Enterprise admins handling fleets of Macs take note: there's a new security management tool from Apple device management firm Addigy.
The MDM Watchdog Utility monitors the MDM framework on devices and automatically forces software patches to be installed if they're not already in place. This is designed to help solve a specific problem in which some (not all) managed Macs do not properly install Apple’s Rapid Security Response updates.
When security isn’t
In today’s fast-moving threat environment, Apple has introduced Rapid Security Response (RSR) as a key front line against new threats. The defense is intended to be distributed and installed across Apple’s platforms as swiftly as possible once new threats are identified. The idea is that by expediting distribution and making installation a quicker process, it will be easier to maintain security across Mac fleets. That’s important as the scale of Apple deployments grows and enterprises move to support employee choice.
But that defense is obviously less useful when managed Macs fail to properly install those updates.
Citing its own research, Addigy claims as many as 25% of macOS devices in managed environments could be affected by the issue. Rather than upgrading their defenses, they remain in a "stuck state" after an update is pushed, and the update is never implemented.
Time makes fools of us all
To make matters worse, the company claims, there is no way for IT departments to know which machines are not implementing RSR updates without manually inspecting them. And, of course, it suggests other MDM functions will also be stalled. That’s not good.
“MDM Watchdog monitors the MDM framework on devices and automatically remediates those in which the condition was found,” Addigy said.
To achieve this, the tool automatically monitors devices to ensure they are in a healthy state and communicating properly so they act on instructions sent by IT admins (such as when applying an emergency security patch like the RSR update).
What’s the underlying problem?
Providing a little more insight into the nature of the flaw, Addigy claims the updates aren’t being implemented because in some cases the MDM client binary “gets stuck after executing the OSUpdateScan command” and stops communicating with the Apple MDM Framework. When that happens, later MDM actions may not be acted on or may be delayed.
"The stuck state condition we discovered within our customers' environments affects one out of every four devices, so the impact to macOS environments in any enterprise is likely the same," Addigy CEO Jason Dettbarn said in a statement. "We are committed to keeping our customers' macOS devices secure. The MDM Watchdog utility is a critical tool to ensure all of our customers' devices are automatically updated with the latest RSR and every future update."
The tool is available now to Addigy clients and will be released as a utility for Macs using other MDM services in the future, the company said. Meanwhile, Addigy recommends IT staffers verify that Macs in their fleet have installed the update.
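One way to perform that verification, written here as an added example and not Addigy's own tool: a POSIX shell check that parses `sw_vers` output, where RSR-patched systems report a ProductVersionExtra line carrying the response letter, such as "(a)". The expected version and RSR letter, and the sample outputs, are constructed values for illustration.

```shell
#!/bin/sh
# Added example, not Addigy's MDM Watchdog code: classify a Mac's Rapid Security
# Response state from `sw_vers` output. RSR-patched systems report an extra line,
# ProductVersionExtra, carrying the response letter (e.g. "(a)"); a Mac on the right
# base version with no such line is a candidate for the stuck-MDM-client condition.

# Print the value for one key from sw_vers-style "Key:<whitespace>Value" text.
sw_field() {
    # $1 = sw_vers output, $2 = key name
    printf '%s\n' "$1" | awk -F':' -v k="$2" '$1 == k { sub(/^[ \t]+/, "", $2); print $2 }'
}

# Exit 0 when the reported base version and RSR letter match what was pushed.
rsr_installed() {
    # $1 = sw_vers output, $2 = expected ProductVersion, $3 = expected extra, e.g. "(a)"
    [ "$(sw_field "$1" ProductVersion)" = "$2" ] &&
        [ "$(sw_field "$1" ProductVersionExtra)" = "$3" ]
}

# Print one of: patched | rsr-missing | os-mismatch
rsr_status() {
    ver=$(sw_field "$1" ProductVersion)
    extra=$(sw_field "$1" ProductVersionExtra)
    if [ "$ver" != "$2" ]; then
        echo os-mismatch      # base OS differs; the RSR expectation does not apply
    elif [ "$extra" = "$3" ]; then
        echo patched
    else
        echo rsr-missing      # right base OS but the RSR never landed: inspect the MDM client
    fi
}

# Constructed sample outputs (version numbers and build strings are placeholders).
SAMPLE_PATCHED='ProductName:        macOS
ProductVersion:     13.3.1
ProductVersionExtra:    (a)
BuildVersion:       22E000a'
SAMPLE_STUCK='ProductName:        macOS
ProductVersion:     13.3.1
BuildVersion:       22E000'
SAMPLE_OLD='ProductName:        macOS
ProductVersion:     13.2.1
BuildVersion:       22D000'

# On a real Mac, run against the live command; elsewhere this is a no-op.
if command -v sw_vers >/dev/null 2>&1; then
    printf 'this host: %s\n' "$(rsr_status "$(sw_vers)" 13.3.1 '(a)')"
fi
```

A fleet audit would run `rsr_status "$(sw_vers)" <version> <letter>` on each Mac and collect the "rsr-missing" hosts for closer inspection.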
Optimistically, it seems likely that Apple itself will find a platform-based solution to this problem, probably involving tweaks to the OSUpdateScan APIs it provides to device management vendors in order to improve process reliability.