Update week! As expected, we got the updates for macOS 13.2, iOS 16.3, and all the other updates that go along with these.
The day before macOS 13.2 was published was the day that a 90 day major upgrade deferral limit on macOS ran out. Because of the, well…, state of what is software update on macOS, this has some interesting and some unexpected side effects. (I talked about the state of software update in my Year 2022 summary.)
When you are managing a 90 day deferral on major macOS updates, a user on an MDM enrolled Mac will now see the full (~12GB) macOS 13 upgrade in the Software Update pane. Apple is withholding the smaller delta upgrade option from managed Macs because of a bug in macOS 12.3 through 12.6 that resulted in the delta upgrade ignoring the major deferral time, and using the minor deferral time instead. This bug was fixed in 12.6.1.
The user will see 13.0, and not 13.1 or 13.2, since those were released less than 90 days ago and still fall under the limitation. However, after the Mac has completed the upgrade to 13.0, the 13.1 and 13.2 updates are minor updates and will fall under the (likely much shorter) minor upgrade deferral time. This means that after going through the trouble of upgrading to 13.0 the user will immediately see that 13.1 is available and then, whenever the minor deferral period for 13.2 is over, see the 13.2 update as well. This might lead to two or three updates within a few days, which is not the experience we want for our users.
The major deferral period is only useful for the first 90 days after the release of a major version of macOS. Afterwards it is actually somewhat detrimental, as it doesn’t prevent the major upgrade, but does prevent the user from getting to the latest minor version in one step. I recommend that MacAdmins who have set a major deferral change its value to match the minor deferral period now, so that users avoid getting double-hit by the upgrade-then-update workflow. Also, since 13.1 and 13.2 are offered as delta upgrades, this will reduce the download volume and overall time for the upgrade.
The other side-effect, however, is that delta upgrades and updates can be started by non-admin users, which may or may not be beneficial to your particular plans and workflows. Full updates (i.e. 13.0 on managed Macs), on the other hand, require admin privileges to start. This may give admins who want some extra time to defer upgrades to 13.0 a bit more time, because the trick of blocking the macOS Installer application for the full 13.0 upgrade will work, at least until the 90 day deferral on 13.1 expires.
In case you were wondering, that will be March 13. Apple has a support page for this.
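The deferral behavior described above can be checked with a small model. This is an added example, not code from the original post or from Apple: it is a simplified simulation that assumes the public release dates of macOS 13.0, 13.1 and 13.2 and a hypothetical 7-day minor deferral, and it ignores the delta versus full installer distinction.

```python
from datetime import date

# Public release dates of macOS 13.x, embedded as sample input for this model.
RELEASES = {
    (13, 0): date(2022, 10, 24),
    (13, 1): date(2022, 12, 13),
    (13, 2): date(2023, 1, 23),
}

def offered(current, today, major_delay, minor_delay):
    """Newest version visible in Software Update, or None.

    A release to a higher major version is hidden until it is at least
    `major_delay` days old; a release within the same major version is
    hidden until it is at least `minor_delay` days old.
    """
    visible = []
    for version, released in RELEASES.items():
        if version <= current:
            continue  # already installed or older
        delay = major_delay if version[0] > current[0] else minor_delay
        if (today - released).days >= delay:
            visible.append(version)
    return max(visible, default=None)

def upgrade_path(current, today, major_delay, minor_delay):
    """Every install a user goes through when accepting all offers today."""
    steps = []
    while (nxt := offered(current, today, major_delay, minor_delay)) is not None:
        steps.append(nxt)
        current = nxt
    return steps

if __name__ == "__main__":
    today = date(2023, 1, 25)  # two days after 13.2 shipped
    minor = 7                  # assumption: a 7-day minor deferral
    for major in (90, minor):
        path = upgrade_path((12, 6), today, major, minor)
        print(f"major={major:>2}d minor={minor}d ->",
              " then ".join(f"{a}.{b}" for a, b in path))
```

With the major deferral left at 90 days the Mac goes to 13.0 and is then immediately offered 13.1; with the major deferral matched to the minor value it goes to 13.1 in one step.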
When Apple prepares to release macOS 14 (Sequoia, I have been expecting macOS “Sequoia” for years…) in September, remember to change the major deferral back to your preferred value. Or you can follow Fraser Hess’s advice and ‘Embrace the upgrade.’
To be able to fully ‘embrace the upgrade,’ you need to be downloading and testing the betas, not only with major updates, but throughout the year. As Ed Marczak points out, MacAdmins really need to be signed up for AppleSeed for IT and actively testing the beta releases with their deployment. Testing with the betas should give you the time to verify and report issues, and, even when they can’t be fixed in time, be prepared with temporary update deferrals or instructions for the support team and users on how to mitigate the issues.
MacAdmins should also be following the MacAdmin news, events, and posts in the community, but if you are reading this news summary, you already are! When you happen to talk with someone who was blind-sided by all this, then please recommend they subscribe!
🌼macOS Ventura 13.2 and iOS 16.3
Note: links to support articles should go to the US versions as localizations might take a while to be available. Nevertheless, the Apple web site might redirect you to the localized version. You can select the localization in the lowest right corner of an Apple support page.
macOS Ventura 13.2
macOS 13.2 (22D49), 12.6.3 (21G419), 11.7.3 (20G1113)
- macOS Ventura 13.2
- What’s new for enterprise in macOS Ventura
- Manage upgrading to macOS Ventura in your organization (Still relevant)
- macOS Ventura 13.2 Developer Release Notes
- Security content of macOS Ventura 13.2
- Security content of macOS Big Sur 11.7.3 – Apple Support
- Security content of macOS Monterey 12.6.3 – Apple Support
iOS 16.3 and iPadOS 16.3
- iOS 16.3
- What’s new for enterprise in iOS 16.3
- iPadOS 16.3
- What’s new for enterprise in iPadOS 16.3
- iOS & iPadOS 16.2 Developer Release Notes
- Security content of iOS 16.3 and iPadOS 16.3
- Security content of iOS 15.7.3 and iPadOS 15.7.3
- Security content of iOS 12.5.7
Apple Platform Deployment Guide
- January 2023 update
- Document revision history
- What’s new in Apple platform deployment
- Software Release Dates
- MacBook Pro Wi-Fi specification details
- SCEP MDM payload settings for Apple devices
- Use secure token, bootstrap token, and volume ownership in deployments
- About Security Keys for Apple ID
- watchOS 9.3
- watchOS 9.3 Developer Release Notes
- Security content of watchOS 9.2
- About Apple TV 4K and Apple TV HD software updates
- tvOS 16.3 Developer Release Notes
- Security content of tvOS 16.2
- HomePod Software Version 16.3
- macOS Ventura 13.2 Update (22D49)! What’s New? – Mr. Macintosh
- What has changed in macOS Ventura 13.2? – Howard Oakley
- Embrace the macOS Ventura upgrade – Fraser Hess
- Own an older iPhone? Check you’re on the latest version to avoid this bug – Pieter Arntz, Malwarebytes Labs
📰News and Opinion
- Adam Codega on Mastodon: “You can’t use traditional methods to check app versions of apps like Chrome that update silently, the app version on disk is going to be the latest but the app version running in memory is going to be older. There’s a one liner you can use to check the running version of Chrome but I recommend using a custom config profile or CBCM and setting Chrome to notify and enforce a restart after X time.”
- Adam Codega on Mastodon: “Zoom can be set to automatically restart itself under certain conditions: ‘Auto install an available update when the device is idle. Idle devices must be: No current meeting, phone call, or contact center engagement, No upcoming meeting within 30 minutes, Screen is locked or screen saver is active’”
- Ed Marczak on Mastodon: “Apple isn’t perfect with communication to admins, but I am shocked—SHOCKED!—at the number of admins that don’t: a) pay attention to betas, and have a robust testing group (or at least have one of their own devices on the beta track) And b) Just don’t pay attention to any Apple docs and comms. Hey MacAdmins: help yourselves. Have a testing plan for new releases, and help the people that you serve have a smooth upgrade. Get onto Appleseed and read the release notes.”
- mwichary on Mastodon: “TIL after all these years: In macOS Finder you can press space to do a quick preview. But hold ⌥ and space, and the preview goes full screen. (Annoyingly, you cannot press space to exit, though.)” (‘esc’ key for exit)
🔐Security and Privacy
- Passkeys.directory (via Catalin Cimpanu)
- Is it more secure to be a normal or admin user? – Howard Oakley
- Enforcing Device AuthN & Compliance at Pinterest – Pinterest Engineering Blog
- L’art de l’évasion – Taha Karim, Objective-See’s Blog
🔨Support and HowTos
- Verifying installer package signing and notarization using pkgutil – Rich Trouton
- ARD: Admin, Client, VNC and Security – Marriott Library, Apple Infrastructure
- Moving to M1/arm native rsync – Eric Hemmeter
- Scheduled activities: 1 Scheduling by DAS – Howard Oakley
- An easier method to put a MacBook into DFU mode – Kevin M. Cox
🤖Scripting and Automation
- How to Grant Local Admin Permissions with Microsoft Forms and PowerAutomate – Thijs Xhaflaire, Jamf Blog
- JPS API Wrapper
- Good bye loginhooks, Hello launchdaemons… – Rusty Myers
- Using the Jamf Pro API to retrieve FileVault personal recovery keys – Rich Trouton
♻️Updates and Releases
- Munki 6.1 Official Release
- Jamf Pro 10.43.0
- Wifi Explorer 3.4.1 and siblings
- swiftDialog 2.1 RC 3
- Setup-Your-Mac-via-Dialog.bash 1.7.0.rc7
- Jan 2023: MacAdmins Meeting Archived Presentations and Slides Online – Marriott Library, Apple Infrastructure
- Vira Tkachenko, CTO at MacPaw – Mac Admins Podcast
- 500: Today’s Show Was Brought To You By The Letter D — Command-Control-Power (500th episode! Amazing!)
- Building a healthy password management ecosystem – Apple @ Work Podcast, 9to5Mac
- Fighting technology’s gender gap with TracketPacer – Lock and Code