Skip to main content

For anyone that prefers to make Safari updates available via Self Service, here are the standalone installer download links extracted from Apple's Software Update Server catalog for what Apple's  Security update bulletins published today are calling Safari 16.3.1. Unfortunately what Apple actually released today were new builds of Safari 16.3 with updated Build numbers. This means you'll have to use an EA to extract the CFBundleVersion string from the Safari app bundle to figure out exactly what version of Safari you have installed (also posted below).

Safari "16.3.1" for macOS Big Sur: http://swcdn.apple.com/content/downloads/30/47/032-38743-A_CT6YB7IU0E/etlliehrvoqmlrb8mso9d2lh8vtnb59e0o/Safari16.3BigSurAuto.pkg

Safari "16.3.1" for macOS Monterey: https://swcdn.apple.com/content/downloads/61/07/032-38754-A_I6L5FGHO4W/6vezgtgkabm4112wd26y1moii3kak18ykb/Safari16.3MontereyAuto.pkg

EA to report Safari CFBundleVersion:

 

#!/bin/sh # EA - Get Safari CFBundleVersion result="Not Installed" PListToCheck="/Applications/Safari.app/Contents/Info.plist" if [ -f "$PListToCheck" ] ; then result=$( /usr/bin/defaults read "$PListToCheck" CFBundleVersion ) fi echo "<result>$result</result>"

 

Is there a Safari pkg for Ventura?


Is there a Safari pkg for Ventura?


@SMR1 No. Currently to update Safari on macOS Ventura you have to do a full macOS Ventura update. Once the successor to Ventura comes out then we may see standalone updates as with macOS Big Sur.


@SMR1 No. Currently to update Safari on macOS Ventura you have to do a full macOS Ventura update. Once the successor to Ventura comes out then we may see standalone updates as with macOS Big Sur.


@SMR1 @sdagley 

The days of standalone Safari is over with MDM.  This does make sense from Apple's perspective as it is core to the OS and should be considered an OS upgrade.  The major issue is that OS upgrades take so darn long and require a reboot from what I understand.

If Apple can make a simple x.x.1 upgrade that acts like a standalone safari update.  Also, can be executed quickly and present the ability to not require a restart where necessary it would be great.

It just feels like Apple and JAMF haven't dedicated the resources to get this into a more manageable state for enterprise.  This has been an issue for years.


@SMR1 @sdagley 

The days of standalone Safari is over with MDM.  This does make sense from Apple's perspective as it is core to the OS and should be considered an OS upgrade.  The major issue is that OS upgrades take so darn long and require a reboot from what I understand.

If Apple can make a simple x.x.1 upgrade that acts like a standalone safari update.  Also, can be executed quickly and present the ability to not require a restart where necessary it would be great.

It just feels like Apple and JAMF haven't dedicated the resources to get this into a more manageable state for enterprise.  This has been an issue for years.


@steven_z You're missing the point that Apple does make a standalone Safari installer for Monterey which also uses a Sealed System Volume similar to Ventura. Since Safari on Ventura is installed in /System/Cryptexes/App/System/Applications it could be updated as a standalone update, but Apple chooses not to.

The update architecture for macOS, and the apps included with macOS, is purely Apple's domain. Jamf just follows their lead (I'm sure they'd like to have some input on the decisions, but I don't expect it works that way).

Apple's Rapid Security Response feature will provide less than full macOS update security updates, but we've yet to see them except in testing so it's too soon to tell if they'll be used to update Safari. While Apple did pitch the RSR updates as not requiring restarted at WWDC that's limited to updates being applied at the app level, for OS level updates you'll still have to restart but at least it won't be like a "regular" OS update.


@steven_z You're missing the point that Apple does make a standalone Safari installer for Monterey which also uses a Sealed System Volume similar to Ventura. Since Safari on Ventura is installed in /System/Cryptexes/App/System/Applications it could be updated as a standalone update, but Apple chooses not to.

The update architecture for macOS, and the apps included with macOS, is purely Apple's domain. Jamf just follows their lead (I'm sure they'd like to have some input on the decisions, but I don't expect it works that way).

Apple's Rapid Security Response feature will provide less than full macOS update security updates, but we've yet to see them except in testing so it's too soon to tell if they'll be used to update Safari. While Apple did pitch the RSR updates as not requiring restarted at WWDC that's limited to updates being applied at the app level, for OS level updates you'll still have to restart but at least it won't be like a "regular" OS update.


@sdagley You are definitely more knowledgeable than I am.  My question would be does Ventura still have the capability to install Safari as a standalone or maybe Apple is locking Safari to the system so it can only be deployed as an OS update to protect an integral application?


@sdagley You are definitely more knowledgeable than I am.  My question would be does Ventura still have the capability to install Safari as a standalone or maybe Apple is locking Safari to the system so it can only be deployed as an OS update to protect an integral application?


@steven_z I can't speak for Apple's plans, but as I see it there's not a technical reason they couldn't offer a standalone Safari updater for Ventura like they do for Monterey. Since Ventura is the current major macOS release it's easier to tie the OS and Safari updates together. If you're an org that's not allowing updates from Monterey to Ventura yet (for whatever reason) it's possible you might not be allowing macOS updates either but a standalone Safari updater might be useful.