
macOS Patching Standards

Scope

This policy applies to all Jack Henry & Associates, Inc. macOS devices within the Digital Business Unit.

Standards

The Mobile Device Management (MDM) solution used by Jack Henry Digital is Jamf Pro. All company owned macOS devices are required to be enrolled in Jamf Pro and will have their macOS version along with other inventory information reported on a regular basis, at minimum once per day. Jamf Pro is capable of forcibly applying macOS updates using the Apple MDM protocol.

Nudge is free and open source software maintained by the MacAdmins community and available on GitHub. The Nudge application is used to notify users of available macOS updates, and encourage them to apply these updates in a timely manner. Jamf Pro is used to ensure Nudge remains installed and configured on all endpoints.

Apple will post information relating to security updates for all of their operating systems on the following page: https://support.apple.com/en-us/100100. For each update Apple will list any CVEs that were patched along with a notice if any given CVE has been actively exploited. This information will be used to calculate patching deadlines.

Production Version

The last two major versions of macOS will be enforced (N-1).

Within major versions, the latest patch will be enforced. (Example: If the major version is 12.0 and 12.4 is available, the latter will be enforced).

Tooling/Method Used for Patching

The Nudge application will be used to notify users when a new macOS update is available. The Nudge interface will clearly display a deadline after which the update may be forcefully applied. Users are encouraged to update on their own schedule prior to this deadline. This approach gives users the flexibility to avoid inconvenient work delays or stoppages.

A Jamf Pro management command utilizing the SoftwareUpdateEnforcementSpecific policy will be scheduled to enforce updates after the deadline has passed. Note that using the SoftwareUpdateEnforcementSpecific policy will force all apps on the Mac to quit at the scheduled time, even if documents haven’t been saved. This command requires that a notebook Mac have a battery percentage of 50% or be connected to power.

Jamf Pro will be used to monitor and confirm the installed macOS version.

Patching Cycle

Apple has no defined software update cycle. The Digital Ground Control team utilizes an Apple provided mailing list to learn of any new security updates in addition to the URL listed above*. A Slack channel has been configured to receive these announcements from Apple.

Updates with no CVE content will not be enforced, and may be applied at the discretion of the end user.

For updates with CVE content that has not been actively exploited, Nudge will be activated with a deadline of 21 days after the update’s release. A Jamf Pro management command utilizing the SoftwareUpdateEnforcementSpecific policy will be scheduled to enforce the update.

Critical Vulnerability Patching

In the event that an actively exploited, zero-day, or otherwise critical vulnerability is identified, Nudge will be activated with a 5 day deadline.

A Jamf Pro management command utilizing the SoftwareUpdateEnforcementSpecific policy will be scheduled to enforce the update.
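The deadline rules above (no CVE content: not enforced; CVE content: 21 days; actively exploited or otherwise critical: 5 days) translated into a Nudge osVersionRequirements fragment, as an added example that is not part of this policy or of Jack Henry's tooling. Nudge key names follow its documented JSON schema; the midnight-UTC timestamp format, targeting by major version, and all sample versions, dates and CVE ids are assumptions or placeholders constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Deadlines from this policy, in days after the update's release date.
DEADLINE_DAYS = {"actively_exploited": 5, "cve_only": 21}

@dataclass
class AppleUpdate:
    """One macOS update as read off Apple's security releases page (constructed fields)."""
    version: str                      # e.g. "12.4"
    released: str                     # ISO date, e.g. "2022-05-16"
    cves: list = field(default_factory=list)
    actively_exploited: bool = False

def deadline_for(update):
    """Enforcement deadline per the policy, or None when the update is not enforced."""
    if not update.cves:
        return None  # no CVE content: applied at the user's discretion
    rule = "actively_exploited" if update.actively_exploited else "cve_only"
    return date.fromisoformat(update.released) + timedelta(days=DEADLINE_DAYS[rule])

def nudge_requirement(update, about_url):
    """One osVersionRequirements entry for Nudge's JSON config.
    Key names follow Nudge's documented schema; the midnight-UTC timestamp and
    targeting by major version are assumptions of this example."""
    deadline = deadline_for(update)
    if deadline is None:
        return None
    return {
        "requiredMinimumOSVersion": update.version,
        "requiredInstallationDate": deadline.isoformat() + "T00:00:00Z",
        "aboutUpdateURL": about_url,
        # One entry per supported major version keeps the N-1 rule intact:
        # each major line is nudged only toward its own latest patch.
        "targetedOSVersionsRule": update.version.split(".")[0],
    }

def build_nudge_config(updates, about_url="https://support.apple.com/en-us/100100"):
    """Assemble the osVersionRequirements list, dropping updates the policy does not enforce."""
    entries = [nudge_requirement(u, about_url) for u in updates]
    return {"osVersionRequirements": [e for e in entries if e is not None]}

# Constructed sample input: versions, dates and CVE ids are placeholders, not real Apple releases.
SAMPLE_UPDATES = [
    AppleUpdate("12.4", "2022-05-16", cves=["CVE-EXAMPLE-0001"], actively_exploited=True),
    AppleUpdate("11.6.6", "2022-05-16", cves=["CVE-EXAMPLE-0001"]),
    AppleUpdate("12.4.1", "2022-06-01"),  # no CVE content: not enforced
]
```

`build_nudge_config(SAMPLE_UPDATES)` yields two entries (the 5-day and 21-day deadlines) and omits the update without CVE content.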

Patching Cycle Reporting

Reporting of endpoint versions is available within the Jamf Pro management console and is accessible to Corp and Digital team members with Jamf Pro access.


Published Date: 8-9-22
Updated: 3-18-25