How to Patch Mac App Store Apps with LANDESK Patch’s Manual Definitions


Patching OS X applications can be quite the adventure. Due to digital rights management, Apple IDs and user agreements, not all content found inside Apple’s Mac App Store for OS X is available for redistribution by LANDESK. This white paper discusses how an application installer found in the Mac App Store (MAS) can be captured and used to patch applications deployed on your OS X devices.


LANDESK has a team of engineers that write content for many of the common applications in use on the OS X platform.  This content can be downloaded by anyone with a LANDESK Patch Manager or LANDESK Security Suite license.  However, unless the application is patched by Apple’s update servers, the content provided by LANDESK will have a “manual” appended to the title of the definition file.

This “manual” indication in the title is to inform you that LANDESK cannot redistribute the content for that particular object. In order to do more than just detection for that vulnerability, the application will need to be manually downloaded.  By reviewing the Description tab on the Properties panel, you’ll find the note: “The patches for these applications should be downloaded from the Apple network by the LANDESK administrator. The respective patches should then be compressed into individual packages for each patch and named as *-version.zip (for example, Pages-5.0.zip). The last step would be to copy the zip package to the path \\coreservername\ldlogon\patch” or wherever your patch repository is located.



The LANDESK administrator will need to have access to an OS X device that has purchased the application that is intended to be patched, but that does not have the application currently installed. A VM set aside just for downloading apps may be an efficient method for the ongoing patch process.

Enable Debug Mode for the Mac App Store (MAS)

When an application is downloaded from the MAS, the installer file is downloaded, executed and then promptly removed.  By enabling debug mode for the MAS, we can create a link to the downloaded installer(s) allowing for future use on more than just the machine currently downloading the app.

  1. Quit the Mac App Store if currently opened
  2. Open Terminal and run the command ‘defaults write com.apple.appstore ShowDebugMenu -bool true’


Note: To disable debug mode, use the following command: ‘defaults write com.apple.appstore ShowDebugMenu -bool false’

Download the Installer for the App to be Patched

Once debug mode is enabled, it is possible to capture the downloaded installer file for later use in patching.

  1. Launch the App Store App (notice you should now have a Debug menu item) and navigate to the Purchased tab.  Sign in if prompted.
  2. Select the app to be patched and click Install
  3. Once the download shows visible progress, hit the pause button
  4. From the Debug menu, select the option Show Download Folder
  5. Finder will open and you’ll need to navigate inside the com.apple.appstore folder
  6. Locate the folder named with a string of numbers (this should be your app) and navigate inside of it


You now need to create a hard link between the randomly named download and the file name and path where you want to store the installer. Do this by opening Terminal and using the ‘ln’ command followed by the path of the installer from the Mac App Store and then the path where you want to save your copy of the installer that won’t be deleted as soon as . The easiest way to enter the path of the randomly named installer is to drag and drop it into Terminal after typing ‘ln’.

  1. Launch Terminal and type ‘ln /path/to/macappstore.pkg /path/to/savedinstaller.pkg’
  2. Return to the Mac App Store purchased tab and resume the download
  3. When the installation for your app finishes, you’ll have a signed installer from Apple to use to update your fleet of Mac devices
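
The hard-link step above, as an added example that is not part of the original white paper: it links every .pkg under a download folder into a save folder and checks that both names share one inode, which is why the saved copy survives when the App Store deletes its download. The function names, folder names and sample files are assumptions constructed for the demonstration, and ln only succeeds when both paths are on the same volume.

```shell
#!/bin/sh
# Added example, not from the original article. link_installers and the
# folder names used in the demo are hypothetical.

# inode_of FILE: print the file's inode number (ls -i is POSIX).
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# link_installers DOWNLOAD_DIR SAVE_DIR: hard-link each .pkg, print the count.
link_installers() {
    src_dir=$1
    dest_dir=$2
    linked=0
    mkdir -p "$dest_dir" || return 1
    list=$(mktemp) || return 1
    find "$src_dir" -type f -name '*.pkg' > "$list"
    while IFS= read -r pkg; do
        target="$dest_dir/$(basename "$pkg")"
        if [ -e "$target" ]; then
            continue                      # never overwrite a saved installer
        fi
        # Plain ln (no -s) adds a second name for the same inode. It fails
        # when DOWNLOAD_DIR and SAVE_DIR are on different volumes.
        if ln "$pkg" "$target" 2>/dev/null &&
           [ "$(inode_of "$pkg")" = "$(inode_of "$target")" ]; then
            linked=$((linked + 1))
        else
            echo "could not hard-link $pkg" >&2
        fi
    done < "$list"
    rm -f "$list"
    echo "$linked"
}

# Demo on constructed files standing in for a paused App Store download.
demo=$(mktemp -d)
mkdir -p "$demo/com.apple.appstore/123456789"
echo 'constructed installer' > "$demo/com.apple.appstore/123456789/download.pkg"
echo "linked: $(link_installers "$demo/com.apple.appstore" "$demo/saved")"
rm -rf "$demo/com.apple.appstore"   # the store removes its download folder
ls -l "$demo/saved"                 # the saved name still holds the data
rm -rf "$demo"
```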

Automating for Multiple Concurrent Downloads

If the manual linking process described above seems a bit burdensome when you need to download many applications, Max Schlapfer has created a script that not only automates the creation of the hard links but can also download multiple files at once. To download Max’s AppStoreExtract script, see https://github.com/maxschlapfer. These next steps are not requisite; if you have the installers you need to patch, skip forward to Configuring the Output Installers for LANDESK Patch.

Note: You do not need the Debug mode enabled for the Mac App Store, as outlined above, for this script to work.

  1. Download Max’s script from GitHub and extract it to a folder location of choice
  2. Open Terminal and execute the script by typing in ‘./path/to/script/AppStoreExtract.sh’ and hitting Return
    1. Note: Do not run this script as root.
  3. Launch the App Store App and navigate to the Purchased tab.  Sign in if prompted.
  4. Click Install on all of the apps you want to create installers for and wait for them to complete the install process
  5. When the installation process has finished, return to the Terminal window and hit any key to finish the script.  When asked to finalize the packages, type Y.
  6. The script will name the output files according to the product and version and then convert them to DMG files and store them in the /Users/Shared/AppStore_Packages folder

Configuring the Output Installers for LANDESK Patch

There is a good chance that LANDESK has already created the definitions needed to properly detect and repair the application of choice; you simply need to zip up the installer and name it according to what the definition file expects. Refer to the description tab for each piece of content for specifics, but in general, you’ll want to name the zip file productname-version.zip. If LANDESK has not already created the content, feel free to reach out to your local support representative and request that the content be generated. Alternatively, you can create your own custom definitions. See https://community.landesk.com/support/docs/DOC-6041 for more information on creating your own vulnerability definitions.

  1. Rename each installer according to productname-version.zip as defined in the definition file.  Make sure artifacts such as .dmg or .pkg are removed from the zip file name, as well as any underscores “_” where LANDESK patch content may be expecting a dash “-”.  If you want to verify you have properly named your installer, go to the properties panel for the detection rule within the vulnerability definition and highlight the Patch Information menu tree item. The Unique Filename provided will tell you the exact name it is expecting.
  2. Copy the installers to your LANDESK patch repository
    1. Typically, the path to the LANDESK patch repository will be \\coreservername\ldlogon\patch.  However, this can be changed by an administrator.  If you’re unsure, go to the Patch and Compliance tool within the console and hit the Download Updates icon from the tool’s menu bar.  From there, click on the Patch location tab and validate your UNC path.
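
One way to script the naming step above (an added example, not LANDESK's or the article's own code): derive the zip name from the installer file name, refuse to build it unless it matches the Unique Filename shown in the definition, then zip the installer. The function names and the sample name Pages_5.0.dmg are constructed for illustration; the expected name must be copied from the Patch Information panel.

```shell
#!/bin/sh
# Added example, not from the original article. patch_zip_name and
# stage_installer are hypothetical helper names.

# patch_zip_name INSTALLER: print productname-version.zip for the installer.
patch_zip_name() {
    base=$(basename "$1")
    case "$base" in
        *.dmg|*.pkg|*.zip) base=${base%.*} ;;   # drop the installer extension
    esac
    # Underscores become dashes; the comparison in stage_installer catches
    # any definition that expects something else.
    base=$(printf '%s' "$base" | tr '_' '-')
    printf '%s.zip\n' "$base"
}

# stage_installer INSTALLER UNIQUE_FILENAME OUT_DIR
# Builds OUT_DIR/UNIQUE_FILENAME only when the derived name matches the
# Unique Filename from the definition; prints the path of the zip.
stage_installer() {
    installer=$1
    expected=$2
    out_dir=$3
    name=$(patch_zip_name "$installer")
    if [ "$name" != "$expected" ]; then
        echo "name mismatch: built '$name', definition expects '$expected'" >&2
        return 1
    fi
    mkdir -p "$out_dir" || return 1
    # -j stores the installer without its directory path, -q keeps zip quiet
    zip -q -j "$out_dir/$name" "$installer" || return 1
    printf '%s\n' "$out_dir/$name"
}

# Constructed sample name, matching the article's Pages-5.0.zip example.
patch_zip_name "Pages_5.0.dmg"
```

A mismatch returns non-zero before anything is written, so a wrongly named package never reaches the folder you copy to the patch repository.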

Note:  The individual patch content will not show as downloaded until the next scheduled patch download or until you manually attempt to download the patch.  At that point, it will see the file and change the status to yes.

Repair Your OS X Devices Using LANDESK Patch

Now that you have the installers for your content, you can repair your devices by either scheduling a repair task or by setting the content to be repaired by Autofix.


  1. Open the Patch and Compliance tool within the LANDESK console
  2. Ensure your desired content is in the Scan folder
  3. Right click on the definition and select Autofix > Enable global autofix or Enable autofix for all scopes.
    1. If you prefer to only enable autofix for a couple of scopes, go to the properties panel, select the Autofix tab and check the boxes for the desired scopes.

For more information on Autofix, see: https://community.landesk.com/support/docs/DOC-33690

Scheduled Repair

  1. Open the Patch and Compliance tool within the LANDESK console
  2. Ensure your desired content is in the Scan folder
  3. Right click on the definition and select Repair
  4. From the Add targets select on the Repair settings task panel, select Add all affected computers
  5. In the Tasks settings panel, set your desired Task type.
  6. Ensure the Display in portal option for the portal settings panel is set to Run automatically (unless you want your users to update their own apps)
  7. Schedule the task to start when desired from the Schedule task panel
  8. Save the task


For additional information on how to use LANDESK Patch Manager, see: https://community.landesk.com/support/docs/DOC-32250
