Apple has released software updates for macOS and iPhone / iPadOS that address recent security vulnerabilities. For JumpCloud customers, JumpCloud Patch Management is the best way to be sure that your macOS fleet has been updated. End users with affected mobile devices should use the Apple-provided update mechanisms.
The affected Apple devices are:
Below you will find information on the CVEs, OS versions impacted and step-by-step instructions for how to patch your Mac devices with JumpCloud Patch Management.
The Patch Management features live under the Policy Management section in the JumpCloud Admin Console. To create the Automatic macOS Updates policy:
1) Log in to the JumpCloud Admin Portal.
2) Go to DEVICE MANAGEMENT > Policy Management.
3) Select OS Patch Management. Only OS patch policies appear in this tab.
4) If this is the first time you’ve accessed the OS Patch Management tab, click Load Default Policies & Policy Groups. To add the Automatic macOS Updates policy, click ( + ), then choose macOS. You will see that 4 ring policies are created.
After loading the Default Policies you will see 4 ring policies, each with update defaults. For instructions, see Creating Default Patch Policies & Policy Groups on the JumpCloud support site.
It’s important that your macOS device fleet is placed in the correct ring that maps to your internal policies, because the rings have different deferral defaults. Depending on your risk appetite, you can be more aggressive with updates and adjust the deferrals within the thresholds called out in the support docs, for example going from a 7-day deferral to 3 days in a given ring policy.
You can also check out this video tutorial that covers the entire Patch Management configuration process within JumpCloud, including an overview of the default policies and how to adjust them.
The update notifications to end users from JumpCloud begin once the device detects that it has an update available. Every 5 hours – twice per average working day – the alert window will launch and prompt the user to update their operating system.
When less than 72 hours remain in the grace period, the alert will increase in frequency from twice per working day to 6 times per working day, every 100 minutes. When less than 24 hours remain in the grace period, the alert will increase in frequency again from every 100 minutes to every 10 minutes.
When the grace period has elapsed and the system is still not updated, the alerts continue every 10 minutes, but the window can no longer be closed, it re-centers on the screen every 10 minutes, and the app cannot be quit from the UI. If the user discovers the process and terminates it through the command line, it will regenerate.
In the JumpCloud Admin Console, the Devices tab shows a Fleet Overview with the current OS version status of macOS devices. As devices check in and the notifications trigger OS patch version upgrades, the device counts will shift to the target OS version (example below).