Automating Updates for User-Installed macOS Software
How much time do you spend packaging and deploying new versions of macOS apps? An updated version of Chrome? Check! The latest version of Zoom? Check! And on it continues across the twenty, or fifty, or more apps in your organization. But what if the folks using macOS in your organization have admin privileges to their system? How do you handle the upkeep on non-critical apps that users install out of convenience or familiarity?
“Managed” Versus “Updated” Apps
In my experience, app management is always a delicate balance. As an organization enabler, IT needs to ensure users can access the apps they need to be productive. On the other hand, as an organization steward, IT needs to ensure apps are maintained and current. In many cases, IT simply manages the Gatekeeper settings and allows the user to install non-store developer-signed and notarized apps.
That said, each app that a user installs inevitably leads to a decision point. Is the app “business-critical,” thoroughly tested, and managed? Does the app simply require “maintenance” (e.g., upgrades)? In either case, Workspace ONE admins need to obtain each new app version and configure it for deployment within the Workspace ONE console. Basically, as a Workspace ONE admin, you’ve just inherited a new app for management (regardless of the testing/validation requirements).
Choosing an Update Path
Should admins spend time readying those non-critical application binaries for maintenance and upgrades? Perhaps not. Perhaps these non-critical, non-store apps are prime candidates for automated updating. Maybe the app has automatic updates built in – but are end-users applying the updates? Enter Alectrona Patch.
Augment Workspace ONE with Alectrona Patch
Alectrona Patch is a lightweight, agent-based tool for installing and upgrading a catalog of 180+ non-store macOS apps. The patch agent pulls install binaries directly from the software vendors, so admins need not host or re-package software before installation or upgrade. As such, Workspace ONE admins can leverage Alectrona Patch to augment their existing software maintenance workflows for macOS.
Figure 1: Alectrona Patch Profile Configuration
The basic process flow would go something like this:
- Configure your license and the list of “update-only” software titles on Alectrona’s Patch Profile website.
- Generate the Alectrona profile using the Get Profile button.
- Deploy the contents of the Alectrona profile as Custom Settings payloads: one Custom Settings payload to license the agent, and another to configure the list of titles to maintain (see below).
- Parse the Alectrona Patch agent with the Workspace ONE Admin Assistant and create a new “Internal” application to deliver the Alectrona Patch agent to macOS.
The Alectrona Patch agent periodically checks for any configured software titles installed on the device. When found, the agent notifies the user that an update is required. Admins can also make changes later by adding additional “slugs” (listed under the “Update Only” column in Figure 1) to the Alectrona payload. To do so, add a line for the new slug to the custom XML (Figure 2), then Save/Publish the profile.
Figure 2: Custom Settings Payload for Alectrona Patch
What to Expect in Workspace ONE UEM
As presented above, the outcome of this setup is that you can enable your non-critical apps for an “automatic” update. Currently, there is no direct integration between Alectrona Patch and Workspace ONE UEM (although we’d like to change that… don’t get me wrong!). Without a direct integration, you won’t immediately see any of the Alectrona activity directly reflected in a device’s application list. However, once the device reports an Application List sample, you’ll see the app and version updated on the UEM console, as shown in Figure 3.
Figure 3: Application Status Reporting for Alectrona Maintained App
App management is time-consuming. There’s no way around it… or is there? Thanks to the folks at Alectrona, UEM administrators now have a way to keep low-criticality apps updated without chasing down binaries and readying them to deploy. Time saved (or at least, better spent elsewhere).