moofMacOS
Keep every Mac updated effortlessly with critical macOS updates, on your schedule, with any MDM.
Introduction
Since macOS 11 (Big Sur), the ability to manage and enforce macOS updates using built-in Apple tools has been limited, leading to devices regularly falling behind on software updates. This is a significant challenge for most organisations that hold security accreditations (e.g. Cyber Essentials +, ISO 27001, etc.), where patching of the OS is mandated within a specified timeframe.
Moof have seen and tested a wide range of approaches to this macOS challenge over the years without finding a satisfactory solution. Moof have therefore created a custom macOS reminder solution.
What is moofMacOS
moofMacOS is a custom-built Mac reminder and enforcement tool that encourages users to apply macOS updates. It reminds users with increasing frequency and severity to run their macOS updates, with an enforcement event set to encourage compliance (typically blocking the use of browsers).
Moof have achieved over 98.6% macOS update compliance across devices using this solution.
Key features
The key features of moofMacOS are:
- Daily reminders presented to users requesting they apply the update
- Built-in user notification of any impending device restrictions if updates are not installed, including the deadline date
- Automatic restriction of chosen applications on the device if the update is not installed
- Support for minor updates and major macOS upgrades
- Respect for MDM macOS update deferrals, taking these into account before calculating a deadline
- Ability to specify your internal “release” date for major macOS upgrades to avoid jumping before you are ready
Patching process
Steps
- Apple release a macOS software update
- If a deferral period is set by your MDM, this is automatically applied
- Once the deferral period has ended, users will automatically receive a notification once per day advising that there is a pending update that they need to install
  Users are able to install the update at any stage after the deferral period has ended and are recommended to install it before the deadline date to avoid any impact
- Once the deadline is reached, the applications you have chosen (typically the built-in web browsers) will be blocked from use. If the user attempts to use the restricted app, they will receive a notification asking them to apply the macOS update
- Once the update has been applied, the Mac restarts and the restriction is removed from the applications
Customisation options
Deferral period
If you are using the enforcedSoftwareUpdateDelay MDM profile key, the number of days you specify will be respected by the moofMacOS reminder system.
Notifications only
moofMacOS can be set to “Notifications only”, meaning users will receive a daily notification but will not be subject to any application or device restrictions.
Enforcement deadline
Allows you to specify the number of days an update can be available before restrictions are applied to the device.
Restricted applications
Allows you to specify which applications are to be blocked if the device passes the enforcement deadline threshold.
FAQs
Can we still use the MDM server to enforce updates?
Yes, the moofMacOS system does not interfere with any other mechanisms you are using to push updates.
Can we use moofMacOS to notify the users only (no enforcement)?
Yes, you can configure moofMacOS to notify only. Please note that the effectiveness of the solution will drop considerably without an enforcement mechanism in place.
Can we have a group of users excluded from the enforcement?
Yes, you can have different configurations for different sets of users. These can be controlled with separate Configuration Profiles for the respective user groups.
We have specified 14 days as the deadline. Why are devices exceeding this?
The deadline is calculated as [deferral days] + [deadline threshold]. So if you have a deferral of 7 days before updates are available to users, the deadline countdown will start from day 8.