Introduction
Install pending macOS updates on managed devices via automation. Use this action to keep macOS devices current on a schedule, push updates after new device enrollment, or enforce software update compliance across your macOS inventory.
Install macOS Updates
From the automation pipeline in edit mode, click + Add action and select Install macOS updates from the Security category. The action panel opens with two sections: Action type (pre-set to Install macOS updates) and Step configuration.
Configure Update Categories
Click Configure update categories to open the macOS patch management categories panel. This controls which types of updates Level installs and how each is timed.
Each category has two settings:
Timing β Either Update immediately or Delay installation.
Days β How many days to wait before installing (only active when Delay installation is selected).
How delay works: When you configure a category to Delay installation, Level skips any update in that category until it has been available for at least that many days. Once the window passes, the update installs automatically the next time the action runs β no manual approval required.
This is intentional. Many patch management tools require you to review and approve each update individually. Level's model: set a delay window that gives you time to hear about problems in the wild, then let updates roll automatically. For the vast majority of patches, the window passes quietly and they deploy without you ever touching them. For the rare problematic update, block it globally before the delay expires.
The available categories are:
Category | Description |
macOS updates | Security, stability, and minor version updates for macOS |
Updates | New feature, security, and stability updates for macOS applications and utilities |
π‘ TIP: Enable only the categories you want Level to manage. If you handle application updates through a separate process, leave Updates unchecked and manage only macOS updates here.
Reboot After Updates (When Required)
When enabled, Level reboots the device after updates install β but only if macOS signals a reboot is required. Updates that don't need a reboot won't trigger one.
β οΈ WARNING: This reboot happens without prompting the end user. Use this in combination with a maintenance window, or pair with the Notify User action beforehand if users may be active on the device.
Conditions
The Conditions section lets you restrict when this action runs based on device attributes or the outcome of a previous action. Expand the section to add conditions.
See Action Conditions for the full reference on condition types, operators, and values.
Additional Options
Expand Additional options for execution settings including action name, failure behavior, output variables, and retries.
See Actions Overview for the full reference on additional options available on every action.
FAQ
Does this action work on Windows or Linux? No. This action applies to macOS devices only. For Windows, use the Install Windows Updates action. For Linux, use the Install Linux Updates action.
What's the difference between the two categories? macOS updates covers the OS itself β security patches, stability fixes, and minor version updates. Updates covers macOS applications and utilities like Safari, XProtect, and system tools. Both can be configured independently with different timing delays.
What's the difference between "Update immediately" and "Delay installation"? Update immediately installs matching updates as soon as the action runs. Delay installation holds off for a set number of days from when the update was published β after that window, updates in that category deploy automatically without any manual approval. The delay gives you time to hear about issues and block a specific update if needed, without requiring you to review every patch individually.
Do updates install silently? Updates install silently in the background. If a reboot is required and Reboot after updates is enabled, the device reboots without a user prompt β pair with a Notify User action if users may be active.
What happens if there are no pending updates in a selected category? Level skips that category silently and continues. The action completes successfully even if nothing was installed.
What happens if the device is offline when the action runs? The action queues and resumes once the device comes back online.
Who can add or modify this action in an automation? Technicians with permission to edit automations in the relevant group. See Workspace β Permissions for access control configuration.