• MystikIncarnate
    link
    fedilink
    English
    arrow-up
    1
    ·
    10 months ago

    Given that the op is taking about an apple device, Apple has made their own mobile device management system (MDM) for their devices. Within that MDM you may, or may not be able to set that updates are automatically approved. I’m not certain as I have limited experience with their MDM. I have used it in the past, but only a very small amount, and never in-depth enough to deal with how that MDM handles updates, or what options are available.

    I know from my experience with other remote monitoring and management systems that you can often, especially with Windows, specify some clarifications of updates to automatically approve, or do so manually. It is up to the administrator. You can set the approvals to be automatic for all updates too… Or, when doing manual updates, you can approve updates for a group of computers, or one computer, or all computers. I imagine much of this is also available from Apple’s MDM.

    The approval only gives the end user the ability to install the update. Due to the disruptive nature of updates, it is generally up to the end user to finish the process at their convenience. Updates usually involve a system restart, so the thinking is to allow the user to pick when specifically to install it, to minimize disruption to their work.

    Some organizations with the IT resources to do so, will approve a batch of updates to a group of test devices (usually the IT staff, if there’s no pool of devices that are dedicated to testing), where all applications are run through testing after the update. These unit tests, if you will, are usually designed to give an idea if the update has caused any issues with the software that the users need to use. Not all organisations have the resources to do this, and usually rely on third party testing (usually reports from companies that do this sort of testing, or complaints from the public), and will simply approve the update after a duration of time after it has been available for more than a week or month without complaint.

    Every organization is different in this respect.

    At the same time, the monitors that inform the notification system may not be aware of the approval status of the update and simply see that an update is released, and that the user does not have it installed. This may be an issue with reporting (eg. The update is installed and it’s working with outdated information), or it could be any number of other factors.

    It’s likely that the MDM and update monitoring are done by completely unrelated systems, unaware of what the other is doing, or what has been set.

    In the A scenario, going into the MDM and setting automatic approval would fix the problem. By the time the monitoring solution is reporting and notifying the users about an update, it is available to them.

    The B scenario, on the other hand, may not even be possible, as it relies on a link from the monitoring system into the MDM to know if an update is approved. If such a system has the ability to set which version all users should be updated to, then when the update is approved, then the version of software that should be expected on the device can be set to a minimum level and notify the users if they are below that level.

    The unit tests are usually done by hand, so the outcome can be evaluated immediately. Rather than rely on an automated system for testing, which may not recognise that a failure has occurred if it is an unknown or unexpected error.

    Yes, B is preferred, but not always possible. Often with MDM, you cannot exempt a single system from MDM control for updates, depending on the platform, so usually approval is a required step, hence A being an alternative approach.