Easy Method to Force Safari Patch Updates on MacOS Using Intune

In this post, let's see how to push Safari patch updates to macOS devices using Intune. We will walk through creating an update policy for Apple macOS devices on the Intune MDM platform and discuss the options and settings offered while creating a custom Intune update policy.

Our last blog post discussed how to block Mac stealer malware using Intune. There we also covered what MacStealer malware is, how it affects Mac users, and how to stay safe by implementing antivirus policies in Intune.

Recently the Indian government issued a high-severity security warning, particularly for Apple users, asking that MacBooks, iMacs, and Apple Watches be updated immediately to remediate vulnerabilities found in older versions of macOS (macOS Monterey and Big Sur).

A remote attacker could exploit these vulnerabilities by persuading a victim to open a specially crafted web page; if the user then provides information, the attacker could extract sensitive data. This is a particular risk for organizations that support MacBooks in their work environment.


Recommended Steps to Keep Mac Devices Safe from Remote Attacks

The best defence is always to keep Mac devices updated with the latest macOS patches. IT admins can also force critical macOS patches and enable a Mac compliance policy in Intune to ensure all devices are compliant and protected against remote attackers.

According to the warning, only users on macOS Monterey and Big Sur running Safari older than v16.4 are affected. Upgrading users to the latest macOS Ventura v13.3.1, or to the latest Monterey patch v12.6.5 or Big Sur v11.7.6, also remediates the vulnerabilities.
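The following POSIX shell script is an added example, not part of the original post, that checks a Mac against the remediation targets quoted above: Safari 16.4 or later, or a macOS build at or above 13.3.1, 12.6.5, or 11.7.6 for its major line. On macOS it reads the installed versions with `sw_vers` and `defaults`; on any other system it runs a constructed sample. The function names (`version_ge`, `macos_ok`, `safari_ok`, `check_mac`) and the sample version numbers are the example's own assumptions, and the rule that either a patched OS build or Safari 16.4+ counts as remediated is taken from the warning as summarised above.

```shell
#!/bin/sh
# Added example: verify a Mac against the remediation targets quoted in the post.
# Not part of the original post; function names and sample inputs are constructed.
# Targets: Safari 16.4+, or macOS Ventura 13.3.1+, Monterey 12.6.5+, Big Sur 11.7.6+.

# version_ge A B -> 0 when dotted version A is at or above B, compared component-wise
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        case "$a" in *.*) x=${a%%.*}; a=${a#*.} ;; *) x=$a; a= ;; esac
        case "$b" in *.*) y=${b%%.*}; b=${b#*.} ;; *) y=$b; b= ;; esac
        x=${x:-0}; y=${y:-0}           # a missing component counts as 0 (16.4 == 16.4.0)
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# macos_ok VERSION -> 0 when the installed macOS is at or above the patched build for its major line
macos_ok() {
    case "$1" in
        11.*) version_ge "$1" 11.7.6 ;;   # Big Sur
        12.*) version_ge "$1" 12.6.5 ;;   # Monterey
        13.*) version_ge "$1" 13.3.1 ;;   # Ventura
        *)    [ "${1%%.*}" -gt 13 ] ;;    # later major releases postdate the fix; older ones fail
    esac
}

# safari_ok VERSION -> 0 when Safari is 16.4 or later
safari_ok() { version_ge "$1" 16.4; }

# check_mac OS_VERSION SAFARI_VERSION -> prints a verdict; 0 = remediated, 1 = still exposed
# The warning is remediated by either path: a patched OS build or Safari 16.4+.
check_mac() {
    if safari_ok "$2" || macos_ok "$1"; then
        printf 'remediated: macOS %s, Safari %s\n' "$1" "$2"
        return 0
    fi
    printf 'EXPOSED: macOS %s, Safari %s (update Safari to 16.4+ or patch the OS)\n' "$1" "$2"
    return 1
}

# On a real Mac read the installed versions; elsewhere run a constructed sample.
if [ "$(uname)" = Darwin ]; then
    check_mac "$(sw_vers -productVersion)" \
              "$(defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString)"
else
    check_mac 12.6.4 16.3 || true      # constructed sample: unpatched Monterey with old Safari
fi
```

Because `check_mac` exits non-zero for an exposed device, the script can be dropped into any scheduled check or inventory run and its exit status used to flag devices that still need the update policy above applied.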

Starting with Intune service release 2210, we can use Intune update policies to manage macOS software updates, critical patches, and firmware updates, as well as built-in app updates (e.g., Safari, Mail, Calendar), for devices enrolled using Automated Device Enrollment (ADE).

By default, devices check in with Intune about every 8 hours. If an update is available through an update policy, the device downloads the update. The device then installs the update at the next check-in that falls within the configured schedule.


The macOS updates policy can be managed only for eligible devices, enrolled using Automated Device Enrollment (ADE) and supervised using either Apple Business Manager (ABM) or Apple School Manager (ASM).

Create MacOS Updates Policy in Intune

Follow the steps below to create an update policy for macOS in the Intune portal.

  • Sign in to the Microsoft Intune Admin Center https://endpoint.microsoft.com/.
  • On the left sidebar, select Devices, then under the Policy category select Update policies for macOS.
  • Click on Create Profile.
Easy Method to Force Safari Patch Updates on MacOS Using Intune Fig. 1

Under Basics, provide a name for the policy that helps you identify it later (for example, macOS Update Policy), specify a description, and click Next.

Easy Method to Force Safari Patch Updates on MacOS Using Intune Fig. 2

On the Update policy settings tab, configure the options by selecting how the update should get downloaded, installed, and notified for each type of update.

  • For Critical, Firmware, Configuration file, and All other updates (OS, built-in apps), choose the installation action for each type:
    • Download and install: Download and install the update, depending on the current state.
    • Download only: Download the software update without installing it.
    • Install immediately: Download the software update and install the update immediately.
    • Notify only: Download the software update and notify the user through the App Store.
    • Install later: Download the software update and install it later.
    • Not configured: No action is taken on the software update.

To update Safari to the latest version on the impacted devices, we have set All other updates to Install immediately.

Easy Method to Force Safari Patch Updates on MacOS Using Intune Fig. 3

For the update policy schedule settings: by default, when an update policy is assigned to a device, Intune deploys the latest updates at device check-in. We can also create a weekly schedule with customized start and end times.

  • Schedule type: Configure the schedule for this policy when updates will be available to install. Updates made during or outside of scheduled times require additional input.
    • Update at next check-in: The update installs on the device the next time it checks in with Intune. This option is the simplest and has no extra configurations.
    • Update during scheduled time: You configure one or more windows of time during which the update will install upon check-in.
    • Update outside of scheduled time: You configure one or more windows of time during which the updates won’t install upon check-in.

If start or end times are not configured, the schedule imposes no restriction and updates can be installed at any time.

  • Weekly schedule: If you choose a schedule type other than update at the next check-in, configure the following options:
    • Time zone: Choose a time zone.
    • Time window: Define one or more blocks of time that restrict when the updates install.
    • Start day: Choose the day on which the schedule window starts.
    • Start time: Choose the time of day when the schedule window begins.
    • End day: Choose the day on which the schedule window ends.
    • End time: Choose the time of day when the schedule window stops.
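To make the schedule semantics above concrete, here is an added example in POSIX shell. It is not Intune's own logic and not from the original post; it models the three schedule types as described: `should_install` takes the schedule type, the check-in day and time, and zero or more windows (start day, start time, end day, end time) and answers whether an available update would install at that check-in. A window whose end falls earlier in the week than its start wraps past the end of the week, and a schedule with no windows imposes no restriction. The function names and sample check-in times are the example's own, and treating both window boundaries as inclusive is the model's assumption rather than documented Intune behaviour.

```shell
#!/bin/sh
# Added example: a model of the "Update policy schedule" semantics described in the post.
# Not Intune's own logic; function names and sample inputs are constructed for illustration.

# day_index DAY -> 0..6 for Sun..Sat (accepts full names or three-letter abbreviations)
day_index() {
    case "$1" in
        Sun*) echo 0 ;; Mon*) echo 1 ;; Tue*) echo 2 ;; Wed*) echo 3 ;;
        Thu*) echo 4 ;; Fri*) echo 5 ;; Sat*) echo 6 ;;
        *) echo "unknown day: $1" >&2; return 1 ;;
    esac
}

# week_minute DAY HH:MM -> minutes elapsed since Sunday 00:00 (all times in the policy's time zone)
week_minute() {
    d=$(day_index "$1") || return 1
    h=$(printf '%s' "${2%%:*}" | sed 's/^0*//')   # strip leading zeros so "08" is not read as octal
    m=$(printf '%s' "${2#*:}" | sed 's/^0*//')
    echo $(( d * 1440 + ${h:-0} * 60 + ${m:-0} ))
}

# in_window CHECKIN_DAY CHECKIN_TIME START_DAY START_TIME END_DAY END_TIME
# Returns 0 when the check-in falls inside the window (start and end inclusive: an assumption).
# A window whose end comes before its start in the week (e.g. Sat 22:00 to Sun 02:00) wraps.
in_window() {
    t=$(week_minute "$1" "$2") || return 1
    s=$(week_minute "$3" "$4") || return 1
    e=$(week_minute "$5" "$6") || return 1
    if [ "$s" -le "$e" ]; then
        [ "$t" -ge "$s" ] && [ "$t" -le "$e" ]
    else
        [ "$t" -ge "$s" ] || [ "$t" -le "$e" ]
    fi
}

# should_install TYPE CHECKIN_DAY CHECKIN_TIME [START_DAY START_TIME END_DAY END_TIME]...
# TYPE is one of next-checkin | during | outside, mirroring the three schedule types.
# Returns 0 when an available update would install at this check-in, 1 when it would wait.
should_install() {
    type="$1"; cday="$2"; ctime="$3"; shift 3
    [ "$type" = next-checkin ] && return 0
    [ $# -lt 4 ] && return 0          # no start/end times configured: no restriction
    hit=1
    while [ $# -ge 4 ]; do
        if in_window "$cday" "$ctime" "$1" "$2" "$3" "$4"; then hit=0; fi
        shift 4
    done
    case "$type" in
        during)  return $hit ;;       # install only inside a window
        outside) [ "$hit" -ne 0 ] ;;  # install only when no window matches
        *) echo "unknown schedule type: $type" >&2; return 2 ;;
    esac
}

# Constructed sample: a maintenance window from Saturday 22:00 to Sunday 02:00
for checkin in "Sat 23:30" "Sun 01:00" "Wed 12:00"; do
    set -- $checkin
    if should_install during "$1" "$2" Sat 22:00 Sun 02:00; then
        echo "check-in $checkin: install"
    else
        echo "check-in $checkin: wait for the window"
    fi
done
```

Running the sample shows why the 8-hour check-in interval matters: a device that last checked in on Wednesday will not pick up the update until a check-in lands inside Saturday night's window, so a narrow window can push installation out by days.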

Next, select the scope tags. Scope tags are filtering options provided in Intune to ease admin tasks; in the Scope tags section you can configure scope tags for the policy. Click Next.

Easy Method to Force Safari Patch Updates on MacOS Using Intune Fig. 4

Select Assignments group (Included groups and Excluded groups) and click Next.

Assignment group: determines who receives an app, policy, or configuration profile, by assigning groups of users or devices to include and exclude.

Easy Method to Force Safari Patch Updates on MacOS Using Intune Fig. 5

On the Review + create page, review the settings, change any that need adjusting, and click Create.

Easy Method to Force Safari Patch Updates on MacOS Using Intune Fig. 6

Deferral Period for macOS Updates

When pushing updates in an organization it is important to force them so that devices stay compliant, but a smooth end-user experience matters too: users should be allowed to delay or postpone an update installation if it would otherwise land at a critical moment.

The same can be done while forcing macOS updates with Microsoft Intune. To give end users permission to delay an update, follow the steps below.

  • In the Microsoft Endpoint Manager admin center, go to Devices > Configuration profiles > Create profile.
  • Select Platform: macOS and Profile type: Settings catalog.
Easy Method to Force Safari Patch Updates on MacOS Using Intune Fig. 7

Under Basics, provide a name for the policy, specify a description, and click Next.

Easy Method to Force Safari Patch Updates on MacOS Using Intune Fig. 8

On the Configuration settings tab, search for the keyword “Restriction” in the Settings picker and select the Deferred install delay settings, as shown below.

Enforced Software Update Major OS Deferred Install Delay: lets the admin set how many days the end user can delay a major OS software update on the device.

Enforced Software Update Minor OS Deferred Install Delay: lets the admin set how many days the end user can delay a minor OS software update on the device.

Enforced Software Update Non-OS Deferred Install Delay: lets the admin set how many days the end user can delay an app (non-OS) software update on the device.

Easy Method to Force Safari Patch Updates on MacOS Using Intune Fig. 9

Next, select the scope tags. Scope tags are filtering options provided in Intune to ease admin tasks; in the Scope tags section you can configure scope tags for the policy. Click Next.

Easy Method to Force Safari Patch Updates on MacOS Using Intune Fig. 10

Select the assignment groups (Included groups and Excluded groups) and click Next. On the next page, review the policy and click Create.

Easy Method to Force Safari Patch Updates on MacOS Using Intune Fig. 11

Monitor Updates for macOS in Intune

Once the macOS updates are pushed, IT admins can monitor them in the Intune admin center under Devices > Monitor > Software updates by selecting Installation status for macOS devices.

Easy Method to Force Safari Patch Updates on MacOS Using Intune Fig. 12

Conclusion

Organizations must keep all devices updated to the latest macOS patches and keep the built-in apps on their latest versions. This keeps devices compliant with organizational policies and standards, protects company data, and restricts access to company resources such as M365 apps, Microsoft Teams, or internal domain sites to compliant users.

If you are wondering how to configure ABM, you can check the following video: Apple Business Manager Enrollment | Create DUNS Number | VPP Purchase | ABM and Intune Sync Options.


Author

Snehasis Pani is currently working as a JAMF Admin. He loves to help the community by sharing his knowledge on Apple Mac Devices Support. He is an M.Tech graduate in System Engineering.
