You're technically correct, the best kind of correct, but you essentially responded to someone saying "users have fears" with "respond with (maximum) violence!"
In the case of macOS updates, you could/should instead:
- inform users of the difference between feature updates and security updates
- show them how to install security updates rather than major version changes
- give them a short window after which they must at least upgrade to the latest security patch on whatever version of macOS they're running so that they can choose their own update time for minimal disruption
There's no need to silently break anyone's computer while they sleep, or shut it down while they're working. It's shameful to even expect employees to put up with that.
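The third point above, a per-version security patch floor with a short grace window instead of forced major upgrades, is a small policy check rather than a product feature. The following is an added example, not code from the original thread or from any MDM vendor: it keeps a table of the minimum patch release per supported macOS major version and classifies each device as compliant, in its grace window, overdue, or in need of a major upgrade. The version numbers, publish dates, 14-day window and hostnames are constructed placeholders, not real Apple release numbers; the version strings are in the format `sw_vers -productVersion` prints on a real Mac.

```python
from datetime import date, timedelta
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Constructed policy table (placeholder numbers, not real Apple releases):
# for each supported macOS major version, the lowest patch release that
# carries the current security fixes, and the date that floor was published.
# Staying on an older major is fine as long as its patch floor is met.
PATCH_FLOOR: Dict[int, Tuple[Version, date]] = {
    12: ((12, 7, 4), date(2024, 3, 1)),
    13: ((13, 6, 5), date(2024, 3, 1)),
    14: ((14, 4, 0), date(2024, 3, 1)),
}

GRACE_DAYS = 14  # window in which users pick their own install time


def parse_version(text: str) -> Version:
    """Turn '13.6.1' or '14.4' (as printed by `sw_vers -productVersion`) into a 3-tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    parts += [0] * (3 - len(parts))  # '14.4' compares as 14.4.0
    return (parts[0], parts[1], parts[2])


def evaluate(version_text: str, today: date) -> Tuple[str, str]:
    """Classify one device against the patch floor for its own major version."""
    v = parse_version(version_text)
    entry = PATCH_FLOOR.get(v[0])
    if entry is None:
        # No security floor exists for this major: only a feature upgrade helps.
        return "major_upgrade_required", f"macOS {v[0]} is out of policy; no patch floor defined"
    floor, published = entry
    floor_text = ".".join(map(str, floor))
    if v >= floor:
        return "compliant", f"{version_text} meets floor {floor_text}"
    deadline = published + timedelta(days=GRACE_DAYS)
    if today <= deadline:
        days_left = (deadline - today).days
        return "in_grace", f"must reach {floor_text} within {days_left} day(s)"
    return "overdue", f"below {floor_text}; grace period ended {deadline.isoformat()}"


def fleet_report(inventory: Dict[str, str], today: date) -> Dict[str, Tuple[str, str]]:
    """Apply evaluate() to a hostname -> version map (e.g. an MDM inventory export)."""
    return {host: evaluate(ver, today) for host, ver in inventory.items()}


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = {
    "mbp-alice": "14.4",     # already on its floor
    "mbp-bob": "13.6.1",     # older major, below that major's floor
    "mbp-carol": "12.7.4",   # oldest supported major, but patched: fine
    "mbp-dave": "11.7.10",   # major no longer in policy
}


def report_on(year: int, month: int, day: int) -> Dict[str, Tuple[str, str]]:
    """Convenience wrapper: run the sample inventory as of a given date."""
    return fleet_report(SAMPLE_INVENTORY, date(year, month, day))


if __name__ == "__main__":
    for host, (status, detail) in report_on(2024, 3, 10).items():
        print(f"{host:10} {status:23} {detail}")
```

The point of the table shape is that a device on macOS 12 or 13 is never told to jump to 14; it only has to reach the patch floor of the major it already runs, and the grace window is computed from when that floor was published rather than from when IT happens to notice.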
Unfortunately macOS didn't have an MDM profile to mandate installing updates within a certain timeframe. You can delay them up to xx days but not enforce them.
Not sure if this was fixed in the last 3 years because I moved away from Mac management. But it was a problem unless you used something like Jamf, which rolls its own mechanism.
Intune only supports what Apple offers, so there were no options there.
That's awful. Maybe I was wrong, and 'the reason' is security and policy tooling where user experience is an afterthought. :\
I think there's a lot of room for improvement in this area but I don't see a lot of interest on the part of implementers or vendors. I think it's probably the usual incentives problem with enterprise software, which is tough.
Especially if they have valid concerns of degraded performance from past updates. That's a recipe for an adversarial user-IT relationship and inevitably drives users to attempt their own, sometimes risky, workarounds.
Like developer experience roles, maybe security departments need specialist 'user experience' teams or ICs. I think there's fertile middle ground here between anarchy and the received wisdom on 'best practices'.
Hey, it's "better" to have your entire department/division/company grind to a halt because everyone's machines broke at the same time, rather than pockets of glitches that you can't quite explain, and you have to individually query each device's version number and patch level.