macos patch update best practice

Macchendran
New Contributor

Hello,

Need a suggestion with the macOS patch management.

In our environment we are managing different OS versions.

E.g. we have 100 devices with macOS 12, 100 devices with macOS 13, and respectively 100 devices with macOS 14.

If we need to update patch in macOS 12 to latest 12.7.4

If we need to update patch in macOS 13 to latest 13.6.6

If we need to update patch in macOS 14 to latest 14.4.1

What is the best practice we can follow? Thank you.

obi-k
Valued Contributor II

Others will chime in, but the recommendation would be to baseline your environment to one macOS version. Of course, this will require testing on your part and perhaps your infosec will have a voice in it.

But overall, if you can get them all to the latest and greatest, which is 14.4.1 at the time of this writing, get your devices to that.

You can scour other threads for managing macOS updates. There's Nudge and Superman. You can also look into leveraging the new DDM, but that would require macOS 14 and up. Otherwise, you'll be playing with the older MDM commands for software updates.

sdagley
Esteemed Contributor II

@Macchendran I cannot emphasize @obi-k's recommendation enough. Getting all of your environment upgraded to the latest version of macOS 14, rather than the latest update to the macOS version they currently have installed, should be your goal. Once you have your environment baselined, updating to Apple's latest macOS Whatchamacallit becomes much simpler.

AJPinto
Honored Contributor II

As @obi-k suggested, you need to have all your Macs on a single version of macOS. There are several reasons for this.

  • Features: Apple does not add new features to older builds, such as Declarative Device Management (which requires macOS 14) and is a tool to manage OS updates.
  • Security: Apple themselves state they don't patch all known vulnerabilities in non-current (at this time macOS 14 and iOS 17) builds of their software.
  • No roadmaps: we know that macOS 12 will reach end of life this year, but you have no idea when its last security patch will be until months after it happens, when you notice that a CVE was not patched in macOS 12. Which opens you up to security vulnerabilities (see above).

Note: Because of dependency on architecture and system changes to any current version of Apple operating systems (for example, macOS 14, iOS 17, and so on), not all known security issues are addressed in previous versions (for example, macOS 13, iOS 16, and so on).

About software updates for Apple devices - Apple Support

As far as how to manage OS updates, Apple does not give us any options. You use MDM commands (or DDM for macOS 14), and that is it. There are ways to help engage users such as Nudge; I use Jamf Helper to notify people when OS updates are available, but that is just alerts and not actually managing updates. The general state of managing macOS updates has not changed much since 2020.

Introduction - Technical Paper: Deploying macOS Upgrades and Updates with Jamf Pro | Jamf


mm2270
Legendary Contributor III

I 3rd (or 4th) the recommendations above. We had let things slide a bit too much where I am, and also currently have a spread of Monterey through Sonoma, but we're making a push to get them all upgraded to Sonoma this month. Once on the latest and greatest, software update management should get easier.

I'm really hoping DDM being in the mix will be a big improvement in an area (software update management) that frankly has stunk to high heaven for a number of years now. That being said, I'm keeping my expectations... mild.

sdagley
Esteemed Contributor II

Speaking as someone who has gone through using DDM Scheduled Updates to enforce 14.2.1 and 14.3.1 updates (we're also using it for 14.4.1 but that deadline hasn't hit yet), I can say the success rate is around 98%. Not perfect, but worlds better than where things were since macOS Big Sur. The Macs that have failed to update from the DDM command are generally ones that have an uptime north of two weeks, or ones that were still reporting a previous update was still in progress even though it had completed (the force download and install MDM command helped pick those up).

obi-k
Valued Contributor II

I was actually going to start another Jamf thread about this and get your (@sdagley) and others' thoughts on this.

We were late to the ballpark with DDM Software Update Beta. This was due to a couple of PIs. I did run the macOS 14.4.1 DDM scheduled update and was pleasantly surprised by the saturation uptick and no complaints from test users.

• The one gotcha I noticed was that the scheduled date kept moving back on the endpoints. You could see it in the notification go from, for example, 5 PM to 5:20 PM, to 5:35 PM, and so on. On one test device, it did restart and update on its own. For the test devices, I just hit "Update." 

• We will be testing our iOS fleet with DDM for 17.5. I did have positive traction on my test device for 17.4.1; it got the notifications and promptly restarted on its own.

• There were two gotchas. One was the PI116287 for using a specific version. One was PI117278 for resetting the Software Update Beta feature.

• I also noticed if you run the old MDM command ahead of the DDM command, the endpoints respect the first MDM command first and ignore the DDM command. Next time around, I will send the DDM command first and schedule the iOS update.

• Overall, I see a positive with this. I'm curious what others think, especially those who use other tools like Superman or Nudge. 

SCCM
Contributor III

For DDM, OP would need to update all his devices to Sonoma 14 before the feature will work in the first place; 2/3rds of his devices would need updating using the old methods first.
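Added example, not code from any poster in this thread: a POSIX shell script that turns two observations above into something an admin can run as a Jamf-style extension attribute or over an inventory export. It applies sdagley's note that DDM scheduled updates mostly fail on Macs with more than two weeks of uptime, and SCCM's point that only Macs already on macOS 14 can be targeted by DDM at all, so everything older must go through the legacy MDM software update commands. The 14.4.1 baseline and the 14-day threshold come from the thread; the `<result>…</result>` output wrapper is the real Jamf extension-attribute convention and `sw_vers` / `sysctl kern.boottime` are real macOS commands; the inventory lines, the serial numbers and every function name are constructed for this example.

```shell
#!/bin/sh
# Fleet patch-readiness check (example code, not from the thread or from Jamf).

TARGET_VERSION="14.4.1"   # fleet baseline named in the thread
DDM_MIN_VERSION="14.0"    # DDM software update management needs macOS 14+
MAX_UPTIME_DAYS=14        # "north of two weeks" uptime correlated with DDM failures

# version_ge A B: succeed (0) if dotted version A >= B, comparing up to 3 numeric fields.
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$1" | cut -d. -f"$i")
    y=$(printf '%s' "$2" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}          # "14.4" is treated as "14.4.0"
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# uptime_days BOOT_EPOCH NOW_EPOCH: whole days since boot.
uptime_days() {
  echo $(( ($2 - $1) / 86400 ))
}

# patch_status VERSION UPTIME_DAYS: "compliant" or "outdated", with a
# "-high-uptime" suffix when the Mac is a likely DDM straggler.
patch_status() {
  if version_ge "$1" "$TARGET_VERSION"; then s="compliant"; else s="outdated"; fi
  if [ "$2" -gt "$MAX_UPTIME_DAYS" ]; then s="$s-high-uptime"; fi
  printf '%s\n' "$s"
}

# update_path VERSION: which enforcement mechanism can reach this Mac.
update_path() {
  if version_ge "$1" "$DDM_MIN_VERSION"; then echo "ddm"; else echo "mdm-legacy"; fi
}

# fleet_plan: read "serial version uptime_days" lines on stdin and emit
# "serial status path" per device, so the spread can be grouped for rollout.
fleet_plan() {
  while read -r serial version days; do
    [ -n "$serial" ] || continue
    printf '%s %s %s\n' "$serial" "$(patch_status "$version" "$days")" "$(update_path "$version")"
  done
}

# Constructed sample inventory mirroring the OP's 12/13/14 spread (not real devices).
SAMPLE_INVENTORY='C02EXAMPLE001 12.7.2 3
C02EXAMPLE002 13.6.6 21
C02EXAMPLE003 14.3.1 16
C02EXAMPLE004 14.4.1 2'

# Run as an extension attribute on a Mac: report this machine's own status.
if [ "$(uname)" = "Darwin" ]; then
  current=$(sw_vers -productVersion)
  boot=$(sysctl -n kern.boottime | sed 's/.*sec = \([0-9]*\).*/\1/')
  echo "<result>$(patch_status "$current" "$(uptime_days "$boot" "$(date +%s)")")</result>"
else
  # Anywhere else: show the rollout grouping for the constructed inventory.
  printf '%s\n' "$SAMPLE_INVENTORY" | fleet_plan
fi
```

Feeding a real inventory export (one `serial version uptime_days` line per Mac) into `fleet_plan` gives two groups immediately: the `mdm-legacy` rows are the two-thirds of the fleet that have to be moved to Sonoma with the older MDM commands before DDM can be used, and the `high-uptime` rows are the candidates to reboot or to hit with the force download-and-install command before a DDM deadline.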