Manage patches for Apple computers

The Apple patching workflow in N-central provides a simplified deployment experience, stronger credential protection, and support for Apple Silicon volume ownership requirements.

Patch management in N-central is enabled by default. When a device is managed, N-central automatically runs detection scans to identify missing patches. You do not need to create patch policies, assign licenses, or deploy patch‑related configuration items to begin detection. From this point forward, you can install patches manually or automate deployment by using policies. To monitor results, review patch installation outcomes in the Completed Patches tab.

This workflow helps you:

  • Enable patching for the required devices.
  • Confirm that devices are enrolled and required components are reporting correctly.
  • Configure interactive restart controls so users can manage reboot timing.
  • Monitor device compliance, where patch status is shown as Pending, Installed, or Failed.
  • Review patch outcomes on the Completed Patches tab.

Supported platforms: macOS on Intel and Apple Silicon (M1, M2, M3, and later).

Apple patch workflow

Apple patch deployment follows this sequence:

  1. Apple computers automatically detect available patches.
    • On Intel‑based devices, patches can be installed immediately.
    • On Apple silicon devices, Apple requires volume ownership to install operating system patches. You must provide volume owner credentials to the N-central patch engine.
  2. You initiate patch deployment on Apple computers.
  3. N-central installs patches according to the schedule you configure.
  4. If a restart is required, N-central prompts the end user based on your configured restart settings.
  5. Installation completes after the device restarts.

Before you begin

  • Agent and components: Verify that the agent is installed and working on the device.
  • Apple Silicon prerequisite (M1, M2, and later): Operating system updates on Apple Silicon computers must be authorized by a volume owner. N-central uses stored volume owner credentials to authenticate OS updates.

Without valid volume owner credentials, OS patching fails during installation on Apple Silicon computers. A volume owner is the first account that sets up the device or an account explicitly granted ownership later. For more information, see the official Apple documentation on volume ownership.

Why volume ownership is required

Apple requires a dedicated local account with volume ownership to perform system‑level actions on macOS. macOS restricts command‑line access for installing operating system and security updates, and only users explicitly trusted by Apple can modify the system volume.

Command‑line patching tools must run under a macOS user account that has permission to change the system volume. Standard service accounts and background processes do not have this permission by default, particularly on Apple silicon devices.

This requirement is part of Apple’s security model. It helps protect the integrity of macOS, prevents unauthorized or silent system changes, and ensures that all privileged actions are traceable and approved, even when they are initiated by device management or patching solutions.

Configure Apple Silicon volume owner credentials

Configure volume owner credentials for Apple Silicon computers for patch management.

macOS enforces strict security controls on Apple Silicon computers. To perform system‑level actions—such as operating system and security patching via the command line—a trusted local user known as a volume owner is required.

N-able Patch Management relies on volume owner credentials to securely invoke the macOS command‑line interface (CLI) and install patches in a way that complies with Apple’s security model.

Step 1: Check whether a volume owner already exists on the computer

Before configuring N‑able Patch Management, confirm whether the computer already has a volume owner account.

A volume owner is a local user account that macOS explicitly authorizes to modify the system volume. Without a volume owner, macOS blocks all CLI‑based operating system and security patching attempts.
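
One way to run this check from Terminal on the Mac, as an added example that is not part of the N-able documentation: the functions below parse the output of `diskutil apfs listUsers /` and keep only local user accounts marked as volume owners, since those are the accounts whose username and password can be supplied later. The sample output and its UUIDs are constructed, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: find local accounts that are volume owners.

# Constructed sample of `diskutil apfs listUsers /` output (UUIDs are made up).
sample_listusers() {
cat <<'EOF'
Cryptographic users for disk3s1s1 (3 found)
|
+-- 11111111-2222-3333-4444-555555555555
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
|   Type: Local Open Directory User
|   Volume Owner: No
|
+-- 99999999-8888-7777-6666-555555555555
|   Type: MDM Bootstrap Token External Key
|   Volume Owner: Yes
EOF
}

# Read listUsers output on stdin; print the UUID of every local user
# account flagged as a volume owner. Non-user entries are skipped because
# they have no username and password to hand to a patching tool.
volume_owner_uuids() {
  awk '
    /^\+-- /            { uuid = $2; type = "" }
    /Type: /            { sub(/^.*Type: /, ""); type = $0 }
    /Volume Owner: Yes/ { if (type == "Local Open Directory User") print uuid }
  '
}

# Number of usable local volume owners found in the input.
count_volume_owners() {
  volume_owner_uuids | wc -l | tr -d ' '
}

# On a Mac, run the real command and resolve each UUID to its short name.
if [ "$(uname -s)" = "Darwin" ] && command -v diskutil >/dev/null 2>&1; then
  diskutil apfs listUsers / | volume_owner_uuids | while read -r uuid; do
    name=$(dscl . -search /Users GeneratedUID "$uuid" | awk 'NR==1 {print $1}')
    echo "volume owner: ${name:-unknown} ($uuid)"
  done
fi
```

If the script prints no account on an Apple Silicon computer, continue with Step 2.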

Step 2: Create a volume owner account on the computer (if required)

If the computer does not have a usable volume owner, create a new local administrator account on the computer and grant it volume ownership. This must be done locally on the device and in accordance with Apple’s security requirements.

After creating the account:

  • Securely record the username and password. These credentials are required by N‑able Patch Management.

  • The credentials only need to be set once, unless they change on the device.

Step 3: Configure volume owner credentials in N-able Patch Management

Before managing Apple Silicon computers, configure the volume owner credentials so N-able Patch Management can use the macOS CLI to apply operating system and security updates.

You only need to configure these credentials once per device or device group, unless the credentials change.

To configure volume owner credentials:

  1. Go to View > Assets.
  2. On the Assets page, select Set volume ownership from the Actions dropdown.
  3. In the Set Volume Ownership permissions dialog, enter the volume owner username and password.
  4. Select Set volume owner permissions.
  • All credentials are encrypted and transferred using a secure internal mechanism.
  • On the Assets page, the Apple patch icon shows a green status only after an installation attempt confirms that the provided credentials are valid.

Step 4: Verify volume ownership status and patching behavior

After the credentials are set, the volume ownership status is visible in N-able Patch Management through both the Assets page and the patch status icon for the device.

The volume owner status appears as Missing at first. This is expected behavior because N‑able Patch Management cannot verify the credentials until it attempts a macOS patch installation.

After a patch installation runs:

  • If the credentials are correct and accepted by macOS, the patch installs successfully and the volume ownership status updates to show the credentials are valid and working.

  • If the credentials are incorrect, the patch fails and Invalid credentials appears in the Failed Patches view. The volume ownership status does not update.

Volume ownership is validated only after a patch installation attempt, not when the credentials are entered.

Further information from Apple

For Apple’s official explanation of volume ownership, including why it is required and how it is enforced on Apple Silicon computers, see Volume ownership on Apple Silicon Macs in Apple’s deployment documentation.

Deploy and install Apple patches

Use Apple patch management to control how updates are deployed to Apple computers, including Apple silicon devices. This page covers Apple‑specific requirements and behavior.

For general deployment and installation steps, see Manage patches for devices.

Darwin OS filter for Apple patching: macOS devices are identified under the Darwin operating system type. When filtering patches for Apple operating system updates, include the Darwin filter to ensure macOS-related patches are displayed.

Apple computers require a restart for operating system updates to take effect. For details about setting restart prompts, deferrals, and messages, see Manage device restarts.

Manage device restarts

Patch installation on Apple computers often requires one or more system restarts to complete.

macOS updates are installed during a restart. Restarting devices is required to keep them secure and up to date.

Although restarts occur as part of the patch deployment workflow, restart behavior is managed separately to minimize disruption for end users. When you deploy patches to Apple computers, N-central displays additional restart options described here.

Interactive restart options allow end users to:

  • View pending restarts after patch installation.
  • Delay a restart if needed.
  • Restart the device at a convenient time.

To set the device restart options:

  1. Under Asset reboot in the Schedule Installation dialog, select one or more of the following:
    • Show reboot dialog to user (recommended): Allows users to control when the device restarts.

      When you enable Show reboot dialog to user, the options are displayed to the end user only after the patch download completes and is ready to install. Download time varies by device and depends on the device’s network speed, so there may be a delay before the options appear.

    • If you select Show reboot dialog to user, configure the options that appear in the dialog:
      • Reboot countdown timer: Select No timer to force the restart to occur immediately.
      • Add option to cancel reboot.
      • Add option to snooze reboot. If snooze is enabled, specify:
        • Snooze timer to set the delay duration.
        • Snooze count to set how many times the user can delay the restart.

This behavior applies after patches are deployed. After you configure restart settings, return to Manage patches for devices to complete the deployment.