blog.dataJAR

App management for mixed fleets – how to start planning your Mac and Windows patching strategy

PatchMyPC for Macs

Keeping computers and applications up to date continues to be of paramount importance, as administrators work to stem the tide of malware threatening organisations.

Describing the most recent attacks here is futile – something new turns up every few days, forcing the organisation in question to send out the email of shame, confessing to a breach and requesting that its customers reset their passwords.

Breaches are not just embarrassing, they can also be catastrophic. Windows PCs and Apple Macs alike must be kept up to date with both application and operating system patches, as attackers continue to expand the surface area for exploitation. Simply locking down your operating system is not enough; you must also take steps to ensure applications are updated. Just ask Microsoft about Outlook, its ubiquitous email and calendar application.

As Apple hardware is increasingly adopted by organisations, particularly since remote working has become commonplace and given users more say in which kit they use, administrators are faced with the headache of mixed fleets.

The challenge is how to keep such fleets up to date, both in terms of operating systems and applications.

What can an admin do?

Despite the differences between Apple and Microsoft platforms, concerns for device administrators have been similar for a long time – are native patch capabilities enough? Will a third-party tool come with adequate enterprise support? Will users be impacted?

The good news is there are a variety of tools out there, ranging from native to third-party. Depending on your point of view or experience, you may be surprised (or not) to discover, for both platforms, the latter often does a better job of preventing users from tumbling down the gaps lurking within the former.

The Windows world is a good first example. Microsoft Intune (which Microsoft would much rather you called Endpoint Manager) works well for a fleet of Windows devices and has some macOS and iOS functionality. For Windows users, it permits the rotation of BitLocker keys among its features. The management tools extend to Macs and iOS/iPadOS devices; for example, an administrator can erase the former and disable the activation lock on the latter.

However, there is also a loss of granularity and fine-tuning in the Intune/Endpoint Manager approach (which, frankly, can sometimes be less than friendly if you have not fully bought into Microsoft’s cloud services). Third-party tools, such as PatchMyPC, augment the approach with a vast catalogue of applications, against which administrators can compare their baselines and update accordingly.

Similarly, there is no shortage of patch management tools for Apple device users, helped by early support for MDM in the Apple ecosystem. And, as with third-party tools such as PatchMyPC for Windows computers, additional tools are required to keep a fleet of Apple computers up to date and secure. Jamf Pro is the leading solution for managing updates, and augmenting it with dataJAR’s Auto-Update for Jamf means users get an App Store-like update experience for apps downloaded outside of the macOS App Store. At the time of writing, more than 700 popular macOS software titles are supported, with more being continually added.

Unsure where to start? Focus on the experience

Keeping the applications on a device up to date should be a seamless experience for the end user, with familiar notifications being the only clue of what is happening behind the scenes (unless, of course, you have opted for a more self-service approach). Ensuring an update does not impinge on the productivity of the end user (or cause annoyance, irritation and eventually non-compliance with a company’s security posture) is essential.

A final consideration to make regarding patch and update management is ensuring the source is secure. The deployment of an update that is either deliberately or accidentally poisoned can be as catastrophic as a successful attack. Perhaps worse, since it was your own administrator taking aim at their foot. Enterprise-level third-party update management tools (such as Auto-Update) will ensure updates are signed and scanned properly before allowing them anywhere near a production environment.
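One concrete form of the "ensure the source is secure" check above, as an added example that is not dataJAR's or Auto-Update's own code: a small shell gate that refuses to admit a macOS installer package into the deployment pipeline unless `pkgutil --check-signature` reports an Apple-issued Developer ID Installer certificate for the vendor's expected Team ID. The Team ID `ABCDE12345` and the sample tool output below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post or of any product it names.
# Gate: a downloaded .pkg must be signed by a Developer ID Installer certificate
# issued by Apple AND carry the Team ID we expect for this vendor.
EXPECTED_TEAM_ID="ABCDE12345"   # placeholder; substitute the vendor's real Team ID

# Constructed samples of `pkgutil --check-signature` output, used for offline testing.
SAMPLE_SIGNED='Package "Example.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2023-05-01 10:00:00 +0000
   Certificate Chain:
    1. Developer ID Installer: Example Vendor Ltd (ABCDE12345)
       Expires: 2027-05-01 10:00:00 +0000
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_UNSIGNED='Package "Example.pkg":
   Status: no signature'

# signature_ok TEXT TEAM_ID
# TEXT is the output of `pkgutil --check-signature <pkg>`. Succeeds (0) only when
# the status line shows an Apple-issued developer certificate and the leaf cert is
# a Developer ID Installer cert for TEAM_ID; unsigned, untrusted or wrong-team fails.
signature_ok() {
    text="$1"; team="$2"
    printf '%s\n' "$text" \
        | grep -q 'Status: signed by a developer certificate issued by Apple' || return 1
    printf '%s\n' "$text" \
        | grep -q "Developer ID Installer: .*(${team})" || return 1
    return 0
}

# check_pkg PKG TEAM_ID: run the real tool (macOS only) and apply the gate.
# pkgutil exits non-zero for unsigned packages, so its status is deliberately ignored
# and the decision is made on the parsed output instead.
check_pkg() {
    pkg="$1"; team="$2"
    out=$(pkgutil --check-signature "$pkg" 2>&1) || true
    if signature_ok "$out" "$team"; then
        echo "OK: $pkg signed by Developer ID team $team"
        return 0
    fi
    echo "REJECT: $pkg failed the signature gate" >&2
    printf '%s\n' "$out" | grep 'Status:' >&2
    return 1
}

# Usage on a Mac: sh gate.sh /path/to/Update.pkg
if [ -n "${1:-}" ] && [ "$(uname)" = "Darwin" ]; then
    check_pkg "$1" "$EXPECTED_TEAM_ID"
fi
```

Run the gate against each package before it is imported into Jamf (or any other deployment tool), and treat a rejection as a reason to re-fetch from the vendor rather than to override the check.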

Ultimately, in the deployment of any successful update framework, you must ensure the right tools for the job have been selected, be it something like PatchMyPC in the Windows world or Jamf Pro and dataJAR’s Auto-Update for Macs. A mixed environment requires a thoughtful combination of tools that enhance, rather than restrict, the end user experience.