Run Managed Patch task for Apple

The Run Managed Patch task automatically installs verified third-party software updates for supported products using Munki client software. You can also prompt users to install Apple OS updates on unmanaged Apple devices not enrolled in Device Management for Apple.

To update the Apple OS version on your devices, see Update OS version on Apple devices.

To update App Store purchases on your devices, see App management.

Each patch in our repository is manually tested to confirm that it installs successfully and to identify any notable bugs. When a patch is approved for production, its status changes from testing to production. By default, the task installs only production patches, but you can configure it to include testing patches as well.

We update the following lists nightly:

If a vendor releases a critical patch, such as a security fix, it may be moved to production on an accelerated schedule so that it deploys sooner.

Recommended task setup

  1. Review the Requirements for Run Managed Patch.
  2. Add a Run Managed Patch task.

    We recommend deploying two Run Managed Patch tasks.

    • Task 1: Runs while the user is logged in. Installs most patches, including those for closed apps and patches that don't require a reboot. If a patch requires a reboot, the task opens System Preferences (System Settings on macOS 13 and later) and prompts the user to select Update Now.

    • Task 2: Runs only when no user is logged in. Installs patches that cannot be applied while a user is logged in. For example, this task installs third-party patches that require a reboot, which the logged-in task can only prompt the user for.

  3. Run Managed Patch task on demand (optional).

Monitor and manage patch tasks

Use the following steps to monitor and manage patch tasks effectively:

  1. Add a Managed Patch Status script check to receive alerts when a patch fails or remains pending.
  2. View Run Managed Patch task results and status to track progress and identify issues.
  3. View the Managed Patch for Mac report to see which patches are deployed and their status on each device.
  4. Disable a Run Managed Patch task when patching is no longer required.
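As an added example, not the product's own Managed Patch Status script check and not Munki code, the following Python 3 script shows the kind of check a Mac-side monitor can run. It parses the ManagedInstallReport.plist that Munki writes after each run (assumed to live at /Library/Managed Installs/ManagedInstallReport.plist and to carry the ItemsToInstall, InstallResults, Errors and EndTime keys Munki uses), lists pending and failed installs, flags a client whose last Munki run is older than an assumed 36-hour threshold, and exits nonzero so that the monitoring platform raises an alert. The report embedded in the script is a constructed sample, not data from a real client.

```python
"""Patch-status check for a Munki-managed Mac (added example).

Reads Munki's ManagedInstallReport.plist, summarises pending installs,
failed installs and run errors, and exits nonzero when something needs
attention. Intended to be run as a script check on the client.
"""
import plistlib
import sys
from datetime import datetime, timedelta, timezone

# Path Munki writes after every managedsoftwareupdate run (assumed default).
REPORT_PATH = "/Library/Managed Installs/ManagedInstallReport.plist"
# Assumption: a client that has not completed a Munki run in 36 h is "stale".
STALE_AFTER = timedelta(hours=36)

# Constructed sample report, not captured from a real client. Key names follow
# the ones Munki writes; one install succeeded, one failed, one is pending.
SAMPLE_REPORT = plistlib.dumps({
    "StartTime": "2024-03-04 02:00:00 +0000",
    "EndTime": "2024-03-04 02:05:10 +0000",
    "ItemsToInstall": [
        {"name": "Firefox", "display_name": "Mozilla Firefox",
         "version_to_install": "123.0"},
    ],
    "InstallResults": [
        {"name": "GoogleChrome", "display_name": "Google Chrome",
         "version": "122.0.6261.112", "status": 0},
        {"name": "Zoom", "display_name": "Zoom", "version": "5.17.5", "status": 1},
    ],
    "Errors": ["Could not download Zoom-5.17.5.pkg: timeout"],
    "Warnings": [],
})
# Fixed "now" so the sample evaluates deterministically.
SAMPLE_NOW = datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)


def parse_munki_time(value):
    """Munki stores StartTime/EndTime as 'YYYY-MM-DD HH:MM:SS +0000' strings."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    try:
        return datetime.strptime(str(value), "%Y-%m-%d %H:%M:%S %z")
    except (TypeError, ValueError):
        return None


def summarize_report(report, now=None):
    """Return pending/failed/error lists plus whether the last run is stale."""
    now = now or datetime.now(timezone.utc)
    pending = [item.get("display_name") or item.get("name")
               for item in report.get("ItemsToInstall", [])]
    failed = []
    for result in report.get("InstallResults", []):
        # Munki records status 0 for success; anything else is a failure.
        if result.get("status", 0) != 0:
            name = result.get("display_name") or result.get("name")
            failed.append(f"{name} {result.get('version', '')}".strip())
    errors = [str(err) for err in report.get("Errors", [])]
    last_run = parse_munki_time(report.get("EndTime"))
    stale = last_run is None or (now - last_run) > STALE_AFTER
    return {"pending": pending, "failed": failed, "errors": errors,
            "last_run": last_run, "stale": stale}


def status_code(summary):
    """2 = failures or errors, 1 = pending work or no recent run, 0 = healthy."""
    if summary["failed"] or summary["errors"]:
        return 2
    if summary["pending"] or summary["stale"]:
        return 1
    return 0


def format_summary(summary):
    lines = [f"last run: {summary['last_run']} (stale={summary['stale']})"]
    lines += [f"FAILED: {item}" for item in summary["failed"]]
    lines += [f"ERROR: {err}" for err in summary["errors"]]
    lines += [f"PENDING: {item}" for item in summary["pending"]]
    return "\n".join(lines)


def check_sample():
    """Evaluate the constructed sample report with the fixed SAMPLE_NOW."""
    summary = summarize_report(plistlib.loads(SAMPLE_REPORT), SAMPLE_NOW)
    return summary, status_code(summary)


def main(argv):
    path = argv[1] if len(argv) > 1 else REPORT_PATH
    with open(path, "rb") as handle:
        report = plistlib.load(handle)
    summary = summarize_report(report)
    print(format_summary(summary))
    return status_code(summary)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root on the client (it needs read access to /Library/Managed Installs), or pass a report path as the first argument. Map exit code 2 to a failure alert and exit code 1 to a pending alert in the monitoring platform; treating a missing or stale EndTime as alert-worthy catches clients on which the patch task has silently stopped running.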

Reboot-sensitive patch handling on macOS

There is industry-reported instability in Apple's softwareupdate command-line tool (/usr/sbin/softwareupdate). In rare cases, an update installed through it can leave the OS in a non-bootable state.

This issue does not occur when users manually update through System Preferences.

To safeguard against this:

  • When a patch requires a reboot, the task opens the Software Update pane and displays a branded notification prompting the user to select Update Now.
  • To ensure this prompt appears, configure the Run Managed Patch task to run while the user is logged in.

The following video shows the user notifications and the Software Update preferences pane when the user selects Update Now: