Maintaining control over which operating systems are installed on which devices, and then keeping those OSes up to date, is a core responsibility for any Apple admin.
Keeping operating systems updated protects against security threats, maintains compatibility with hardware and software, and provides a better experience for end-users.
Apple releases OS updates on a regular, aggressive cadence. That cadence can keep Apple admins busy making sure their fleets are fully and continually updated. The update process requires admins to test new OSes, to be sure they won’t introduce any incompatibility or instability to the environment. The tested OS must then be deployed and installed on endpoints. And admins need some way to confirm that those updates—including those that required some user intervention—were, in fact, applied.
No wonder that when we recently surveyed Apple admins (who were not Kandji customers), more than 30 percent of them identified OS updates as one of their top pain points.
To allow for seamless deployment of updates, Kandji released the first version of Managed OS, focusing on macOS devices, in April 2020, allowing admins to schedule and enforce OS updates across their Mac fleets—they could “set it and forget it,” and Managed OS would do the rest. We followed that in August 2022 with Managed OS support for iOS, iPadOS, and tvOS. And now we’re releasing the next generation of Managed OS.
The New Managed OS
In this major revision, we rebuilt the core architecture of Managed OS to optimize performance and reliability, while also fulfilling feature requests from customers.
A Rebuilt Core
The orchestration and scheduling engine for Managed OS is entirely new—and we really mean “entirely”: The new version shares not a single line of code with our original implementation.
Starting with a completely blank slate let us challenge some of our previous assumptions. It also let us account for some newly discovered edge cases and to truly optimize for performance and reliability. And while the rebuild took longer than we originally anticipated, taking that extra time ensured that the results were what we and Kandji customers wanted.
One big result of this update: The core of Managed OS has been moved from the Kandji Agent to the Kandji server. That frees up the Agent to focus on other business-critical tasks—such as enforcing parameters, FileVault key rotations, and Auto App updates—without interruption.
Improvements Across the Board
You will notice the improvements we’ve made immediately. For instance, upon the enrollment of a new device, Managed OS will wait for its bootstrap token (if necessary) before initiating any actions that would otherwise fail. Once that token is received, Managed OS will check for—and enforce if appropriate—any updates right away. The status of those updates is checked and reported in Kandji every 3 minutes; changes are visible to admins in both the Library Item status in Kandji and the command history on a device record.
Previously, OS updates were visible to users only five days ahead of the scheduled enforcement window. Now updates are visible as soon as they are available in Kandji and have been cached on devices. This means users have more time to update their devices before being forced to do so, minimizing later disruptions.
When the final 30 minutes of the enforcement window is reached, the Kandji server now uses our highly scalable real-time communication (RTC) platform to notify the Agent to prompt the user to update or upgrade. Status updates based on what is happening on the device—such as whether or not a Mac has sufficient battery—are provided back to the Kandji server.
We’ve also built special notifications for the Agent to help remediate updates that might be stalled before the installation fails. In testing, we discovered instances in which the status reported back to Kandji no longer accurately reflected the actual update process. Previously, such discrepancies would result in a failed installation. Our new approach attempts to resolve these issues before such failures.
These enhancements to Managed OS build on improvements we’ve made to the Kandji Agent in the past few months, including a fallback mechanism for users if an update fails to install. (Those users are now directed to System Settings or Preferences to complete the process; the Library Item status details inform admins of when this happens.)
We’ve also relaxed the timing of when applications are force-closed, so even if an update takes longer than expected, users can still use their devices while the update is prepared in the background. As long as the user installs the update before the enforcement time runs out, their apps will reopen as normal following restart. (If the user doesn't install the update before the enforcement timer runs out, Kandji will force quit all open apps; those won’t reopen automatically after the update or upgrade completes and the user logs back in.)
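The enforcement flow described above (wait for the bootstrap token, surface the update early, prompt in the final 30 minutes, report battery state back, force the install once the timer runs out) can be written down as a small server-side decision function. The following is an added example for illustration, not Kandji's code: the DeviceReport schema, the MIN_BATTERY_PERCENT threshold, the action names and the sample serials are all assumptions made here. It also shows why the version comparison must be numeric rather than lexical, a detail the text does not spell out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# From the page: users are prompted in the final 30 minutes of the enforcement
# window, and the device reports back whether it has sufficient battery.
PROMPT_WINDOW = timedelta(minutes=30)
# Assumed threshold for illustration only; the page does not state the real value.
MIN_BATTERY_PERCENT = 50


def parse_version(version):
    """Turn '14.4.1' into (14, 4, 1) so that '14.10' sorts after '14.9'.
    Comparing the raw strings would rank 14.10 below 14.9."""
    return tuple(int(part) for part in version.strip().split("."))


@dataclass
class DeviceReport:
    """One status check from a device (constructed schema, not Kandji's)."""
    serial: str
    os_version: str
    bootstrap_token_escrowed: bool
    battery_percent: int
    on_ac_power: bool


def decide(report, required_version, deadline, now):
    """Return the action the server should take for one device right now."""
    if parse_version(report.os_version) >= parse_version(required_version):
        return "compliant"
    # The page notes that update actions started before the bootstrap token
    # has been escrowed would fail, so the server waits for it first.
    if not report.bootstrap_token_escrowed:
        return "wait_for_bootstrap_token"
    if now >= deadline:
        # Enforcement timer has run out: open apps are force quit and the
        # update or upgrade proceeds.
        return "force_install"
    if deadline - now <= PROMPT_WINDOW:
        if report.on_ac_power or report.battery_percent >= MIN_BATTERY_PERCENT:
            return "prompt_user"
        # Device state is reported back rather than prompting blindly.
        return "report_insufficient_battery"
    # Update is visible and cached on the device, but nothing is enforced yet.
    return "available_not_enforced"


def fleet_summary(reports, required_version, deadline, now):
    """Count devices per action: the 'did the updates actually apply?' view."""
    summary = {}
    for report in reports:
        action = decide(report, required_version, deadline, now)
        summary[action] = summary.get(action, 0) + 1
    return summary


# Constructed sample fleet; the serial numbers are placeholders.
DEMO_DEADLINE = datetime(2024, 6, 3, 17, 0, tzinfo=timezone.utc)
DEMO_FLEET = [
    DeviceReport("C02XXXXX0001", "14.5", True, 80, True),     # already on target
    DeviceReport("C02XXXXX0002", "14.4.1", False, 90, True),  # token not escrowed
    DeviceReport("C02XXXXX0003", "14.4.1", True, 20, False),  # low battery, unplugged
    DeviceReport("C02XXXXX0004", "14.4.1", True, 95, True),   # ready to be prompted
]


def demo():
    """Evaluate the sample fleet 10 minutes before the enforcement deadline."""
    now = DEMO_DEADLINE - timedelta(minutes=10)
    return fleet_summary(DEMO_FLEET, "14.5", DEMO_DEADLINE, now)


if __name__ == "__main__":
    for action, count in sorted(demo().items()):
        print(f"{action}: {count}")
```

Running the module prints one line per action with the number of devices in that state; re-running it with a different `now` walks the same fleet through the earlier, prompt-free part of the window and past the deadline.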
The new version of Managed OS is now live in all Kandji tenants worldwide, and no action is required by admins to implement it: As long as the applicable operating system Library Items are configured, Kandji will take care of the rest.
Getting Ready for DDM
At WWDC 2023, Apple announced that iOS 17, iPadOS 17, and macOS Sonoma would support managing software updates with Declarative Device Management (DDM), as well as enforcing a minimum OS version during device setup with Automated Device Enrollment (ADE).
We’re incredibly excited about Apple’s DDM announcements, which integrate seamlessly with Managed OS and will be available soon in Kandji. In addition to supporting DDM, Managed OS will soon also include the ability to enforce Rapid Security Response (RSR) updates on a customized schedule.
Kandji was the first MDM vendor to market with support for actively managing supervised devices via DDM. Since then, we’ve continued to expand that support, turning it on for all eligible devices earlier this year. Admins can also already enforce a minimum OS version during ADE enrollment using the setting in the ADE Library Item.
Kandji is the Apple device management and security platform that empowers secure and productive global work. With Kandji, Apple devices transform themselves into enterprise-ready endpoints, with all the right apps, settings, and security systems in place. Through advanced automation and thoughtful experiences, we’re bringing much-needed harmony to the way IT, InfoSec, and Apple device users work today and tomorrow.