Managed Patch for Mac

Managed Patch for Mac uses the Run Managed Patch task to automatically deploy verified third party updates for supported products via Munki client software.

The Run Managed Patch task does not deploy updates for App Store purchases. For information about App Store purchase updates, see Manage App Store purchases.

We manually test and validate each patch in our repository to ensure it installs successfully and does not contain notable bugs. When we approve a patch as production-ready, its approval status changes from testing to production. When you add a Run Managed Patch task, the task defaults to installing production patches only, but you can change it to also install patches with a status of testing if required.

We update the following lists nightly with the latest software versions and current approval status:

If a vendor releases a critical patch, such as a security fix, we may move the patch to production status more quickly so the fix can be deployed as soon as possible.

To get started with Managed Patch for Mac:

  1. Review the Requirements for Managed Patch for Mac
  2. Add a Run Managed Patch task

    We recommend you deploy two Run Managed Patch tasks.

    • Task 1 — Run while the user is logged in. This task deploys most patches and shows the user a notification when action is required: it installs patches for apps that are closed and patches that do not require a reboot, and when a downloaded patch does require a reboot it opens System Preferences and prompts the user to install it.

    • Task 2 — Run only when the user is logged out. This task deploys patches that cannot be installed while a user is logged in, for example third-party patches that require a restart or logout, which Munki will not install unattended while a user session is active.

  3. Run Managed Patch task on demand (optional)

To monitor and manage your Run Managed Patch tasks you can:

  1. Add a Managed Patch Status script check to get alerts if a patch fails or remains pending
  2. View Run Managed Patch task results and status
  3. View the Managed Patch for Mac report to see the patches and their status on each device
  4. Disable a Run Managed Patch task

Apple binary instability

There is industry-reported instability in the binary Apple uses to patch macOS (/usr/bin/softwareupdate). When this instability occurs, it can leave the OS in a non-bootable (bricked) state.

The unstable behavior is not observed when the user triggers the update from System Preferences. Therefore, when the Run Managed Patch task finds a patch that requires a reboot, it opens the Software Update preference pane and displays a branded user notification prompting the user to click Update Now.

To ensure the user performs this action, the Run Managed Patch task must be set to run while the user is logged in.

The following video shows the user notifications and the Software Update preferences pane where the user clicks Update Now:
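The logged-in/logged-out split and the softwareupdate caveat above can be enforced in a custom script check of your own. The script below is an added example, not part of the Managed Patch for Mac product, Munki, or this page: it parses `softwareupdate -l` output, separates updates that need a restart from those that do not, and never installs a restart-required Apple update unattended. When such an update is pending and a user is logged in it opens the Software Update pane instead; when nobody is logged in it defers. The sample `softwareupdate -l` text is constructed so the parsing runs on any machine, and the `x-apple.systempreferences:` URL used to open the pane is an assumption that varies by macOS version.

```shell
#!/bin/sh
# Added example (not the product's or Munki's own code): a patch-status helper
# that refuses to run restart-required Apple updates unattended.

# Constructed sample in the macOS 11+ `softwareupdate -l` format, so the
# parsing functions can be exercised on a non-Mac host.
SAMPLE_SWU_OUTPUT='Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: macOS Big Sur 11.6.1-20G224
    Title: macOS Big Sur, Version: 11.6.1, Size: 2986527K, Recommended: YES, Action: restart,
* Label: Command Line Tools for Xcode-13.1
    Title: Command Line Tools for Xcode, Version: 13.1, Size: 447100K, Recommended: YES,
* Label: Safari15.1BigSurAuto-15.1
    Title: Safari, Version: 15.1, Size: 63500K, Recommended: YES, Action: restart,
'

# Read `softwareupdate -l` output on stdin; print "<label>\t<restart|none>" per update.
parse_pending_updates() {
  awk '
    /^\* Label: / { label = substr($0, 10) }
    /^[ \t]*Title: / && label != "" {
      action = ($0 ~ /Action: restart/) ? "restart" : "none"
      printf "%s\t%s\n", label, action
      label = ""
    }'
}

# Labels that are safe to install without a restart (stdin = softwareupdate -l output).
no_restart_labels() { parse_pending_updates | awk -F '\t' '$2 == "none" { print $1 }'; }

# Labels that require a restart and must be handed to the user.
restart_labels() { parse_pending_updates | awk -F '\t' '$2 == "restart" { print $1 }'; }

# Count of restart-required updates, printed as a bare integer.
restart_required_count() { restart_labels | awk 'END { print NR }'; }

# Exit 0 if someone is logged in at the console. Assumption: /dev/console is
# owned by the console user, as it is on macOS; elsewhere this reports logged-out.
console_user_logged_in() {
  user=$(stat -f %Su /dev/console 2>/dev/null) || return 1
  [ -n "$user" ] && [ "$user" != "root" ]
}

# Decide what an automated run may do. $1 = softwareupdate -l output,
# $2 = "logged-in" or "logged-out". Prints one of:
#   install-unattended  only restart-free updates pending; safe to install silently
#   prompt-user         a restart-required update is pending and a user can click Update Now
#   defer               restart-required update pending but nobody logged in to approve it
decide_action() {
  if [ "$(printf '%s\n' "$1" | restart_required_count)" -eq 0 ]; then
    echo install-unattended
  elif [ "$2" = "logged-in" ]; then
    echo prompt-user
  else
    echo defer
  fi
}

main() {
  if [ "$(uname)" = "Darwin" ]; then
    swu_output=$(softwareupdate -l 2>/dev/null)
  else
    echo "not macOS; evaluating the constructed sample only" >&2
    swu_output=$SAMPLE_SWU_OUTPUT
  fi
  if console_user_logged_in; then session=logged-in; else session=logged-out; fi

  action=$(decide_action "$swu_output" "$session")
  echo "session: $session, action: $action"
  printf '%s\n' "$swu_output" | restart_labels    | sed 's/^/restart required: /'
  printf '%s\n' "$swu_output" | no_restart_labels | sed 's/^/safe unattended:  /'

  # Only act when APPLY=1 and we are really on a Mac; otherwise this is a dry run.
  [ "${APPLY:-0}" = "1" ] && [ "$(uname)" = "Darwin" ] || return 0
  case "$action" in
    install-unattended)
      printf '%s\n' "$swu_output" | no_restart_labels |
        while IFS= read -r label; do softwareupdate -i "$label"; done ;;
    prompt-user)
      # Assumed URL scheme for the Software Update pane (pre-Ventura layout).
      open "x-apple.systempreferences:com.apple.preferences.softwareupdate" ;;
    defer)
      echo "restart-required update pending; leaving it for a logged-in session" >&2 ;;
  esac
}

main "$@"
```

Run it as a script check that fails when `decide_action` returns `defer` for too long, and you get the "remains pending" alert the page describes without ever letting the check invoke `softwareupdate -i` for a restart-required update.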