
Software Update settings declarative configuration for Apple devices
Use the Software Update settings configuration to enforce software updates at a certain time. For more information, see Use device management to deploy software updates.
The Software Update settings configuration supports the following:
Minimum supported operating system versions and channels: iOS 18, iPadOS 18, Shared iPad device, macOS 15 device.
Requires supervision: Yes, except the following: Enforcement keys, beta testing OfferPrograms keys.
Supported enrollment methods: Device Enrollment, Automated Device Enrollment.
AutomaticActions dictionary keys
The AutomaticActions dictionary offers the keys shown below (default is Allowed and not required).
Key | Type | Merge behavior | Description
---|---|---|---
| | Enum | The last value from the list: Allowed, AlwaysOn, AlwaysOff. | Specifies whether automatic downloads and preparation of available updates only (not upgrades and Rapid Security Responses) can be controlled by the user: |
| | Enum | The last value from the list: Allowed, AlwaysOn, AlwaysOff. | Specifies whether automatic installation of available operating system updates only (not upgrades and Rapid Security Responses) can be controlled by the user: |
| (macOS only) | Enum | The last value from the list: Allowed, AlwaysOn, AlwaysOff. | Specifies whether automatic installation of available security updates can be controlled by the user: |

In case multiple declarations include a value for the same key, the last value in the following list applied by any of those declarations takes precedence: Allowed, AlwaysOn, AlwaysOff.
RapidSecurityResponse dictionary keys for iOS, iPadOS, and macOS
The RapidSecurityResponse dictionary contains the keys shown below (default is True and not required).
Key | Type | Merge behavior | Description
---|---|---|---
| | Boolean | Logical AND operation of the values | If false, Rapid Security Responses aren’t offered for user installation. This defines whether Rapid Security Responses are automatically installed on user’s devices. |
| | Boolean | Logical AND operation of the values | If false, Rapid Security Response rollbacks aren’t offered to the user. This controls whether users have the option to remove a Rapid Security Response. |

Independent of the Enable key, Rapid Security Responses can still be installed with the com.apple.configuration.softwareupdate.enforcement.specific declaration.
Deferrals dictionary keys for iOS, iPadOS, and tvOS
The Deferrals dictionaries offer different keys to configure the behavior depending on the platform (no defaults, not required).
Key | Type | Merge behavior | Description
---|---|---|---
| | Integer 1–90 | Maximum number of days | Specifies the number of days to defer a software update. When set, software updates and upgrades appear only after the specified delay, following the release of the software update or upgrade. |
| | Enum | The last value from the list: All, Oldest, Newest | Specifies how the device shows software upgrades to the user. When a software update and upgrade is available, the device behaves as follows: |

Both CombinedPeriodInDays and RecommendedCadence can be used in combination. For example, if RecommendedCadence is set to Oldest and CombinedPeriodInDays is set to 30, a user sees only software updates for the oldest release after 30 days of their publishing date.
Deferrals dictionary keys for macOS
Key | Type | Merge behavior | Description
---|---|---|---
| | Integer 1–90 | Maximum number of days | Specifies the number of days to defer a software upgrade on the device. When set, software upgrades appear only after the specified delay, following the release of the software upgrade. |
| | Integer 1–90 | Maximum number of days | Specifies the number of days to defer a software update only (not a software upgrade or Rapid Security Response) on the device. When set, software updates appear only after the specified delay, following the release of the software update. |
| | Integer 1–90 | Maximum number of days | Specifies the number of days to defer non-operating system updates. When set, updates appear only after the specified delay, following the release of the update. |

An additional key is available in macOS to determine whether both standard users and local administrators can perform an update or upgrade (the default behavior), or determine whether administrative permissions are required (default is True and not required).
Key | Type | Merge behavior | Description
---|---|---|---
| | Boolean | Logical AND operation of the values | If true, a standard user can perform updates and upgrades. If false, only administrators can perform updates and upgrades. |

Notifications key
The Notifications key changes the default notification behavior to show only a notification 1 hour before the enforcement time and the restart countdown (default is True and not required).
Key | Type | Merge behavior | Description
---|---|---|---
| | Boolean | Logical AND operation of the values | If true, the device shows all software update enforcement notifications. If false, the device only shows notifications triggered one hour before the enforcement deadline, and the restart countdown notification. |

Managing beta software updates
On unsupervised iPhone or iPad devices, only the OfferPrograms array can be used to allow users to manually enroll into beta programs the organization has subscribed to. The beta dictionary offers the following keys (not required):
Key | Type | Default | Merge behavior | Description
---|---|---|---|---
| | Enum | Allowed | The last value from the list: Allowed, AlwaysOn, AlwaysOff | Specifies whether beta program enrollment can be controlled by the user in the software update settings user interface: |
| | Array | — | Unique union of all values | An array of beta programs allowed on the device. This key needs to only be present if the |
| | Dictionary | — | First configuration applied | The device automatically enrolls in this beta program. This key needs to be present only if the |

In addition to sending the name of the program, the OfferPrograms and RequireProgram options require that the token of the beta program be sent to the device. This token is used with Apple to verify eligibility and receive an updated software update configuration.
To allow users to enroll using their personal Apple Account or Managed Apple Account, a device management service can set the ProgramEnrollment key to Allowed. This allows users to enroll into any program available to their account and additionally into any beta program specified by the OfferPrograms array. Each Program dictionary in the OfferPrograms array needs to consist of the following keys (all strings, all required):
Key | Description
---|---
| | A human-readable description of the beta program. |
| | The seeding service token that the device management service is part of for the organization. This token is used to enroll the device in the corresponding beta program. |

If an organization wants to allow users to participate without the need to sign in, they can set the ProgramEnrollment key to AlwaysOn. In this case users are offered all programs listed in the OfferPrograms array. They can also automatically enroll devices into a beta program using a combination of ProgramEnrollment set to AlwaysOn and defining the beta program that the device needs to be enrolled into with the RequireProgram dictionary. The RequireProgram dictionary requires the following keys (all strings):
Key | Description
---|---
| | A human-readable description of the beta program. |
| | The seeding service token that the device management service is part of for the organization. This token is used to enroll the device in the corresponding beta program. |

In case an organization wants to prevent users from enrolling, they can set the ProgramEnrollment key to AlwaysOff. This also unenrolls the device from any beta program that it was already manually or automatically enrolled in.
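The merge behaviors listed in the tables above (last value from the list, logical AND, maximum number of days, unique union, first configuration applied), worked through for a device that receives several declarations. This is an added example, not Apple's code or any device management service's; it covers only keys named on this page, and the "Beta" dictionary name, the "Description" and "Token" program keys and the token values are assumptions and placeholders.

```python
import json

def last_in_list(*order):
    """Enum merge: the value that comes latest in `order` takes precedence."""
    return lambda values: max(values, key=order.index)

def unique_union(values):
    """Array merge: every distinct program once, in first-seen order."""
    merged = {}
    for programs in values:
        for program in programs:
            merged.setdefault(json.dumps(program, sort_keys=True), program)
    return list(merged.values())

# (dictionary, key) -> merge function over the values, in application order.
RULES = {
    ("RapidSecurityResponse", "Enable"): all,              # logical AND
    ("Deferrals", "CombinedPeriodInDays"): max,            # maximum number of days
    ("Deferrals", "RecommendedCadence"): last_in_list("All", "Oldest", "Newest"),
    ("Beta", "ProgramEnrollment"): last_in_list("Allowed", "AlwaysOn", "AlwaysOff"),
    ("Beta", "OfferPrograms"): unique_union,               # unique union
    ("Beta", "RequireProgram"): lambda values: values[0],  # first applied
}

def effective_settings(declarations):
    """Merge payload dicts (in the order applied) into the effective values."""
    collected = {}
    for payload in declarations:
        for section, keys in payload.items():
            for key, value in keys.items():
                if (section, key) not in RULES:
                    raise KeyError(f"no merge rule for {section}.{key}")
                collected.setdefault((section, key), []).append(value)
    return {f"{s}.{k}": RULES[(s, k)](v) for (s, k), v in collected.items()}

# Constructed sample; "Beta", "Description" and "Token" spellings are assumptions.
BETA_A = {"Description": "Example beta A", "Token": "PLACEHOLDER-TOKEN-A"}
BETA_B = {"Description": "Example beta B", "Token": "PLACEHOLDER-TOKEN-B"}
SAMPLE = [
    {"Deferrals": {"CombinedPeriodInDays": 14, "RecommendedCadence": "Oldest"},
     "Beta": {"ProgramEnrollment": "AlwaysOn", "OfferPrograms": [BETA_A]}},
    {"RapidSecurityResponse": {"Enable": False},
     "Deferrals": {"CombinedPeriodInDays": 30, "RecommendedCadence": "All"},
     "Beta": {"ProgramEnrollment": "Allowed", "OfferPrograms": [BETA_A, BETA_B]}},
    {"RapidSecurityResponse": {"Enable": True}},
]

if __name__ == "__main__":
    print(json.dumps(effective_settings(SAMPLE), indent=2))
```

For an audit, the result to watch is that one declaration with a long deferral or with Enable set to false determines the effective value, whatever the other declarations say.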
Note: Each device management service developer implements these settings differently. To learn how various Software Update settings are applied to your devices and users, consult your developer’s device management service documentation.