You Might Not Need Jamf for This Anymore: macOS Update Control Arrives in Intune
TL;DR
- As of November 2022, Intune includes update policies for macOS in preview, found under the Devices section of the Endpoint Manager admin center.
- macOS update policies only apply to devices enrolled through Apple's Automated Device Enrollment running macOS 12 or later.
- Intune checks in with macOS devices roughly once every 8 hours, so the Update at next check-in option works on that interval.
- Update deferrals for macOS live in a separate configuration profile built from the settings catalog, not in the update policy itself.
- Pairing a minimum OS compliance policy with Conditional Access lets you block non-compliant Macs from company resources, not just nag them.
For years the honest answer to "can Intune patch Macs?" was no, which is why so many MSPs bolted Jamf or Addigy onto customer environments just to keep macOS current. That answer is changing. Microsoft has been steadily building out macOS management in Intune, and as of November 2022 you can manage macOS update policies directly from Endpoint Manager (currently in preview).
This guide covers the new update policies plus the surrounding pieces, deferral profiles, compliance policies, and monitoring, that together make Intune a credible patching story for Macs.
Check enrollment first: ADE devices only
Two requirements before any of this works:
- Devices must be enrolled through Apple's Automated Device Enrollment (ABM) (opens in new tab)
- macOS 12 or later
If your Macs came in through user-driven enrollment, the update policies will not reach them.
Where the new policy lives and what it can do
In the Endpoint Manager admin center, look under the Devices section for "Update policies for macOS":

Creating a profile presents these options:

Each update type lets you choose how the update gets applied. The available behaviors:
- Download and Install: download or install the update, depending on the current state.
- Download only: download the software update without installing it.
- Install immediately: download the software update and trigger the restart countdown notification.
- Notify only: download the software update and notify the user through the App Store.
- Install later: download the software update and install it at a later time.
- Not configured: no action taken on the software update.
You also configure the schedule on which updates apply:

If you have worked with Windows update rings, "update during scheduled time" will feel familiar: you pick the window of time when updates are allowed to run. For example:

Which behavior should you pick?
Three things worth knowing before you commit:
- Intune checks in with each macOS device about once every 8 hours. Choose "Update at next check-in" and that is the interval you are working with.
- Install immediately is the roughest option for the person at the keyboard, because it reboots the machine on a triggered countdown:

- Notify only, paired with a schedule window in the after hours of the business, covers most updates well: the machine patches overnight and the user still gets a prompt. We think that beats Download only for most fleets.
Add a deferral buffer with the settings catalog
First-release updates ship with bugs, which is why deferral periods are standard practice on Windows. You can do the same for macOS, but not inside the update policy. It takes a configuration profile.
Go to Devices > Configuration Profiles > select macOS > select Settings catalog as the profile type:

The settings picker exposes deferral install delays for a few settings:

This defers installs for major OS updates, minor OS updates, and non-OS updates independently. The Software Update section of the same settings picker holds another useful control: toggle automatic updates to false and they turn off, and the user is also blocked from flipping the setting back:

Make the OS version enforceable, not advisory
Update policies push patches; they do not stop an out-of-date Mac from touching company data. For that, set a compliance policy enforcing a minimum OS version across the org:

The catch: minimum version numbers go stale, so you will be updating these values periodically across all of your customers. We would argue you should be reviewing compliance policies on a recurring basis anyway, quarterly or semiannually. With compliance policies in place, Conditional Access can then block non-compliant devices outright, which turns your patching standard from a suggestion into a gate.
Confirm the updates are landing
Once a policy is configured, Devices > Monitor > Software Updates shows the statistics for updates pushed to macOS devices:

Microsoft's documentation for the feature: Manage macOS software update policies in Intune (opens in new tab).
Frequently asked questions
Which macOS update behavior interrupts users the least?
Notify only, paired with a schedule window outside business hours, updates the machine after hours while still giving the user a prompt. Install immediately interrupts the most because it reboots the Mac on a triggered countdown.
Can you defer macOS updates in Intune the way Windows update rings do?
Yes, through a configuration profile using the settings catalog. The deferral settings cover major OS updates, minor OS updates, and non-OS updates independently.
Where do you check whether macOS updates are actually landing?
Devices > Monitor > Software Updates in the Endpoint Manager admin center shows update statistics for macOS devices once a policy is in place.
Update policies drift just like every other control
A compliance policy that enforced macOS 12 last year quietly stops meaning anything. CloudCapsule rechecks device and tenant controls across every customer, so the baseline you set is the baseline that holds.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


