As part of Apple’s unveiling of Declarative Device Management (DDM) at WWDC 2023, Apple announced that DDM management included the ability to manage software updates. Jamf Pro’s Blueprints leverages this capability to support managing software updates. Let’s see how this works using the following software update configuration as an example:

• Standard users can install Apple software updates
• Logged-in users will see all software update notifications
• OS updates will be automatically downloaded
• OS updates will be automatically installed
• Security updates will be automatically installed
• Rapid Security Response updates will be installed
• Rapid Security Response updates can be removed

For more details, please see below the jump.

As of Jamf Pro 11.18.0, there is not a Blueprints template available for creating blueprints which manage software updates so the blueprint will need to be configured manually. To do this, use the following procedure:

1. Log into Jamf Pro.

2. Select Blueprints

3. Click the Create blueprint button.

4. Give it a name when prompted and click the Create button. For this example, I’m using Software Update Settings.

5. You should see an unconfigured Blueprint. Scroll down in the list on the right-hand side of the browser window to locate the Software Update Settings component.

6. Click on the Software Update Settings component and drag the Software Update Settings component to the Declaration group section.

7. Mouse over the Software Update Settings component and you will see a Configure button appear.

Click the Configure button.

8. At this point, you will see all available Software Update settings which are available for all Apple platforms. To limit to only those options available for macOS, you can click the filter button and then select macOS. Once the desired filter(s) have been selected, click the Apply button.

9. To apply the following desired settings, select the following options:

• Standard users can install Apple software updates:

Select Enable for Allow standard users to install software updates

• Logged-in users will see all software update notifications:

Select Enable for Notification preference for updates scheduled by declarations

Once those options are selected, you’ll need to configure the Install actions and Rapid Security Response sections to achieve the following desired settings:

• OS updates will be automatically downloaded
• OS updates will be automatically installed
• Security updates will be automatically installed
• Rapid Security Response updates will be installed
• Rapid Security Response updates can be removed

To access the Install actions and Rapid Security Response sections, click their associated Configure buttons.

In the Install actions section, to apply the following desired settings, select the following options:

• OS updates will be automatically downloaded:

Select Always for Automatic installs of available updates

• OS updates will be automatically installed:

Select Always for Automatic downloads of available OS updates

Note: Selecting Always for Automatic installs of available updates will also automatically set Always for Automatic downloads of available OS updates.

• Security updates will be automatically installed:

Select Always for Automatic installs of available security updates

Once all choices have been made and verified, click the Update button.

You should now see the following items set to Always:

• Automatic installs of available updates
• Automatic downloads of available OS updates
• Automatic installs of available security updates

From there, scroll down to the Rapid Security Response section and click the Configure button.

In the Rapid Security Response section, to apply the following desired settings, select the following options:

• Rapid Security Response updates will be installed:

Select Allow for Rapid Security Response installation

• Rapid Security Response updates can be removed:

Select Allow for Rapid Security Response removal

Once all choices have been made and verified, click the Update button.

You should now see the following items set to Enabled:

• Rapid Security Response installation
• Rapid Security Response removal

10. Once all the settings choices have been made and verified, click the Save button.

11. At this point, you should have a blueprint which has all settings configured but where no target scope has been set. To scope this blueprint, go to the Scope section and click the Open button.

For this example, I’m selecting a static group named Managed Software Update Deployment Group. Once the desired smart and/or static groups have been set and verified for the scope, click the Save button.

12, Once everything has been configured, Jamf Pro should inform you that you have undeployed changes. Click the Deploy button to deploy the changes to the Macs you want to manage.

13. Once deployed, the Blueprints screen in Jamf Pro should show the newly-created Software Update Settings blueprint as being deployed.

You can also check on the managed device’s end by opening System Settings: General: Device Management, locating the MDM enrollment profile in the list of profiles and double-clicking on it. When you scroll to the bottom of the enrollment profile’s window, you should see a Device Declarations section.

If you’re deploying a software update configuration via Blueprints, you should see a Global Settings listing for Software Update in the Device Declarations section.

If you click on the Global Settings listing, you should see the details of the configuration.

You can also see the details of what’s configured in System Settings: General: Software Update.

In this case, you can click on the ( i ) button next to the Automatic Updates section and see the settings which have been applied.