
macOS - Software Lifecycle - Intune Install macOS Updates

Deploy macOS updates through Intune DDM with configurable deferral periods and installation times

Worklet Details

What the Intune macOS update deployment does

This Automox Worklet™ orchestrates macOS operating system updates through Microsoft Intune's support for Apple Declarative Device Management (DDM) and the Bootstrap Token that Intune escrows at enrollment. The Worklet evaluates endpoints tagged in Automox, matches them against the devices in your Intune tenant, and creates or updates a DDM-based configuration policy that sets the installation time and deferral period.

The Worklet requires an Azure App Registration with permissions to read devices, manage Intune configuration policies, and write group memberships. During evaluation, it checks whether matching endpoints exist in both Automox and Intune. During remediation, it calls the Microsoft Graph API to create or update the DDM policy; Intune delivers the declaration to each endpoint over the MDM channel, and the escrowed Bootstrap Token lets the device authorize the update on Apple silicon without a volume-owner (local administrator) password.

The Worklet supports customizable deferral periods (zero to ninety days) and installation times in 24-hour format. This allows you to schedule updates during maintenance windows specific to your organization.

Why deploy macOS updates through Intune DDM

Intune DDM is a modern approach to managing macOS updates: Intune sends a software update declaration over the MDM channel, and the management client built into macOS evaluates and enforces it locally, without a third-party agent and without waiting for a user to open Software Update. By integrating Automox tagging with Intune policy deployment, you gain unified control over macOS patching in environments where both an MDM and an IT automation layer exist.

The Worklet solves the problem of coordinating macOS updates across multiple management platforms. Instead of manually creating policies in Intune for each endpoint group, you define tags in Automox and the Worklet synchronizes those endpoint relationships into Intune groups and policies. Because Intune holds an escrowed Bootstrap Token for each enrolled Mac, the update can be authorized at the system level without a local administrator being prompted for credentials.

You benefit from scheduled update installation during specified maintenance windows, reducing the risk of unplanned disruptions. The deferral period allows users time to save work before the update begins, improving user experience while maintaining compliance schedules.

How Intune DDM macOS update deployment works

  1. Evaluation phase: The Worklet queries the Automox API for endpoints tagged with the specified patch tag (default: "INTUNE"), then queries the Microsoft Graph API to verify that matching devices exist in your Intune tenant. If any matches are found, the evaluation reports non-compliance and remediation is triggered.

  2. Remediation phase: The Worklet creates or updates an Azure AD group in your tenant containing the matched devices, then uses Microsoft Graph to create or update a DDM configuration policy in Intune that specifies the macOS update deferral period and installation time, assigned to that group. Intune delivers the declaration to each device; once the deferral period has elapsed, the device enforces the install at the scheduled time, and the escrowed Bootstrap Token authorizes it without user interaction.

Intune macOS update deployment requirements

  • macOS 11 or later on target endpoints (note that Apple's DDM software update enforcement, which the deployed policy relies on, is available only on macOS 14 or later; endpoints on macOS 11 through 13 will receive the declaration but will not enforce it)

  • Endpoints enrolled in Microsoft Intune and synced with Automox

  • Azure App Registration with Microsoft Graph API permissions: Device.Read.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, Group.ReadWrite.All, GroupMember.ReadWrite.All, and User.Read (delegated)

  • Admin consent granted for Application-type permissions in your Azure tenant

  • Organization secrets configured in Automox console: AX_AUTOMOX_API_KEY, AX_AUTOMOX_ORG_UUID, AX_INTUNE_TENANT_ID, AX_INTUNE_CLIENT_ID, and AX_INTUNE_CLIENT_SECRET

  • Worklet policy scoped to a single endpoint: the Worklet acts on your Intune tenant, not on the endpoint that runs it, so running it on several endpoints repeats the same tenant-level changes and may cause unintended behavior

  • Configurable parameters: PATCH_TAG (default: "INTUNE"), POLICY_NAME (default: "AUTOMOX MANAGED - macOS Update Policy"), AAD_GROUP_NAME (default: same as policy name), DELAY_DAYS (zero to ninety), INSTALL_TIME (24-hour format, default: "22:00")
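The following Bash script is an added example, not the Worklet's own code (Automox does not publish the script body on this page). It shows the parameter checks and the evaluation-phase match that the two phases above and the parameters just listed imply, plus the Graph token request and group bodies that the remediation phase needs. It assumes endpoints are matched on serial number (the page does not say what the Worklet matches on), and the two serial lists embedded near the bottom are constructed sample data, not real Automox or Intune output. The token endpoint, scope and group schema are Microsoft Graph's real ones; the DDM policy body itself is not shown because the page gives no schema for it.

```shell
#!/bin/bash
# Added example, not the Worklet's own code. Parameter validation, the
# evaluation-phase match, and the Graph request bodies an Automox-to-Intune
# update Worklet needs. ASSUMPTIONS: endpoints are matched on serial number,
# and AUTOMOX_TAGGED / INTUNE_MANAGED below are constructed sample data.
set -u

PATCH_TAG="${PATCH_TAG:-INTUNE}"
POLICY_NAME="${POLICY_NAME:-AUTOMOX MANAGED - macOS Update Policy}"
DELAY_DAYS="${DELAY_DAYS:-7}"
INSTALL_TIME="${INSTALL_TIME:-22:00}"

# DELAY_DAYS: integer 0..90. Blank, signed or non-numeric input is rejected
# here rather than surfacing later as a 400 from Graph (or being accepted).
validate_delay_days() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 0 ] && [ "$1" -le 90 ]
}

# INSTALL_TIME: zero-padded 24-hour HH:MM. "9:00", "24:00", "22:00:00" are rejected.
validate_install_time() {
  case "$1" in
    [01][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Evaluation: serials tagged in Automox that Intune also manages. Inputs are
# newline-separated serial lists; output keeps Automox order, one per line.
match_serials() {
  printf '%s\n' "$1" | while IFS= read -r serial; do
    [ -n "$serial" ] || continue
    if printf '%s\n' "$2" | grep -Fqx -- "$serial"; then
      printf '%s\n' "$serial"
    fi
  done
  return 0
}

# Automox evaluation semantics: exit 0 = compliant, non-zero = remediate.
# Matched endpoints mean a policy must be created or updated: non-compliant.
evaluate() {
  [ -z "$(match_serials "$1" "$2")" ]
}

# Client-credentials token for Microsoft Graph (real Microsoft endpoint). Only
# called when the Automox organization secrets are present in the environment.
get_graph_token() {
  curl -fsS "https://login.microsoftonline.com/${AX_INTUNE_TENANT_ID:?}/oauth2/v2.0/token" \
    -d "client_id=${AX_INTUNE_CLIENT_ID:?}" \
    --data-urlencode "client_secret=${AX_INTUNE_CLIENT_SECRET:?}" \
    -d "scope=https://graph.microsoft.com/.default" \
    -d "grant_type=client_credentials" |
    sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# Body for POST https://graph.microsoft.com/v1.0/groups: a security group.
# mailNickname cannot contain spaces, so it is the name reduced to [A-Za-z0-9].
# POLICY_NAME is operator-supplied; quote and backslash are refused rather than
# escaped so this printf-built JSON stays well-formed.
group_body() {
  case "$1" in *'"'*|*'\'*) return 1 ;; esac
  nick="$(printf '%s' "$1" | tr -cd '[:alnum:]')"
  printf '{"displayName":"%s","mailEnabled":false,"mailNickname":"%s","securityEnabled":true}' "$1" "$nick"
}

# Body for POST https://graph.microsoft.com/v1.0/groups/{group-id}/members/$ref,
# one call per directory object id Graph returns for a matched device.
member_ref_body() {
  printf '{"@odata.id":"https://graph.microsoft.com/v1.0/directoryObjects/%s"}' "$1"
}

# --- constructed sample data; not real endpoints ---
AUTOMOX_TAGGED="C02ABC123
C02DEF456
C02GHI789"
INTUNE_MANAGED="C02DEF456
C02XYZ000
C02ABC123"

main() {
  validate_delay_days "$DELAY_DAYS" || { echo "DELAY_DAYS must be 0-90, got '$DELAY_DAYS'" >&2; return 2; }
  validate_install_time "$INSTALL_TIME" || { echo "INSTALL_TIME must be HH:MM, got '$INSTALL_TIME'" >&2; return 2; }
  if evaluate "$AUTOMOX_TAGGED" "$INTUNE_MANAGED"; then
    echo "No '$PATCH_TAG' endpoints found in Intune; compliant, nothing to remediate"
    return 0
  fi
  echo "Endpoints needing '$POLICY_NAME' (defer ${DELAY_DAYS}d, install ${INSTALL_TIME}):"
  match_serials "$AUTOMOX_TAGGED" "$INTUNE_MANAGED"
  echo "Group create body: $(group_body "$POLICY_NAME")"
  if [ -n "${AX_INTUNE_CLIENT_SECRET:-}" ]; then
    token="$(get_graph_token)"   # then -H "Authorization: Bearer $token" on each Graph call
    [ -n "$token" ] || { echo "token request failed" >&2; return 3; }
  fi
  return 0   # the real evaluation script would instead exit non-zero here to trigger remediation
}

main
```

The validators fail closed on purpose: a Worklet that forwards an unvalidated DELAY_DAYS or INSTALL_TIME into a tenant-wide policy has no second chance once Graph accepts the body. The client secret is read only from the environment (the Automox organization secret), never written into the script or logged.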

Expected macOS update deployment state

After the Worklet completes successfully, an Azure AD group matching your AAD_GROUP_NAME appears in your tenant with the matched devices as members, and a DDM configuration policy named by POLICY_NAME is assigned to that group in Intune. The policy remains active, enforcing the specified deferral period and installation time until you change or remove it.

On each endpoint, the built-in management client applies the declaration and begins the macOS update installation after the deferral period expires, at the specified installation time, using the escrowed Bootstrap Token so no user interaction is required. You can verify deployment by checking Microsoft Graph or the Intune console for the created policy and group membership, and verify installation on the endpoint after the scheduled time by checking the reported macOS version (sw_vers -productVersion) or the update history (softwareupdate --history). The Worklet reports successful completion once the policy is created or updated in Microsoft Graph, not when the update has installed.

How to validate Intune Install macOS Updates changes

  1. Run this Worklet on a single pilot macOS endpoint and review the evaluation output: it should list the endpoints that carry the patch tag and also exist in Intune.

  2. Confirm the Automox activity log shows successful completion and exit code 0 for the remediation run.

  3. In the Intune console or via Microsoft Graph, verify that the Azure AD group named by AAD_GROUP_NAME contains the matched devices and that the DDM configuration policy named by POLICY_NAME is assigned to it with the expected DELAY_DAYS and INSTALL_TIME.

  4. After the deferral period and installation time have passed, verify on the endpoint that the macOS version has advanced (sw_vers -productVersion), that the device is still MDM-enrolled (profiles status -type enrollment), and that the Bootstrap Token is escrowed (sudo profiles status -type bootstraptoken); then rerun the evaluation to confirm the policy is current.
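The following script is an added example for the endpoint-side checks in the validation steps above; it is not part of the Worklet or of Automox's documentation. Run it with sudo on a macOS endpoint after the scheduled install time. TARGET_VERSION is an assumed operator input (the page names no such parameter), the macOS commands it calls are standard ones, and the Bootstrap Token check parses the text that profiles prints, which is an assumption about that output's wording. On a non-macOS host it only exercises the version comparison and verdict logic.

```shell
#!/bin/bash
# Added example, not part of the Worklet: post-install checks for a macOS
# endpoint targeted by the Intune DDM update policy. ASSUMPTIONS: TARGET_VERSION
# is an operator-supplied input, and "profiles status -type bootstraptoken"
# prints a line containing "escrowed to server: YES".
set -u

TARGET_VERSION="${TARGET_VERSION:-14.0}"

# version_at_least CURRENT REQUIRED: 0 when CURRENT >= REQUIRED, comparing each
# dot-separated field numerically (14.10 > 14.2, unlike a string compare;
# a missing trailing field counts as 0, so 14.2 == 14.2.0).
version_at_least() {
  cur="$1."
  req="$2."
  while [ -n "$req" ]; do
    c="${cur%%.*}"
    r="${req%%.*}"
    cur="${cur#*.}"
    req="${req#*.}"
    [ "${c:-0}" -gt "${r:-0}" ] && return 0
    [ "${c:-0}" -lt "${r:-0}" ] && return 1
  done
  return 0
}

# update_state CURRENT REQUIRED ESCROWED(yes|no): one-word verdict for the log.
#   OK          the endpoint is at or beyond the required version
#   PENDING     not there yet, but the token is escrowed so the scheduled
#               unattended install can still proceed
#   NEEDS_TOKEN not there yet and no escrowed token: on Apple silicon the
#               update cannot be authorized without a volume-owner password
update_state() {
  if version_at_least "$1" "$2"; then
    echo OK
  elif [ "$3" = yes ]; then
    echo PENDING
  else
    echo NEEDS_TOKEN
  fi
}

# Is the Bootstrap Token escrowed with the MDM server? Requires root.
bootstrap_token_escrowed() {
  profiles status -type bootstraptoken 2>/dev/null | grep -qi 'escrowed to server: YES'
}

if command -v sw_vers >/dev/null 2>&1; then
  current="$(sw_vers -productVersion)"
  escrowed=no
  bootstrap_token_escrowed && escrowed=yes
  echo "macOS $current, required $TARGET_VERSION, bootstrap token escrowed: $escrowed"
  echo "state: $(update_state "$current" "$TARGET_VERSION" "$escrowed")"
  # The DDM declaration can only arrive over MDM, so enrollment must be intact.
  profiles status -type enrollment
  # Recent installs, newest last: the enforced update should appear here.
  softwareupdate --history | tail -n 10
else
  echo "Not a macOS endpoint; only version_at_least and update_state are exercised here."
  echo "state: $(update_state 13.6.7 "$TARGET_VERSION" yes)"
fi
```

Fold the verdict into your own Automox evaluation script if you want the endpoint side tracked too: PENDING on a pilot Mac well past INSTALL_TIME usually means the device is on macOS 13 or earlier and cannot enforce the declaration, while NEEDS_TOKEN points at a broken or never-completed escrow that the tenant-side policy cannot fix.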


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
