4 Recommendations for Keeping Your macOS Fleet Up to Date
Keep your macOS fleet secure by following these recommendations: leverage Nudge, define upgrade policies, monitor compliance, and gate major OS upgrades.
March 30, 2023
Keeping your fleet on the latest operating system is an important way to protect your company against security threats and vulnerabilities. OS updates often contain vital security patches and new security features, and they should be installed as soon as possible to limit exposure to vulnerabilities such as remote code execution or privilege escalation.
Since we began drafting this blog post, the macOS community has been scrambling to upgrade fleets to version 13.2.1 for security reasons (or to 13.3, for those who had already moved on), to close a vulnerability that allowed malicious actors to execute arbitrary code when a user visited the wrong website.
For Mac devices in particular, employers may find that keeping every single MacBook in the fleet up to date takes a lot of time and bandwidth while being tedious and error-prone. This post discusses recommended practices for keeping your macOS fleet up to date while minimizing the time spent and the manual steps involved.
Recommendation 1: Leverage Nudge alongside your MDM tools
Many MDM tools allow you to issue a command that automatically schedules or forces an OS update. Admins and security teams should aim to give users agency as participants in security rather than always forcing changes on them, because forced updates can have negative consequences, including:
Unclear user notification when scheduling update times, which can result in forced updates occurring at uniquely bad times, such as right before an important demo or customer meeting
Bad user experience, with the potential to install the wrong update and therefore require the user to update again to reach the latest version
Potential for data loss if a forced update occurs without a chance to save work
Inconsistent success in actually pushing and enforcing device updates through this method
Luckily, you can avoid many of these issues with OS update commands by using a notification tool like Nudge on top of your MDM solution. Nudge is an open-source tool that alerts and encourages users when it is time to update their macOS devices, with configurable levels of urgency. This lets users pick a time that works best for them, minimizing the risk of data loss or poorly scheduled updates.
Recommendation 2: Define Upgrade Policies for Different Patch Urgencies
Not all upgrades require the same level of urgency. For minor version updates that do not include security-related patches and improvements, we recommend targeting a fully updated fleet within 30 days or less. For major version updates, the deadline can be extended to 60-90 days.
For urgent security patches, however, you may want to take a stricter approach and target a tighter deadline of 1-7 days, depending on the severity. This is another place where a notification tool like Nudge is helpful, because it lets you configure when and how users are notified in order to encourage compliance. For example, you can decide on the following:
How frequently the prompt to update the OS should pop up
The option for an “aggressive user experience” by blurring out other windows or blocking access to other applications until an update is completed
How many deferrals a user is allowed to do before the “aggressive user experience” is enabled
A target deadline to update by, after which an “aggressive user experience” may also trigger
By defining upgrade policies that match the level of urgency, you minimize the need to individually chase down owners of non-compliant devices, and you avoid the unreliability and potentially bad user experience of force-pushing every OS update via MDM command.
Recommendation 3: Continuously monitor compliance in your MDM tool
Keeping your macOS fleet up to date is a continuous process that must be repeated whenever relevant updates are released. An MDM tool lets you easily monitor every device in your fleet, see which ones are non-compliant, and track update progress. This kind of monitoring also lets you troubleshoot, identify, and resolve issues that arise when updating macOS across your fleet.
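The Nudge settings listed under Recommendation 2 and the compliance check from Recommendation 3, as an added Python example that is not from the original post or from the Nudge project: it builds a Nudge JSON profile for a given patch urgency (key names follow Nudge's documented JSON schema as we understand it; the per-urgency deadline and deferral numbers are assumptions taken from the policy above, not Nudge defaults) and flags devices in a constructed MDM inventory that report a version below the required minimum, treating "13.3" and "13.3.0" as equal.

```python
import json
from datetime import datetime, timedelta

# Deadlines (days after release) from the upgrade policies above, plus how
# many deferrals Nudge allows before its aggressive user experience starts.
# The deferral counts are assumptions for illustration, not Nudge defaults.
POLICY = {
    "security": {"days": 7, "deferrals": 3},
    "minor": {"days": 30, "deferrals": 15},
    "major": {"days": 90, "deferrals": 45},
}

def parse_version(v: str) -> tuple:
    """Turn '13.2.1' or '13.3' into a 3-part tuple so that 13.3 == 13.3.0."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def build_nudge_config(urgency: str, min_version: str, released: str) -> dict:
    """Build a Nudge JSON profile for one update; `released` is YYYY-MM-DD."""
    policy = POLICY[urgency]
    deadline = datetime.strptime(released, "%Y-%m-%d") + timedelta(days=policy["days"])
    return {
        # Blur other windows / bring Nudge to the front once deferrals are used up.
        "optionalFeatures": {"aggressiveUserExperience": True},
        "osVersionRequirements": [{
            "requiredMinimumOSVersion": min_version,
            "requiredInstallationDate": deadline.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "targetedOSVersionsRule": "default",
        }],
        "userExperience": {
            "allowedDeferrals": policy["deferrals"],
            "approachingWindowTime": 72,  # hours before the deadline to prompt more often
            "imminentWindowTime": 24,
        },
    }

def noncompliant(devices: dict, min_version: str) -> list:
    """Serials of devices reporting a version below the required minimum."""
    floor = parse_version(min_version)
    return sorted(s for s, v in devices.items() if parse_version(v) < floor)

# Constructed sample MDM inventory: serial number -> reported macOS version.
INVENTORY = {"C02AAA": "13.2.1", "C02BBB": "13.3", "C02CCC": "12.6.3", "C02DDD": "13.3.0"}

if __name__ == "__main__":
    cfg = build_nudge_config("security", "13.3", "2023-03-27")
    print(json.dumps(cfg, indent=2))
    print("non-compliant:", noncompliant(INVENTORY, "13.3"))
```

The generated dictionary can be written out with `json.dump` and delivered as Nudge's JSON profile through your MDM; the constructed release date is only a sample.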
Recommendation 4: Gate Major OS Version Upgrades
For companies where stability is key, a major OS version release may not yet be compatible with the software needed for security or day-to-day work. It is likely worth using your MDM tool to prevent users from upgrading to a new major OS version until it has been widely adopted and has received its first few patches.
Keeping your Mac fleet on the latest OS can be a pain point for many IT administrators, security teams, and technology leaders because of inconsistent enforcement methods and a reliance on user cooperation and compliance. With a notification tool like Nudge alongside an MDM tool, you can reduce the time and effort it takes to roll out updates while still ensuring a good user experience and minimizing work disruptions. We hope these recommendations improve your macOS update workflows and reduce some of the manual burden of keeping your Mac fleet compliant and secure. Please contact us or schedule a demo if you are curious to learn more, want to connect, or would like a demo of our product.
Get started with Zip
Learn more about Zip's MDM, EDR, IT, and Compliance solutions and we'll find the right fit for you.