OS Upgrades: Are They Necessary on Day One?
By Frank Yang
Whenever Apple releases a new upgrade, we get a lot of questions about the process of rolling it out. One question that’s especially common: “How can I prevent my fleet from updating?”
We totally get it — OS upgrades contain many changes, each with the potential to break functionality, and it’s very tempting to put that off. But people also underestimate the risks of delaying upgrades. Our view is that everyone should always upgrade their devices as soon as possible.
In this post, we’ll share a few words as to why we think this, and highlight some things we’ve done at Fleetsmith to make the process as delightful as possible. (And if you’re still not convinced, read on for a foolproof way to prevent your users from updating before you’re ready.)
Upgrades: Maybe more important than you think
“N-2” support is a lie
It’s common to think that Apple has a policy of “back-porting” security patches to the last two versions of its Operating System (so-called “N-2 support”). Yet security researchers — including those from Google’s well-regarded “Project Zero” program — have repeatedly pointed out that this is a misconception.
The reality is that Apple only back-ports some patches, and what gets this treatment doesn’t neatly correspond with the severity of the vulnerability being closed. The majority of patches (even critical ones) will never be available for older versions. And only the very latest OS version will ever have everything. Unfortunately, this means that for your fleet to be the most secure it can be, you need to upgrade — sooner, rather than later.
And that’s just security patches. Security features are also an issue.
New security features
Even in a world where “N-2 support” was true — it still wouldn’t include major new security features. Take macOS Mojave, for example. With the changes Apple has introduced around the privacy of user data in macOS Mojave, macOS is now more secure than ever. Yet as far as we understand, there are no plans for High Sierra to ever support these changes. This means security teams at companies that run High Sierra or Sierra will always be at a disadvantage compared with those that upgrade, even considering the extra work required to learn and support this feature.
This also carries over to third-party apps. With a major OS upgrade, developers can also begin taking advantage of additional optional security features made available by Apple. A great example is Notarization, a new runtime security feature developers can enable to make their apps more secure. The longer you wait, the less you’ll be able to minimize software vulnerabilities in your apps.
In summary, putting off an upgrade to a new major OS release means you’re missing out on both security patches and new security features.
A note on other vendors
It’s worth mentioning that some vendors are giving the dangerous advice not to upgrade, despite a lack of known issues with macOS Mojave. For example, in a post titled Block Mojave Addigy writes: “although there doesn’t seem to be considerable changes to infrastructure and existing workflows in this release, Addigy recommends waiting.”
Testing upgrade flows, from admin to user
Upgrade by Enforcement Date
Many of us are ex-IT admins. We know the pain of selecting subgroups to push out new installers for the sake of testing in small batches. We think testing environments are important, and we wanted to make rollouts as painless as possible.
However, we felt that time spent identifying which devices require upgrades is wasted time. In an ideal world, this should be handled for you, and so this is exactly what Fleetsmith does. Our model is: you tell us the date by which you need every device to be updated, and we’ll take care of the rest automatically, including automated end-user notifications as the deadline approaches.
Automatic whitelisting of kernel extensions and TCC for apps managed via the Fleetsmith catalog
The releases of High Sierra and Mojave each introduced user-approved kernel extension loading and privacy controls on user data (managed by Privacy Preferences Policy Control payload), respectively. These are perfect examples of added security features to a major OS for an end-user, but to an admin, it becomes one more thing to look out for when administering software.
Researching the workings of TCC profiles was a monumental collective effort (check the #tcc channel in MacAdmins Slack), and it really goes to show how strong the community is.
But time is precious, and Apple’s documentation doesn’t always help (or exist). Not everyone can afford to go down a rabbit hole to learn all the nuances of something like TCC. We want to give that time back, which is why we chose to automate kext whitelisting and TCC profile delivery for all the apps in the Fleetsmith catalog.
Only the apps that you choose to manage are whitelisted, which means you can deliver a great experience to your users — apps installed by Fleetsmith “just work” — without sacrificing security.
Alright, but fleet-wide upgrades on Day 1 are still too ambitious for my environment; can I still prevent upgrades with Fleetsmith?
No problem, we’ve got your back. We recommend you upgrade your fleet as soon as you can, but in the meantime, you can use Google Santa to block the upgrade until you’re ready! Check out the help center article here.
Thoughts? Comments? Come find us in the #fleetsmith channel of MacAdmins, or drop us a line!
Originally published at blog.fleetsmith.com on October 8, 2018.
