Managing macOS endpoints

You can manage patches for macOS endpoints with enforcements. Enforcements send Apple MDM commands to download and install updates on macOS endpoints. Enforcement commands are executed at the specified start time and are reissued every 24 hours to maintain operational hygiene for macOS endpoints.

If macOS computer groups, patch lists, block lists, and maintenance windows display in the Patch workbench, ignore them. They are part of the legacy method of patching macOS endpoints and should not be used. Follow the instructions in this section to patch macOS endpoints.

Before you begin

Configure Tanium Mac Device Enrollment, which provides the ability to manage macOS endpoints. See Tanium Mac Device Enrollment User Guide: Getting started with macOS Device Enrollment.
Install and configure Tanium Mac Device Enrollment, which provides the ability to manage macOS endpoints. See Tanium Mac Device Enrollment User Guide: Getting started with macOS Device Enrollment.
To prevent end users from disabling updates, configure an MDM policy with AutomaticCheckEnabled set to true using Tanium Enforce. For more information, see Tanium Enforce User Guide: Create a macOS device configuration profile.
Remove existing scan enforcements for macOS endpoints. Scan configurations targeting macOS devices can cause MDM enforcement errors.

View software updates

On the Updates page, you can view macOS software updates that are applicable to endpoints in the mobile device groups. Monitor the Applicable column to ensure that enforcements are reducing the number of applicable endpoints.

From the Main menu, go to Patch > Mac Patching > Updates.
View the updates. The table contains the following columns:
- Name: Update name
- Version: Version of the update
- Product Key: Product key of the update to be installed
- Major Update: Indicates if this is a major update or not
  
  Major updates have limited install actions. For more information on updates, see Apple Platform Deployment Documentation: About software updates for Apple devices.
- Critical: Indicates if this update is marked as critical
- Restart Required: Indicates if this update requires an endpoint restart
- Enforcements: Number of enforcements in which the update is included
- Applicable: Number of endpoints on which the update is applicable
To quickly start an enforcement, select the updates to deploy and click Create Enforcement. For more information, see Create an enforcement.

Create an enforcement

Create an enforcement to deploy macOS updates to macOS endpoints. Enforcement commands are executed at the specified start time and are reissued every 24 hours to maintain operational hygiene for macOS endpoints.

From the Patch menu, go to Mac Patching > Enforcements > Create Enforcement.
Enter a name.
Select the updates to include in the enforcement.
Select and preview the MDM device groups on which to deploy the updates.

Select groups based on department rather than applicability so that the enforcement can be easily used on an ongoing basis. Endpoints ignore update commands that are not applicable.
Configure the enforcement settings.
1. Select the date and time to start the enforcement. The date and time is based on the machine that is used to access the Tanium Console.
2. Select the install action for the enforcement. The install action controls notifications on the endpoints.
  The available install actions are dependent on the type of update. For a description of each action, see Apple Device Management Documentation: ScheduleOSUpdateCommand.Command.UpdatesItem.
3. Select the maximum number of times the user is allowed to postpone an update before it is installed. The system prompts the user once a day to install the update.
4. Select the scheduling priority for downloading and preparing minor updates for macOS 12.3 and later. Earlier macOS versions use Low.
Click Create.

Review enforcement summary

You can review the enforcement results, enforcement status, endpoint status, and the enforcement configuration details. You cannot edit an active enforcement.

From the Patch menu, go to Mac Patching > Enforcements.
Select the Active or Inactive tab.
Click the enforcement name and review the information.
- Summary shows the status, install action, number of updates, and information about when the enforcement first ran and when it will run again. For possible statuses, see Reference: Enforcement status.
- Updates provides the updates information as described in View software updates.
- Targeting lists the mobile device groups targeted for the enforcement.
- Endpoints lists the serial number and device ID of endpoints that have been issued the command, the date and time that the command was issued, and the status of the MDM command. For a list of statuses, see MDM command status.

MDM command status

Issued: Command sent to the endpoint
Error Issuing Command: Command not sent to the endpoint
Acknowledged: Command received by the endpoint
Format Error: Apple MDM error, for example, Apple MDM rejects a malformed command
Error Running Command: Command received by the endpoint, but the endpoint encountered an error when it tried to run
Idle: MDM status
Not Now: Endpoint returned this status when trying to run the command and the command will need to be retried in the future

Stop an enforcement

You can stop an enforcement. Stopping an enforcement does not remove updates that have already completed installing.

From the Patch menu, go to Mac Patching > Enforcements.
For the enforcement, in the Actions column click Stop .
Go to the Inactive tab and click the enforcement name to verify the status.

Delete an enforcement

You can delete an inactive enforcement. Deleting an enforcement does not delete updates.

From the Patch menu, go to Mac Patching > Enforcements.
Click Inactive and select the enforcement.
Click Delete .

Reference: Enforcement status

Status group	Sub-status
Active enforcement	Running Upcoming
Inactive enforcement	Ran Did not run

Mac and macOS are trademarks of Apple Inc., and registered in the U.S. and other countries and regions.