One of the management options Jamf Pro provides is sending MDM commands or DDM declarations to managed Macs run macOS software updates automatically. For Macs, Jamf Pro includes this functionality in the Software Updates section under Computers. If you have not previously used the Software Updates functionality, by default it is turned off and needs to be enabled.

Once enabled, you should see a list of the smart and static computer groups set up on your Jamf Pro server. To set up a software update plan for one of those groups, click the desired group and then click Update 1 Selected.

Note: It’s possible to select multiple groups at once and set the same software plan for all selected groups.

Once the groups have been selected for update, you’ll be provided with the various options available. Four of these options use MDM commands and one will use a DDM declaration:

MDM commands:

• Download only
• Download and install
• Download, install and allow deferral
• Download, install, and restart

DDM declaration:

• Download and schedule to install

One reason it is important to know which use MDM commands and which use DDM declarations is that the MDM command method is supported on the following versions of macOS:

• macOS 10.11 and later

The DDM declaration method is supported on the following versions of macOS:

• macOS 14 and later

Note: The DDM declaration method works for Jamf Pro instances hosted in Jamf Cloud and does not work for on-premise Jamf Pro installations. If you are using an on-premise Jamf Pro installation, the Download and schedule to install option is grayed out and there is a note explaining that this method is only supported for Jamf Cloud-hosted environments.

You will also get various update options:

• Latest version based on device eligibility – This will download and install the latest version of macOS that the managed device can run.
• Latest major version – This will download and install the latest major version of macOS, like macOS 14.0 or macOS 15.0, if the managed device is running an earlier major version of macOS.
• Latest minor version – This will download and install the latest update to the major version macOS that the managed device is using, like updating a macOS 15.14.1 device to macOS 15.5
• Specific version – This will download and install the update for a specific macOS version, like macOS 15.4.1.

Note: The Specific version setting assumes that the version in question is still available from Apple’s software update feed. If it is not, then that version will not be downloaded or installed.

Managed software update plan behavior:

Something important to know about managed software update plans is that they were built to act like Jamf Pro’s functionality for sending out MDM commands via a mass action. You select the devices you wanted to apply the mass action to (or in this case, the software update plan) and Jamf Pro would send the commands out. When choosing a smart or static group and setting up a software update plan, the commands for that software update plan will be sent to only the devices in that group at that point in time.

If a device subsequently enters the smart group or static group in question, it will not receive the commands which had been previously sent out. Please note that this also means that leaving the smart or static group will not remove a previously applied software update plan.

For more details, please see below the jump.

Setting up managed software update plans:

For how this works, let’s run through an example workflow. For this example workflow, the following assumptions are being made:

1. The Jamf Pro instance sending the software update plan is hosted in Jamf Cloud.
2. The DDM declaration method is being used.
3. One Mac is being updated.
4. The Mac receiving the software update plan is running macOS Sequoia 15.4.1 and updating to the latest OS version the device can support (which in this case should be 15.5.0.)
5. The software update plan is being run at a time prior to May 24, 2025.

With these assumptions, my first step is selecting a group to apply the software update plan to. For this example, I’ve set up a static group named Managed Software Update Deployment Group and assigned one device to it.

1. From the list of groups in the Software Updates window, select the Managed Software Update Deployment Group static group.

2. Click the Update 1 Selected button.

3. Select the following option to choose the available DDM declaration method:

• Download and schedule to install

4. Choose a date by which the software update should apply.

5. Choose the OS version update option.

In this example, I am choosing the Latest version based on device eligibility option.

6. Once all choices have been made, verify that they are what is desired. Once verified, click the Apply button.

7. You should be notified how many devices have received the software update plan.

Once the software update plan has been deployed, you should be able to check in the computer inventory record for the device(s) and verify that they have received the software update plan.

For details, you can click the View event store link in the computer inventory record.

You can also check on the managed device’s end by opening System Settings: General: Device Management, locating the MDM enrollment profile in the list of profiles and double-clicking on it. When you scroll to the bottom of the enrollment profile’s window, you should see a Device Declarations section.

If you’re deploying a software update plan via DDM, you should see a listing for that software update plan in the Device Declarations section.

If you click on that listing, you should see the details of the plan.

From the user’s perspective, they should see a Notifications center notification appear with two available options:

• Details
• Update

When you click the Details button, you should see behavior similar to what’s shown below:

When you click the Update button, you should see behavior similar to what’s shown below:

Note: The video above has been edited to artificially reduce the amount of time the OS update took to run. Run time of the pre-edited video was 27 minutes 32 seconds.

Once the update has completed, you should be able to check in the computer inventory record for the device(s) and verify that they do not have an active software update plan.

You should also be able to check the history and verify whether the software update was successful or not. For details about the process, click the Details button.

Something that is important to know about the reporting is that when Jamf Pro deploys a software update plan which uses DDM declarations, it is doing two things:

1. Providing the software update plan to the managed devices.
2. Listening to what is reported back by the Mac.

Any reported errors which show up in Jamf Pro are coming back from macOS, so if macOS reports a failure on its end, that’s what Jamf Pro also reports. When Jamf Pro gets a failure message from a managed Mac, it stops listening at that point and does not pick up on any subsequent activity from that managed device for that software update plan. However, on the managed device side, macOS may retry running the software update process and subsequently succeed. This may lead to some results which seem paradoxical, where the managed device reports that the software update plan failed, but the managed device is separately reporting that it’s running the desired version of macOS.

The reporting that Jamf Pro gets back from the managed Mac may also not include a lot of information about the software update process. For example, here’s a report I received from a macOS VM which updated from 15.4.1 to 15.5.0. It does not include a lot of information about the update process itself but the report does include a VerificationResultEvent item, which tells Jamf Pro that the overall DDM software update process was successful.

Clearing existing managed software update plans:

As mentioned previously, managed software update plans function in a similar way to mass actions, where the commands for that software update plan will be sent to only the devices in that group at that point in time. Since it can be a challenge to track which devices may be affected once that plan has been deployed, it may be easiest to cancel all current software update plans and set up new ones when needed. To do this, use the procedure shown below:

1. Go to the Software Updates section.

2. Click the Use new feature toggle to turn the managed software update function off.

3. Jamf Pro will confirm that you want to turn the managed software update function off, along with a count of the devices that have software update plans currently applied. Click the Disable button to confirm.

4. Jamf Pro will clear all existing software update plans from managed devices.

5. The managed software update function will be turned off.

6. To turn the managed software update function back on, click the Enable button.

7. Jamf Pro will confirm that you want to turn the managed software update function on, along with a count of the devices that have software update plans currently applied. Click the Enable button to confirm.

8. The Software Updates section will again show a list of the smart and static computer groups set up on your Jamf Pro server.

Note: Turning the Software Updates functionality off and back on will clear all previously existing records of software update plans or those plans’ results. Jamf Pro will have no records of any previous software update plans at this point.

For more information on using Jamf Pro’s managed software updates, please see the documentation linked below:

• Updating macOS Using Managed Software Updates: https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Updating_macOS_Using_Managed_Software_Updates.html
• Troubleshooting Managed Software Updates in Jamf Pro: https://learn.jamf.com/en-US/bundle/technical-articles/page/Troubleshooting_Managed_Software_Updates_in_Jamf_Pro.html