02-13-2023 02:02 PM - edited 02-13-2023 02:03 PM
For anyone that prefers to make Safari updates available via Self Service, here are the standalone installer download links extracted from Apple's Software Update Server catalog for what Apple's Security update bulletins published today are calling Safari 16.3.1. Unfortunately what Apple actually released today were new builds of Safari 16.3 with updated Build numbers. This means you'll have to use an EA to extract the CFBundleVersion string from the Safari app bundle to figure out exactly what version of Safari you have installed (also posted below).
Safari "16.3.1" for macOS Big Sur: http://swcdn.apple.com/content/downloads/30/47/032-38743-A_CT6YB7IU0E/etlliehrvoqmlrb8mso9d2lh8vtnb5...
Safari "16.3.1" for macOS Monterey: https://swcdn.apple.com/content/downloads/61/07/032-38754-A_I6L5FGHO4W/6vezgtgkabm4112wd26y1moii3kak...
EA to report Safari CFBundleVersion:
#!/bin/sh # EA - Get Safari CFBundleVersion result="Not Installed" PListToCheck="/Applications/Safari.app/Contents/Info.plist" if [ -f "$PListToCheck" ] ; then result=$( /usr/bin/defaults read "$PListToCheck" CFBundleVersion ) fi echo "<result>$result</result>"
Posted on 02-14-2023 04:25 AM
Why Apple? Why.
Posted on 02-14-2023 06:11 AM
Given that this is not the first time this has happened with a Safari release (I forget if it's the 3rd or 4th time) and the complete lack of reliability in the macOS software update mechanism the past couple of macOS generations it does make one wonder if there is any adult supervision for Apple's software releases. Yes I'm grumpy, but I've been working on Macs since you had to have a Lisa to write software for them and I'm not happy with Apple's current level of attention to detail.
Posted on 02-16-2023 09:00 AM
Yup, apparently Apple has discovered there is a shortage of numbers, you know, those things that are infinite. Why they do this I just can't even wrap my head around. It's like rank incompetence. How difficult is it to give something a new proper number? Apparently very difficult for Apple.
Posted on 02-14-2023 06:10 AM
Again we are reminded of how badly unable we are to force updates on Mac users.
Posted on 02-14-2023 01:24 PM
We don't manage devices over here, that is not the Apple Way. We politely herd sheep to do the right thing.
Posted on 02-14-2023 11:57 PM
Apple offers full management of supervised, company owned prestage ADE registered Macs through MDM unless - of course - the current user doesn't want to.
Posted on 02-15-2023 05:48 AM
I got an email from JSS this morning at 3:41a that a patching definition for Apple Safari v16.3.1 was added.
It was not there yesterday. I was annoyed that I had to downgrade all my patching definitions so I could replace the 16.3 package with the 16.3.1 package. I figured it best to get the vulnerable package out of the mix.
Posted on 02-15-2023 12:45 PM
Oh it gets better. After I complained yesterday that the re-use of the Safari 16.3 version number for the new Safari releases didn't match the 16.3.1 version listed in the Security update bulletins Apple revised the Security bulletins to roll the version number back to 16.3 and add a mention of checking the Build number. <HeadExplodingEmoji/>
Posted on 02-15-2023 12:57 PM
I mean, one would have problems assuming Apple is one of the largest companies in the world making mistakes that would cause you to fail an assignment in a system analysis college course.
Posted on 02-15-2023 01:06 PM
They should call this update "Safari+".
Posted on 02-15-2023 01:14 PM
Posted on 02-15-2023 01:20 PM
Posted on 02-14-2023 01:25 PM
Why does this not surprise me.
Posted on 02-15-2023 12:33 AM
So which build numbers are we talking about?
On macOS 13.2.1 I am seeing
On macOS 12 I am seeing
Just going with a hunch that the highest numbers are the correct latest patches and when there's a discrepancy (like 13.2.1 with older build) this could be because OS numbers are sent through the new declarative management status channel, while the CFBundle ID has to be extracted programmatically by the EA script, with a delay.
Posted on 02-15-2023 12:08 PM
Same here. Not overly concerned with 11 and 12 since sdagley was able to provide those packages. Thank you so much!!
However, I am seeing multiple different Safari builds when the OS is claiming to be upgraded to 13.2.1. Not sure if we are compliant with remediation.
Is it possible to get the correct Safari package for Ventura so we can update it manually?
Posted on 02-16-2023 07:02 AM
Like I mentioned, that might be because you have some machines that report their version number using declarative device management, whereas the Safari build won't be updated until the next recon.
Posted on 02-15-2023 05:37 AM
I did install it on our test devices and the version changed, but in Jamf, it's labeling it 16.3.1 in patch management. When I look at the installs for this, it shows zero. I'm assuming because it's not technically called 16.3.1.
Posted on 02-15-2023 07:26 AM
Apple left the Version to be 16.3* instead of 16.3.1, so patch management will be inaccurate.
After installing this update, the build number for Safari 16.3 is 167618.104.22.168.6 on macOS Big Sur and 177622.214.171.124.6 on macOS Monterey.
Posted on 02-15-2023 08:52 AM
Even Apple's Article appears incorrect. I'm seeing the following build IDs as the latest:
Bundle ID 186126.96.36.199.6
Bundle ID 176188.8.131.52.6
macOS Big Sur 166184.108.40.206.6
Posted on 02-17-2023 10:44 AM
Safari 16.3.1 appeared today in Software Update for one of my Big Sur machines. I installed it and the version number is indeed 16.3.1 and the build ID is 166220.127.116.11.7
02-17-2023 11:04 AM - edited 02-17-2023 11:23 AM
@atlantamacguru Thanks for the heads up! Looks like Apple added macOS Big Sur 11.7.4 and Safari 16.3.1 for Big Sur to SUS on 2023-02-15
EDIT: Looks like @ClassicII identified the reason for the Safari 16.3.1 release for Big Sur on the MacAdmins Slack channel:
The update "fixes an issue that may cause website icons to not load."
The Big Sur 11.7.4 update is required before you can install the Safari 16.3.1 update.
a month ago
For Monterey, this requires macOS 12.3 or later - but it will install on 12.0.1 - 12.2.1. Beware!
a month ago
@MacInTX Thanks for the warning. Normally the Apple installers have a list of builds they're usable on, but it could be that these .pkgs don't because they were expecting Software Update to do the build verification.
a month ago
Running the software update command seems to pull down the latest Safari build. Using @sdagley EA to report the build version.
2 weeks ago
Found a link for Safari 16.3.1 (Big Sur) that reports back 16618.104.22.168.7
How does one find/access a list of swcdn download links? I happen to come across the above from another forum.
Is there a Safari pkg for Ventura?
@SMR1 No. Currently to update Safari on macOS Ventura you have to do a full macOS Ventura update. Once the successor to Ventura comes out then we may see standalone updates as with macOS Big Sur.
The days of standalone Safari is over with MDM. This does make sense from Apple's perspective as it is core to the OS and should be considered an OS upgrade. The major issue is that OS upgrades take so darn long and require a reboot from what I understand.
If Apple can make a simple x.x.1 upgrade that acts like a standalone safari update. Also, can be executed quickly and present the ability to not require a restart where necessary it would be great.
It just feels like Apple and JAMF haven't dedicated the resources to get this into a more manageable state for enterprise. This has been an issue for years.
@steven_z You're missing the point that Apple does make a standalone Safari installer for Monterey which also uses a Sealed System Volume similar to Ventura. Since Safari on Ventura is installed in /System/Cryptexes/App/System/Applications it could be updated as a standalone update, but Apple chooses not to.
The update architecture for macOS, and the apps included with macOS, is purely Apple's domain. Jamf just follows their lead (I'm sure they'd like to have some input on the decisions, but I don't expect it works that way).
Apple's Rapid Security Response feature will provide less than full macOS update security updates, but we've yet to see them except in testing so it's too soon to tell if they'll be used to update Safari. While Apple did pitch the RSR updates as not requiring restarted at WWDC that's limited to updates being applied at the app level, for OS level updates you'll still have to restart but at least it won't be like a "regular" OS update.
@sdagley You are definitely more knowledgeable than I am. My question would be does Ventura still have the capability to install Safari as a standalone or maybe Apple is locking Safari to the system so it can only be deployed as an OS update to protect an integral application?
@steven_z I can't speak for Apple's plans, but as I see it there's not a technical reason they couldn't offer a standalone Safari updater for Ventura like they do for Monterey. Since Ventura is the current major macOS release it's easier to tie the OS and Safari updates together. If you're an org that's not allowing updates from Monterey to Ventura yet (for whatever reason) it's possible you might not be allowing macOS updates either but a standalone Safari updater might be useful.