Managing Software Updates with Declarative Device Management

By: Chris Cieszynski, Solutions Architect

After our prior article on year round beta testing, several readers reached out to ask for more information on best practices for managing software updates across their Apple fleet, and we couldn’t be more excited to talk about it! Read on to learn how Apple’s transition to declarative device management improves update performance and visibility for ALL Apple devices.

What Is Declarative Device Management?

Declarative Device Management is the future of Apple device management. With it, your device management (MDM) server no longer issues commands to devices in real time. Instead, it declares the desired state of the device, which asynchronously applies settings and reports its status back to the device management service. 

For software updates, the device management service declares the desired OS version, and devices automatically download, install, and report on progress, all without constant server polling. This saves bandwidth and reduces management overhead, making your update workflows more scalable and responsive. Legacy update commands still work, but will be removed in a future update. Currently, they coexist with update declarations, however declarations take priority over the legacy method.. 

Why It Matters for Schools

This approach is ideal for schools and other bandwidth-constrained environments. Supervised devices respond to your update policies automatically, and declarations handle update behavior even if students delay or ignore prompts. As an administrator, you gain accurate and timely status information without generating unnecessary traffic. When coupled with content caching, your school can update devices faster than ever before. 

Software Lookup Service and Automated Reporting

Apple provides an official resource, known as the Software Lookup Service, which lists all publicly available updates including Rapid Security Responses. It returns data like version numbers, build IDs, posting and expiration dates, and supported device models. MDM providers can query this service to determine which updates to offer or enforce per device.

Rather than polling devices constantly, your device management service subscribes to specific status reports via ManagementStatusSubscriptions. Devices will automatically send updates when key values change—such as current OS version, build version, update failures, or beta enrollment status. This gives your MDM real-time insight into the update status across your fleet.

About Software Update Configuration Keys

Starting with iOS 17, iPadOS 17, and macOS 14, admins can enforce a minimum OS version during device enrollment. If a device does not meet this minimum version, the MDM response causes the device to initiate an update before the setup process can continue. Once updated and rebooted, Setup Assistant resumes, and device enrollment can continue.

In iOS 18, iPadOS 18, macOS 15, and later, the com.apple.configuration.softwareupdate.settings declaration lets your MDM control update behavior such as:

  • Automatic download and install settings
  • Deferral periods (1–90 days)
  • Notification behavior
  • Rapid Security Response behavior

Multiple declarations merge intelligently, ensuring defined behavior wins across conflicting profiles.

Deferral and Enforcement Controls

Deferral settings let you delay offering updates or upgrades from 1 to 90 days. Admins can choose separate deferral windows for OS upgrades versus routine updates in macOS. Supervised devices obey your timing, ensuring testing windows aren’t interrupted.

If necessary, you can enforce a specific update by issuing a declaration with a target date and time. Devices will install by that deadline—even ahead of the deferral period. If the version is the same or older than the device’s current version, the system skips it automatically.

For macOS computers with Apple silicon, your device management service can escrow a bootstrap token in the Device Management Profile so that enforced updates install without requiring user credentials during restart.

How to Leverage declarative device management for Software Updates

  1. Ensure devices are supervised, which is required for declarative update policies.
  2. Check your MDM provider documentation to ensure that the developer has enabled support for automated reporting and declarative updates. 
  3. Configure your desired declarative software update settings within your device manangement service, including deferral and enforcement.
  4. For hands-free updates on Mac computers with Apple silicon, ensure your device management service is configured to request and escrow a bootstrap token. 
  5. As always, have a plan to pilot new operating system upgrades and major updates before broad rollout. 

The shift to Declarative Device Management offers your IT team a smarter, more efficient way to manage updates, and helps ensure devices are secure, compliant, and consistently running the expected software, all with minimal manual effort. Make a point of moving to declarative device updates as soon as possible. Don’t just upgrade your devices, upgrade your whole school year!

For more information, see the Apple Platform Deployment guide.


iOS iPadOS Technology Integration Mobile Device Management (MDM) Information Technology (IT) macOS

You might also like

Test Updates All Year Long with AppleSeed for IT

Learn how to enroll your organization in AppleSeed for IT to test critical software updates before they are made available to the public.
See more

WWDC 2025: New Tools for IT in Education

At WWDC25, we introduced a wide range of updates aimed squarely at helping IT teams manage Apple devices more efficiently, more securely, and with greater flexibility. For education, many of these changes represent major
See more

Apply to Apple Learning Coach

Learn about the Apple Learning Coach program, an online certification course training instructional coaches on getting more out of Apple technology.
See more
0 replies