New Apple RSR Flaw Blocks MDM Functionality on macOS Devices

Addigy, which provides management solutions for Apple devices, today warned that Apple’s new Rapid Security Response (RSR) updates aren’t being delivered to as many as 25 percent of macOS devices in managed environments, and that the failure to do so is also impacting mobile device management (MDM) stacks on those devices.

RSR updates are new – the first batch was delivered at the beginning of this month. As Apple explained in a recent support document describing the updates, “They deliver important security improvements between software updates – for example, improvements to the Safari web browser, the WebKit framework stack, or other critical system libraries. They may also be used to mitigate some security issues more quickly, such as issues that might have been exploited or reported to exist ‘in the wild.'”

Because RSR updates are focused solely on urgent security patches, it makes sense to install them as quickly as possible. While they can be disabled, they’re delivered and applied automatically by default.

Although there was an install issue discussed on Reddit earlier this month when the first RSR updates was released, the problem Addigy describes appears to be both more persistent and more complex.

Stuck Updates and Unresponsive MDM

By checking customer environments in which its clients have macOS and iOS devices under management, Addigy found that some macOS devices end up in a “stuck” state in which the RSR update is delivered but never installed.

“More concerningly, there is no way for IT departments to know which machines are not implementing RSR updates without manually inspecting each machine and enabling the update,” Addigy warned today.

Critically, the stuck state also impacts the MDM stack on the affected device. “Addigy discovered the RSR wasn’t being implemented after finding that the MDM client binary gets stuck after executing the OSUpdateScan command and stops communicating with the Apple MDM Framework that Addigy follows,” the company said.

“If the MDM client on the device is unresponsive, necessary MDM actions are delayed, leading to potential security vulnerabilities in this critical RSR case,” the company added.

One in Four macOS Devices

According to Addigy, the issue affects only macOS devices, not iPhones or iPads, and impacts a quarter of all MDM-managed macOS environments. “As a result, all MDM vendors and customers are encouraged to audit their environments to ensure the critical RSR update is making its way onto every eligible machine under management,” the company said.

In response, Addigy has released a new MDM Watchdog utility that monitors the MDM framework on devices for the stuck condition described above and automatically fixes any in which it’s discovered.

“The stuck state condition we discovered within our customers’ environments affects one out of every four devices, so the impact to macOS environments in any enterprise is likely the same,” Addigy CEO Jason Dettbarn said in a statement.

Learn more about enterprise mobility management (EMM) and unified endpoint management (UEM) solutions