N-sight RMM: Apple OS Update commands via DMA

In 2023, there are only two ways to successfully update the operating system on Apple devices:

The default way is to get the end-user of the device to do it.  N-sight has long had an option to assist with this in our Run Managed Patch Automated Task

It used to be that this method could be scripted, but for the last 5 years or so – even before Apple officially deprecated the method – that has become increasingly unstable, and often times leads to a device that will not boot.

The other way is like anything else in Apple devices: if you want to do it for the user, you use mobile device management.  We are pleased to announce that N-able’s device management for Apple, built in to N-sight RMM, is now capable of issuing this software update command:

The command is also available for Mobile Devices: iPhones, iPads, and AppleTVs in the Mobile Devices tab:

There are up to 5 options in the command API:

  • Download or install the update, depending on the current state. This lets the OS decide which action it should take based on whether a user is logged in and working or its configuration.  This is the safest option and should be considered a default.
  • Download the software update without installing it.
  • Download the latest update and trigger the restart countdown: In iOS and tvOS, this will install a previously downloaded software update. In macOS it will download the software update and trigger the restart countdown notification via Notification Center.
  • Download the software update and notify the user through the App Store. This option is only available in macOS.
  • Download or install the latest update, force a restart if required: As it says, this will do the default action, but will make a restart mandatory.  This could result in data loss from unsaved work. This option is only available in macOS.

There are some important notes to know about these commands:

DMA can only send the command to the device.  It’s up to the device to obey the command.  Sometimes it won’t.  We expect that Apple’s APIs and implementation will improve as new OS version are released.  It’s already far more reliable on macOS Ventura than it was on previous macOS versions.  N-able is only supporting these commands on macOS 13 Ventura and iOS 16 or later.  

The commands may succeed on previous OS versions, but they will always download and install the latest full OS version.  For example, if you run the command on macOS 12 Monterey, it may or may not execute reliably, and if it does it will upgrade the device to macOS 13 Ventura.

The behavior of these commands can be modified via Configuration Profiles.  We will be adding UI for generating these configurations in a future release.  When macOS 14 is announced, you can prevent its install with a Software Update config profile.

A lot also depends on whether or not the device has been provisioned as Supervised.   Supervised devices, including those enrolled in DMA by way of Apple Business Manager/Apple School Manager automatic enrollment are far more likely to behave as desired.  Non-Supervised devices will likely require user input to complete the process.

In an upcoming release, we will add more detail to the Command History log to provide more detail on the response from the device about its updates.

In the future these commands will be more tightly integrated into N-sight and N-central’s Patch Management workflow.  The OS Update command in the DMA Commands menu will come to N-central in an upcoming release.

This entry was posted in N-sight. Bookmark the permalink.