Run Managed Patch task

The Run Managed Patch task automatically deploys verified third-party software updates for supported products via Munki client software. Optionally, you can also configure the task to prompt users to install Apple OS updates for unmanaged Apple devices not enrolled in Device Management for Apple.

To update the Apple OS version on your devices, see Update OS version on Apple devices.

To update App Store purchases on your devices, see App management.

We manually test and validate each patch in our repository to ensure it successfully installs and does not contain notable bugs. When we approve a patch as production-ready, its approval status changes from testing to production. When you add a Run Managed Patch task, the task defaults to install production patches only, but you can change that to install patches with a status of testing if required.

We update the following lists nightly with the latest software versions and current approval status:

• Real-time patch list: Last seven days of changes to the third-party repository.
• Third-party patch list: Complete list of third-party updates in Managed Patch repository.

If a vendor releases a critical patch, such as a security fix, the approval status may change to Moved to Production status more quickly to deploy the fix as soon as possible.

To get started with Run Managed Patch:

1. Review the Requirements for Run Managed Patch.
2. Add a Run Managed Patch task.

   We recommend you deploy two Run Managed Patch tasks.

   • Task 1 — Run while the user is logged in to deploy most patches and display the new behavior where an action is required. For example, this task installs patches for closed apps, patches that do not require a reboot, and prompts the user with System Preferences if we download a patch that does require reboot.

   • Task 2 — Run only when the user is logged out to deploy patches that cannot install with the user logged in. For example, this task installs third-party patches that do not require a reboot.

3. Run Managed Patch task on demand (optional).

To monitor and manage your Run Managed Patch tasks you can:

1. Add a Managed Patch Status script check to get alerts if a patch fails or remains pending.
2. View Run Managed Patch task results and status.
3. View the Managed Patch for Mac report to see the patches and their status on each device.
4. Disable a Run Managed Patch task.

Apple binary instability

There is industry reported instability in the binary used by Apple to perform patching of macOS (/usr/bin/softwareupdate). Where this instability occurs, it can leave the OS in a non-bootable (bricked) state.

The unstable behavior is not observed when the user triggers the update from System Preferences. Therefore, when the Managed Patch task finds a patch that requires a reboot, we open the Software Update preference pane and display a branded user notification prompting them to click Update Now.

To ensure the user performs this action, the Run Managed Patch task must be set to run while the user is logged in.

The following video shows the user notifications and the Software Update preferences pane where the user clicks Update Now: