WWDC starts in one month. Do you feel that you and macOS Ventura are ready for the next version of macOS?
(Sponsor: Mosyle)
The only Apple Unified Platform for Business
Mosyle is the only solution that fully integrates Enhanced MDM, Endpoint Security, Internet Privacy & Security, Single Sign-On, and Application Management on a single Apple-only platform.
Click here to learn why Mosyle is all you need to work with Apple.
This week Apple published the first Rapid Security Response (RSR) for macOS, iOS, and iPadOS. Even though RSRs were tested during the beta phase, there were some hiccups. Overall, the actual release seems to have gone as planned by Apple.
The reception in the MacAdmins community was… not enthusiastic.
The support article for the RSR contains no information on which software or CVEs was patched and the Apple security updates page has no entry for the RSR either. It is not unprecedented or even unusual for security documentation to be published or amended after the release of updates. Since the point of RSRs is to be released quickly, there might still be embargoes in place, CVEs might not even exist, or documentation simply takes second priority. We should expect to see documentation with the release of the macOS 13.4 and iOS 16.5 updates, which will include the issues fixed in the RSR. (It would be nice if Apple pointed out which were fixed in the RSR.)
Because they can be removed, RSRs introduce a new “extra” addition to the version number. This one is 13.3.1 (a). Even though RSRs were announced at WWDC and could be tested during the beta phase, not all management systems, security and monitoring tools are ready to gather the information. Even when your tools are ready, most admins have not yet adjusted or even prepared their workflows for this new piece of information.
There are also (of course) some issues with the management of RSRs. Configuration profiles and MDM commands don’t quite work as advertised. Tools that exist to work around the many shortcomings of the software update workflow will need to be adapted to incorporate RSRs
For a change, Apple announced this well ahead of time. But then, why are (some) MacAdmins still reacting with so much frustration?
I believe, there was some expectation that RSRs might be a fix, or at least a bandaid, for macOS software update. It was implied they wouldn’t require reboots, but most will. You cannot update directly from an older version of macOS to the RSR version, so a user may need two successive installations and reboots to get ‘fully patched.’
Instead of replacing (security) updates, it now looks as if RSRs will happen in addition to the traditional update cycle, increasing the number of updates users and admins have to manage.
RSRs do not solve any of the multitude of issues prevalent with software update. Whether that hope was overly optimistic, misguided, or misinformed, MacAdmins were hoping for some relief with managing software updates. Instead, we are now are facing yet another thing to manage; more and new workflows to build, fix, and adapt.
The burden was increased, rather than reduced. The lack of detailed information, even though it has good reasons, obscures their benefit. We can’t even tell why we have to do this, except for a nebulous “trust us, this is important!”
At Apple, the rollout of RSRs might justifiably be considered a success. They solve a problem they had internally that kept them from responding swiftly to security issues. RSRs improve the overall security of the platforms, which is something Apple obviously and correctly cares about. You have to appreciate that.
This mismatch in the requirements and expectations from the MacAdmins community and Apple isn’t new and there will always be friction here. Nevertheless, Apple needs to directly address the issues with software update in a way that does not increase the workload of users and MacAdmins.
Maybe at WWDC? (ever the optimist)
If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)
macOS and iOS Updates and Responses
- About Rapid Security Responses for iOS, iPadOS, and macOS – Apple Support
- Three ways to determine if macOS Rapid Security Response updates have been installed on your fleet – macOS Adventures
- Apple has just released the first Rapid Security Response for Ventura – Howard Oakley
- What is a Rapid Security Response (RSR)? – Howard Oakley
- Using Munki to “nudge” for Rapid Security Response updates (like 13.3.1 (a)) – Alan Siu
念Social Media
- Pepijn Bruienne: “It’s not an industry-first for a patch mechanism like RapidSecurityResponse to fire without having a CVE on hand.”
- Tom Bridge: “I’m gonna rant for just a minute. As IT Professionals, we have to deal with risk and insufficient information a lot. I need you to understand: you cannot eliminate risk, and you cannot know everything. What you can do, though, is be prepared and be paying attention.”
- Jason Broccardo: “TIL that passkeys won’t sync across OSes”
Security and Privacy
- Atomic Stealer: Threat Actor Spawns Second Variant of macOS Malware Sold on Telegram – Phil Stokes, SentinelOne
- The beginning of the end of the password – Christaan Brand, Sriram Karra, Google
- Passwordless Google accounts are here – Ron Amadeo, Ars Technica
- The one and only password tip you need – Mark Stockley, Malwarebytes Labs
Support and HowTos
- Proper Packaging Principles – Nate Felton
- Using Okta with OIDC/ROPG with Jamf Connect – Sean Rabitt, Jamf Tech Thoughts
- Jamf Pro LAPS – Skartek
- Using an Elgato Game Capture HD60 S+ to record movies from a test Mac – Dr. K
- Deep dive into the various types of Mac apps – Braden Newell, Jamf Blog
- PowerShell for the Mac Admin, Part 5: Pivot – Charles Mangin, Radical Admin Blog, JumpCloud
烙Scripting and Automation
- Using Script2Pkg to create payload-free installer packages – Rich Trouton GitHub
- Software Updates, Bonus Round: SWU Bugged Fact – Sudoade
- Sdelsaz/PIN-for-Admin: equest temporary admin privileges with a PIN
- Managed Apple ID Pre-work: Determining Impacted Users – Dan K. Snelson
Apple Support
♻️Updates and Releases
- App Catalog (April 2023)
- Munki 6.3.1
- swiftDialog 2.2 Preview 2
- Baseline v1.2beta1
- super v3.0-b12
- Setup Your Mac 1.10.0-rc29
To Listen
- All about Jamf’s spring release – Apple @ Work Podcast, 9to5Mac
- The Fix Is In – Command-Control-Power
- NanoMDM – Mac Admins Podcast
Support
If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!
If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!