In the wake of the macOS High Sierra root access issue last week, four things were reinforced:
- No operating system is immune to security challenges
- Operating system and/or software providers must be quick to address security vulnerabilities and issue updates
- Device management, and specifically patch management, are no longer simply nice-to-haves
- Community forums, such as Jamf Nation and Slack, provide instant and valuable insight into how to resolve issues
Last week, a macOS High Sierra security vulnerability was discovered, which allowed a user or attacker to gain access to a Mac with default settings sans a password, provided the attacker had physical access to the device. This issue also allowed standard users who were already logged into a device to gain elevated privileges in System Preferences, access via a script, and most importantly at the Login Window.
Within 24 hours, Apple released a security update for High Sierra (HT208315), and went on to push the update to all applicable computers, automatically updating devices.
However, organizations can take action to remediate security vulnerabilities both before a global update is applied and when manual interaction is required to remediate the issue. Specifically, with a mobile device management (MDM) solution such as Jamf Pro, which leverages a binary in addition to MDM, you gain the following capabilities:
- The ability to write scripts and deploy them through policies to address interim settings/fixes while organizations wait for a fix from a software vendor.
- Patch notifications in order to know when a third-party patch is issued from the provider.
- Patch policies to automatically scope the patch to the computers that need it for speedy remediation.
- MDM commands — or the Jamf binary — to upgrade or update (when an operating system or software provider releases an update or upgrade). Whether patching critical software is done via a robust binary or a streamlined MDM command, vendors like Jamf empower IT to immediately push important updates to all end users and close security vulnerabilities before a system is compromised.
Apple provided a timely response and administrators could see their work in real time. And, while Apple responded swiftly, many organizations would prefer to not wait on another vendor to patch significant vulnerabilities. Thanks to communities like Jamf Nation and Slack, IT administrators often have the knowledge and, with a tool like Jamf Pro, the complete ability to execute a patch on their own terms and timelines.