May 4, 2023

Using Munki to “nudge” for Rapid Security Response updates (like 13.3.1 (a))

Posted on May 4, 2023 by alanysiu

For many MacAdmins, Nudge has been an amazing tool for bothering users to update their Macs to the latest patch. Apple threw a wrench in things by the way it implemented the 13.3.1 (a) Rapid Security Response update, so Nudge doesn’t currently (as of this writing) support Rapid Security Response updates.

There would be challenges to the user experience even if Nudge did implement support for Rapid Security Responses (at least the way Apple’s implemented them so far).

First of all, the 13.3.1 (a) update is available for only 13.3.1, so two (disruptive) reboots would be necessary for users on older versions. If you have users on 13.2.1 or 13.3, they’ll have to update to 13.3.1 first (that requires a reboot), and then they’ll have to update again to 13.3.1 (a) (another reboot).

Apart from the reboots being disruptive, they’re also a terrible user experience. Since 13.3.1 (a) won’t appear at all for users on older versions of macOS Ventura, if you Nudge people to update to 13.3.1 (a), they’ll see only 13.3.1, install the update, think they’ve updated, and then get confused as to why they’re being Nudge’d again for 13.3.1 (a).

On top of the user experience being terrible, 13.3.1 (a) isn’t even an actual version. Let’s take a look at how Apple sees this update:

ProductName: macOS
ProductVersion: 13.3.1
ProductVersionExtra: (a)
BuildVersion: 22E772610a

As you can see, the product version is not 13.3.1 (a) but still 13.3.1, and to get to the (a) part, you need to look at this new key, ProductVersionExtra, which is not part of the major OS version (13), the minor OS version (3), or the patch version (1). The “extra” part is its own thing.

If you have Munki, which doesn’t really support Apple updates, because Apple doesn’t properly support script-installing Apple updates, you can’t natively enforce this update. You can’t even stage a full installer, as Apple hasn’t released a full installer for 13.3.1 (a), only for 13.3.1.

You can, however, use a Munki nopkg to act like Nudge to prompt users on 13.3.1 to update to 13.3.1 (a). Here’s a sample Rapid Security Response nopkg (feel free to tweak further if necessary for your environment).