Guide for Apple IT: Mac Patch Management

Posted on April 14, 2020

As security breaches become more sophisticated, having a swift, reliable, and automated Mac patch management solution for your company devices is a must. This is especially true if you're using a lot of custom apps (that is, apps that aren’t listed in the App Store), which can get pretty tedious to keep up to date.

In this guide, we’re going to take a look at Mac patch management, exploring the biggest challenges it poses for IT and seeing what solutions exist to streamline the process.

Here’s a quick overview of the topics we’ll cover:

  • The Biggest Challenges with Patch Management for Mac
  • Leveraging MDM (Mobile Device Management) for Mac Patch Management
  • Mac Patch Management for Different Types of Apps

 

The Biggest Challenges with Patch Management for Mac

With apps and books that come directly from Apple Business Manager (formerly VPP, Volume Purchase Program), businesses don’t have to worry too about patch management. (Note: VPP has since been replaced with Apple Business Manager, but we’ll use both terms here). However, when it comes to custom apps — which aren’t listed in the Mac App Store and must be downloaded from developer sites — it isn’t as easy.

To get right to the point, patch management for Mac isn’t just a hassle — it’s also a security concern. If your custom apps aren’t up-to-date, important stability or security updates for them could be missing from your company devices, leaving them vulnerable.

For example, take a look at one of the CVE (Common Vulnerabilities and Exposures) entries listed for Zoom. Older versions of this popular conferencing app have documented security vulnerabilities that can be exploited to hijack calls and potentially take action on the Mac running Zoom.

Zoom has since released an update that addresses this issue, but without a swift and reliable patch management strategy, a lot of Mac devices could have remained vulnerable much longer than they should have.

As we’ll cover in more depth next, some MDM (mobile device management) solutions have built-in patch management capabilities to identify and automate patches. This can shoulder a bit of the Mac patch management burden, but it still requires a lot of hands-on work to set up and maintain. Meanwhile, our team at Kandji has built a truly streamlined patch management solution that we’ll break down later.

If you aren’t using an MDM for patch management, then you probably fall in one of three camps, or a mix of them:

  1. You rely on Mac App Store Apps: As far as using apps from the Mac App Store goes, there isn’t much patch management to worry about; Apple does a great job keeping these updated. But when the time comes (and it will come, especially as you scale) to use custom apps and manage versioning on a lot of company devices — things will get messy.
  2. You rely on manual patch management: Because you aren’t leveraging an MDM and custom apps aren’t automatically updated (like Mac App Store apps are), patch management has to be done manually. If this is how you keep your apps up to date, then you know firsthand how time-consuming it can be, especially if you have a lot of apps and company devices to look after.
  3. You rely on monolithic imagining: Maybe you’re still using (shudder) monolithic imaging. In that case, you might want to check on its vitals (see: Is imaging dead?). For the uninitiated, this is a practice that involves building a Mac with all of the relevant software and settings in place, and then applying the disk image of that Mac’s boot drive to other Mac devices. This isn’t an ideal alternative to Mac patch management  solution, especially in the modern IT environment.

 

Using an MDM for Patch Management for Mac

So, completely manual Mac patch management is a hassle, but what makes leveraging MDM solutions any easier? Some MDM solutions have their own built-in patch management capabilities to do things like:

  • Take inventory of the app versions on your company devices.
  • Determine when new releases are available.
  • Create a package for the new update and deploy it.

While this is better than conducting completely manual patch management across all company devices (or imaging them), at the end of the day, it still requires a lot of effort on your part to build out processes, packages, and deploy them. So, it’s not really a solution as much as it is a step in the right direction.

And beyond that, you still need to figure out if the custom app needs:

  • Notification whitelisting to enable silent installs — without the user being notified.
  • Kernel Extension (KEXT) whitelisting to make sure that end users don’t receive prompts to approve Kernel Extension access.
  • PPPC (Privacy Preferences Policy Control) to let apps access protected user and system resources without prompting the users for approval.

Most MDM patch management solutions can’t do this, so while they take us a bit closer to a more streamlined patch management for Mac strategy, it’s still not as hassle-free and intuitive as it could to be. What’s the better option? We’ll dive into that next.

 

Mac Patch Management for Different Types of Apps

As we briefly discussed earlier, different types of apps have different requirements in terms of patch management. While apps directly from Apple Business Manager will keep themselves up to date with little need for intervention, custom apps require a lot more work. In this section, we’ll explore why — and introduce a new game-changer: Kandji’s Auto Apps.

1. Apple VPP Business Apps / Apple Business Manager Apps

Whenever possible, sticking with Apple VPP apps (now Apps and Books from Apple Business Manager) is ideal. Apple does a great job taking care of these, and most MDMs, like Kandji, can automatically send commands to update the apps once new versions are ready. This is about as light as the load can get when it comes to patch management for Mac.

mac patch management apple business manager

Image Source: apple.com/business

That said, just going with Apple VPP apps (now Apps and Books from Apple Business Managerblo) won’t give you a very large selection. While there are some great business apps available through Apple Business Manager, it’s unlikely that your company will find everything it needs there — especially as it scales. We’ve made something that will help.

2. Auto Apps

While Apple does a great job automatically updating Apple VPP apps (now Apps and Books from Apple Business Manager) without disrupting the user experience, managing and deploying third-party applications is another story. If you’ve ever tried to manage an app that didn’t come directly from Apple Business Manager (VPP), then you know what we mean. And that's why our team at Kandji built Auto Apps into our Apple MDM solution.

What are Auto Apps?

In a nutshell, Auto Apps streamline patch management for Mac by pre-packaging, automatically updating, and hosting apps that aren’t available in the Mac App Store. We’ve already loaded over 20 of the most common business apps into our Auto App Library, and we’re adding more every month based on our customers’ feedback.

To take advantage of Auto Apps, you just have to select which ones you want to use, and then Kandji will govern the patch management for you. That means you don’t have to spend another moment manually managing patches and updates. Auto Apps also give you control over how updates are enforced (either automatically or manually).

Auto Apps - mobile-3

There’s also a great “Add to Dock” feature that comes into play when your users uninstall an app. Add to Dock will notice that the app was uninstalled and then reinstall it and re-add it in the dock on the next check-in.

And remember how tedious managing whitelisting and Privacy Preferences Policy Control (PPPC) was with other MDM solutions? With Auto Apps, you can have peace of mind knowing every single app includes notification whitelisting, kernel Extension (KEXT) whitelisting, and PPPC as needed — so you can achieve truly silent installation.

3. Custom Apps

Custom apps pose the most challenges out of these three types of apps. If you’re using a custom app for your company devices and Kandji doesn’t have an Auto App for it, then you’ll have to rely on built-in MDM Mac patch management strategies, like the one we talked about earlier. This is definitely better than completely manual patch management, but it still isn’t ideal. To explain why, let’s take a look at what custom apps are and how they work with MDM.

What are Custom Apps?

A lot of users are surprised that popular business apps like Zoom and Google Chrome aren’t listed in the Mac App Store.

mac apple patch management

Image Source: developer.apple.com

Why not? Here’s the quick version (for a more in-depth discussion, see the “What are Custom Apps” section in our guide to app deployment for macOS):  Unlike iPad or iPhone, the Mac developed over years without an app store of its own. Whenever a user needed a program, an installation disc would be used to get it — and today you can just go onto the developer’s website and download an installer package.

Since many Mac users had been getting their apps directly from developers for years, they simply kept doing it, even after Apple introduced the Mac App Store.

The Challenge with Custom Apps

Because custom apps aren’t verified by Apple, as they would if they were listed in the Mac App Store, they pose a few issues.

The most obvious issue is safety. Because custom apps don’t come verified and vetted, it’s really important to make sure they’re safe. To make this easier, Apple made App Notarization required as of macOS Catalina, which scans for malicious content and code-signing issues, and Gatekeeper to check for notarization tickets.

Whenever a user tries to open the custom app, they receive a prompt informing them that the app has been downloaded from the internet and to verify that they’d really like to open it. While this doesn’t remove the threat of downloading some kind of malicious content, it does help the user make an informed decision.

is an app downloaded from the internet custom apps mac 1

Image Source: developer.apple.com

Another challenge with custom apps is availability. As we discussed earlier, the Mac App Store just doesn’t have a selection as broad as the App Store for iPhone and iPad. Since a lot of business apps can’t reliably be found on the Mac App Store, accessing and maintaining them requires more effort. 

To this end, Apple is working on a feature that might help: Project Catalyst.

What’s Project Catalyst

Essentially, Project Catalyst aims to automatically develop macOS versions of iOS apps using an automated process. First announced in macOS Catalina, Project Catalyst won’t be finished any time soon. However, even though it’s still in development, it’s a promising new feature that could have significant implications for app development and deployment.

project catalyst apple mac app store

Image source: TechCrunch.com

How does it work? Basically, Project Catalyst gives developers the ability to use a new Xcode development kit to translate their iPhone or iPad apps into Mac apps. The idea here is that automating the development process will encourage developers to get their apps into the Mac App Store.

This is great news for IT administrators. As more apps enter the Mac App Store, patch management for Mac will get a lot easier. That means IT won’t have to worry as much about downloading installers from developer websites and keeping up with updates manually. However, until Project Catalyst’s goals are realized, Mac patch management remains tricky.

That said, the best path forward is adding custom apps to your MDM solution’s library and using Kandji’s Auto Apps wherever possible.

Some Real-World Examples of Catalyst

As Project Catalyst progresses, a lot of the current challenges with Mac patch management will be reduced, simply because we’ll have more apps to use from the Mac App Store. For a real-world example of this, we can look to Jira.

Jira is a popular Cloud project management app from Atlassian. The developers, as early adopters of Project Catalyst, took their iPhone app and ported it over to macOS. Before this, Mac users could only use the Jira web browser app — but thanks to Catalyst, now there’s a native Mac Store App.

The same can be said for Twitter. While there was a time when Twitter had a Mac and an iPhone app that shared the same codebase, the two ultimately diverged. Once maintaining two codebases became too much hassle, they dropped the Mac app entirely. Until now, that is. Using Catalyst, the Twitter team made a Mac app that uses the existing iOS codebase. This gives development a huge boost, and they can just build Mac-specific features on top of it. 

project catalyst mac app store 1

Image source: developer.apple.com

Long story short, Catalyst is making it easier to turn iPhone apps into Mac apps, and that will make it easier on IT to handle Mac patch management .

Adding Custom Apps to your MDM

Now, let’s move on to see how you can leverage your MDM solution to take some of the stress out of Mac patch management. If you’re looking for custom apps (that don’t have an Auto Apps version), then adding them to your MDM library can help you keep track of them — and handle Apple MDM app distribution to boot.

The process of adding custom apps to your MDM library varies by the MDM solution you use, so in this section, we’re going to show you how easy it is in Kandji:

custom app patch management mac

  1. In the Kandji Web-App, click “Library” in the navigation bar.
  2. Click “Add New,” and then select “Custom App.”
  3. Fill out the sections. These include Execution Frequency and Install Details options, and you can also add any relevant preinstall or postinstall scripts. If your app requires restarting the device upon installation, you can check the “Restart After Successful Installation” box.
  4. Click “Save.”

That’s all there is to it — now, the custom app is saved to your Kandji library. This makes Apple MDM app distribution a breeze, and when the time comes to update the custom app, you can just replace the package with the new version, and Kandji will allow you to install the new package, as shown here:

custom app mac patch management kandji

Keeping all of your custom apps loaded into your MDM solution library can help you avoid some of the pain points of completely manual Mac patch management. But it bears repeating that using apps from Apple Business Manager or Kandji’s Auto Apps is always ideal.

 

Auto Apps are just the latest time-saving feature that we’ve come up with for Kandji, our MDM solution. With other great features like zero touch deployment, over 150 pre-built security controls, the ability to deploy third-party apps with just a few clicks, and plenty more, Kandji keeps your Apple devices safe and your IT team sane.

Request access to Kandji today.