macOS Automatic Updates

Hello All,

I’m hoping that someone else has managed to fix this issue. My company is experiencing issues with the automatic update feature on macOS. We are able to update the machines manually through the App Store; however, they are not even recognizing that an update is necessary in the Software Update tool in System Settings.

I have inspected the Web Insights for our Mac users and can’t find any errors or policy violations during the time that various users are trying to update, and I have added policies that, according to Apple, should allow us to update without problems.

Hi Chase, when did this start happening and have you opened a support case to have the team take a deeper look?

Hi Keith,

It has been occurring since the 11.4 updates, and yes, I have worked with support to attempt to resolve this, but they seem to be as lost as I am since there is no evidence of a policy violation in our logs.

Chase, have you been able to resolve this issue? We just noticed this is an issue for us as well. We just started pushing the client connector to our Macs.

We somewhat have a fix but have not fully solved the problem due to some environmental variables on our end…

Presently we are just directing our users to update their device manually via the App Store. For us, it’s a passable work-around because of some other rules that we have in place.

One thing to ensure is that all of Apple’s Software Update Servers are bypassing SSL inspection (the most common one being swcdn.apple[.]com), and are not being caught by any other policy. We thought we were doing this, but we had a conflict in our SSL inspection policy. You can test this by creating a policy for Apple URLs only, then moving it to the top of the list.

A hypothetical solution would be to self-host an Apple content cache on a local macOS server that is perhaps accessible via ZPA and configure your Macs to use that for updates.

Apple Filtering rules for Enterprise Networks:

Setting up a Content Cache:

I just confirmed we have this solved. We had to add .cdn-apple.com to our SSL inspection bypass policy.

Can confirm this worked for us as well. Zscaler should probably add this to the documentation about recommended SSL bypasses.
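
A way to verify the bypass discussed in this thread from an affected Mac, as an added example that is not part of any post above: the script reads the issuer of the certificate each host presents and reports whether it was re-signed by the inspecting proxy. It assumes the proxy's signing CA has "Zscaler" in its issuer name (override `PROXY_CA_PATTERN` for a custom root); the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread). Reports whether the TLS certificate a
# Mac receives for each Apple update host was re-signed by the inspecting proxy.
# Assumption: the proxy's signing CA has "Zscaler" in its issuer name; set
# PROXY_CA_PATTERN to your own CA's name if you use a custom root.
PROXY_CA_PATTERN="${PROXY_CA_PATTERN:-zscaler}"

# Print the issuer line of the leaf certificate presented for host $1.
issuer_of() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null
}

# Classify an issuer line: inspected, bypassed, or unreachable (empty line).
classify_issuer() {
    if [ -z "$1" ]; then
        echo unreachable
    elif printf '%s\n' "$1" | grep -qi -- "$PROXY_CA_PATTERN"; then
        echo inspected
    else
        echo bypassed
    fi
}

# Check every host given as an argument; return non-zero if any is not bypassed.
check_hosts() {
    rc=0
    for host in "$@"; do
        issuer=$(issuer_of "$host") || true
        verdict=$(classify_issuer "$issuer")
        printf '%-28s %-12s %s\n' "$host" "$verdict" "$issuer"
        [ "$verdict" = bypassed ] || rc=1
    done
    return "$rc"
}

# Run only when hosts are passed, e.g.: sh check_bypass.sh swcdn.apple.com
if [ "$#" -gt 0 ]; then
    check_hosts "$@"
fi
```

Pass swcdn.apple.com together with whichever cdn-apple.com hostnames show up in your own proxy logs; any host reported as `inspected` is still being caught by an SSL inspection rule ahead of the bypass.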