How to Automate OS Update Installations for Security Compliance

Overview

Operating System (OS) updates are the frontline of defense against modern cyber threats. Delaying patches leaves endpoints vulnerable to known exploits. Hexnode UEM enables IT administrators to manage, schedule, delay, and enforce OS updates across all major platforms, ensuring that all devices—whether in-office or remote—meet strict security compliance standards.

1. Platform-Specific Update Configurations

Hexnode uses different mechanisms to handle updates based on the operating system’s native architecture.

Windows (10/11)

Windows updates in Hexnode are managed via a combination of device policies (for end-user experience) and Hexnode’s dedicated Patch Management module (for actual deployment rules).

  • Update Preferences & Experience: Navigate to Policies > New Policy > Create a fully custom policy > Windows > Patches & Updates. Here, you configure Windows Update Preferences (defer feature/quality updates) and Windows Update End User Experience (set Active Hours, define update deadlines, and configure grace periods).
  • Automated Patch Deployment: To automatically scan, approve, and push specific OS updates or 3rd-party app patches, navigate to the Automate tab on the main portal dashboard. Under New Automation > Windows > Patches and Updates > Auto Patch, admins can define specific criteria (e.g., Severity, KB Number, CVE, Release Date) so that any patch meeting these conditions is automatically approved and deployed during designated maintenance windows.

Screenshot: Hexnode UEM console, Automate tab > New Automation > Windows > Patches and Updates > Auto Patch, showing the automation's configuration settings.

Apple Ecosystem (macOS, iOS, iPadOS, tvOS, visionOS)

Apple’s Declarative Device Management (DDM) is the modern standard for proactively enforcing updates across the entire Apple ecosystem, while standard MDM profiles handle delays.

  • Enforce via DDM: Navigate to Policies > New Policy > Create a fully custom policy > [iOS / Apple TV / visionOS] > Patches and Updates > Patch Preferences. Using DDM, you can specify the exact Target OS Version and define the exact date and local time by which the update must be installed. The device acts autonomously to enforce it.

Screenshot: Hexnode UEM console, Policies > New Policy > Create a fully custom policy > Patches and Updates > Patch Preferences for iOS, Apple TV or visionOS.

  • Delay/Defer Updates: If you need to test updates before users see them, you can defer them for up to 90 days within the same Patch Preferences policy.
  • macOS Automated Patch Management: Similar to Windows, admins can automate macOS app and OS updates based on severity or release date using the main Automate tab and selecting macOS as the platform.

Android Enterprise

For Android devices enrolled as Device Owner (Android Enterprise), background update behaviors are managed via security configurations.

  • Configure Update Behavior: Navigate to Policies > New Policy > Create a fully custom policy > Android > Security > OS Updates.
  • System Update Options: Click on System update settings and choose one of the following behaviors:
    • Update automatically: Automatically downloads and installs updates as soon as they become available.
    • Postpone update: Delays the installation of OS updates for a maximum of 30 days to allow for IT testing.
    • Update during inactive hours: Allows the admin to set a specific daily time window (e.g., 00:00 to 04:00) for updates when the device is not in use.

ChromeOS

  • Manage Updates: Navigate to Policies > New Policy > Create a fully custom policy > ChromeOS > Configurations > OS Update.

Screenshot: Hexnode UEM console, Policies > New Policy > Create a fully custom policy > ChromeOS > Configurations > OS Update.

  • Configurations: Hexnode allows granular control over ChromeOS updates. You can enable Auto Update, select a specific Auto-update target version, restrict automatic checks via Auto-update time restrictions, and even enable Peer-to-peer auto-update so devices share OS updates over the local network to save bandwidth.

Linux

  • Linux OS updates cannot be scheduled via a passive policy. Instead, they are executed via manual Remote Actions.
  • Navigate to Manage > Devices, select your Linux machines, click the Actions dropdown, and select Updates > Update OS. Before pushing the command to the endpoint, Hexnode prompts you to choose the installation behavior: Install all security updates (prioritizes only security patches), Install all critical updates (prioritizes security update patches), or Install all updates (comprehensive OS upgrades).

2. Connecting Updates to Security Compliance

To enforce updates strictly, you must tie your OS version requirements to Hexnode’s Compliance Engine and Automations.

  • Define the Rule: Navigate to Policies > Compliance Policies > New Policy. Under the Advanced Settings section, configure the OS Version rules. Here you can set criteria such as OS version is equal to, less than, or greater than a set OS version. If a device violates this rule, Hexnode flags it as “Non-Compliant”.

Screenshot: Hexnode UEM console, Policies > Compliance Policies > New Policy, Advanced Settings, where the OS version compliance criteria are configured.

  • Automate the Penalty: Go to the Automate tab and click New Automation.
    • Trigger: Select Activity > On Device Non-Compliance.
    • Action: Choose a logical penalty for the outdated device. You can send a notification directly to the device using the Broadcast Message remote action or restrict access by using the Lock Device remote action until the user updates it and regains compliance.
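The compliance rule above compares each device's reported OS version against a floor you set. As an added example (not Hexnode's code), this Python script applies that "OS version is less than X" check to a constructed device inventory, comparing version components numerically so that a Windows build such as 10.0.9 is correctly ranked below 10.0.19045 (a plain string comparison gets this backwards); the platform floors, field names and device rows are assumptions.

```python
# Constructed per-platform version floors (assumption: one minimum per OS).
MINIMUM_OS_VERSION = {
    "windows": "10.0.19045",
    "macos": "14.5",
    "android": "13",
}

def parse_version(version):
    """'10.0.19045.4412' -> (10, 0, 19045, 4412); stop at the first non-numeric piece."""
    parts = []
    for piece in version.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)

def compare_versions(a, b):
    """-1, 0 or 1 for a < b, a == b, a > b; missing trailing components count as 0."""
    va, vb = parse_version(a), parse_version(b)
    pad = max(len(va), len(vb))
    va, vb = va + (0,) * (pad - len(va)), vb + (0,) * (pad - len(vb))
    return (va > vb) - (va < vb)

def evaluate_compliance(devices, minimums=None):
    """Mark each device Compliant or Non-Compliant against its platform floor."""
    minimums = minimums or MINIMUM_OS_VERSION
    results = []
    for d in devices:
        floor = minimums.get(d["platform"].lower())
        if floor is None:
            results.append({**d, "status": "Unknown platform"})
            continue
        below = compare_versions(d["os_version"], floor) < 0
        results.append({**d, "required": floor, "status": "Non-Compliant" if below else "Compliant"})
    return results

# Constructed inventory rows in the shape of a device-list export.
SAMPLE_DEVICES = [
    {"name": "WIN-LAPTOP-01", "platform": "Windows", "os_version": "10.0.19045.4412"},
    {"name": "WIN-LAPTOP-02", "platform": "Windows", "os_version": "10.0.9"},
    {"name": "MAC-DESIGN-07", "platform": "macOS", "os_version": "14.4.1"},
    {"name": "LINUX-BUILD-02", "platform": "Linux", "os_version": "22.04"},
]

def non_compliant_names(devices=None):
    rows = evaluate_compliance(devices or SAMPLE_DEVICES)
    return [r["name"] for r in rows if r["status"] == "Non-Compliant"]
```

The names returned by non_compliant_names are the devices an "On Device Non-Compliance" automation would act on; a platform with no configured floor is reported separately rather than silently passed.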

Best Practices

  • Staggered Rollouts: Deploy patches to a “Pilot Group” of test devices first to ensure no mission-critical business apps break before approving them for the entire organization.
  • Regular Compliance Audits: Frequently review your Compliance Policies and adjust your target minimum OS Version in the Advanced Settings to reflect the latest essential security patches.