Operating system update management for enrolled devices

Therefore, the following is claimed: 1. A non-transitory computer-readable medium embodying program instructions executable in at least one computing device that, when executed by the at least one computing device, cause the at least one computing device to: publish, to an agent application on a client device enrolled in a management service, a deployment profile comprising a setting that specifies at least one restriction associated with download or installation of software updates by a subset of client devices comprising the client device; receive, from the agent application, an identification of a software update available for the client device; provide software update metadata associated with the software update to an administrator console associated with the management service based on a query for the software update, wherein the software update metadata is received as part of a synchronization with an operating system update service; receive, in the administrator console associated with the management service, a specification of the subset of client devices to apply the software update; and in response to an input being received in the administrator console, direct the agent application of at least one client device in the subset of client devices to install the software update based on identifying the deployment profile as being applicable to the at least one client device in an instance in which the deployment profile has been published. 2. The non-transitory computer-readable medium of claim 1 , wherein the at least one computing device is further directed to: obtain, from a software update service, metadata associated with the software update. 3. The non-transitory computer-readable medium of claim 1 , wherein the specification is according to a user group. 4. The non-transitory computer-readable medium of claim 1 , wherein the setting specifies a particular type of software update that requires an administrator approval before installation of the particular type of software update on the at least one client device. 5. The non-transitory computer-readable medium of claim 4 , wherein the input specifies the administrator approval. 6. The non-transitory computer-readable medium of claim 1 , wherein the software update comprises an update to a software component of the at least one client device. 7. A system, comprising: at least one computing device; and program instructions executable in the at least one computing device that, when executed, cause the at least one computing device to: publish, to an agent application on a client device enrolled in a management service, a deployment profile comprising a setting that specifies at least one restriction associated with download or installation of software updates by a subset of client devices comprising the client device; receive, from the agent application, an identification of a software update available for the client device; provide software update metadata associated with the software update to an administrator console associated with the management service based on a query for the software update, wherein the software update metadata is received as part of a synchronization with an operating system update service; receive, in the administrator console associated with the management service, a specification of the subset of client devices to apply the software update; and in response to an input being received in the administrator console, direct the agent application of at least one client device in the subset of client devices to install the software update based on identifying the deployment profile as being applicable to the at least one client device in an instance in which the deployment profile has been published. 8. The system of claim 7 , wherein the program instructions, when executed, further direct the at least one computing device to: obtain, from a software update service, metadata associated with the software update. 9. The system of claim 7 , wherein the specification is according to a user group. 10. The system of claim 7 , wherein the setting specifies a particular type of software update that requires an administrator approval before installation of the particular type of software update on the at least one client device. 11. The system of claim 10 , wherein the input specifies the administrator approval in the administrator console. 12. The system of claim 10 , wherein the program instructions, when executed, further direct the at least one computing device to cause, in the administrator console, a display of an approval status corresponding to the administrator approval. 13. The system of claim 7 , wherein publishing the deployment profile to the agent application on the client device causes the agent application to delay or prevent installation of the software update. 14. The system of claim 7 , wherein the software update comprises an update to a software component of the at least one client device. 15. A computer-implemented method, comprising: publishing, to an agent application on a client device enrolled in a management service, a deployment profile comprising a setting that specifies at least one restriction associated with download or installation of software updates by a subset of client devices comprising the client device; receiving, from the agent application, an identification of a software update available for the client device; providing software update metadata associated with the software update to an administrator console associated with the management service based on a query for the software update, wherein the software update metadata is received as part of a synchronization with an operating system update service; receiving, in the administrator console associated with the management service, a specification of the subset of client devices to apply the software update; and in response to an input being received in the administrator console, directing the agent application of at least one client device in the subset of client devices to install the software update. 16. The computer-implemented method of claim 15 , further comprising: obtaining, from a software update service, metadata associated with the software update. 17. The computer-implemented method of claim 15 , wherein the specification is according to a user group. 18. The computer-implemented method of claim 15 , wherein the setting specifies a particular type of software update that requires an administrator approval before installation of the particular type of software update on the at least one client device. 19. The computer-implemented method of claim 15 , wherein publishing the deployment profile to the agent application on the client device causes the agent application to delay or prevent installation of the software update. 20. The computer-implemented method of claim 15 , further comprising: synchronizing the software update metadata with the operating system update service based on a predefined interval.