Guide for Apple IT: Mac Patch Management
It’s one thing for a Mac admin to distribute apps to users. It’s another thing to make sure those apps stay up to date.
Patch management isn’t just about making sure your users have the latest, greatest features in all their apps (though that is a pretty good reason in itself). Having an efficient patch management system is also a critical piece of your Mac security plan. If you aren’t deploying the latest versions of your organization’s apps, that software could be missing important stability or security fixes, leaving your users—and your organization—vulnerable.
If you need any convincing about the security imperative, go to the CVE (Common Vulnerabilities and Exposures) program and search for one of the apps your users rely on—Zoom, for example. That search will turn up a steady stream of discovered vulnerabilities in the conferencing app—many of them trivial, to be sure, but some of potential concern to Mac admins. Then, following our example, go to the Zoom release notes page. There you’ll see evidence of a steady stream of updates. Click on the release notes for any one of those and chances are you’ll see the phrase “security enhancements” in its list of fixes and improvements.
Depending on where you source your apps and how you distribute them, Mac patch management can be a simple hands-off process or a complex chore. In this guide, we’ll provide an overview of the challenges and some of the solutions for keeping your Mac apps up to date and safe.
(Note: This guide is about patch management for apps. Managing OS updates is a separate topic.)
Patching Apps from the App Store
If you acquire software from the App Store (via Apple Business Manager’s Apps and Books), deploying the latest versions of those apps is relatively straightforward—assuming, of course, that you’ve also connected your device management solution to Apple Business Manager. Apple does a good job keeping those apps up to date, and—because the capability is baked into the MDM spec—most device management solutions can automatically send those updates to enrolled devices whenever the new versions are ready.
Unfortunately, the App Store is missing some critical business titles, so it’s doubtful that you can satisfy all of your organization's software needs there. That’s when the patch-management picture gets a lot more complicated.
Manually Patching Non-App Store Apps
If you’ve already deployed an app through a channel other than the App Store, then patching it will follow much the same pattern: You acquire an installer for the latest version, then distribute it to your users. But there are some extra steps involved.
The first is to find out that a new version of the app has been released. Some apps have built-in alert mechanisms to tell users an update is available. (As an admin, you may see such notifications yourself, particularly if you maintain a test Mac set up with your org’s library of supported apps.) In other cases, you may need to monitor vendor communications or specialized news feeds.
You then need to know which of your devices have those updateable apps installed. Some device management solutions have built-in inventory services that will do the trick, and there are also dedicated tools such as osquery.
Once you know there’s an update and which devices need it, you need to roll it out—meaning deliver the update to end-user devices and trigger the install remotely. As with deploying apps in the first place, this raises a couple of important questions.
First, how does the app get installed? Simple ones might be bundled into a ZIP or DMG file. These applications can often just be copied from the archive to the user’s Applications folder. Other applications might install components all over the Mac and so have more complex installer packages. Some such packages can be used as they are, but others may require customization or repackaging to fit your environment.
Second, does the update need any additional configuration before or after it is installed? It's not uncommon for apps to need special licenses or organization-specific settings. Some might use configuration profiles to convey those settings, while others need pre- or post-install scripts.
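As an added example (not part of this guide and not Kandji’s own tooling), here is a POSIX shell script that carries the manual steps above through for a single Mac: it reads the installed version of an app from its Info.plist, compares it with a target version you supply, and, only when the app is behind, installs the new build from a DMG by copying the bundle into /Applications. The app name, target version and DMG path are assumed inputs passed on the command line; the `installed_version` and `install_from_dmg` functions rely on macOS tools (`defaults`, `hdiutil`, `ditto`), while the version comparison is plain shell and runs anywhere.

```shell
#!/bin/sh
# Added example: check one app's installed version against a target and,
# if it is behind, install the new build from a DMG. The app name, target
# version and DMG path are supplied by the caller (assumed inputs).

# Compare two dotted version strings numerically, component by component.
# Prints -1, 0 or 1 for a<b, a=b, a>b. Missing trailing components count
# as 0, so 5.13 and 5.13.0 compare equal; non-digit suffixes are ignored.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ahead="$(printf '%s' "${a%%.*}" | tr -cd '0-9')"
        bhead="$(printf '%s' "${b%%.*}" | tr -cd '0-9')"
        : "${ahead:=0}"
        : "${bhead:=0}"
        if [ "$ahead" -lt "$bhead" ]; then printf '%s\n' -1; return; fi
        if [ "$ahead" -gt "$bhead" ]; then printf '%s\n' 1; return; fi
        # Drop the leading component; empty once there is no dot left.
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# True when the installed version is older than the target.
needs_update() {
    [ "$(vercmp "$1" "$2")" -eq -1 ]
}

# macOS only: read the marketing version from the bundle's Info.plist.
installed_version() {
    plist="/Applications/$1.app/Contents/Info.plist"
    [ -f "$plist" ] || return 1
    defaults read "$plist" CFBundleShortVersionString
}

# macOS only: mount the DMG read-only, copy the bundle into /Applications
# with ditto (which preserves bundle metadata), then unmount.
install_from_dmg() {
    app="$1"; dmg="$2"
    mnt="$(mktemp -d /tmp/patch.XXXXXX)"
    hdiutil attach -nobrowse -readonly -quiet -mountpoint "$mnt" "$dmg" || return 1
    if ditto "$mnt/$app.app" "/Applications/$app.app"; then status=0; else status=1; fi
    hdiutil detach -quiet "$mnt"
    rmdir "$mnt" 2>/dev/null
    return $status
}

# Decide and act for one app. Prints a tab-separated status line that an
# inventory collector can pick up. Usage: patch_app APPNAME TARGET [DMG]
patch_app() {
    app="$1"; target="$2"; dmg="$3"
    if ! current="$(installed_version "$app")"; then
        printf '%s\tnot-installed\n' "$app"; return 0
    fi
    if ! needs_update "$current" "$target"; then
        printf '%s\t%s\tcurrent\n' "$app" "$current"; return 0
    fi
    if [ -z "$dmg" ]; then
        printf '%s\t%s\tneeds %s (no installer given)\n' "$app" "$current" "$target"; return 0
    fi
    if install_from_dmg "$app" "$dmg"; then
        printf '%s\t%s\tupdated to %s\n' "$app" "$current" "$(installed_version "$app")"
    else
        printf '%s\t%s\tinstall failed\n' "$app" "$current"; return 1
    fi
}

# Example invocation on a Mac (zoom.us is Zoom's actual bundle name; the
# version and DMG path are placeholders):
#   sh patch_app.sh zoom.us 5.17.0 /tmp/Zoom.dmg
if [ $# -ge 2 ]; then
    patch_app "$1" "$2" "${3:-}"
fi
```

Run it through your device management solution or a scheduled job with an app name and the version you have decided to enforce; pass the DMG path only once you have verified the installer. Without a DMP path it merely reports, which makes the same script usable as the inventory check from the previous step (the `bundle_short_version` column of osquery’s `apps` table reports the same CFBundleShortVersionString value fleet-wide).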
One exception to this workflow is an app that has its own built-in update mechanism. In that case, you may have to rely on users to do the updating. That means communicating, monitoring, and following up with them. Many end-users won’t know how to do the installation; some may lack the necessary privileges. If you’re trying to quickly deploy a critical security patch, this workflow is not ideal.
There are software tools that can help automate various parts of this process; there are also dedicated patch management services out there. For many admins, the device management solution they’re already using is a key helper.
At a minimum, that solution will be the mechanism by which you deploy updates to end-user devices. In Kandji, for example, you can use the Custom Apps feature to deliver and install updates.
Automated Patch Management
The process outlined above is how patch management has been done for years. But there is a better way: Automating the entire process, from determining who should get the update to delivering and installing it. Take, as an example, Kandji’s Auto Apps feature.
Auto Apps streamline patch management for Mac by pre-packaging, automatically updating, and hosting apps that aren’t available in the Mac App Store. The Auto Apps library contains some of the most common tools for business collaboration, development, and design, and is growing constantly.
To take advantage of Auto Apps, you just have to add the ones you want to deploy to a given Kandji Blueprint; Kandji will then take care of the patch management for you. Auto Apps also let you control how updates are enforced (either automatically or manually). You can create a timeline for updates, while still letting users delay installation until they are ready.
It’s much like deploying and maintaining apps from the App Store, but for titles that the Store doesn’t have.
About Kandji
Kandji makes Apple app deployment and patch management a breeze. It gives you complete visibility into the apps installed on your company’s devices, and it lets you deploy third-party apps in just a few clicks. From deployment to retirement, Kandji keeps your Apple devices safe, offering great features like pre-built security settings, one-click compliance, and plenty more.
See Kandji in Action
Experience Apple device management and security that actually gives you back your time.