install	Schedule a specific date and time for the update to install automatically * (only supported for computers with macOS 14 or later).	It provides more control over update timing than the other options, making it useful for coordinating updates across an organization while minimizing disruption to end users.
Download, install, and restart	Automatically update the OS and force restart on the selected device.	Due to its intrusive nature in forcing a restart, this option should be used with caution or mainly on lab Macs.

When the above MDM commands are used for either an update or upgrade, users may see a popup asking for their local account password. The Bootstrap Token pre-approves all users on the Mac, allowing the user to approve the update or upgrade for that session only.

Scheduled Updates and Upgrades

This feature is new for Macs running macOS Sonoma (14.0) or later.  

A future deadline time and date is chosen and sent to Mac(s) via MDM. The Mac will notify the user progressively until the deadline date, at which point the Mac will enforce the update or upgrade on the user's Mac.  See below for how this flows:

User Notifications

	An example of a notification a user will see if Download and schedule to install is chosen.  Users can install it later using the Options button up until the deadline.
	An example of a notification a user will see if a scheduled installation is past its deadline date.The Mac will begin installing at the specified time.
	An example of a notification a user will see if Download, install, and restart is chosen. The Mac will begin installing after 60 seconds force-quitting any open apps.

Considerations

• These commands are performed manually by raising a ticket to dataJAR.
• The commands can only be sent out during dataJAR's business support hours.

User Experience for automatic updates

The user experience follows Apple's default behaviour in the same way as if the computer was unmanaged. If users open System Settings > General > Software Update > Automatic Updates, they will see all the options below enabled and locked:

While fully automated updates and upgrades of macOS aren't possible, some updates, such as Safari, XProtect definitions, and other background configuration updates, do install automatically.

Considerations

• If an update requires a restart, users will receive a notification that updates are available and are prompted to install or delay the update.
• If the computer is left logged in and connected to mains power, it will try to automatically log the user out and install the update between 02:00 and 04:00 or another time when the Mac is not in use.  The Mac will figure out when the best time to do this by learning user usage patterns over time.

Software Update deferrals

Some organisations prefer a period of testing before pushing a minor or major macOS release.  Apple allows us the following control over when updates and upgrades are presented to the user:

Deferral Period

• Updates can be deferred up to 90 days from Apple's release date.  Other time periods in days are 1, 7, 30 and 60.
• During the deferral period, updates won't appear as available in System Settings > General Software Update.

Update Types That Can Be Deferred

• Major OS upgrades (e.g., macOS 14 to 15)
• Minor OS updates (e.g., 15.0 to 15.1)
• App and non-OS updates (refers only to Mac App Store apps)

Considerations

• Update and upgrade commands pushed via remote MDM commands will temporarily bypass software update deferral restrictions, meaning dataJAR can still push critical updates on request when needed without changing general restriction settings.
  
• Deferrals prevent users from seeing update prompts and available updates in System Settings until the deferral period expires.
• Rapid Security Responses don’t adhere to the managed software update deferral. Because they apply only to the latest minor operating system version, if that update is deferred, the Rapid Security Response is also effectively deferred.
• If users have already seen an update prompt before the profile managing updates is deployed, the prompt may persist.

Troubleshooting

Things that can prevent a Mac from updating:

• Less than 35GB of space remaining (varies by update size)
• Less than 30% battery power (laptops only)
• Not being plugged into power when the installation action takes place (laptops specifically)
• Users have applications open that interrupt a graceful logout, such as prompting them to save an open document in Microsoft Word.
• The Mac not being online to receive the update command
• The Mac shut down while the update/upgrade command was executing
• The update/upgrade command times out due to network conditions

On Apple Silicon in particular:

• No Volume Owner - The first user to log in with a Secure Token becomes a Volume Owner. Any user (standard or admin) with a SecureToken is a Volume Owner
• No Bootstrap Token - Prevents remote updates via MDM.

Considerations

• Updates may take time to begin as the Mac negotiates with Apple's software update servers. The timing varies based on network conditions and server load.
• If you encounter issues with installing software updates for macOS after taking into account the above, please follow the steps in this article: https://support.apple.com/en-gb/HT212526

If you continue to have problems updating your Mac(s), please submit a ticket, to us, and we will be happy to assist.

Further information

• Update macOS on a Mac
• If an error occurs while updating or installing macOS
• Mac models with the Apple T2 Security Chip 
  
• Mac models with the Apple Silicon Chip 
• Manage macOS updates with Mobile Device Management (MDM) 
  
• Installing and enforcing software updates for Apple devices 
• Use Secure Token, Bootstrap Token and Volume ownership in deployments