The updates released on Monday are a hot mess. Safari was broadcasted to be 16.3.1, and apple released 16.3* instead. You had to read the CFBundleVersion to know which build of Safari you had installed, which of course patch management cannot manage. JAMF Added a patching policy for 16.3.1 this morning. I manage my own patching definitions, are you using JAMF provided packages or are you making your own?

So, yes. Lots of strange things right now. 

Re: Safari 16.3.1 Standalone Installers - Jamf Nation Community - 284167

Been using the 16.3 version that I found on MrMacintosh. it working fine as far as I can tell.

should I be using the updated patch policy that Jamf have released with my 16.3 package.

I see there isn’t a 16.3.1 so can’t see that would make any difference. 

Just puzzled why some machines are advising Safari been available through software update. Despite it already been installed. I’m not seeing this on ever machine just some. 

I will say it’s difficult to see how many are showing the above as I have over 800 IMacs.

Correct me if I'm wrong: if I push Safari to all devices in this new version, the devices are safe again, right? There is also no problem that the Ventura Fix 13.2.1 has not yet been installed?

Patching Safari is only one piece of the puzzle, because this affects _webview_ as well, so any app that users Apple's webview (like _all_ webclip-type apps) will also be affected. 

Apple just stealth updated their security update page to list 16.3 again, instead of 16.3.1 for Safari. 
Apple security updates - Apple Support 

Not sure if this is related, but it seems that there is also some confusion with Safari and using Smart Groups based on "Patch reporting Safari" and asking for it to locate machines with "Latest Version"

In our Patch Reporting, we're showing 36 machines on the latest version yet the Smart Group I've defined to locate them (and so be used to work out which machines I need to target with the update policy) shows 0 devices.