Add a Run Managed Patch task

You can add a Run Managed Patch automated task on one or more Mac devices to automatically deploy verified third-party updates for supported products. You can schedule when the task will occur or you can run it on demand.

We recommend you deploy two Run Managed Patch tasks.

  • Task 1 — Run while the user is logged in to deploy most patches and display the new behavior where an action is required. For example, this task installs patches for closed apps and patches that do not require a reboot, and prompts the user with System Preferences if we download a patch that does require a reboot.

  • Task 2 — Run only when the user is logged out to deploy patches that cannot install with the user logged in. For example, this task installs third-party patches that do not require a reboot.

To add and schedule a Run Managed Patch task:

  1. On the All Devices view North-pane, select one or more devices where you want to add the task (use Shift and left-click to choose a range of devices or Control and left-click for specific machines).
  2. Right-click one of the selected devices and select Task > Add.

    The selected devices must use the same operating system for the Task option to display.

    The Add Automated Task dialog displays.

  3. Select Run Managed Patch under Maintenance and click Next.

    Only tasks for the selected devices' Operating System are displayed.

  4. Enter a Descriptive Name, configure the parameters for the task and click Next.

  5. Use Select Frequency Method to choose the frequency, select the Schedule Settings if required, and select Next.

    Choice and Action:
    • Once per day: Select the days to run the task and the time to run the task each day. Select one day to run the task weekly.
    • Once per month: Select the day of the month to run the task and the time to run the task on that day.
    • On Check Failure: Select which Check failure will trigger the task to run, and select or enter additional settings if they are available in With These Settings...
    • Manual: Select Manual to Run Automated Task On demand. The task runs in near real-time and uploads the results within a few minutes of the task completing.

    Tasks run based on the local time of the computer where the Agent is installed.

  6. Configure the frequency options.

    Choice and Action:
    • Run Task for a limited period (available for Once per day and Once per month): Select the Start Date and Start Time, and the End Date and End Time.
    • Set maximum permitted execution time (available for all frequencies): Enter the maximum Days, Hours, and Minutes of run time before the Task is canceled.
  7. Optionally, you can select Run task as soon as possible if schedule is missed (available for Once per day and Once per month frequencies).
  8. Run task as soon as possible if schedule is missed adheres to the Run Task for a limited period selection and will not execute tasks outside of that window.

  9. If you are adding the task on multiple devices, select Next, confirm the devices where you want to apply the task and select Add Task.

    The Run Managed Patch task is added to the device(s) and it displays in the South-pane Tasks tab for each device. View the User Audit Report to see the user actions for adding the task.

  10. We recommend you Add a Managed Patch Status script check to view the most recent Managed Patch installations to Mac devices, and to receive alert notifications when a patch fails, is queued, or is in a pending state.

Task parameters

Parameter and Description:

  • Prompt user to install Apple updates: If an Apple update is found, we open the Software Update preference pane and display a branded user notification prompting them to click Update Now to install the update.

    To update Apple OS versions without user action, see Update OS version on Apple devices.

  • testing: Install patches as soon as they become available (not tested or verified).

  • production: Only install tested and verified patches.

  • Command Line: Enter options to pass on to the Munki client software (optional).

  • Only run script if user is logged out: If this option is enabled and a logged-in user is detected, the task queues until they have logged out. The logged-in user receives a notification that a task is waiting for them to log out. After they log out the task runs.

    If this option is disabled, the task runs, installs what it can and if a logged-in user is detected, it stops. If the user then logs out, the task does not continue to run because it has already exited.

  • Hide macOS notification when script is run: Run the task without notifying the user.