11-05-2021

What Software Does Mac Use To Deploy Software Updates

Adobe flash player is a special app on Mac. How to update Flash Player on Mac. 2 minutes to read it. If the App Store on your Mac displays no more updates, then your macOS version and all applications are already up to date.

-->

Applies to: Configuration Manager (current branch)

The software update deployment phase is the process of deploying software updates. No matter how you deploy software updates, the site:

  • Adds the updates to a software update group
  • Distributes the update content to distribution points
  • Deploys the update group to clients

After you create the deployment, the site sends an associated software update policy to targeted clients. The clients download the software update content files from a content source to their local cache. Clients on the internet always download content from the Microsoft Update cloud service. The software updates are then available for installation by the client.

Tip

If a distribution point isn't available, clients on the intranet can also download software updates from Microsoft Update.

Note

Unlike other deployment types, software updates are all downloaded to the client cache. This is regardless of the maximum cache size setting on the client. For more information about the client cache setting, see Configure the client cache for Configuration Manager clients.

If you configure a required software update deployment, the software updates are automatically installed at the scheduled deadline. Alternatively, the user on the client computer can schedule or initiate the software update installation prior to the deadline. After the attempted installation, client computers send state messages back to the site server to report whether the software update installation was successful. For more information about software update deployments, see Software update deployment workflows.

There are three main scenarios for deploying software updates:

Typically, you start by manually deploying software updates to create a baseline for your clients, and then you manage software updates on clients by using an automatic or phased deployment.

Note

You can't use an automatic deployment rule with a phased deployment.

Use

Manually deploy software updates

Select software updates in the Configuration Manager console and manually start the deployment process. You typically use this method of deployment to:

What

What Software Does Mac Use To Deploy Software Updates Update

  • Get clients up-to-date with required software updates before you create automatic deployment rules that manage monthly deployments

  • Deploy out-of-band software updates

The following list provides the general workflow for manual deployment of software updates:

  1. Filter for software updates that use specific requirements. For example, provide criteria that retrieves all security or critical software updates that are required on more than 50 clients.

  2. Create a software update group that contains the software updates.

  3. Download the content for the software updates in the software update group.

  4. Manually deploy the software update group.

For more information and detailed steps, see Manually deploy software updates.

Note

  • Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. For more information, see Name change for Office 365 ProPlus. You may still see references to the old name in the Configuration Manager console and supporting documentation while the console is being updated.
  • When manually deploying Office 365 client updates, find them in the Office 365 Updates node under Office 365 Client Management of the Software Library workspace.

Automatically deploy software updates

Configure automatic software updates deployment by using an automatic deployment rule (ADR). This method of deployment is common for monthly software updates (typically known as 'Patch Tuesday') and for managing definition updates. You define the criteria for an ADR to automate the deployment process. The following list provides the general workflow to automatically deploy software updates:

  1. Create an ADR that specifies deployment settings.

  2. The site adds the software updates to a software update group.

  3. The site deploys the software update group to the clients in the target collection.

First, determine your automatic software update deployment strategy. For example, create the ADR to initially target a collection of test clients. After you verify the test group successfully installed the software updates, add a new deployment to the rule. You could also change the targeted collection in the existing deployment to one that includes a larger set of clients. Consider the following behaviors when deciding upon the strategy to use:

  • You're able to modify the properties of the software update objects that the ADR creates.

  • The ADR automatically deploys software updates to clients when you add them to the target collection.

  • When you or the ADR adds new software updates to the software update group, the site automatically deploys them to the clients in the target collection.

  • Enable or disable deployments at any time for the ADR.

After you create an ADR, add additional deployments to the rule. This action helps you manage the complexity of deploying different updates to different collections. Each new deployment has the full range of functionality and deployment monitoring experience.

Each new deployment that you add:

  • Uses the same update group and package, which the ADR creates when it first runs
  • Can target a different collection
  • Supports unique deployment properties including:
    • Activation time
    • Deadline
    • User experience
    • Separate alerts for each deployment

For more information and detailed steps, see Automatically deploy software updates

Deploy software updates in phases

Starting in version 1810, create phased deployments for software updates. Phased deployments allow you to orchestrate a coordinated, sequenced rollout of software based on customizable criteria and groups.

For more information, see Create phased deployments.

-->

Applies to: Configuration Manager (current branch)

Use an automatic deployment rule (ADR) rather than adding new updates to an existing software update group. Typically, you use ADRs to deploy monthly software updates (also known as 'Patch Tuesday' updates) and for managing Endpoint Protection definition updates. If you need help to determine which deployment method is right for you, see Deploy software updates.

Create an automatic deployment rule (ADR)

Automatically approve and deploy software updates by using an ADR. The rule can add software updates to a new software update group each time the rule runs, or add software updates to an existing group. When a rule runs and adds software updates to an existing group, the rule removes all updates from the group. It then adds to the group the updates that meet the criteria you define.

Warning

Before you create an ADR for the first time, verify that the site has completed software updates synchronization. This step is important when you run Configuration Manager with a non-English language. Software update classifications are displayed in English before the first synchronization, and then displayed in the localized languages after software update synchronization completes. Rules that you create before you sync software updates might not work properly after synchronization because the text string might not match.

Process to create an ADR

What Software Does Mac Use To Deploy Software Updates 2017

  1. In the Configuration Manager console, go to the Software Library workspace, expand Software Updates, and select the Automatic Deployment Rules node.

  2. In the ribbon, click Create Automatic Deployment Rule.

  3. On the General page of the Create Automatic Deployment Rule Wizard, configure the following settings:

    • Name: Specify the name for the ADR. The name must be unique, help to describe the purpose of the rule, and identify it from others in the Configuration Manager site.

    • Description: Specify a description for the ADR. The description should provide an overview of the deployment rule and other relevant information that helps to differentiate the rule from others. The description field is optional, has a limit of 256 characters, and has a blank value by default.

    • Template: Select a deployment template to specify whether to apply previously saved ADR configurations. Configure a deployment template containing multiple common update deployment properties that you can use when creating additional ADRs. These templates save time and help to ensure consistency across similar deployments. Select from one of the following built-in software update deployment templates:

      • The Patch Tuesday template provides common settings to use when you deploy software updates on a monthly cycle.

      • The Office 365 Client Updates template provides common settings to use when you deploy updates for Office 365 Pro Plus clients.

        Note

        Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. If your ADRs rely on the 'Title' property, you'll need to edit it starting June 9, 2020. Microsoft 365 Apps Update - Semi-annual Channel Version 1908 for x64 based Edition (Build 11929.50000) is an example of the new title. For more information on modifying your ADRs for the title change, see Update channels for Microsoft 365 Apps. For more information about the name change, see Name change for Office 365 ProPlus.

      • The SCEP and Windows Defender Antivirus Updates template provides common settings to use when you deploy Endpoint Protection definition updates.

    • Collection: Specifies the target collection to be used for the deployment. Members of the collection receive the software updates that are defined in the deployment.

    • Decide whether to add software updates to a new or existing software update group. In most cases, choose to create a new software update group when the ADR runs. If the rule runs on a more aggressive schedule, you might choose to use an existing group. For example, if you run the rule daily for definition updates, then you could add the software updates to an existing software update group.

    • Enable the deployment after this rule is run: Specify whether to enable the software update deployment after the ADR runs. Consider the following options for this setting:

      • When you enable the deployment, the updates that meet the rule's defined criteria are added to a software update group. The software update content is downloaded as necessary. The content is copied to the specified distribution points, and the updates are deployed to the clients in the target collection.

      • When you don't enable the deployment, the updates that meet the rule's defined criteria are added to a software update group. The software update deployment content is downloaded, as necessary, and distributed to the specified distribution points. The site creates a disabled deployment on the software update group to prevent the updates from being deployed to clients. This option provides time to prepare to deploy the updates, verify the updates that meet the criteria are adequate, and then enable the deployment.

  4. On the Deployment Settings page, configure the following settings:

    • Use Wake on LAN to wake up clients for required deployments: Specifies whether to enable Wake On LAN at the deadline. Wake On LAN sends wake-up packets to computers that require one or more software updates in the deployment. The site wakes up any computers that are in sleep mode at the installation deadline time so the installation can initiate. Clients that are in sleep mode that don't require any software updates in the deployment aren't started. By default, this setting isn't enabled. Before using this option, configure computers and networks for Wake On LAN. For more information, see How to configure Wake On LAN.

    • Detail level: Specify the level of detail for the update enforcement state messages that are reported by clients.

      Important

      When you deploy definition updates, set the detail level to Error only to have the client report a state message only when a definition update fails. Otherwise, the client reports a large number of state messages that might impact site server performance.

      Note

      The Error only detail level does not send the enforcement status messages required for tracking pending reboots.

    • License terms setting: Specify whether to automatically deploy software updates with associated license terms. Some software updates include license terms. When you automatically deploy software updates, the license terms aren't displayed, and there isn't an option to accept the license terms. Choose to automatically deploy all software updates regardless of an associated license term, or only deploy updates that don't have associated license terms.

      • To review the license terms for a software update, select the software update in the All Software Updates node of the Software Library workspace. In the ribbon, click Review License.

      • To find software updates with associated license terms, add the License Terms column to the results pane in the All Software Updates node. Click the heading for the column to sort by the software updates with license terms.

  5. On the Software Updates page, configure the criteria for the software updates that the ADR retrieves and adds to the software update group.

    • The limit for software updates in the ADR is 1000 software updates.

    • If needed, filter on the content size for software updates in automatic deployment rules. For more information, see Configuration Manager and simplified Windows servicing on down level operating systems.

    • Starting in version 1910, you can use Deployed as an update filter for your automatic deployment rules. This filter helps identify new updates that may need to be deployed to your pilot or test collections. The software update filter can also help avoid redeploying older updates.

      • When using Deployed as a filter, be mindful that you may have already deployed the update to another collection, such as a pilot or test collection.

    • Starting in version 1806, a property filter for Architecture is now available. Use this filter to exclude architectures like Itanium and ARM64 that are less common. Remember that there are 32-bit (x86) applications and components running on 64-bit (x64) systems. Unless you're certain that you don't need x86, enable it as well when you choose x64.

    Note

    Windows 10, version 1903 and later was added to Microsoft Update as its own product rather than being part of the Windows 10 product like earlier versions. This change caused you to do a number of manual steps to ensure that your clients see these updates. We've helped reduce the number of manual steps you have to take for the new product in Configuration Manager version 1906. For more information, see Configuring products for versions of Windows 10

  6. On the Evaluation Schedule page, specify whether to enable the ADR to run on a schedule. When enabled, click Customize to set the recurring schedule.

    • The start time configuration for the schedule is based on the local time of the computer that runs the Configuration Manager console.

    • The ADR evaluation can run as often as three times per day.

    • Never set the evaluation schedule with a frequency that exceeds the software updates synchronization schedule. This page displays the software update point sync schedule to help you determine evaluation schedule frequency.

    • To manually run the ADR, select the rule in the Automatic Deployment Rule node of the console, and then click Run Now in the ribbon.

    • Starting in version 1802, ADRs can be scheduled to evaluate offset from a base day. For example, if Patch Tuesday actually falls on Wednesday for you, set the evaluation schedule for the second Tuesday of the month offset by one day.

      • When scheduling evaluation with an offset during the last week of the month, if you choose an offset that continues into the next month, the site schedules evaluation for the last day of the month.

  7. On the Deployment Schedule page, configure the following settings:

    • Schedule evaluation: Specify the time that Configuration Manager evaluates the available time and installation deadline times. Choose to use Coordinated Universal Time (UTC) or the local time of the computer that runs the Configuration Manager console.

      • When you select Client local time here, and then select As soon as possible for the Software available time, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available. This behavior is the same with the Installation deadline and the time when updates are installed on a client. If the client is in a different time zone, these actions occur when the client's time reaches the evaluation time.

    • Software available time: Select one of the following settings to specify when the software updates are available to clients:

      • As soon as possible: Makes the software updates in the deployment available to clients as soon as possible. When you create the deployment with this setting selected, Configuration Manager updates the client policy. At the next client policy polling cycle, clients become aware of the deployment and the software updates are available for installation.

      • Specific time: Makes software updates included in the deployment available to clients at a specific date and time. When you create the deployment with this setting enabled, Configuration Manager updates the client policy. At the next client policy polling cycle, clients become aware of the deployment. However, the software updates in the deployment aren't available for installation until after the configured date and time.

    • Installation deadline: Select one of the following settings to specify the installation deadline for the software updates in the deployment:

      • As soon as possible: Select this setting to automatically install the software updates in the deployment as soon as possible.

      • Specific time: Select this setting to automatically install the software updates in the deployment at a specific date and time. Configuration Manager determines the deadline to install software updates by adding the configured Specific time interval to the Software available time.

        • The actual installation deadline time is the displayed deadline time plus a random amount of time up to two hours. The randomization reduces the potential impact of clients in the collection installing updates in the deployment at the same time.

        • To disable the installation randomization delay for required software updates, configure the client setting to Disable deadline randomization in the Computer Agent group. For more information, see Computer Agent client settings.

    • Delay enforcement of this deployment according to user preferences, up to the grace period defined in client settings: Enable this setting to give users more time to install required software updates beyond the deadline.

      • This behavior is typically required when a computer is turned off for long time, and needs to install many software updates or applications. For example, when a user returns from vacation, they have to wait for a long time as the client installs overdue deployments.

      • Configure this grace period with the property Grace period for enforcement after deployment deadline (hours) in client settings. For more information, see the Computer agent section. The enforcement grace period applies to all deployments with this option enabled and targeted to devices to which you also deployed the client setting.

      • After the deadline, the client installs the software updates in the first non-business window, which the user configured, up to this grace period. However, the user can still open Software Center and install the software updates at any time. Once the grace period expires, enforcement reverts to normal behavior for overdue deployments.

  8. On the User Experience page, configure the following settings:

    • User notifications: Specify whether to display notification in Software Center at the configured Software available time. This setting also controls whether to notify users on the clients.

    • Deadline behavior: Specify the behaviors when the software update deployment reaches the deadline outside of any defined maintenance windows. The options include whether to install the software updates, and whether to perform a system restart after installation. For more information about maintenance windows, see How to use maintenance windows.

      Note

      This applies only when the maintenance window is configured for the client device. If no maintenance window is defined on the device, the update of the installation and restart will always happen after the deadline.

    • Device restart behavior: Specify whether to suppress a system restart on servers and workstations if a restart is required to complete update installation.

      Warning

      Suppressing system restarts can be useful in server environments, or when you don't want the target computers to restart by default. However, doing so can leave computers in an insecure state. Allowing a forced restart helps to ensure immediate completion of the software update installation.

    • Write filter handling for Windows Embedded devices: This setting controls the installation behavior on Windows Embedded devices that are enabled with a write filter. Choose the option to commit changes at the installation deadline or during a maintenance window. When you select this option, a restart is required and the changes persist on the device. Otherwise, the update is installed, applied to the temporary overlay, and committed later.

      • When you deploy a software update to a Windows Embedded device, make sure the device is a member of a collection that has a configured maintenance window.

    • Software updates deployment re-evaluation behavior upon restart: Select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This setting enables the client to check for additional updates that become applicable after the client restarts, then installs them during the same maintenance window.

  9. On the Alerts page, configure how Configuration Manager generates alerts for this deployment. Review recent software updates alerts from Configuration Manager in the Software Updates node of the Software Library workspace. If you're also using System Center Operations Manager, configure its alerts as well.

  10. On the Download Settings page, configure the following settings:

    • Specify if clients should download and install the updates when they use a distribution point from a neighbor or the default site boundary groups.

    • Specify if clients should download and install the updates from a distribution point in the site default boundary group, when the content for the software updates isn't available from a distribution point in the current or neighbor boundary groups.

    • Allow clients to share content with other clients on the same subnet: Specify whether to enable the use of BranchCache for content downloads. For more information, see BranchCache. Starting in version 1802, BranchCache is always enabled on clients. This setting is removed, as clients use BranchCache if the distribution point supports it.

    • If software updates are not available on distribution point in current, neighbor or site boundary groups, download content from Microsoft Updates: Select this setting to have intranet-connected clients download software updates from Microsoft Update if updates aren't available on distribution points. Internet-based clients always go to Microsoft Update for software updates content.

    • Specify whether to allow clients to download after an installation deadline when they use metered internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you're on a metered connection.

    Note

    Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you've configured the distribution point, deployment package, and the settings on this page.

  11. On the Deployment Package page, select one of the following options:

    • Select a deployment package: Add these updates to an existing deployment package.

    • Create a new deployment package: Add these updates to a new deployment package. Configure the following additional settings:

      • Name: Specify the name of the deployment package. Use a unique name that describes the package content. It's limited to 50 characters.

      • Description: Specify a description that provides information about the deployment package. The optional description is limited to 127 characters.

      • Package source: Specifies the location of the software update source files. Type a network path for the source location, for example, serversharenamepath, or click Browse to find the network location. Create the shared folder for the deployment package source files before you proceed to the next page.

        • You can't use the specified location as the source of another software deployment package.

        • You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. If you do, first copy the content from the original package source to the new package source location.

        • The computer account of the SMS Provider and the user that's running the wizard to download the software updates must both have Write permissions to the download location. Restrict access to the download location. This restriction reduces the risk of attackers tampering with the software update source files.

      • Sending priority: Specify the sending priority for the deployment package. Configuration Manager uses this priority when it sends the package to distribution points. Deployment packages are sent in priority order: high, medium, or low. Packages with identical priorities are sent in the order in which they were created. If there's no backlog, the package processes immediately regardless of its priority.

      • Enable binary differential replication: Enable this setting to use binary differential replication for the deployment package. For more information, see Binary differential replication.

    • No deployment package: Starting in version 1806, deploy software updates to devices without first downloading and distributing content to distribution points. This setting is beneficial when dealing with extremely large update content. Also use it when you always want clients to get content from the Microsoft Update cloud service. Clients in this scenario can also download content from peers that already have the necessary content. The Configuration Manager client continues to manage the content download, thus can utilize the Configuration Manager peer cache feature, or other technologies such as Delivery Optimization. This feature supports any update type supported by Configuration Manager software updates management, including Windows and Office updates.

      Note

      Once you select this option and apply the settings, it can no longer be changed. The other options are greyed out.

  12. On the Distribution Points page, specify the distribution points or distribution point groups to host the software update files. For more information about distribution points, see Distribution point configurations. This page is available only when you create a new software update deployment package.

  13. On the Download Location page, specify whether to download the software update files from the internet or from your local network. Configure the following settings:

    • Download software updates from the internet: Select this setting to download the software updates from a specified location on the internet. This setting is enabled by default.

    • Download software updates from a location on the local network: Select this setting to download the software updates from a local directory or shared folder. This setting is useful when the computer that runs the wizard doesn't have internet access. Any computer with internet access can preliminarily download the software updates. Then store them in a location on the local network that's accessible from the computer that runs the wizard. Another scenario could be when downloading content that is published through System Center Updates Publisher or a third-party patching solution. The WSUS content share on the top-level software update point can be entered as the network location to download from, such as serverWsusContent.

  14. On the Language Selection page, select the languages for which the site downloads the selected software updates. The site only downloads these updates if they're available in the selected languages. Software updates that aren't language-specific are always downloaded. By default, the wizard selects the languages that you've configured in the software update point properties. At least one language must be selected before proceeding to the next page. When you select only languages that a software update doesn't support, the download fails for the update.

  15. On the Summary page, review the settings. To save the settings to a deployment template, click Save As Template. Enter a name and select the settings you want to include in the template, then click Save. To change a configured setting, click the associated wizard page and change the setting.

    • The template name can consist of alphanumeric ASCII characters as well as (backslash) or ' (single quotation mark).

  16. Click Next to create the ADR.

After you complete the wizard, the ADR runs. It adds the software updates that meet the specified criteria to a software update group. Then the ADR downloads the updates to the content library on the site server and distributes them to the configured distribution points. The ADR then deploys the software update group to clients in the target collection.

Add a new deployment to an existing ADR

After you create an ADR, add additional deployments to the rule. This action helps you manage the complexity of deploying different updates to different collections. Each new deployment has the full range of functionality and deployment monitoring experience.

What Software Does Mac Use To Deploy Software Updates Free

Process to add a new deployment to an existing ADR

  1. In the Configuration Manager console, go to the Software Library workspace, expand Software Updates, select the Automatic Deployment Rules node, and then select the desired rule.

  2. In the ribbon, click Add Deployment.

  3. On the Collection page of the Add Deployment Wizard, configure the available settings similarly as the General page of the Create Automatic Deployment Rule Wizard. For more information, see the previous section on the Process to create an ADR. The rest of the Add Deployment Wizard includes the following pages, which also match detailed descriptions above:

    • Deployment Settings
    • Deployment Schedule
    • User Experience
    • Alerts
    • Download Settings

What Software Does Mac Use To Deploy Software Updates Download

Deployments can also be added programmatically using Windows PowerShell cmdlets. For a complete description of using this method, see New-CMSoftwareUpdateDeployment .

For more information about the deployment process, see Software update deployment process.

What Software Does Mac Use To Deploy Software Updates 2017

Next steps