Control OS Updates device policy

The Control OS Updates device policy lets you deploy:

  • The latest OS updates to supervised iOS devices.

    For devices running iOS 10.3 and later, the Control OS Updates policy works on supervised devices. For devices running a version earlier than iOS 10.3, the Control OS Updates policy works on devices that are both supervised and DEP-enrolled.

  • The latest OS and app updates to DEP-enrolled macOS devices running macOS 10.11.5 and later.

  • The latest OS updates to supervised Samsung SAFE devices.

    For Samsung SAFE devices, XenMobile sends the Control OS Updates policy to Secure Hub, which then applies the policy to the device. The Manage > Devices page shows when XenMobile Server sends the policy and when the device receives the policy.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

iOS settings

Image of Device Policies configuration screen

  • OS update options: Both of the options download the latest OS updates to supervised devices according to the OS update frequency. The device prompts users to install updates. The prompt is visible after the user unlocks the device.
  • OS update frequency: Determines how frequently XenMobile checks and updates the device OS. The default is 7 days.

macOS settings

Image of Device Policies configuration screen

  • OS update options: Both of the options download the latest macOS updates according to the OS update frequency. You can choose to install the updates or notify the user through the App Store that updates are available.
  • OS update frequency: Determines how frequently XenMobile checks and updates the device OS. The default is 7 days.

Get status for iOS and macOS update actions

For iOS and macOS, XenMobile doesn’t deploy the Control OS Updates policy to devices. Instead, XenMobile uses the policy to send these MDM commands to devices:

  • Schedule OS Update Scan: Requests that the device perform a background scan for OS updates. (Optional for iOS.)
  • Available OS Updates: Queries the device for a list of available OS updates.
  • Schedule OS Update: Requests that the device perform macOS updates, app updates, or both. The device OS then determines when to download or install the OS and app updates.
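
The three commands above correspond to request types in Apple's MDM protocol. The following is an added example, not XenMobile code or part of the original page: it builds each command as a property list and turns a constructed Available OS Updates response into a Schedule OS Update command. The helper names, the sample response, and the critical/non-critical split of install actions are assumptions made for illustration.

```python
import plistlib
import uuid

def mdm_command(request_type, **fields):
    """Wrap a request in the MDM command envelope (CommandUUID + Command)."""
    return {"CommandUUID": str(uuid.uuid4()),
            "Command": {"RequestType": request_type, **fields}}

def schedule_scan(force=False):
    """Schedule OS Update Scan: ask the device to scan in the background."""
    return mdm_command("ScheduleOSUpdateScan", Force=force)

def query_available():
    """Available OS Updates: ask the device to list pending updates."""
    return mdm_command("AvailableOSUpdates")

def parse_available(response_plist):
    """Extract the update list from the device's plist response."""
    resp = plistlib.loads(response_plist)
    if resp.get("Status") != "Acknowledged":
        raise ValueError(f"command not acknowledged: {resp.get('Status')!r}")
    return resp.get("AvailableOSUpdates", [])

def schedule_updates(updates, critical="InstallASAP", other="NotifyOnly"):
    """Schedule OS Update: one entry per ProductKey; critical/other is an
    illustrative split, and the device OS still decides when to act."""
    items = [{"ProductKey": u["ProductKey"],
              "InstallAction": critical if u.get("IsCritical") else other}
             for u in updates if "ProductKey" in u]
    return mdm_command("ScheduleOSUpdate", Updates=items) if items else None

# Constructed sample response; product keys and names are placeholders.
SAMPLE_RESPONSE = plistlib.dumps({
    "CommandUUID": "00000000-0000-0000-0000-000000000000",
    "Status": "Acknowledged",
    "AvailableOSUpdates": [
        {"ProductKey": "EXAMPLE-OS-KEY", "HumanReadableName": "Example OS update",
         "IsCritical": True, "RestartRequired": True},
        {"ProductKey": "EXAMPLE-APP-KEY", "HumanReadableName": "Example app update",
         "IsCritical": False, "RestartRequired": False},
    ],
})

if __name__ == "__main__":
    pending = parse_available(SAMPLE_RESPONSE)
    command = schedule_updates(pending)
    print(plistlib.dumps(command).decode())
```

A device that answers with a status other than Acknowledged (for example, NotNow while locked) raises an error here, so the caller can retry the query later instead of scheduling against a stale list.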

The Manage > Devices > Device details (General) page shows the status of scheduled and available OS update scans, and scheduled macOS and app updates.

Image of Device details screen

For more details about the status of update actions, go to the Manage > Devices > Device details (Delivery Groups) page.

Image of Device details screen

For details such as available OS updates and the last installation attempt, go to the Manage > Devices > Device details (Properties) page.

Image of Device details screen

Samsung SAFE settings

Samsung Enterprise FOTA, also referred to as E-FOTA, lets you determine when devices get updated and the firmware version to use. To use E-FOTA:

  1. Create a Samsung MDM License Key device policy with the keys and license information you received from Samsung. For more information, see Samsung MDM license key device policy.
  2. Create a Control OS Updates device policy to enable Enterprise FOTA.

    Image of Device Policies configuration screen

    • Enable Enterprise FOTA: Set to On.
    • Enterprise FOTA License Key: Select the Samsung MDM License Key device policy name.

Android Enterprise settings

Image of Device Policies configuration screen

  • System update policy. Determines when system updates occur. Automatic installs an update when it is available. Windowed installs an update automatically within the daily maintenance window specified in the Start time and End time. Postpone allows a user to postpone an update for up to 30 days.
    • Start time. The start of the maintenance window, measured as the number of minutes (0 - 1440) from midnight in the device local time. Default is 0.
    • End time. The end of the maintenance window, measured as the number of minutes (0 - 1440) from midnight in the device local time. Default is 120.
  • Control Enterprise FOTA. Enables you to control updates to Samsung devices that use the Samsung Enterprise Firmware-Over-the-Air (FOTA) service. Applies to Android Enterprise devices running Samsung Knox 3.0 or later. Default is Off.
  • Enterprise FOTA license key. When Control Enterprise FOTA is On, Enterprise FOTA license key lets you specify the license key to use for Samsung FOTA updates. Applies to Android Enterprise devices running Samsung Knox 3.0 or later. Default is None. The key can be set using the Samsung MDM license key device policy. See Samsung MDM license key device policy.