Safari 16.3.1 Standalone Installers

sdagley
Esteemed Contributor II

For anyone that prefers to make Safari updates available via Self Service, here are the standalone installer download links extracted from Apple's Software Update Server catalog for what Apple's  Security update bulletins published today are calling Safari 16.3.1. Unfortunately what Apple actually released today were new builds of Safari 16.3 with updated Build numbers. This means you'll have to use an EA to extract the CFBundleVersion string from the Safari app bundle to figure out exactly what version of Safari you have installed (also posted below).

Safari "16.3.1" for macOS Big Sur: http://swcdn.apple.com/content/downloads/30/47/032-38743-A_CT6YB7IU0E/etlliehrvoqmlrb8mso9d2lh8vtnb5...

Safari "16.3.1" for macOS Monterey: https://swcdn.apple.com/content/downloads/61/07/032-38754-A_I6L5FGHO4W/6vezgtgkabm4112wd26y1moii3kak...

EA to report Safari CFBundleVersion:

 

#!/bin/sh

# EA - Get Safari CFBundleVersion

result="Not Installed"
PListToCheck="/Applications/Safari.app/Contents/Info.plist"

if [ -f "$PListToCheck" ] ; then
	result=$( /usr/bin/defaults read "$PListToCheck" CFBundleVersion )
fi

echo "<result>$result</result>"

 

31 REPLIES 31

obi-k
Valued Contributor II

Why Apple? Why.

sdagley
Esteemed Contributor II

Given that this is not the first time this has happened with a Safari release (I forget if it's the 3rd or 4th time) and the complete lack of reliability in the macOS software update mechanism the past couple of macOS generations it does make one wonder if there is any adult supervision for Apple's software releases. Yes I'm grumpy, but I've been working on Macs since you had to have a Lisa to write software for them and I'm not happy with Apple's current level of attention to detail.

mm2270
Legendary Contributor III

Yup, apparently Apple has discovered there is a shortage of numbers, you know, those things that are infinite. Why they do this I just can't even wrap my head around. It's like rank incompetence. How difficult is it to give something a new proper number? Apparently very difficult for Apple.

piotrr
Contributor III

Again we are reminded of how badly unable we are to force updates on Mac users. 

AJPinto
Honored Contributor II

We don't manage devices over here, that is not the Apple Way. We politely herd sheep to do the right thing.

piotrr
Contributor III

Apple offers full management of supervised, company owned prestage ADE registered Macs through MDM unless - of course - the current user doesn't want to. 

AJPinto
Honored Contributor II

I got an email from JSS this morning at 3:41a that a patching definition for Apple Safari v16.3.1 was added.

 

It was not there yesterday. I was annoyed that I had to downgrade all my patching definitions so I could replace the 16.3 package with the 16.3.1 package. I figured it best to get the vulnerable package out of the mix.

sdagley
Esteemed Contributor II

Oh it gets better. After I complained yesterday that the re-use of the Safari 16.3 version number for the new Safari releases didn't match the 16.3.1 version listed in the Security update bulletins Apple revised the Security bulletins to roll the version number back to 16.3 and add a mention of checking the Build number. <HeadExplodingEmoji/>

AJPinto
Honored Contributor II

I mean, one would have problems assuming Apple is one of the largest companies in the world making mistakes that would cause you to fail an assignment in a system analysis college course.

obi-k
Valued Contributor II

They should call this update "Safari+". 

Boom.

AJPinto
Honored Contributor II

@obi-k Now I want Safari Pro and Safari Max. 

obi-k
Valued Contributor II

You win.

AJPinto
Honored Contributor II

Why does this not surprise me. 

piotrr
Contributor III

So which build numbers are we talking about? 

On macOS 13.2.1 I am seeing

  • 18614.4.6.1.6
  • 18614.4.6.1.5
  • 18614.2.9.1.12
  • 18614.3.7.1.5

On macOS 12 I am seeing 

  • 17614.4.6.11.6 
  • 17614.3.7.1.7
  • 17614.1.25.9.10 

Just going with a hunch that the highest numbers are the correct latest patches and when there's a discrepancy (like 13.2.1 with older build) this could be because OS numbers are sent through the new declarative management status channel, while the CFBundle ID has to be extracted programmatically by the EA script, with a delay. 

steven_z
New Contributor II

Same here.  Not overly concerned with 11 and 12 since sdagley was able to provide those packages.  Thank you so much!!

 

However, I am seeing multiple different Safari builds when the OS is claiming to be upgraded to 13.2.1.  Not sure if we are compliant with remediation.

Is it possible to get the correct Safari package for Ventura so we can update it manually?

Like I mentioned, that might be because you have some machines that report their version number using declarative device management, whereas the Safari build won't be updated until the next recon. 

SMR1
Contributor III

I did install it on our test devices and the version changed, but in Jamf, it's labeling it 16.3.1 in patch management. When I look at the installs for this, it shows zero. I'm assuming because it's not technically called 16.3.1.

daniel_behan
Contributor III

Apple left the Version to be 16.3* instead of 16.3.1, so patch management will be inaccurate.

https://support.apple.com/en-us/HT213638

After installing this update, the build number for Safari 16.3 is 167614.4.6.11.6 on macOS Big Sur and 177614.4.6.11.6 on macOS Monterey.

daniel_behan
Contributor III

Even Apple's Article appears incorrect.  I'm seeing the following build IDs as the latest:

macOS Ventura
Bundle ID 18614.4.6.1.6

macOS Monterey
Bundle ID 17614.4.6.11.6

macOS Big Sur 16614.4.6.11.6

atlantamacguru
New Contributor II

Safari 16.3.1 appeared today in Software Update for one of my Big Sur machines. I installed it and the version number is indeed 16.3.1 and the build ID is 16614.4.6.11.7

sdagley
Esteemed Contributor II

@atlantamacguru Thanks for the heads up! Looks like Apple added macOS Big Sur 11.7.4 and Safari 16.3.1 for Big Sur to SUS on 2023-02-15

 

EDIT: Looks like @ClassicII identified the reason for the Safari 16.3.1 release for Big Sur on the MacAdmins Slack channel:

The update "fixes an issue that may cause website icons to not load."

The Big Sur 11.7.4 update is required before you can install the Safari 16.3.1 update.

MacInTX
New Contributor II

For Monterey, this requires macOS 12.3 or later - but it will install on 12.0.1 - 12.2.1.  Beware!

sdagley
Esteemed Contributor II

@MacInTX Thanks for the warning. Normally the Apple installers have a list of builds they're usable on, but it could be that these .pkgs don't because they were expecting Software Update to do the build verification.

obi-k
Valued Contributor II

Running the software update command seems to pull down the latest Safari build. Using @sdagley EA to report the build version.

Screenshot_2023-02-22_at_2_07_47_PM.png

1rose
New Contributor

Found a link for Safari 16.3.1 (Big Sur) that reports back 16614.4.6.11.7

https://swcdn.apple.com/content/downloads/62/14/032-51569-A_6C8JMC4NSY/3excb9qywqf00i87sfss53vk636ji...

 

How does one find/access a list of swcdn download links? I happen to come across the above from another forum. 

SMR1
Contributor III

Is there a Safari pkg for Ventura?

sdagley
Esteemed Contributor II

@SMR1 No. Currently to update Safari on macOS Ventura you have to do a full macOS Ventura update. Once the successor to Ventura comes out then we may see standalone updates as with macOS Big Sur.

steven_z
New Contributor II

@SMR1 @sdagley 

The days of standalone Safari is over with MDM.  This does make sense from Apple's perspective as it is core to the OS and should be considered an OS upgrade.  The major issue is that OS upgrades take so darn long and require a reboot from what I understand.

If Apple can make a simple x.x.1 upgrade that acts like a standalone safari update.  Also, can be executed quickly and present the ability to not require a restart where necessary it would be great.

It just feels like Apple and JAMF haven't dedicated the resources to get this into a more manageable state for enterprise.  This has been an issue for years.

sdagley
Esteemed Contributor II

@steven_z You're missing the point that Apple does make a standalone Safari installer for Monterey which also uses a Sealed System Volume similar to Ventura. Since Safari on Ventura is installed in /System/Cryptexes/App/System/Applications it could be updated as a standalone update, but Apple chooses not to.

The update architecture for macOS, and the apps included with macOS, is purely Apple's domain. Jamf just follows their lead (I'm sure they'd like to have some input on the decisions, but I don't expect it works that way).

Apple's Rapid Security Response feature will provide less than full macOS update security updates, but we've yet to see them except in testing so it's too soon to tell if they'll be used to update Safari. While Apple did pitch the RSR updates as not requiring restarted at WWDC that's limited to updates being applied at the app level, for OS level updates you'll still have to restart but at least it won't be like a "regular" OS update.

steven_z
New Contributor II

@sdagley You are definitely more knowledgeable than I am.  My question would be does Ventura still have the capability to install Safari as a standalone or maybe Apple is locking Safari to the system so it can only be deployed as an OS update to protect an integral application?

sdagley
Esteemed Contributor II

@steven_z I can't speak for Apple's plans, but as I see it there's not a technical reason they couldn't offer a standalone Safari updater for Ventura like they do for Monterey. Since Ventura is the current major macOS release it's easier to tie the OS and Safari updates together. If you're an org that's not allowing updates from Monterey to Ventura yet (for whatever reason) it's possible you might not be allowing macOS updates either but a standalone Safari updater might be useful.