Contact Us
Help Center Home > Patch Management > Create a DDM-Based macOS Patch Policy

Create a DDM-Based macOS Patch Policy

JumpCloud’s automated patch management now supports Apple’s Declarative Device Management (DDM), which improves the way your Macs stay secure and compliant. Unlike legacy MDM protocols, DDM uses a proactive approach where the server declares the desired operating system version, and the device applies these settings asynchronously. This results in improved performance and a more reliable update process over legacy MDM patch policies.

Important:
  • Legacy MDM patch policies will remain in your org but be deprecated later this year. We recommend migrating to DDM-based policies as soon as possible to avoid any potential interruptions. 
  • Applying legacy and DDM-based macOS patch policies simultaneously causes conflicts and unexpected behavior.

Features:

  • Major Upgrades - Control the rollout of significant OS versions and defer upgrades for up to 90 days after release. This allows you to test new operating systems on a pilot group before a company-wide rollout.
    • These are Apple’s major named operating systems that use a whole number integer for their versioning, for example macOS 26 Tahoe and macOS 15 Sequoia. 
  • Minor Updates - Control the rollout of routine security patches.
    • These updates are minor revisions of the existing OS version on the device. The version numbers include a decimal point, for example macOS 26.1.
  • Enforcement Deadlines - Set and enforce deadlines for updates. As deadlines approach, Macs manage compliance through escalating, non-dismissible reminders to users.
  • Policy Precedence - DDM patch policies take precedence over legacy configurations. Deferrals and automatic update settings defined by a DDM declaration override conflicting legacy patch policies.
  • User Experience - Customize the update experience by configuring how and when users receive notifications.

Note:
  • The Automatic macOS Updates policy described in this article is designed to always enforce the latest available OS version depending on your configured deferral settings.
  • If you want to manually enforce a specific target version using DDM, use the Software Update Enforcement policy instead.

Prerequisites:

  • This policy is supported on Macs running macOS 15 and later.
  • Apple Mobile Device Management (MDM) must be configured for your organization and Macs must be enrolled in JumpCloud MDM. See Set up Apple MDM
  • You must have Manager role permissions or higher to create and enforce a patch management policy. See Admin Portal Roles to learn more.

Considerations:

  • If you have existing custom legacy macOS patch policies, you must recreate them using DDM-based policies.
  • Updates are enforced using Apple’s SoftwareUpdateEnforcementSpecific DDM configuration, and settings are enforced using the SoftwareUpdateSettings DDM configuration. See Apple’s developer documentation for SoftwareUpdateEnforcementSpecific and SoftwareUpdateSettings to learn more.

Creating Default Patch Policies and Policy Groups

If your organization has not yet configured any macOS, Windows, or Linux patch management policies or policy groups, you can save time by loading a set of default policies and policy groups. These patch policies and groups allow you to enforce security patches on a large number of managed devices efficiently.

A policy group helps you quickly roll out preconfigured policies using deployment rings. Deployment rings are configured with standard defaults. The deployment ring names match these policy group names, and control how and when an update is applied:

  • Vanguard - Deploy automated upgrades inside your IT Department.
  • Early Adoption - Deploy automated upgrades to early adopters outside of IT.
  • General Adoption - Deploy automated upgrades to general users in your company.
  • Late Adoption - Deploy automated upgrades to remaining users in your company.
    Displays the available patch management rings, depicting Vanguard with the lowest deferral period, and Late Adoption with the highest.

To create default patch policies and policy groups:

Important:

If your data is stored outside of the US, check which login URL you should be using depending on your region, see JumpCloud Data Centers to learn more.

  1. Log in to the JumpCloud Admin Portal
  2. Go to Device Management > Policy Management.
  3. Click the Patch Management tab, then click the OS tab.
  4. If you haven’t yet configured a patch policy or patch policy group, click Load Default Policies & Policy Groups to create four out-of-the-box default policy groups. Each policy group contains three preconfigured deployment ring policies that are automatically bound to the group.
    If you haven't configured Patch Management, click Load Default Patch Policies & Policy Groups to populate the defaults.
  5. Review the preconfigured settings for the macOS default policies:
    • Defer Releases - The number of days to defer the availability of future major OS upgrades and minor OS updates. If you set the deferral length to be greater than the number of days since an update was released, this update will not be available. Any minor release older than 90 days will not be affected. The following settings control deferral:
      1. Defer Major OS Upgrades - Specifies how many days to defer a major OS upgrade after it's released. 
      2. Defer Minor OS Updates - Specifies how many days to defer a minor OS update after it’s released. 
      3. Defer System or Non-OS Updates - Specifies how many days to defer a non-OS update after it’s released. Examples of non-OS updates are a Safari update or an Xcode Command Line Tools update
    • Enforce Automatic Updates - The number of days that users have to install updates after they are available. The Allow Grace Period setting will apply to any updates available on a Mac at the time of policy application. If updates are not installed at the end of the grace period, JumpCloud forces the update via a DDM command. Valid values are 0-365 days, and the default is 30 days. 

Warning:

When the deferral periods and the deadline that you set in Step 5 expire, the policy forces updates to be automatically downloaded and installed as soon as the user's device comes online. If something unexpected happens and the update could not be installed, JumpCloud will try again based on Apple’s pre-determined criteria. 

Deployment Policy Ring Deferral Length in Days Installation Deadline in Days
macOS Vanguard 1 day 3 days
macOS Early Adopter 7 days 7 days
macOS Early Adopter 15 days 10 days
macOS Late Adopter 30 days 10 days

When selecting a policy, the Deferral Length in Days setting for minor update releases will apply to any future minor updates. 

  1. You can configure additional settings that are not preconfigured in the default policies:
    • Update Permissions -  Set the permission level required for Mac users to run updates.
    • Notifications - Set how users receive update notifications.
    • Recommended Cadence - Choose how the Mac shows software updates to the user.
  2. (Optional) Review your default policy groups and policies. The policies are automatically bound to the appropriate group.
    The list of default Policy Groups that are generated in the Admin Portal.
    For example, the Vanguard Ring Policy Group automatically contains these three preconfigured deployment ring policies:
    • iOS Vanguard Ring
    • Linux (Ubuntu) Vanguard Ring
    • MacOS Vanguard Ring
    • Windows Vanguard Ring

Tip:

If you already created default policies and groups, and later you create additional default policies or policy groups, an error does not appear. Instead, the existing default policies and policy groups will be used.

  1. (Optional) Select the policy you just created and select the Device Groups tab. Select one or more device groups where you'll apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
  2. (Optional) Select Devices. Select one or more devices where you'll apply this policy.

Tip:

For this policy to take effect, you must specify a device or a device group in Step 8 or Step 9.

  1. Click Save.
  2. After the policy runs, you can view detailed results for a specific device:
    1. Go to Device Management > Devices.
    2. Select the Devices tab, then select the device.
    3. Select Policy Results, then click view to see more details. An Exit Code of 0 indicates that the policy ran successfully.
      The JumpCloud Policy Results of a successful Automatic macOS Software Updates patch management policy to a Mac.
  3. To delete a patch policy, select the checkbox next to the policy and click Delete. The policy is removed from the OS Patch Management list.

Creating an Automatic DDM-based macOS Updates Policy

You can also create your own policy without using the default patch policies covered in the previous section.

To create an Automatic macOS Updates policy:

  1. From the JumpCloud Admin Portal, go to Device Management > Policy Management.
  2. Click the Patch Management tab, then click the OS tab. Only OS patch policies appear in this tab.
  3. To create a new, custom Automatic macOS Updates Policy, click (+), then choose macOS - NEW.
    Clicking (+) to add a patch policy shows the list of available platforms, iOS, macOS, Linux, and Windows.

Note:
  1. (Optional) On the New Policy panel, enter a new name for the policy or keep the default. Policy names must be unique.

Next, configure General Settings:

  1. Defer Major OS Upgrades for _ Days - Enter the number of days (1-90) to delay the visibility of major macOS upgrades on your Macs after their official release. For example, if Apple releases an upgrade on December 1 and you defer it for 10 days, it will not be available on the device until December 11.
  2. Defer Minor OS Updates for _ Days -  Enter the number of days (1-90) to delay the visibility of minor OS updates on your Macs after their official release (for example, 15.1 to 15.2).
  3. Defer System or Non-OS Updates for _ Days - Enter the number of days (1-90) to delay the visibility of other system updates after their official release. 

Note:

Deferral periods let you control when new operating system updates become visible to your users. By deferring updates, you gain time to validate new versions on a pilot group of devices before rolling them out to your entire organization.

  • During the Deferral Period - The update is hidden. The device does not prompt the user to update, and the update does not appear in System Settings.
  • After the Deferral Period - The update becomes visible. Users can install it manually. If Enforce Automatic macOS Updates is enabled, the Grace Period countdown begins immediately.
  1. Select Enforce Automatic macOS Updates to have JumpCloud automatically enforce the latest OS version released by Apple after it becomes available (depending on your deferral and grace period settings).

Note:
  • When enabled, a new enforcement policy is programmatically initiated for every new version.
  • The enforcement countdown (Grace Period) begins only after any configured deferral period has ended.

After enabling Enforce Automatic macOS Updates, the following additional settings appear:

  1. Allow Grace Period of _ Days Before Automatic Installation - Enter the number of days (0-365) users have to install the update manually before it is forced.
  2. Local Device Time for Enforcement - Specify the time when the forced installation occurs after the grace period expires. This is required.
  3. (Optional) Details URL - Enter a URL (starting with http:// or https://) to display in System Settings. This link directs users to more information about software updates (for example, your company's intranet page, device use policy, or a link to Apple's documentation).

Important:

Macs must meet specific network, power, and disk space requirements to begin enforcing updates. See Apple’s Software update requirements to learn more. 

  1. Under Update Permissions, set the permission level required for users to run updates on Macs:
    • Select Allow Standard Users to enable non-admin users to install updates.
    • Select Only Administrators to require administrative privileges to install updates. 
  2. Under Notifications, set how users receive update notifications:
    • Select Show All Notifications to show users all software update enforcement notifications up to the deadline.
    • Select Notify One Hour Before Deadline to notify users of update enforcement only once before the deadline along with the subsequent restart countdown notification.

Note:

Notifications are delivered to users with increasing frequency as they approach the deadline based on Apple’s schedule. See Apple’s Enforce software updates to learn more. 

  1. Under Recommended Cadence, choose how the device shows software updates to the user:
    • Select Show All Versions to show all available updates.
    • Select Show Only Oldest Version to show only the lowest numbered update version.
    • Select Show Only Newest Version to show only the highest numbered update version.

Next, configure Automatic Actions:

Important:
  • Selecting Always Off for any of the following Automatic Actions prevents updates from being downloaded or installed automatically depending on the corresponding setting. This means users must manually download or install updates.
  • Certain combinations of these settings can result in policy failure. Jump to Understanding Invalid Automatic Actions Configurations.
  1. Under Download New Updates When Available, choose how users can control automatic downloads of available updates:
    • Select User Controlled to let users choose to enable or disable automatic downloads. Users can choose to download updates in System Settings. 
    • Select Always On to automatically download updates.
    • Select Always Off to disable automatic downloads, requiring user input.
  2. Under Install macOS Updates, choose how users can control automatic installation of available updates during the grace period. This setting doesn't apply to major upgrades or security improvements.
    • Select User Controlled to let users enable or disable automatic installation of updates. 
    • Select Always On to automatically install updates without user input.
    • Select Always Off to disable automatic installation, requiring user input. 
  3. Under Install Security Response and System Files, choose how users can control automatic installation of regular security updates that come bundled as part of standard OS updates.
    • Select User Controlled to let users choose to enable or disable automatic installation of security updates.
    • Select Always On to automatically install security updates.
    • Select Always Off to disable automatic installation of security updates.

Next, configure the Rapid Security Response (RSR) settings for Apple’s lightweight, out-of-band emergency patches that fix urgent vulnerabilities quickly:

  1. Under Offer RSRs for User Installation select whether to offer Rapid Security Responses for user installation. 
  2. Under Allow Users to Rollback RSRs select if the system allows users to roll back Rapid Security Responses.

Next, configure Beta Updates:

  1. Under Program Enrollment, select whether to allow or block OS beta enrollments.
    • Select User Allowed to let users manually enroll in any beta programs tied to their Apple ID.
    • Select Always On to force Macs to enroll in org-defined beta programs.
    • Select Always Off to prevent Macs from enrolling in any beta programs. Devices are forcefully unenrolled if they are already enrolled in any beta programs.
  2. Under Offered Program(s), enter the specific beta programs that you want to offer.
    1. Under Description, enter the readable name of the beta program.
    2. Under Token, enter the beta seeding service token from Apple Business Manager (ABM) or Apple School Manager (ASM).
  3. Next, go to the Devices tab to bind the policy to a device, or the Device Groups tab to bind it to a group of devices.
  4. Click Save.

Verifying Policy Application on Macs 

When patch policy declarations are delivered to Macs, they will appear in System Settings.

To verify that the policy has applied:

  1. On the Mac, go to System Settings > General > Device Management.
  2. Under Device (Managed), scroll to the bottom of the list and click MDM Enrollment Profile
  3. The MDM Enrollment Profile modal displays. Scroll to the bottom of the list. Under Device Declarations, Software Update appears if the policy has applied.
  4. Depending on your policy configuration and availability of updates on the Mac, the following declarations appear:
    • Global Settings displays the corresponding General Settings you configured in the JumpCloud Automatic macOS Updates policy. Click it to view details.
    • Required Software Update displays if you enabled the Enforce Automatic macOS Updates setting and an update is currently available on the Mac. Click it to view details.
      The MDM Enrollment Profile window in System Settings on a Mac with a patch policy successfully applied. Software Updates appears under Device Declarations > Software update.

Understanding Invalid Automatic Actions Configurations

When configuring Automatic Actions, you have the option to set the following settings to User Controlled, Always On, or Always Off:

  • Download New Updates When Available
  • Install macOS Updates
  • Install Security Response and System Files

Important:

Certain combinations of these settings can cause the policy to be rejected by the OS and generate an "Invalid global settings declaration" error.

Invalid Automatic Actions Configurations

The following table outlines configurations that result in policy failure:

Policy Setting: Download New Updates When Available Policy Setting: Install macOS Updates Reason for Rejection
User Controlled Always On Installation is forced, but downloading is not guaranteed.
Always Off User Controlled Users can install updates that the Mac is not permitted to download.
Always Off Always On Installation cannot be forced when downloading is disabled.
Back to Top

List IconIn this Article

Notebook IconLearn More

Get Started: Patch Management

Choose an OS Patch Management Policy

Create a DDM-Based iOS Patch Policy

Create a Mac Software Update Enforcement Policy

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case