For anyone that prefers to make Safari updates available via Self Service, here are the standalone installer download links extracted from Apple's Software Update Server catalog for what Apple's Security update bulletins published today are calling Safari 16.3.1. Unfortunately what Apple actually released today were new builds of Safari 16.3 with updated Build numbers. This means you'll have to use an EA to extract the CFBundleVersion string from the Safari app bundle to figure out exactly what version of Safari you have installed (also posted below).
Safari "16.3.1" for macOS Big Sur: http://swcdn.apple.com/content/downloads/30/47/032-38743-A_CT6YB7IU0E/etlliehrvoqmlrb8mso9d2lh8vtnb5...
Safari "16.3.1" for macOS Monterey: https://swcdn.apple.com/content/downloads/61/07/032-38754-A_I6L5FGHO4W/6vezgtgkabm4112wd26y1moii3kak...
EA to report Safari CFBundleVersion:
#!/bin/sh # EA - Get Safari CFBundleVersion result="Not Installed" PListToCheck="/Applications/Safari.app/Contents/Info.plist" if [ -f "$PListToCheck" ] ; then result=$( /usr/bin/defaults read "$PListToCheck" CFBundleVersion ) fi echo "<result>$result</result>"
Given that this is not the first time this has happened with a Safari release (I forget if it's the 3rd or 4th time) and the complete lack of reliability in the macOS software update mechanism the past couple of macOS generations it does make one wonder if there is any adult supervision for Apple's software releases. Yes I'm grumpy, but I've been working on Macs since you had to have a Lisa to write software for them and I'm not happy with Apple's current level of attention to detail.
Yup, apparently Apple has discovered there is a shortage of numbers, you know, those things that are infinite. Why they do this I just can't even wrap my head around. It's like rank incompetence. How difficult is it to give something a new proper number? Apparently very difficult for Apple.
I got an email from JSS this morning at 3:41a that a patching definition for Apple Safari v16.3.1 was added.
It was not there yesterday. I was annoyed that I had to downgrade all my patching definitions so I could replace the 16.3 package with the 16.3.1 package. I figured it best to get the vulnerable package out of the mix.
Oh it gets better. After I complained yesterday that the re-use of the Safari 16.3 version number for the new Safari releases didn't match the 16.3.1 version listed in the Security update bulletins Apple revised the Security bulletins to roll the version number back to 16.3 and add a mention of checking the Build number. <HeadExplodingEmoji/>
So which build numbers are we talking about?
On macOS 13.2.1 I am seeing
On macOS 12 I am seeing
Just going with a hunch that the highest numbers are the correct latest patches and when there's a discrepancy (like 13.2.1 with older build) this could be because OS numbers are sent through the new declarative management status channel, while the CFBundle ID has to be extracted programmatically by the EA script, with a delay.
Same here. Not overly concerned with 11 and 12 since sdagley was able to provide those packages. Thank you so much!!
However, I am seeing multiple different Safari builds when the OS is claiming to be upgraded to 13.2.1. Not sure if we are compliant with remediation.
Is it possible to get the correct Safari package for Ventura so we can update it manually?
I did install it on our test devices and the version changed, but in Jamf, it's labeling it 16.3.1 in patch management. When I look at the installs for this, it shows zero. I'm assuming because it's not technically called 16.3.1.
@atlantamacguru Thanks for the heads up! Looks like Apple added macOS Big Sur 11.7.4 and Safari 16.3.1 for Big Sur to SUS on 2023-02-15
EDIT: Looks like @ClassicII identified the reason for the Safari 16.3.1 release for Big Sur on the MacAdmins Slack channel:
The update "fixes an issue that may cause website icons to not load."
The Big Sur 11.7.4 update is required before you can install the Safari 16.3.1 update.
Found a link for Safari 16.3.1 (Big Sur) that reports back 16618.104.22.168.7
How does one find/access a list of swcdn download links? I happen to come across the above from another forum.
The days of standalone Safari is over with MDM. This does make sense from Apple's perspective as it is core to the OS and should be considered an OS upgrade. The major issue is that OS upgrades take so darn long and require a reboot from what I understand.
If Apple can make a simple x.x.1 upgrade that acts like a standalone safari update. Also, can be executed quickly and present the ability to not require a restart where necessary it would be great.
It just feels like Apple and JAMF haven't dedicated the resources to get this into a more manageable state for enterprise. This has been an issue for years.
@steven_z You're missing the point that Apple does make a standalone Safari installer for Monterey which also uses a Sealed System Volume similar to Ventura. Since Safari on Ventura is installed in /System/Cryptexes/App/System/Applications it could be updated as a standalone update, but Apple chooses not to.
The update architecture for macOS, and the apps included with macOS, is purely Apple's domain. Jamf just follows their lead (I'm sure they'd like to have some input on the decisions, but I don't expect it works that way).
Apple's Rapid Security Response feature will provide less than full macOS update security updates, but we've yet to see them except in testing so it's too soon to tell if they'll be used to update Safari. While Apple did pitch the RSR updates as not requiring restarted at WWDC that's limited to updates being applied at the app level, for OS level updates you'll still have to restart but at least it won't be like a "regular" OS update.
@steven_z I can't speak for Apple's plans, but as I see it there's not a technical reason they couldn't offer a standalone Safari updater for Ventura like they do for Monterey. Since Ventura is the current major macOS release it's easier to tie the OS and Safari updates together. If you're an org that's not allowing updates from Monterey to Ventura yet (for whatever reason) it's possible you might not be allowing macOS updates either but a standalone Safari updater might be useful.