When Apple surprises us with a security patch, the Internet goes wild. These patches range from new features and bug fixes to security updates, but the goal is always the same — it’s best to keep your Apple devices fully patched and up-to-date. Our automated management tools can help, but there are some things you should be aware of when it comes to updates on your Apple technology.
Trouble Running macOS Updates? There is a known bug whereby macOS updates (also known as patches) do not appear or don’t work. We have developed a fix: run the Software Update – Kickstart Process in MacManage.
Ongoing Communication is Key
Our automated patching tools will encourage your team to apply critical updates and restart. However, it’s essential to make them aware that they have to participate in this process (the alternative is unexpected forced restarts, which nobody likes).
Remind your team to look for “Nudge” prompts and take them seriously.
If you want to give your team an extra nudge — especially following fixes for zero-day vulnerabilities — then inform them that an update with critical vulnerability fixes is available and encourage them to run the updates as soon as possible. Below is a sample communication.
Share this with your team, edit as necessary, and remember you can track the status of your Apple devices with Vision-Bot.app.
SUBJECT: Apply Critical Software Update to Your Apple Devices
Apple recently released critical software updates for iOS, iPadOS, macOS, and watchOS. To keep your data safe, we recommend you apply these updates as soon as possible. The deadline to run these updates is one week from today.
Trouble Running macOS Updates? There is a known bug whereby macOS updates (also known as patches) do not appear. If you see an error or no updates, please run the Software Update – Kickstart Process in MacManage.
Contact the Ntiva Service Desk if you need any assistance.
For Macs, we leverage two auto-update mechanisms:
- A tool called “Nudge” prompts users to trigger updates when convenient. We set a due date for the update, and the reminder prompt appears twice daily. If the user lets the due date pass (usually one week from the first notification), the reminder prompt can no longer be dismissed. We begin nudging users a few days to a week after a patch has launched.
  Although we can force-push updates to non-compliant devices if necessary, we risk surprising the user with a device restart, which could lead to data loss. Any Mac running a modern macOS in management can receive these notifications and commands. Here is the general process we follow when a macOS patch is released:
  - Discover the patch has been published (Apple does not release patches on any set schedule or cadence).
  - Test the patch ourselves and give it a week in public to confirm it contains no wildly nasty bugs.
  - Update our patch definitions for Nudge update prompts with a due date of 7 days.
- A Software Update MDM Profile auto-checks, downloads, and prepares to install detected OS updates in the background. The MDM Profile will attempt to trigger the update the next time the user reboots.
iOS and iPadOS Updates
An iOS device must be supervised before software updates can be pushed to it. Supervision is required to enable more advanced management features, and it often requires additional setup, so it's not yet common across many clients. Devices with supervision will display the SUPERVISED tag next to the device serial number in Vision-Bot.
Supervised iOS devices can have updates pushed to them. However, the chance of disrupting a user with a surprise restart is exceptionally high.
For unsupervised iOS devices, we cannot cache or trigger software updates, period. This limitation is why client communication is our most important tool for critical iOS updates.
The status of device updates can be tracked in Vision-Bot, and follow-up communications or enforcement can be handled case-by-case.
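The follow-up rules described above (a 7-day Nudge due date on Macs, push only for supervised iOS devices, communication for everything else) can be expressed as a small triage over a device inventory. This is an added example, not Ntiva's, Nudge's, or Vision-Bot's code; the record fields, state labels, serials, versions, and dates are all assumptions constructed for illustration.

```python
from datetime import date, timedelta

NUDGE_WINDOW = timedelta(days=7)  # the page sets the Nudge due date 7 days out

def parse_version(text):
    """'14.4' -> (14, 4, 0), so 14.10 sorts after 14.9 (a string compare would not)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(device, required, nudge_start, today):
    """Return the follow-up state for one inventory record (hypothetical schema)."""
    if parse_version(device["os_version"]) >= parse_version(required[device["platform"]]):
        return "compliant"
    if device["platform"] == "macOS":
        due = nudge_start + NUDGE_WINDOW
        if today < nudge_start:
            return "pending: patch still in testing"
        if today <= due:
            return f"nudging: dismissible until {due.isoformat()}"
        return "overdue: prompt can no longer be dismissed"
    # Any other platform is treated as iOS/iPadOS: only supervised devices accept a push.
    if device.get("supervised"):
        return "push possible: warn user about the restart"
    return "notify user: update cannot be cached or triggered"

# Constructed sample data: serials and version numbers are placeholders.
REQUIRED = {"macOS": "14.10", "iOS": "17.5"}
INVENTORY = [
    {"serial": "SAMPLE-MAC-1", "platform": "macOS", "os_version": "14.10"},
    {"serial": "SAMPLE-MAC-2", "platform": "macOS", "os_version": "14.9.1"},
    {"serial": "SAMPLE-IOS-1", "platform": "iOS", "os_version": "17.4", "supervised": True},
    {"serial": "SAMPLE-IOS-2", "platform": "iOS", "os_version": "17.4", "supervised": False},
]

def report(inventory, required, nudge_start, today):
    """Map each serial to its triage state."""
    return {d["serial"]: triage(d, required, nudge_start, today) for d in inventory}

if __name__ == "__main__":
    start = date(2024, 1, 8)  # constructed date on which nudging began
    for serial, state in report(INVENTORY, REQUIRED, start, date(2024, 1, 17)).items():
        print(f"{serial}: {state}")
```

The "notify user" and "overdue" buckets are the ones that need a person to follow up: the first cannot be fixed by tooling at all, and the second is where a forced restart becomes the remaining option.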
Also, when Apple releases a surprise patch, it doesn't mean everyone should apply it immediately. Apple has released patches in the past that proved to be problematic. They eventually removed the failed patch and issued a new one, but the process was very disruptive to many organizations and individuals. We recommend you allow our team of Apple specialists 24-48 hours to test and confirm the stability of a critical patch before applying patches to business-critical devices.