Add a Run Managed Patch task

You can add a Run Managed Patch automated task to one or more Mac devices to deploy verified third-party updates for supported products. You can schedule the task or run it on demand.

We recommend deploying two Run Managed Patch tasks.

Task 1: Runs while the user is logged in. Installs most patches, including those for closed apps and patches that don’t require a reboot. If a patch requires a reboot, the task opens System Preferences and prompts the user to select Update Now.
Task 2: Runs only when the user is logged out. Installs patches that cannot be applied while the user is logged in. For example, this task installs third-party patches that do not require a reboot.

Add and schedule a Run Managed Patch task

In the All Devices view go to the North-pane, and select one or more devices where you want to add the tas.
- Use Shift + left-click to select a range of devices.
- Use Control + left-click to select individual devices.
Right-click one of the selected devices and choose Task > Add.
- The Task option appears only if the selected devices use the same operating system.
In the Add Automated Task dialog under Maintenance, select Run Managed Patch, then select Next.
- Only tasks that match the selected devices' operating system are shown.
Enter a Descriptive Name, configure the parameters for the task and Select Next.
From the Select Frequency Method dropdown list, choose how often the task runs. Configure the Schedule Settings if needed, then select Next.
- Once per day: Select the days and time to run the task. To run the task weekly, select a single day.
- Once per day: Select the day of the month and the time to run the task.
- On check failure: Select the check failure that will trigger the task. If available, configure additional options in With these settings...
- Manual: Select to Run Automated Task On demand. The task runs in near real time and uploads results within a few minutes of completion.
Tasks run based on the local time of the device where the agent is installed.
Choose and set the frequency options:
- Run Task for a limited period: Select the start date and time, and the end date and time (available for once per day and once per month ).
- Set maximum permitted execution time: Enter the maximum number of days, hours, and minutes the task can run before it is canceled.
(Optional) Select Run task as soon as possible if schedule is missed (available for once per day and once per month frequencies).

This option respects the Run Task for a limited period setting and will not execute tasks outside of that window.

If you're adding the task on multiple devices, select Next, confirm the devices where you want to apply the task, and select Add Task.
The Run Managed Patch task is added to the selected devices and appears in the South-pane Tasks tab for each device. To view user actions related to the task, open the User Audit Report.

We recommend you Add a Managed Patch Status script check to monitor recent patch installations on Mac devices and receive alert notifications when a patch fails, is queued, or is pending.

Task parameters

Prompt user to install Apple updates
If an Apple update is found, the Software Update preference pane opens and a branded notification prompts the user to select Update Now.

To update Apple OS versions without user action, see Update OS version on Apple devices.
Testing
Installs patches as soon as they become available. These patches are not tested or verified.
Production
Installs only patches that have been tested and verified.
Command Line
Optional. Enter parameters to pass to the Munki client software.
Only run script if user is logged out
If enabled and a logged-in user is detected, the task queues until the user logs out. The user receives a notification that a task is waiting. After logout, the task runs.

If disabled, the task runs immediately. If a user is logged in, the task stops. It does not resume after logout.
Hide macOS notification when script is run
Runs the task silently without notifying the user.