How can you manage updates?

This will be long, but please read, as now is a critical time to provide Apple feedback before WWDC (whenever that takes place) and the next major OS is released. However, in the very near future that may change unless other IT administrators start to provide feedback to Apple. Apple security documents reference vulnerabilities by CVE-ID when possible. For some time now, Apple has allowed IT administrators to manage updates for macOS. Recent releases are listed on the Apple security updates page. For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.
Reposado is the most popular software to achieve this at the moment, since Apple removed that functionality from the macOS Server app. With softwareupdate you can create scripted workflows to have updates installed in an automated fashion. The ability to manage updates has worked pretty well for about 10+ years. This allows you to approve updates on your organization’s schedule and once the updates have been vetted. Apple's 2015 update, OS X 10.11 El Capitan, was announced to focus. You’ve been able to manage software updates on macOS through an Apple Software Update Server (SUS) and/or softwareupdate. With a Software Update Server, you can manage which updates are made available to your Macs. This means that the devices don’t need to redownload the necessary update over the internet; however, they’ll still need to contact Apple servers to complete the update process. macOS is a proprietary graphical operating system developed and marketed by Apple Inc. Software updates for Apple devices can be cached on a Mac running macOS 10.13 or later with Content Caching turned on. This is less than ideal in situations where computers are in shared environments such as computer labs or conference rooms. This has made working with softwareupdate a bit difficult and has resulted in some IT admins essentially creating workflows where they repeatedly prompt end-users to open up the Software Update preference pane to run updates. In other scenarios, if you downloaded software updates in advance, you only had a certain amount of time to install the updates before they “expired”, which would mean you’d need to redownload the updates again. For many reasons this is not a good assumption to make, as some third-party tools and/or patching workflows like to run at the login window. In some scenarios, the softwareupdate command line tool would simply say it completed successfully, but not actually restart/shutdown because it wasn’t run with a logged-in user.
They assume that all updates are essentially triggered when someone is logged in. This resulted in them adding a new option for softwareupdate which would take the appropriate action on updates that required a shutdown instead of a restart. Unfortunately, Apple made certain assumptions when updating softwareupdate and reworking their tooling/update process. Caching servers are useful for bandwidth savings, not controlling updates. Likewise, we’ve used the --ignore feature to temporarily block one or more specific updates because they were causing computers to not boot properly or computers to crash (issues created by new firmware). Unfortunately, caching servers do not help control which updates can get released to Macs. Apple will be making that impossible in a future OS release. For example, in 10.15 if you run "softwareupdate --set-catalog" you will get the message: "Changing the Software Update catalog is deprecated. The ability to specify a custom catalog will be removed in a future release of macOS." It is unclear what future release that will be. In 10.15.4, another interesting change has occurred: the ability to use --ignore to ignore updates through softwareupdate will also be deprecated and removed. And although the MDM documentation has not been updated, in macOS 10.15.4, Apple is planning the following: The forceDelayedSoftwareUpdates key in the Restrictions payload will now apply to major OS versions in addition to software updates. This would be problematic for our environment for multiple reasons, two of which include: 1) we cannot just allow users to upgrade to the latest version of macOS without ensuring all third-party software works and 2) it also implies that the previous version of macOS will no longer get security updates. --set-catalog and its MDM equivalent have been used for many years by many organizations to point Macs at an internal software update server containing updates that they’ve approved and released on THEIR schedule.
A few years ago, they released an update that broke Ethernet on Macs. But more recently, they’ve released updates that have caused kernel panics on some Macs waking up from sleep. We only take action to ignore an update when we notice that there are widely reported problems that are affecting us internally due to the latest update Apple has released causing issues. As a simple aside, Apple’s quality control on their updates in recent years has left a lot to be desired. That is, we typically tend to support the latest Apple updates the same day. Requires a supervised device. With this restriction in place, the user doesn’t see a software update until the specified number of days after the software update release date. Available in iOS 11.3 and later, macOS 10.13 and later, and tvOS 12.2 and later. Description: Sets how many days to delay a software update on the device. Requires a supervised device. In macOS, seed build updates are allowed, without delay. Apple is taking these mechanisms away without providing adequate functional replacements. Completely turning off Apple software updates to avoid these forced OS updates will leave our Macs missing other important security updates. Existing mechanisms for controlling and managing these updates have worked well for us for at least ten years. We are not 100% in control of when we can move to new macOS releases: often we must wait for third-party vendors to release their own updates and also confirm that Apple does not introduce new bugs in their own updates. It will be a major business disruption if our Macs are forced to upgrade to macOS 10.16 (or another future release) on Apple’s schedule and not ours.
What are the problems with the current options?

If I think about the implications of these deprecation notices in 10.15 and you look at how software updates behave on iOS, it’s hard to avoid this conclusion: macOS 10.16 will be distributed via Apple Software Update and previous methods to control the availability of these major updates will no longer work. You will be able to use MDM to delay it up to 90 days (no longer), but only if you delay all other updates 90 days as well. The only other possible option is to completely disable Apple Software Update checks, which means getting zero security updates, like those for MRT and XProtect. If my interpretation is correct here, Apple seems to have decided that its own schedule is far more important than the schedule of any organization that has chosen to use Mac computers. However, in my experience, the automatic update mechanism has resulted in a much lower percentage of our Macs getting updated versus prompting users to perform updates or forcing the update on computers that may not be in use. As an example, maybe Adobe has released a version of InDesign that finally works with the latest version of macOS, but now you need to wait for that Adobe InDesign third-party plugin to also get updated too! And then add to that the third-party plug-ins that then have to work with those applications. Think of companies that rely on image, video or audio applications that often are slow to support the latest operating system. Keep in mind that for many organizations, macOS is not the main productivity tool; third-party apps are, and we have to respect their requirements, too. You cannot block specific updates or major OS version advertisements like you can with an internal Software Update Server or through the use of softwareupdate --ignore. Historically, for the past few years, Apple has released updates about every 2 months.