Apple @ Work is brought to you exclusively by Mosyle, Apple’s only unified platform. Mosyle is the only solution that integrates all the solutions needed to seamlessly and automatically deploy, manage and protect Apple devices at work into a single enterprise-grade platform. More than 45,000 organizations trust Mosyle to power millions of Apple devices effortlessly and affordably. Request your EXTENDED TRIAL today and understand why Mosyle is all you need to work with Apple.
Over the past few weeks, Mac admins I speak with have been talking about a report from Netskope Threat Labs regarding a new macOS ClickFix campaign. The campaign is a brilliant (and scary) piece of social engineering, and it highlights exactly why the traditional 90-day software update deferral window needs to be removed, either by Apple or IT.
About Apple @ Work: Bradley Chambers managed an enterprise IT network from 2009 to 2021. With his experience deploying and managing firewalls, switches, a mobile device management system, enterprise-grade Wi-Fi, thousands of Macs and thousands of iPads, Bradley will highlight how Apple IT managers deploy Apple devices, build networks to support them and train users, along with stories of IT management and ways Apple could improve its products for IT services.

The ClickFix threat
ClickFix is a tactic where attackers trick users into copying and pasting a malicious script directly into their Terminal application. They achieve this by using fake CAPTCHA screens or fake browser update alerts. Once the user pastes and runs the script, it deploys an AppleScript dialog box that looks exactly like a native macOS system prompt.

The prompt asks for the user’s password and loops indefinitely until the user provides it. There is no close button. Once the password is captured, the malware steals the entire macOS keychain database, as well as live session cookies from browsers like Safari and Chrome. Stealing live session cookies is the ultimate reward because it allows attackers to completely bypass multi-factor authentication.
Why delaying updates is a handicap
Apple is already fighting against this specific type of attack. In macOS Sequoia and macOS Tahoe 26.4, Apple introduced a native security warning for the device. This feature specifically disrupts ClickFix attacks by alerting users when they attempt to paste harmful commands from an untrusted source into Terminal.
This brings me to my main point. Historically, Apple allowed IT administrators to defer macOS updates for up to 90 days using their device management platform. For years, this was considered good IT practice. This gave teams time to test internal applications, verify compatibility and ensure smooth deployment across the entire fleet.
However, the threat landscape in the AI era is evolving too quickly for a three-month delay. If your organization defers updates for up to 90 days, your users won’t benefit from critical OS-level mitigations, like the new paste warning. For three whole months, your employees are vulnerable to social engineering attacks that the operating system could easily block if it were simply up to date.
9to5Mac’s point of view
Perhaps it’s time for Apple to rethink the management framework and officially reduce the maximum window for deferring software updates from 90 days to 45-30 days. The reality is that if a software company hasn’t updated its enterprise app to support a new version of macOS within 30 days of its release, you have a problem with the vendor, not Apple.
Even though Apple keeps the 90-day option available indefinitely, IT teams must manually tighten their internal policies. Enforcing a maximum deferral window of 30 days strikes the perfect balance between testing application compatibility and protecting business data from emerging threats. You simply can’t afford to leave your fleet exposed for a quarter of the year.
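One way to check existing policies against the 30-day ceiling argued for above is to audit exported configuration profiles. This is an added example, not part of the original article; it assumes an unsigned .mobileconfig, reads the deferral keys of Apple's Restrictions payload (com.apple.applicationaccess), and runs against a constructed sample profile with placeholder identifiers.

```python
import plistlib

# Restrictions payload (com.apple.applicationaccess) keys that hold a deferral in days.
DELAY_KEYS = (
    "enforcedSoftwareUpdateDelay",
    "enforcedSoftwareUpdateMajorOSDeferredInstallDelay",
    "enforcedSoftwareUpdateMinorOSDeferredInstallDelay",
    "enforcedSoftwareUpdateNonOSDeferredInstallDelay",
)

def audit_deferrals(profile_bytes, max_days=30):
    """Return [(payload_identifier, key, days)] for each deferral above max_days."""
    # Assumption: the profile is unsigned; a CMS-signed profile must be unwrapped first.
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        ident = payload.get("PayloadIdentifier", "<no identifier>")
        for key in DELAY_KEYS:
            days = payload.get(key)
            # bool is a subclass of int in Python, so exclude it explicitly.
            if isinstance(days, int) and not isinstance(days, bool) and days > max_days:
                findings.append((ident, key, days))
    return findings

# Constructed sample profile: a 90-day general deferral next to a 30-day major-OS deferral.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.updates",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.applicationaccess",
            "PayloadIdentifier": "com.example.updates.restrictions",
            "forceDelayedSoftwareUpdates": True,
            "enforcedSoftwareUpdateDelay": 90,
            "forceDelayedMajorSoftwareUpdates": True,
            "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": 30,
        },
        # Unrelated payload types are skipped by the audit.
        {"PayloadType": "com.apple.wifi.managed",
         "PayloadIdentifier": "com.example.updates.wifi"},
    ],
})

if __name__ == "__main__":
    for ident, key, days in audit_deferrals(SAMPLE_PROFILE):
        print(f"{ident}: {key} = {days} days exceeds the 30-day limit")
```
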
