Posted on 02-04-2021 06:04 AM
Hi, I was wondering what my fellow Jamf administrators do about patching macOS as far as lifecycle goes. I'm a long-time SCCM admin and very familiar with the Windows side, but still a little green on macOS. I'm currently getting my neglected Macs up to macOS 11 as a baseline, but I'm wondering: do you always stay on the latest version? I've heard Apple supports Macs two releases back, but I'm unsure on that. I would like to only patch one version, so maybe I stick to 11, and when 11.whatever comes out, once I've tested it and I'm ready, I just move all of them. With Windows I usually stay at n-1, and as long as I'm on a supported release with security patches I'm OK; I just update every other release (so skip 2004, upgrade to 20H2, etc.). Also, what does everyone do about upgrading macOS? Our infosec blocks Apple's update servers, so I usually have to download the latest full installer off-network and upload it as a DMG (since it's too big for a package), and I have a script that takes the .app, puts it in Applications, and runs it silently. Is that the best way? A 12GB update every patch is kind of big lol, although it's not impossible to do.
Posted on 02-04-2021 06:24 AM
@lbseals Installing macOS updates these days requires a network connection even if you have downloaded the installer, so you need to get your InfoSec team on board. You'll want to reference the "Use Apple products on enterprise networks" KB article from Apple on what servers are needed.
IMO N-1 is preferred for what versions of macOS I want to see deployed in my environment, but N-2 is usually doable. Apple typically provides Security Updates for N-2, and Microsoft's support for the Mac version of Office is N-2 (see "Upgrade macOS to continue receiving Microsoft 365 and Office for Mac updates").
With Apple's push to eliminate the use of Kernel Extensions for third-party products, and the introduction of System Extensions in macOS Catalina to replace them, you might have more pressure to be on N-1, as some security-related vendors have released updates to their products that require System Extension support. That creates a requirement for supporting two versions if your environment has macOS Mojave systems.
Posted on 02-04-2021 06:37 AM
Unfortunately, at this point Microsoft does a much better job of making your life easier managing Windows systems. On Macs you can't just slipstream the latest Security Update into your OS installer ISO; in fact, unlike SCCM OSD, you can't readily image Macs at all anymore, and even a vanilla OS install requires internet connectivity so the installer can validate itself with Apple and, mid-install, pull down additional required components (usually firmware for the Touch Bar or T2 security chip). This is really wonderful: you can actually pretty easily get a modern T2-equipped Mac you're rebuilding into a state where you must perform an Internet Recovery!
What you've heard is currently correct; Apple patches their latest OS pretty quickly and provides security updates for the previous two releases. So we're looking at macOS 11 (10.16) = Big Sur getting current updates for security and "features" (usually mostly bug fixes), while 10.15 = Catalina and 10.14 = Mojave will only get Security Updates, and not until several days after Big Sur is patched.
Within major OS releases, Apple pretty much expects you to stay up to date at all times. If you are encountering an issue with Big Sur 11.1, you'll be directed to upgrade to 11.2; if there's a bug fix in 11.2 for something in 11.1 that you need in your environment, there's no separate KB patch that just implements that particular fix in 11.1. You'll need to move your fleet to 11.2.
If your InfoSec team is blocking Apple's servers, you'll want to get them to stop doing that, or stand up a separate Mac that they WILL allow to access Apple's servers to run Apple's Caching Server service (any Mac can do this, but it will take significant storage). You'll still need to at least allow all Macs access to Apple's magic that lets local Macs find the local caching server. Fortunately, most minor OS updates are 2-4 GB in size, not full-OS-installer-sized downloads.
Most of us long-time Mac admins are shaking our heads at Apple and wondering what's going on with their QA; there's a lot of inconsistency and far-too-frequent regressions in subsequent updates, OR glaring new bugs introduced. Security Updates are generally cumulative, so Security Update 2021-001 for Mojave is all you need, but when Big Sur was released, likely due to a lack of engineering resources, Security Update 2020-006 required Security Update 2020-005 to be installed; 2020-007 was again fully cumulative. It seems like with the M1 (Apple Silicon) Macs, Apple is changing the paradigm for complete OS wipe/reinstallation to something analogous to an iOS device, which makes sense, but is totally different from the direction Apple was going with the previous two Intel-based generations.
Fortunately, there is a deep community of Mac admins here and in the MacAdmins Slack who can offer insight and assistance, and who will be able to share your frustrations as we discover what fresh changes Apple has wrought, not unlike the way Microsoft was toying around with Windows 10 releases early on in its lifecycle.
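An added example (my own script, not code posted by anyone in this thread) that ties together the two practical points raised above: the N-2 support window from the replies, and the "stage the full installer, then run it silently" approach from the original question, with an installer integrity check in front of the silent run. Everything it assumes is marked: the installer path under /Applications, macOS 11 as the baseline, the N-2 rule, and the `Authority=Software Signing` string that codesign prints for Apple's own installer apps. The release-ordinal mapping is the one piece worth copying, since a plain numeric compare of "10.15" against "11" gets the Catalina-to-Big Sur step wrong.

```bash
#!/bin/bash
# Added example, not from the thread: staged full-installer upgrade with a
# support-window check and an installer integrity check in front of it.
# Assumptions (not stated in the thread): the full installer has already been
# copied to /Applications, the target is macOS 11, and the lifecycle rule is
# "current release plus two previous" (N-2), as the replies describe.
set -u

INSTALLER_APP="/Applications/Install macOS Big Sur.app"   # assumed staging path
TARGET_RELEASE="11"                                        # assumed baseline
RELEASES_BACK=2                                            # N-2 policy

# Map a productVersion string onto a release ordinal so the 10.x -> 11 renumbering
# does not break comparisons: 10.14 -> 14, 10.15 -> 15, 11.x -> 16, 12.x -> 17.
release_ordinal() {
  local major=${1%%.*} rest=${1#*.}
  if [ "$major" -eq 10 ]; then
    echo "${rest%%.*}"
  else
    echo $((major + 5))
  fi
}

# True if $1 (installed version) is within $3 releases of $2 (latest shipping release).
within_support() {
  local have latest
  have=$(release_ordinal "$1")
  latest=$(release_ordinal "$2")
  [ "$have" -ge $((latest - $3)) ]
}

# True if $1 (installed version) is older than $2 (target release).
needs_upgrade() {
  [ "$(release_ordinal "$1")" -lt "$(release_ordinal "$2")" ]
}

# Refuse to hand root to an installer bundle that is not intact and Apple-signed.
# "Software Signing" is the authority codesign shows for Apple's own installer apps
# (assumption: confirm against one known-good copy in your environment).
verify_installer() {
  codesign --verify --deep --strict "$1" >/dev/null 2>&1 || return 1
  codesign -dvv "$1" 2>&1 | grep -q 'Authority=Software Signing'
}

# Silent in-place upgrade. Needs root and, as the replies note, still needs to
# reach Apple's servers even with the full installer staged locally.
run_upgrade() {
  verify_installer "$1" || { echo "installer failed signature check: $1" >&2; return 1; }
  "$1/Contents/Resources/startosinstall" --agreetolicense --nointeraction --forcequitapps
}

main() {
  local installed
  installed=$(sw_vers -productVersion)
  if ! needs_upgrade "$installed" "$TARGET_RELEASE"; then
    echo "already on $installed, nothing to do"
    return 0
  fi
  if ! within_support "$installed" "$TARGET_RELEASE" "$RELEASES_BACK"; then
    echo "$installed is outside the N-$RELEASES_BACK window; upgrading now" >&2
  fi
  run_upgrade "$INSTALLER_APP"
}

# Only start the upgrade when invoked explicitly on a Mac; sourcing the file
# just defines the functions so the policy checks can be reused elsewhere.
if [ "$(uname -s)" = "Darwin" ] && [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as root with `--run` from a Jamf policy after the DMG has been mounted and the .app copied into place; with no arguments it only defines the functions, which is handy for checking a fleet report against the N-2 window without touching any machine.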
Posted on 02-09-2021 07:43 AM
Thanks to everyone here for the replies. I brought it up to infosec, but for now I think I'll have to go with either a separate Mac that can run Apple's caching server or packaging the full .app. I'm packaging up the full 12GB .app and deploying it for now.