Force macOS latest updates with DDM & Intune

15/04/2025

Apple has been using Declarative Device Management (DDM) for a while now. Apple's documentation describes this feature as "an update to the existing device management protocol that can be used in conjunction with existing MDM protocol capabilities. It allows the device to asynchronously apply settings and report status back to the MDM solution without constant polling."

Great solution, right? Intune already has settings for DDM, but something new has been added. Read on to find out.

New Settings Catalog settings

In March, Microsoft released new settings catalog features for macOS in service release 2503 for Intune. One of these features is the option to use Declarative Device Management (DDM) to force the latest update. With these new settings you can control when the latest software update is forced to install. There were already DDM settings in the settings catalog, but those settings control updating to a specific build.

See the links at the end of this post for the details of these new settings from the official Microsoft documentation.

Configuration in Intune

To make use of these new settings, you must create a configuration policy in Intune with the settings catalog.

Home > Devices > macOS > Configuration > New Policy > Settings Catalog

Give the policy a logical name

Create Profile

In the Settings Picker, search for Declarative Device Management (DDM) and select the Software Update Enforce Latest option.

Settings picker DDM

You can control the following settings for the Software Update Enforce Latest:

  • Enforce Latest Software Update Version
  • Delay in Days
  • Install Time
DDM Software update enforce latest options

Adjust the settings to suit your organization and assign the policy to the desired group of users or devices. Be sure to test these settings on a smaller group first.

User experience

When the setting is pushed to the macOS devices, the targeted user will receive a notification pop-up stating that the update will be installed at the given time and date, depending on the settings you made in the policy.

Notification Pop-up

When the user opens the Software Update section in Settings, they will see an explanation of when the update will be installed. In this example the user has the option to install the update now or to wait for the forced install.

Software update settings

Recap

With the new settings catalog settings for macOS and the option to force updates through DDM, you can control how and when the latest updates for macOS are installed. This keeps your macOS devices up to date. It is a perfect example of how the integration between Intune and macOS keeps developing.

Documentation

Microsoft documentation, What's new in Intune:
https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/whats-new#configure-devices-to-stay-on-the-latest-os-version-using-declarative-device-management-ddm

Microsoft documentation, Software updates for iOS and macOS:
https://learn.microsoft.com/en-us/intune/intune-service/protect/managed-software-updates-ios-macos

Apple Declarative Device Management:
https://support.apple.com/en-gb/guide/deployment/depb1bab77f8/web