Recently, Google released an urgent fix for two severe vulnerabilities, including a new zero day, CVE-2019-13720, which enables remote code execution and has apparently already been spotted in exploits found in the wild.
Whenever a zero day and patch like this is announced, we get sympathetic anxiety because we remember the impact it had on us when we were managing computers. Fleetsmith was founded by former IT admins, so the existential dread of zero day patches is inscribed into our very bones. Your productivity for a whole day gets blown up as you figure out what parts of your fleet are affected, make a plan to update them, and try to carry it out. The agonizing decision—do you trust employees to update and risk some of them not doing it soon enough, or do you push the update yourself and deal with the fallout when your whole fleet restarts and you interrupt a bunch of people’s work? That nagging feeling that you missed something dogs you for weeks. No part of a major security patch is fun.
Making this process automatic was a major factor in the way we designed Fleetsmith, so we thought we’d take a minute to illustrate how it works, why we built it that way, and how this played out in our own Mac fleet. (Our own IT manager simply set an enforcement deadline and sent one company-wide Slack message.)
For apps like Chrome, which are managed through the Fleetsmith Catalog, we handle all aspects of testing, packaging, triage, and deployment automatically. Whenever there’s an update (including security patches), we quickly add them to the Catalog so that our customers can enforce the latest version. In this case, we had the Chrome 78.0.3904.87 patch up within a couple hours of the update dropping.
At that point, it’s simply a matter of choosing the new version from the Chrome page in the Fleetsmith Admin Console, clicking the enforce checkbox, and choosing an enforcement date.
One of the challenges with the way that updates are handled in many Apple MDMs is that they’re executed immediately when the device checks in, which is a bit of a wildcard—it could be anywhere from 30 minutes to a day depending on when the device is in use and its internet connectivity. That means you risk dumping employees out of something important if you just push an update immediately.
The usual procedure is to communicate out to the team with increasingly urgent emails, asking them to update on their own before a deadline, and then finally pushing the update yourself after a certain amount of time has elapsed. But this is a hassle, and it’s still not likely to prevent an angry ticket when you accidentally kill the 400 open Chrome tabs that one of your engineers swears are critical to their job.
Fleetsmith handles this all for you automatically. Once the version is enforced, it is downloaded and queued for install immediately across the device fleet. Most apps will update silently and automatically once they’re restarted, but users can also choose to do the update manually. Our agent will remind users about the update periodically, and then once the enforcement date hits, it will give them an opportunity to save work and then run the update itself.
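To make the enforcement model above concrete, here is an added example (not Fleetsmith's agent or Admin Console code) that models the decision a per-device agent makes for one enforced app version: compare the installed build against the enforced build, remind the user before the enforcement date, and force the install once the date has passed. The fixed Chrome build 78.0.3904.87 comes from the post; the host names, installed versions, enforcement deadline and the helper names are assumptions constructed for the example, and the three-way remind/force/compliant logic is a simplification of the behaviour described.

```python
from datetime import datetime, timezone
from typing import Dict, Iterable, Optional, Tuple

# Build that carries the CVE-2019-13720 fix (from the post).
FIXED_VERSION = "78.0.3904.87"

# Constructed enforcement deadline and two reference clocks (assumptions).
DEADLINE = datetime(2019, 11, 4, 9, 0, tzinfo=timezone.utc)
BEFORE_DEADLINE = datetime(2019, 11, 1, 12, 0, tzinfo=timezone.utc)
AFTER_DEADLINE = datetime(2019, 11, 5, 12, 0, tzinfo=timezone.utc)

# Constructed fleet inventory; None means Chrome is not installed on that host.
SAMPLE_INVENTORY = [
    {"host": "mac-01", "chrome_version": "78.0.3904.87"},   # exactly the fixed build
    {"host": "mac-02", "chrome_version": "78.0.3904.70"},   # one build short of the fix
    {"host": "mac-03", "chrome_version": "77.0.3865.120"},  # a major version behind
    {"host": "mac-04", "chrome_version": None},             # Chrome not installed
    {"host": "mac-05", "chrome_version": "78.0.3904.97"},   # newer than the fix
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version such as '78.0.3904.87' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed build is at or above the build carrying the fix.

    Tuple comparison is numeric per component (so 78.0.3904.97 > 78.0.3904.87,
    unlike a string compare) and a shorter prefix sorts before a longer one.
    """
    return parse_version(installed) >= parse_version(fixed)


def decide_action(installed: Optional[str], enforced: str,
                  deadline: datetime, now: datetime) -> str:
    """Decide what the agent should do for one device at time `now`.

    compliant      - installed build already satisfies the enforced version
    not-installed  - nothing to enforce on this host
    remind         - update is queued; nudge the user, let them install manually
    force-install  - deadline passed; prompt to save work, then run the update
    """
    if installed is None:
        return "not-installed"
    if is_patched(installed, enforced):
        return "compliant"
    if now < deadline:
        return "remind"
    return "force-install"


def fleet_report(inventory: Iterable[Dict[str, Optional[str]]], enforced: str,
                 deadline: datetime, now: datetime) -> Dict[str, str]:
    """Map each host in the inventory to the action the agent would take."""
    return {
        device["host"]: decide_action(device["chrome_version"], enforced, deadline, now)
        for device in inventory
    }


def summarize(report: Dict[str, str]) -> Dict[str, int]:
    """Count hosts per action, which is the number an admin checks before the deadline."""
    counts: Dict[str, int] = {}
    for action in report.values():
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    for label, now in (("before deadline", BEFORE_DEADLINE), ("after deadline", AFTER_DEADLINE)):
        report = fleet_report(SAMPLE_INVENTORY, FIXED_VERSION, DEADLINE, now)
        print(f"{label}: {summarize(report)}")
        for host, action in sorted(report.items()):
            print(f"  {host}: {action}")
```

Run before the deadline, the two unpatched hosts come back as `remind`; after it they flip to `force-install`, while the host with a build newer than the fix stays `compliant`, which is why the comparison must be numeric per component rather than a string match on the exact version.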
Here’s the Slack message our IT manager sent the Fleetsmith team about the Chrome zero day, which was the only proactive communication she had to do:
Thanks to this system, we were able to have everything completely patched within two days with a very high level of confidence, and IT only had to spend a few minutes thinking about it.