
Apple @ Work: Why the ClickFix campaign means it is time to kill the 90 day update deferral – 9to5Mac

Editorial Staff
Last updated: May 23, 2026 8:20 pm

Apple @ Work is exclusively brought to you by Mosyle, the only Apple Unified Platform. Mosyle is the only solution that integrates in a single professional grade platform all the solutions necessary to seamlessly and automatically deploy, manage, and protect Apple devices at work. Over 45,000 organizations trust Mosyle to make millions of Apple devices work ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.
Over the past few weeks, the Mac admins I talk with have been discussing a report from Netskope Threat Labs regarding a new macOS ClickFix campaign. The campaign is a brilliant (and scary) piece of social engineering, and it highlights exactly why the traditional 90-day software update deferral window needs to be retired, either by Apple or by IT.
About Apple @ Work: Bradley Chambers managed an enterprise IT network from 2009 to 2021. Through his experience deploying and managing firewalls, switches, a mobile device management system, enterprise-grade Wi-Fi, 1000s of Macs, and 1000s of iPads, Bradley will highlight ways in which Apple IT managers deploy Apple devices, build networks to support them, train users, stories from the trenches of IT management, and ways Apple could improve its products for IT departments.
ClickFix is a tactic where attackers trick users into copying and pasting a malicious script directly into their Terminal app. They achieve this using fake CAPTCHA screens or fake browser update alerts. Once the user pastes and runs the script, it deploys an AppleScript dialog box that looks exactly like a native macOS system prompt.
The prompt asks for the user’s password and loops infinitely until the user provides it. There is no close button. Once the password is captured, the malware steals the entire macOS Keychain database, along with live session cookies from browsers such as Safari and Chrome. Stealing live session cookies is the ultimate prize because it allows attackers to bypass multi-factor authentication completely.
Apple is already fighting back against this specific attack type. In macOS Sequoia and macOS Tahoe 26.4, Apple introduced a native Terminal security warning. This feature specifically disrupts ClickFix attacks by alerting users when they attempt to paste harmful commands from an untrusted source into Terminal.
This brings me to my main point. Historically, Apple has allowed IT administrators to defer macOS updates for up to 90 days using their device management platform. For years, this was considered an IT best practice. It gave teams time to test internal apps, verify compatibility, and ensure a smooth rollout across the fleet.
However, the threat landscape in the age of AI is moving too fast for a three-month delay. If your organization is deferring updates for the maximum of 90 days, your users are missing out on critical OS-level mitigations like the new Terminal paste warning. For three entire months, your employees are vulnerable to social engineering attacks that the operating system could easily block if it were simply up to date.
It might be time for Apple to rethink the management framework and formally reduce the maximum software update deferral window from 90 days to between 30 and 45 days. The reality is that if a software vendor has not updated their enterprise app to support a new version of macOS within 30 days of release, you have a vendor problem, not an Apple problem.
Even if Apple keeps the 90-day option available indefinitely, IT teams need to manually tighten their internal policies. Enforcing a 30-day maximum deferral window strikes the perfect balance between testing application compatibility and protecting corporate data from emerging threats. You simply cannot afford to leave your fleet exposed for a quarter of the year.
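One way to check exported configuration profiles against a 30-day ceiling, as an added example that is not from the original article or from Apple. The key names are those of Apple's Restrictions payload (`com.apple.applicationaccess`) and do not appear in the article; the sample profiles and the `com.example` identifiers are constructed.

```python
import plistlib

# Restrictions-payload deferral keys and the flag that activates each one.
DEFERRAL_KEYS = {
    "enforcedSoftwareUpdateDelay": "forceDelayedSoftwareUpdates",
    "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": "forceDelayedMajorSoftwareUpdates",
    "enforcedSoftwareUpdateMinorOSDeferredInstallDelay": "forceDelayedSoftwareUpdates",
    "enforcedSoftwareUpdateNonOSDeferredInstallDelay": "forceDelayedAppSoftwareUpdates",
}

def audit_profile(profile_bytes, max_days=30):
    """Return (payload_id, key, days) for each active deferral above max_days."""
    # plistlib reads unsigned profiles only; strip the CMS signature first if signed.
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key, flag in DEFERRAL_KEYS.items():
            days = payload.get(key)
            # A delay value only takes effect when its force flag is true.
            if isinstance(days, int) and payload.get(flag) is True and days > max_days:
                findings.append((payload.get("PayloadIdentifier", "?"), key, days))
    return findings

def make_profile(major, minor, force_major=True, force_minor=True):
    """Build a constructed sample profile (not taken from any real fleet)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.updates",
        "PayloadContent": [{
            "PayloadType": "com.apple.applicationaccess",
            "PayloadIdentifier": "com.example.updates.restrictions",
            "forceDelayedMajorSoftwareUpdates": force_major,
            "forceDelayedSoftwareUpdates": force_minor,
            "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": major,
            "enforcedSoftwareUpdateMinorOSDeferredInstallDelay": minor,
        }],
    })

WEAK = make_profile(major=90, minor=90)   # the 90-day maximum discussed above
TIGHT = make_profile(major=30, minor=14)  # constructed policy within a 30-day ceiling

if __name__ == "__main__":
    for name, blob in (("weak", WEAK), ("tight", TIGHT)):
        print(name, audit_profile(blob))
```

A delay key whose force flag is false is not reported, since the deferral is not in effect on the device.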
Bradley has worked at K-12 independent schools for much of the last 20 years, serving as the head of the information technology department and leading classroom technology integration. He’s well-versed in enterprise Wi-Fi, macOS and iOS system management, school technology, and SaaS tools.