Creating Patch Job for Mac Assets

Before you go ahead with patch job creation for Mac assets, go through Managing Patch Jobs for Mac Assets, wherein the details about patch jobs for Windows assets are mentioned. 

Navigate to Jobs > Mac tab and then click Create Job.

Create Mac Job.

Complete the following steps to create a Mac deployment job:

1. Basic Information

2. Select Assets

3. Select Pre-actions

4. Select Patches

5. Select Post-actions

6. Schedule

7. Options

8. Job Access

9. Confirmation

Basic Information

Enter a job title and description, and click Next.

Mac Deployment Job Basic Information.

Select Assets

Refer to the following details, select the assets you want to apply patches to, and click Next.

i. Select assets or asset tags to which you want to apply the patches.

Want to add assets later? Go to the Assets tab and select one or more assets. Then, click Add to Existing Job or Add to New Job from the Quick Actions menu of a single asset or the Actions menu (bulk actions). Once you enable On-Demand or run-once (non-recurring) jobs, you cannot add assets later.

Note: Patches are deployed on the tags you select only for assets in the user's scope. The corresponding child tags are automatically selected when you select the asset tag.

- Select Any to include assets that have any of the selected tags.

- Select All to include only those assets in the patch deployment job with ALL the selected tags.

ii. (Optional) Select the Add Exclusion Assets checkbox to exclude specific assets from the deployment job.
Note: You can include and exclude a maximum of 50 assets from the job.

Mac deployment job - Select Assets step.

Note: Based on the selected options, the final list of assets is calculated taking into consideration included and excluded asset tags and included and excluded assets.

iii. (Optional) Select the Add Exclusion Asset Tags checkbox to exclude the assets from the deployment job with All/Any of the selected asset tags.

Note: You can include and exclude a maximum of 50 asset tags from a job. To understand how final assets are determined for a job, see Which Assets are Included in a Job.

Add Exclusion Assets.

Select Pre-actions

Select the Run Script pre-action and click Add. For more information, see About Pre-Actions and Post-Actions.

Select Patches

i.  Refer to the following details, select patches to apply to the assets, and click Next.

You can select one of the following patch selection options:

-  Manual Patch Selection

-  Automated Patch Selection

-  Patch Selection from Another Job

Manual Patch Selection:

After you select the Manual Patch Selection option, click the Select patches link to select patches. On the Patch Selector page, you can use the Within Scope option to view missing patches within the scope of the selected assets or all available patches. Select the desired patches, click Add to Job, and click Close. 

On the Select Patches pane of the deployment job wizard, click Available Patches if you want to add more patches to the job.

Manual Patch Selection for Mac Job

Automated Patch Selection: You can use the Qualys Query Language (QQL) to create criteria to automate the patches that need to be installed for a job based on vulnerabilities or patches. The query can be used for run-once and recurring jobs. You cannot use a combination of a QQL and Patch list to select patches added to a job. You must either create a job that is executed based on the query or choose the patches from the Patch List.

Click Preview to view available patches associated with assets and/or tags that can be added to the job.

Note:

-  You can use vulnerability tokens to create a QQL-based job only if you have a subscription to the VMDR app. You can use the RTI tokens only if you have an active subscription to the Threat Protection app.

-  During the automated patch selection, you can use the patches or vulnerabilities tokens individually or in combination.

Want to add patches later? Go to the Patches tab and select one or more patches. Then, click Add to Existing Job or Add to New Job from the Quick Actions menu of a single patch or the Actions menu (bulk actions). Once you enable On-Demand or run-once (non-recurring) jobs, you cannot add patches later.

You can add patches but not target assets or asset tags when you modify a patch job using the Add to Existing Job option from the Patches tab. To apply patches to an asset that is not added to the job, you can choose one of the following approaches:

1) Edit an existing job from the Jobs tab

2) Select the asset from the Assets tab and use the Add to Existing Job option

3) Create a new patch job for that asset.

Note: You can add a maximum of 2000 patches to a single job. Create another job to add patches above 2000. You can run the scheduled job daily, weekly, or monthly.

Automate Patch Selection for Mac

Patch Selection from Another Job: After you select the Patch Selection from Another Job option, click the Select the job to fetch patches link. From the Select Job window, select the job from whose latest run you want to fetch the patches, and click Apply.

Patch Selection from another Mac job

Note:

- After you select and apply the job from whose latest run you want to fetch the patches, its run cycle details, such as the previous run and the next run, are shown. The run cycle details are not shown for Run Once and On-Demand jobs or for jobs with the Disabled status.

- If the selected job has unresolved patches, no patches will be fetched for the job that you create. Also, when you view the job progress of the job that you created, the status will be shown as 'No patch available'.

Run cycle details for Mac job

After selecting the required patches by using the options that are explained, click Next.

Select Post-actions

Select the Run Script post-action and click Add. For more information, see About Pre-Actions and Post-Actions.

Schedule

Refer to the following details, complete the job schedule settings, and click Next.

i. Choose when to install the patches, whether On-Demand or Schedule.

- The On-Demand option lets you install the patches immediately once the job is created and enabled.

- The Schedule option allows you to install the patches at a set time. You can run the scheduled job daily, weekly, or monthly.

For more information, see Schedule Job Settings.

Monthly jobs that are scheduled to run on the 31st of the month will be scheduled every two months (where the 31st is available). You can instead schedule the job to run on the last day of the month, which ensures that the job runs on the last day irrespective of whether the month has 28, 30, or 31 days.

ii. (Optional) To configure a Patch Window, click Set Duration.

A Patch Window is used to enforce time-bound execution. The Patch Window can be set from 30 minutes to 168 hours (10080 minutes).
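The following added example (not part of the product or its documentation) compares a monthly job pinned to the 31st with one set to the last day of the month, and checks a Patch Window duration against the range stated above. It assumes the scheduler skips any month that lacks the chosen date; the function names and the sample year are hypothetical.

```python
import calendar
from datetime import date

# Limits stated on this page for the Patch Window, in minutes.
PATCH_WINDOW_MIN = 30
PATCH_WINDOW_MAX = 10080  # 168 hours


def monthly_runs(year, day=None, last_day=False):
    """Dates on which a monthly job fires during `year`.

    day=N models "run on the Nth": months that lack that date are skipped
    (assumed scheduler behaviour). last_day=True models "last day of the month".
    """
    if not last_day and (day is None or not 1 <= day <= 31):
        raise ValueError("day must be 1..31 unless last_day=True")
    runs = []
    for month in range(1, 13):
        days_in_month = calendar.monthrange(year, month)[1]
        if last_day:
            runs.append(date(year, month, days_in_month))
        elif day <= days_in_month:
            runs.append(date(year, month, day))
    return runs


def longest_gap_days(runs):
    """Longest stretch, in days, between two consecutive runs."""
    return max((b - a).days for a, b in zip(runs, runs[1:]))


def patch_window_ok(minutes):
    """True if the duration fits the documented Patch Window range."""
    return PATCH_WINDOW_MIN <= minutes <= PATCH_WINDOW_MAX


if __name__ == "__main__":
    year = 2025  # constructed sample year
    on_31st = monthly_runs(year, day=31)
    on_last = monthly_runs(year, last_day=True)
    print("31st    :", [d.strftime("%b") for d in on_31st],
          "longest gap", longest_gap_days(on_31st), "days")
    print("last day:", [d.strftime("%b") for d in on_last],
          "longest gap", longest_gap_days(on_last), "days")
    print("window 168h ok:", patch_window_ok(168 * 60))
```

The longest gap between runs is the figure to watch: it is the longest time a missing patch can wait for the next scheduled deployment.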

Schedule Deployment

Options

Configure the communication options by referring to the following details on how to notify users about the patch deployment, and click Next.

- Deployment Messages

- Request for Credentials

- Notification Settings

- Additional Job Settings

Deployment Messages

Configure the Deployment and Reboot Communication Options, configure notification settings, and click Next. For more information, see Configuring Reboot Settings for Mac Deployment Jobs.

Note: The macOS deployment messages are available on the UI if you have the Mac agent binary version 4.30.0 and later for Intel and 4.40.0 and later for ARM.

Deployment and Reboot Communication Options - Mac Job.

Request for Credentials

You can go through the details provided in the Request for Credentials section and decide whether to clear the Save User Credentials checkbox. Note that the Save User Credentials checkbox is selected by default.

-  When the Mac ARM OS update is pushed to the user's machine, a message will be shown about entering credentials to start with the OS update. 

-  When the checkbox is selected, the user credentials will be saved and used for all the runs of the current job being created and for other jobs where this checkbox is selected.

-  When the check box is cleared, the user credentials will not be saved, and the user will be required to enter the credentials for every Mac ARM OS update.

Note: The expected behavior of saving user credentials for Mac ARM OS updates will work only if you have the Agent binary version 5.5.0.x or later.

-  If you clone the job, revisit the Save User Credentials setting to decide whether to save the credentials. 

-  If you edit the job before it is enabled,  revisit the Save User Credentials settings.

Notification Settings

You can choose to send email notifications to the intended recipients for events such as a job starting or a job completing. You can enter a maximum of 50 email addresses. Distribution lists are not supported.

Note:
-  For a recurring job, if the email notification is configured, you will receive the email notification once per day for the job run. If the same recurring job is edited and scheduled again for the same day, you will not receive the email notification again on that day.

-  The job completion email is sent after the job is sent to all agents, considering all agent timezones, and after the job completion criterion is met. When this is implemented, the email notifications might get impacted for that day.

See the examples of the 'Patch Job Started' and 'Patch Job Completed' email notifications, respectively.

Additional Job Settings

i. Turn the Download Patches from the Internal Repository toggle to On to allow cloud agents to download the patches from the internal repository server.

ii. Select the name of the internal repository server from the Select Name list. The URL associated with the server is auto-populated. Note that you can add only one internal repository server.

Note: You can enable this setting only if the Download Patches from the Internal Repository Subscription-level setting is enabled and the internal repository server and URL are entered. For more information, see the "Enabling Download Patches from the Internal Repository" section from the Subscription Level Settings topic. 

When the job is created, you can see the internal repository details from the Options tab on the Job Details page.

Internal repository server details - Mac Options tab.

Job Access

Choose Co-Authors for this job and click Next. The co-authors can perform job actions based on their permissions, such as editing the job.

Mac Job Access

Confirmation

Review your selections, and choose to Save or Save & Enable the job.

Note that the SuperUser or Administrator can change the job status (enable/disable), delete and edit the job.

- When you click Save, the job is saved, and its status is DISABLED. You can enable it later. 

To run a job in the DISABLED state, you must enable it. To enable it, go to the Jobs tab and click Enable from the Quick Actions menu of a job.

- When you click Save & Enable, the job is saved and ENABLED. This option is available only when you create a job for the first time, not when you edit the job.

Choose the Save & Enable option only when you are confident that the job is correctly configured, because the job is enabled immediately and is in a ready-to-execute state.

Note:

You can use the Disable option to temporarily disable a scheduled job. Later, at your convenience, you can re-enable the job.

On-demand or run-once (nonrecurring) jobs cannot be edited or disabled once enabled.

See Enabling or Disabling Jobs
