Run Managed Patch
Script Type: Bash
Installing updates can ensure the smooth running of the computer and provide protection by patching any discovered security vulnerabilities.
The Run Managed Patch task automatically deploys verified Apple OS and third-party updates for supported products (not including Mac App Store purchases).
Pre-release, the updates go through the vendor's own QA process. As a safeguard to ensure these updates successfully install and do not contain any notable bugs, the Mac Agent team manually test and verify all patches before it approves them for production via the Managed Patch task.
The Mac Agent team performs approximately a week of testing before approving a patch as production-ready. However, when a vendor releases a critical patch, for example, to fix a security hole, the patch may move to production faster. Depending on its criticality, the patch may immediately move to production to deploy the update and plug the hole as quickly as possible.
The Task output contains its success status.
For information about adding Automated Task to devices, see Manage Automated Tasks.
We recommend you install the Managed Patch Status Script Check (either 24x7 Check or Daily Safety Check), which queries the device to return information on the most recent Managed Patch installations. This script alerts if patch installs have failed, or where pending (queued) patches require user log out. To add this check, see: Manage 24x7 or Daily Safety Checks.
Beginning with macOS 11 Big Sur, Apple does not publish updates to a traditional catalog URL so it is no longer possible to cache deprecated updates into a separate catalog and provide a testing buffer.
The Run Manage Patch task works with macOS 11 Big Sur and later versions, but it only provides the latest patches made available by Apple.
Apple Binary Instability
Due to industry reported instability in the binary used by Apple to perform patching of macOS (/usr/bin/softwareupdate), including security updates and Safari, we changed the behavior of the Run Manage Patch task. Where this instability occurs, it can leave the OS in a non-bootable (bricked) state.
As the unstable behavior is not observed when the user triggers the update from System Preferences, when the Run Manage Patch task runs and finds an Apple patch requiring a reboot needs to be installed, we no longer attempt the scripted installation that may lead to a non-bootable Mac.
Instead, we open the Software Update preference pane and display a branded notification to the user asking them to click the Update Now button.
To ensure the user performs this action, the Run Managed Patch task must be set to run whilst the user is logged in.
As a best practice, we recommend setting up two Run Managed Patch tasks on each Mac.
The first task runs while the user is present (logged in), to do most patches and display the new Apple behavior where an action is required. For example, installs third-party patches for apps that are closed, install Apple patches that do not require a reboot, and prompt the user with System Preferences if we download an Apple patch that does require reboot.
The second task runs only when the user is logged out, to do updates that cannot be installed with the user present. For example, installs all third-party patches, install Apple patches that do not require a reboot.
|Apple Updates||Include Apple patches. Where selected we will turn off Apple's built-in automatic updating.|
|Testing||Install patches as soon as they become available (not tested or verified)|
|Production||Only install tested and verified patches|
|Only run script if user is logged out||When enabled, we check the computer and if we discover a logged-in user, we queue the task until they have logged out. The logged-in user receives a notification to make them aware that a task is waiting for them to log out. Once they log out the task runs.
If deactivated, the Task runs, installs what it can and if we discover a logged-in user it stops. If the user then logs out of the computer expecting the task to continue, this will not take place as the task has already exited.
|Hide macOS notification when script is run||Enables you to run the task without notifying the user|
Managed Patch For Mac
Use the Managed Patch For Mac Report to view the patches on each device and their status.
The following repositories are maintained and updated nightly with the latest versions of the software.