One of the pain points we have be trying to work around is Safari, and XProtect updates via MDM moving to Declarative. Right now we have a blend of OS update and upgrades via Global Settings or Enforcement Specific Declaration. However, the non OS updates are stuck on MDM commands to install thus admins cannot control install time when using Global Settings with Auto Actions. With the full removal of MDM commands for updates how can we have a flavor of version control and install time with Safari vs. keep to latest and Auto Actions?
While installs of this kind may have been technically possible before under the previous MDM commands, specifying arbitrary additional products outside of a platform's OS using the "ProductKey" relied on information not trivially available and not currently published in our centralized Apple Software Lookup Service (available at https://gdmf.apple.com/v2/pmv):
We are aware of various techniques that may have existed in this space prior, but they generally relied on parsing undocumented data feeds - and in some cases even relied on retrieving the update(s) to parse metadata inside in an attempt to understand what OSes and on what devices they could potentially be successfully installed on - all before you could send the command.
For the case of XProtect updates, we would encourage you to consider the usage of the com.apple.configuration.softwareupdate.settings configuration using InstallSecurityUpdate configured to AlwaysOn in environments where it's desired that the latest XProtect updates are installed when they become available, rather than needing to create an entire scheduling lookup->mechanism just to stay on top of them.
If this is not sufficient for you or your customer's needs, please file a Feedback from your Developer account - including any additional details of what additional controls you're looking for here, or if there are compliance standards or requirements you're trying to meet or are aware of where this is insufficient. Once you've done this - or if you've already done this - feel free to mention the FB# in the thread.
Please file a separate Feedback via Feedback Assistant for the Safari management request, given that it's not currently covered within the available DDM configurations today.
