macOS Best Practices: Patch Notifications & CVEs

For patch administrators, it is important to know that Apple Inc. does not have a consistent patching schedule for when they release macOS security and feature updates. This is in contrast to Microsoft, who provides Patch Tuesday updates.

This can create a problem for macOS administrators, because it requires them to consistently check whether a patch is available for their devices, and in some cases they might learn of a patch later than their fleet receives it.

Patch Notifications

There are two ways you can get notifications about new patches for macOS devices.

  1. Apple has a public security notifications and announcements mailing list you can sign up for. This sends an automatically generated email any time that Apple releases a patch for macOS (this includes patches for iOS, tvOS, etc.).
    • You can sign up here; please make sure to review the document before subscribing to the mailing list.
  2. Apple also posts all of its security updates and patches here. This page provides patch names, patch information, affected devices, and release dates.
    • This list includes updates and patches for macOS and app updates, such as Safari and Bootcamp.
    • Some of these updates also include CVEs in the patch notes, although the CVEs and severity are not included in the patch metadata itself.

CVEs

As stated previously, Apple Inc. does not include CVEs in the metadata of patches they release. This can be a pain point for Mac administrators.

Note: Apple does not include this data and, therefore, Automox has no way of verifying the severity of any released patches. It is recommended that you get this information from the source (security updates link) or an external source.

Example: Automox recognized that a macOS device requires a patch, but because Apple does not include the CVE metadata, it shows as "Unknown" under Severity in the Automox console.
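Because the CVE identifiers only appear in the prose of Apple's security release notes, an administrator who wants them in a structured form has to extract them from that text. The following script is an added example, not Automox or Apple code: it parses a constructed, simplified release-note sample (the `Name:`, `Released:` and `Available for:` headers and the placeholder `CVE-0000-...` identifiers are all made up for this example and do not reproduce Apple's exact page layout) into per-update records, filters them to the platform you manage, and builds a CVE-to-update index you could feed into your own severity lookup.

```python
"""Extract CVE identifiers from Apple-style security release notes.

Added example (not Automox or Apple code). The note format below is a
constructed simplification: each release is a blank-line-separated block
with Name / Released / Available for headers, followed by component
entries that list CVE identifiers. The CVE numbers are placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Standard CVE identifier shape: CVE-YYYY-NNNN (4 to 7 digit sequence).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b")
HEADER_RE = re.compile(r"^(Name|Released|Available for):\s*(.+)$")

# Constructed sample input; product names and CVE IDs are placeholders.
SAMPLE_NOTES = """\
Name: macOS Sample 14.0.1
Released: 2000-01-02
Available for: macOS Sample 14
Kernel
Impact: An app may be able to execute arbitrary code with kernel privileges
CVE-0000-00001: placeholder reporter
CVE-0000-00002: placeholder reporter
Safari
Impact: Processing web content may lead to arbitrary code execution
CVE-0000-00003: placeholder reporter

Name: iOS Sample 17.0.1
Released: 2000-01-02
Available for: iPhone Sample
WebKit
Impact: Processing web content may lead to arbitrary code execution
CVE-0000-00003: placeholder reporter

Name: Safari Sample 17.0.1
Released: 2000-01-03
Available for: macOS Sample 13
WebKit
CVE-0000-00003: placeholder reporter
"""


@dataclass
class SecurityRelease:
    """One published update, with the CVEs mentioned in its notes."""
    name: str
    release_date: str
    available_for: str
    cves: list[str] = field(default_factory=list)


def parse_releases(text: str) -> list[SecurityRelease]:
    """Split the notes into blocks and pull headers and CVE IDs from each."""
    releases: list[SecurityRelease] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        headers: dict[str, str] = {}
        for line in block.splitlines():
            m = HEADER_RE.match(line.strip())
            if m:
                headers[m.group(1)] = m.group(2).strip()
        if "Name" not in headers:
            continue  # not a release block
        # dict.fromkeys de-duplicates while keeping first-seen order.
        cves = list(dict.fromkeys(CVE_RE.findall(block)))
        releases.append(SecurityRelease(
            name=headers["Name"],
            release_date=headers.get("Released", ""),
            available_for=headers.get("Available for", ""),
            cves=cves,
        ))
    return releases


def releases_for_platform(releases: list[SecurityRelease],
                          platform: str = "macOS") -> list[SecurityRelease]:
    """Keep only updates whose 'Available for' line starts with the platform."""
    return [r for r in releases if r.available_for.startswith(platform)]


def cve_index(releases: list[SecurityRelease]) -> dict[str, list[str]]:
    """Map each CVE to the names of every update whose notes mention it."""
    index: dict[str, list[str]] = {}
    for r in releases:
        for cve in r.cves:
            index.setdefault(cve, []).append(r.name)
    return index


if __name__ == "__main__":
    parsed = parse_releases(SAMPLE_NOTES)
    for r in releases_for_platform(parsed, "macOS"):
        print(f"{r.name} ({r.release_date}): {', '.join(r.cves) or 'no CVEs listed'}")
    for cve, names in cve_index(parsed).items():
        print(f"{cve} -> {names}")
```

The output of `cve_index` is the piece worth keeping: once you have a list of CVE identifiers per update, you can look each one up in an external severity source and record the result alongside the patch that the console shows as "Unknown".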