Can MDM schedule updates during off-hours?

Q1: How do we prevent Windows updates from automatically rebooting employee laptops during working hours?

The Use Case / Why: Corporate users frequently lose work or experience sudden slowdowns when Windows Update triggers a background installation, or a forced system restart mid-day. IT needs to guarantee a block of time where the OS remains completely uninterrupted.

The Hexnode Execution:

• Navigate to Policies > New Policy > Windows > Patches & Updates > Windows Update Experience and click Configure.
  • Enable Notifications during Active Hours.
  • Define the Start time and End time matching your organization’s standard working hours (e.g., 9:00 AM to 5:00 PM).
  • Set the Maximum range of active hours (up to 18 hours).

Windows will suppress all automated update reboots during this window, holding the payload until the user is safely offline.

Q2: Can we force critical Windows patches to install only during an exact overnight maintenance window?

The Use Case / Why: For servers, specialized workstations, or offices with strict operational schedules, updates cannot be left to chance. IT needs an exact, predictable enforcement window—such as Sunday at 2:00 AM—to run patches and clear restarts before Monday morning.

The Hexnode Execution: In the same Windows Update Experience policy, locate the Automatic update behavior dropdown and select Auto install and restart at specified time.

• Configure the Schedule frequency (e.g., Weekly, or Every Second Tuesday to align with Patch Tuesday).
• Set the exact Scheduled Install Day and Scheduled Install Time.

This forces the Windows Update agent to remain dormant until the precise off-hours window occurs.

Q1: How do we update dedicated Android kiosks or rugged field tablets without manual technician intervention?

The Use Case / Why: Field teams, retail associates, and warehouse workers rely on shared or kiosk-locked Android devices. Exiting kiosk mode manually on hundreds of devices to accept an OS update is operationally impossible. Updates must happen silently while devices sit on charging docks overnight.

The Hexnode Execution:

• Navigate to Policies > New Policy > Android > Enterprise > Security > OS updates and click Configure.
  • Change the System update settings dropdown to Update during inactive hours.
  • Specify your preferred maintenance window (e.g., 00:00 to 04:00).

The device will locally monitor its system time and automatically trigger the download and silent installation only within that precise window.

Admin Note: This automated, silent update logic requires devices to be enrolled as Device Owner via Android Enterprise.

Q1: How do we prevent users from manually updating their iPhones during the workday before we are ready?

The Use Case / Why: When Apple releases a major iOS update, eager employees often rush to download it during business hours. This consumes massive office bandwidth and risks breaking legacy corporate apps before IT has vetted the new OS.

The Hexnode Execution: You can hide the update from the user entirely. Navigate to Policies > New Policy > iOS / Apple TV > OS Updates.

• Configure the Delay visibility of software updates setting (up to 90 days).

This prevents the device from “seeing” the update during your testing phase. Once you are ready, you can lift the delay or use the DDM Software Update Preferences to deploy it.

Q1: How do we push massive macOS updates without saturating our office network bandwidth during the day?

The Use Case / Why: A major macOS upgrade can exceed 12 GB. If hundreds of MacBooks begin downloading this payload simultaneously at 10:00 AM, it can saturate office bandwidth and disrupt business operations. IT needs to split the process: download quietly in the background during the day, but install only at night.

The Hexnode Execution: This requires a coordinated two-step playbook in Hexnode:

• Pre-stage the download: Navigate to Policies > New Policy > macOS > Patches & Updates > Software Update Preferences. Check Automatically download new updates but uncheck “Automatically install OS updates.” This forces the Mac to pre-cache the package over time without running the installer.
• Schedule the off-hours execution: Go to the main Automate tab on the Hexnode dashboard. Create a new macOS Automation, locate the Updates section, and select Update OS.
  • Choose the Download and Install option.
  • Set the Execution time schedule to your preferred off-hours window.
• When the script runs at the scheduled time, the installation executes instantly because the file was already downloaded and cached locally.

Q1: Can we block ChromeOS devices from checking for updates during school or corporate hours?

The Use Case / Why: Chromebooks automatically fetch updates frequently. In environments like schools during testing or corporate call centers, a sudden update check and forced prompt can disrupt active sessions. IT needs to establish a strict “blockout period” during daytime hours.

The Hexnode Execution:

• Navigate to Policies > New Policy > ChromeOS > Configurations > OS Update and click Configure.
  • Ensure Auto Update is active.
  • Locate Auto-update time restrictions and define the exact hours when update checks are forbidden (e.g., block all checks between 08:00 and 17:00).
  • Optional: Configure Staging schedules within the same window to spread the deployment over a sequence of days (e.g., 20% of the fleet on day 1, 50% on day 3) to protect localized network infrastructure when the blockout ends.