Run Managed Patch

The Run Managed Patch task is one component of the patch solution for Macs. For more information, see Patch Management for Apple.

The Run Managed Patch task automatically installs verified third-party software updates for supported products using Munki client software. You can also prompt users to install Apple OS updates on unmanaged Apple devices not enrolled in Device Management for Apple.

To update the Apple OS version on your devices, see Update OS version on Apple devices.

To update App Store purchases on your devices, see App management.

Each patch in our repository is manually tested to confirm successful installation and to identify any notable bugs. When a patch is approved for production, its status changes from testing to production. By default, the task installs only production patches, but you can configure it to include testing patches.

We update the following lists nightly:

• Real-time patch list: Shows changes from the last seven days.
• Third-party patch list: Full list of updates in the Managed Patch repository.

If a vendor releases a critical patch, such as a security fix, its status may be accelerated to Moved to Production for faster deployment.

Reboot-sensitive patch handling on macOS

There is industry-reported instability in the Apple's patching binary (/usr/bin/softwareupdate). In rare cases, this can leave the OS in a non-bootable state.

This issue does not occur when users manually update through System Preferences.

To safeguard against this:

• When a patch requires a reboot, the task opens the Software Update pane and displays a branded notification prompting the user to select Update Now.
• To ensure this prompt appears, configure the Run Managed Patch task to run while the user is logged in.

The following video shows the user notifications and the Software Update preferences pane when the user selects Update Now:

Add and schedule a Run Managed Patch task

1. In the All Devices view go to the North-pane, and select one or more devices where you want to add the tas.
   • Use Shift + left-click to select a range of devices.
   • Use Control + left-click to select individual devices.
2. Right-click one of the selected devices and choose Task > Add.
   • The Task option appears only if the selected devices use the same operating system.
3. In the Add Automated Task dialog under Maintenance, select Run Managed Patch, then select Next.
   • Only tasks that match the selected devices' operating system are shown.

   

4. Enter a Descriptive Name, configure the parameters for the task and Select Next.

   

5. From the Select Frequency Method dropdown list, choose how often the task runs. Configure the Schedule Settings if needed, then select Next.

   • Once per day: Select the days and time to run the task. To run the task weekly, select a single day.
   • Once per day: Select the day of the month and the time to run the task.
   • On check failure: Select the check failure that will trigger the task. If available, configure additional options in With these settings...
   • Manual: Select to Run Automated Task On demand. The task runs in near real time and uploads results within a few minutes of completion.

   Tasks run based on the local time of the device where the agent is installed.

6. Choose and set the frequency options:

   • Run Task for a limited period: Select the start date and time, and the end date and time (available for once per day and once per month ).
   • Set maximum permitted execution time: Enter the maximum number of days, hours, and minutes the task can run before it is canceled.
7. (Optional) Select Run task as soon as possible if schedule is missed (available for once per day and once per month frequencies).

This option respects the Run Task for a limited period setting and will not execute tasks outside of that window.

8. If you're adding the task on multiple devices, select Next, confirm the devices where you want to apply the task, and select Add Task.

   The Run Managed Patch task is added to the selected devices and appears in the South-pane Tasks tab for each device. To view user actions related to the task, open the User Audit Report.

We recommend you Add a Managed Patch Status script check to monitor recent patch installations on Mac devices and receive alert notifications when a patch fails, is queued, or is pending.

Task parameters

• Prompt user to install Apple updates

  If an Apple update is found, the Software Update preference pane opens and a branded notification prompts the user to select Update Now.

  To update Apple OS versions without user action, see Update OS version on Apple devices.

• Testing

  Installs patches as soon as they become available. These patches are not tested or verified.

• Production

  Installs only patches that have been tested and verified.

• Command Line

  Optional. Enter parameters to pass to the Munki client software.

• Only run script if user is logged out

  If enabled and a logged-in user is detected, the task queues until the user logs out. The user receives a notification that a task is waiting. After logout, the task runs.

  

  If disabled, the task runs immediately. If a user is logged in, the task stops. It does not resume after logout.

• Hide macOS notification when script is run

  Runs the task silently without notifying the user.