macOS App Management with Prebuilt Apps
Alrighty. Hello, everyone. Thank you for joining the prebuilt apps webinar here. So just going into the next slide here. Yeah. So we’re gonna talk about the nitty gritty and, the high level, who, what, when, where, why, behind prebuilt apps, and just generally how can you kinda be a master behind macOS management in general? And, before we get started, I’m just gonna introduce us. So, my name is Mikaela. I’m a product manager here at Addigy. I’ve worked here for three, going on four years now, working on the product. I work on a lot of the identity and end user solutions. And, Selena here is a senior product manager who’s also been in Addigy, who also previously worked at Jamf and is on the Mac admins podcast as well and heavily integrated in with the Mac admins community. And prebuilt apps, VPP, you know, MDM, DDM, that is her cup of tea. She also does, like, a lot of tea. But, all jokes aside, yeah, let’s go ahead and dive in. So in general, just as a reminder, to put all the questions in the q and a. That way, they don’t get buried in the chats. So first, we are just gonna go high level, talking about prebuilt apps. What is it? Why does it matter? And then we’ll talk about policy, catalog, and go live, what it looks like on the admin side, things to consider, all the meat and potatoes there. And then we will, talk about, the end user experience, self-service, prompting. And then we have some best practices, tips, and tricks, and then a little sneak peek as to what we’re working on next. And then finally, we’ll wrap up with q and a. So why does why Prebuilt apps? Why does it matter? I’m sure you’ve all felt this, one time or another. You know, setting up software packages repeatedly, and another version, you know, comes out shortly after, and you have to go in and manually update it. But also, you know, when a a security, patch gets dropped and there’s a vulnerability, you know, companies don’t want to leave their, organizations exposed. 
But the longer, you leave that, update, then, you know, you’re leaving the company exposed. And then also you have user disruption. You know, we’ve seen some admins where they manually go and update devices on a Saturday or Sunday when everyone’s off, or we also see them go into Addigy and manually update them one by one, you know, via smart software or using public library. And so, overall, we saw an opportunity. And so for those of you who don’t know what, prebuilt apps are, they’re a collection of ready to deploy vendor verifying software packages, with Addigy’s device, with Addigy’s touch. And yeah. So instead of having to install those macOS applications one by one, we’ve tried to make it as seamless and as easy as possible, but still giving you the flexibility and options that you need, with a good end user experience. But, yeah, I I’m gonna hand it off to Selena to dive into it more. Yeah. So prebuilt apps has a lot of features that we’re gonna kinda we’re gonna dive into a lot of these throughout the next few slides, but just kinda add an overview. Prebuilt apps has, the latest and auto updates, so you have a setting where you can say, hey. Deploy the latest app and keep it up to date for me, you know, so you don’t have to think about it. There is a lot of scheduling options for when do you want prebuilt apps to run. You can control the prompt frequency of how often do you want your end users to see the prompts for prebuilt apps. This is the prompts to make them update or inform them that there is an update. There is days to delay auto update by. So if a new version of an app comes out today, maybe you don’t wanna press, like, day zero updates out your whole fleet because you’re not sure how stable it is, you know, especially if it’s a mission critical application. So this kind of allows you to define how many days to delay an auto update. So how many days before the auto update appears on your policy and starts actually pushing out to all of your users. 
We also have update only, which is a setting where we look at all the apps that are on the device. And if the app is there, we’re gonna keep it up to date, but we’re not gonna enforce those updates. So we’re not gonna, like, install them if they’re missing. That’s really good for things like browsers or for apps that you may not actually be managing in your environment, things like Spotify or, like, Discord, you know, apps that end users typically have, but maybe don’t maybe you’re not managing it as, like, a central IT. We do include some MDM profiles. There is an asterisk. We are working very hard on getting all of the PPPC profiles. However, if there is a system extension or profile like that, we do have those all upload uploaded and included. Typical to Addigy, prebuilt apps has policy inheritance, but untypical to Addigy and something new that we introduced was inheritance override. So you could have settings and follow the typical inheritance that you usually expect for everything else in Addigy. However, with prebuilt apps, because it’s so customizable and there are so many things that you can do within your environment and there’s so many scenarios, we really, really try to focus on creating the most flexible and extensible solution here so you can actually override what is being inherited, and I’ll kinda give you an example of what that looks like in a few slides. But, basically, we are aiming to provide a set it and forget it type management. I know I’m doing my job well if you set this up and you never look at this page again. Ideally, you only go back there if new apps are added to the catalog that you’ve requested or you wanna manage, things like that. The less you touch this page, the better I’m doing is kind of the metric that I’m looking for. So today, there are a hundred and sixty five apps in the catalog. The catalog is continuously growing. I believe we just shipped another batch of apps last week. 
The way to check out what apps are being added is usually in our Mac admin Slack, we’ll post the batch of apps that are there, and the releases page shows every new app update. So if a new version of an app comes out, the releases page is gonna be your friend. The catalog has been growing with help from our customers. If you are using prebuilt apps and there’s an application in your environment that you would like to see in the catalog, let us know. There is in app product feedback that goes to my email, or you can email us directly at product at dot com. There’s gonna be a little bit of a competition between me and Mikaela on who’s gonna be able to say that email the most. All feedback for anything Addigy, including prebuilt apps, product at Addigy.com. That will email all of us. It’s the best way to get our attention. And the in app product feedback as well also falls not just to us, but to also folks from other teams internally at Addigy. You can also talk to your customer success manager, but those are the two ways that well, email me directly. Some requirements and requests that we have and to make your request go faster is if you have a direct download link, that would be great. Please provide that. That saves us a lot of time and make sure that it’s an app that we can even have. Sometimes these app downloads live behind login paywalls, and those are things that we unfortunately can’t support because we don’t have access to those installers. The app must be publicly available, so outside of the Mac App Store. I’ve gotten requests in the past of apps that only live in the Mac App Store, things like the Windows app, for example. Those ones we are not able to support. Those will have to be deployed using Apple apps, so buying licenses in your Apple Business or Apple School Manager and deploying them through MDM. The auto updates work for MDM within reason, and that’s unfortunately the only way. 
And we also can’t have any license keys or any special installation scripts. So if you have something where it needs to be activated during an installation script upon install, stuff like that are not things that we’re able to support. These are typically things like antivirus and stuff like that where you have to, like, pass on a license file or something like that. I do wanna highlight this known issue. We are working on the PPPC profiles. They’re being added continuously. New app versions may temporarily lack profiles. It’s something that we’re working really hard on. And when we release these profiles per app, it’s something that we’re also gonna ask for your help. A lot of these dialogue pop ups don’t appear unless the user’s actually using the app. And at a hundred and sixty five apps, we’re not using every single app internally here at Addigy. You know? Our catalog’s not that big. So if you notice pop ups, let us know. We’re not gonna blanket allow everything in the PPPC profile for obvious reasons. We’re gonna try to give it the minimum required permissions, but that may not be something that we’re always perfect on. So if you do ever see a pop up and we are providing a PPPC profile, do file feedback. Let us know. Reach out to support, your success manager, and we will try to get those fixed. But for now, we are working hard on it, and it will come in future versions. So prebuilt apps is in a lot of places. I’m gonna kinda go over some general settings and a few of those places where it lives. The first one is in go live. So this is a device’s go live page. Under the software tab, there is a new tab called prebuilt apps. This is for one off deployments. This will only install the latest version of the app that is available in our catalog. You cannot install an older version. We typically assume the newest version is the most secure version, so we’re not really allowing via go live any of those previous versions. 
This will also install the MDM profiles associated with the app if there are any. It’s important to note that this is not going to actually keep your apps up to date. This is literally a one time we’re gonna install it here because you requested it. It could be useful because maybe your end user needs Adobe Acrobat right now, and for reason, they don’t have it or, like, a one off of, like, you have someone experimenting with Figma, but you don’t really wanna package it or push it out any other way. You can do that here. Just keep in mind, you should manage your updates through a policy. Everywhere where prebuilt apps lives, there is this view app details button, and this is a really important feature that tells you everything you need to know about the app. We have it split down by version details. So if you click the version details, it defaults to the latest. All every available version that’s in the catalog is here, and it includes information like the description, if there’s any release notes associated with it. It’s important before you add new apps to check out if there are release notes. We usually have release notes for a reason. Not every app has release notes, though. That is important. It also has information such as, like, the minimum OS if you know, make sure that that this app can even run on the OS. We have information about the architecture. And I didn’t have it in the screenshot, but you can, like, scroll down and see things about, like, what MDM profiles are included, what the installation script looks like, what the condition script looks like, if there is an uninstall script. Most apps, the only apps that have uninstall scripts are the Tahoe or the the OS blockers. Everything else doesn’t have an uninstall script, but this will tell you everything you need to know about the app that we have. We try to be very transparent about what we’re doing, what the package name is, all of the scripts we’re writing, things like that. 
So important things to know. Now prebuilt apps also lives in the catalog. The catalog looks a little bit different than it does in the policy or go live. Here, we have these tiles. And what’s actually really nice about these tiles is we can show more from these tiles in a single page than you can in the policy, and, also, they just look pretty nice. The catalog is great for seeing on a whole what you have configured in your environment. So if you notice here, 1Password has a policy assigned to it. You can see what the assignments are and what the settings are for an app across your whole environment. You can also assign a single app to many policies using the catalog. So that’s an important thing to remember. If you wanna make a change to one app across everything, it’s best to do it from the catalog. When we talk a little bit later about policy, that’s many apps to a single policy. That’s how those two workflows kinda break out. So if you click into an app here in the catalog, you also get a list of assignments if there are any. So here is an example of Discord. I have assigned to quite a few policies and some things about the inheritance and the inheritance override. Here in this example for the football fans, in the Women’s Super League, there is Chelsea, which is inheriting its Discord prebuilt app settings from the Women’s Super League policy. So that’s why it has that checkbox with, like, kind of the transparent background. If you hover over it, it says inherited from parent. But London City Lionesses, the new team on the block, they have their own settings. So this could be something is different about what they have configured. It could be the app version. It could be whether it’s set to update only or not, or it could be, you know, the enforcement update. There’s a few things that can be configured that is unique from what is being pushed from the Women’s Super League overall. 
Once you look at these assignments, you can either use the next button in the lower right or go to the settings tab, and you can see what those settings actually are. And here, you can tell I made a change to the policies in the previous one, and my screenshots don’t quite match up. So instead of London City Lionesses, I have Arsenal. Here are the settings that is configured, and you could see they’re different. Arsenal is using not using update only. So they’re enforcing Discord on all of their devices. They have it set to latest and auto update, and the enforced update is fourteen days. So what this means is the app the end user has fourteen days to update their application themselves. And if that fourteen day deadline hits, that app is gonna close, and it’s gonna auto update. We’re gonna talk a little bit more about how prebuilt apps works on the back end, but, basically, the end user this enforced update is how many days before this app is force updated. If the prebuilt apps runs and it runs with the policy here, it will check to see if the app is closed. If the app is closed, it’s gonna update. And if the app is open, we’re gonna prompt the end user for however many days until this deadline comes. Once this deadline comes, the app will close. The end user will get a notification, but it will close, update, and reopen. Here, Women’s Super League, they’re pushing a specific version of Discord, and they have seven days. If you want to see just new assignments, there’s a toggle in the top right there. And if you want to mass update settings, so say you wanna set everything to five days for enforced update, you can do that in the top right. There’s the set all update. That drop down will set everything to whatever you choose. And if you wanna just toggle on or off the update only, that’s in the top left above the little policy tag. 
We do that to kinda save you some clicks and to set things in mass, especially for people who are usually pushing out the same things across all of their policies, maybe for different customers or things like that. Next, this is the policy. So this is the policy overview. And if you remember, I said in the catalog, the catalog was a way to update one app across many policies. If you wanna update many apps in a single policy, this is the way you do it. So the whole catalog lives here in software prebuilt apps, and you can choose a few different apps. Without anything in your policy, you can still see what the latest version is in our catalog. It’s just grayed out. And when things are configured, which we’ll show a little bit later, you’ll see whether there’s an update only or enforced update, what settings you have at a glance. This is similar to everything else. You have that all drop down. You can see things not in policy, in policy, and you can search the catalog from here. The other important thing to note in this screenshot is whether you have a deployment window. So here in the top right, I have a deployment window. We’re using device local time, so apps can update or install between four PM and nine AM. So it’s an overnight schedule. We’re gonna talk a little bit more about settings and go into details about them, but I wanted to show this is what the overview looks like and if you have that configured. The other thing to note here is that helpful feedback button that I mentioned that does email us. So I went and I chose a bunch of apps, and I hit add to policy. And this is the modal that you get. You can configure all of the settings for the apps. So for things like Alfred, I chose a specific version, five point seven. However, if you notice compared to Claude, Claude has a specific version, and it says latest. If it’s the latest version, it will say latest. 
And if it is a version that is not the latest, it will show just nothing, just the version that you’re pushing. This is only gonna push out that specific version of those apps. If a new version comes out for Claude or for Alfred, we are not gonna update the policy. This is just the specific you’re putting a pinned version for whatever reason. The rest of them are set to latest and auto update. So what this means is the policy is gonna grab whatever the latest version is. And when a new version comes out, we’re going to update that on the policy so you don’t have to think about it. We have update only. So what update only is doing is it’s saying, hey. Is this app on the device? It is. Great. We’re gonna update it. And if it’s not on the device, we’re not gonna install it. So for some apps like 1Password, it could be a critical app that you need everyone to be using. You have that update only turned off, and that means it will force install 1Password on everyone. If the end user deletes it or it’s not there for whatever reason, when Prebuilt apps checks, we’re going to install it. However, for things like browsers, like Brave, Firefox, and Chrome in this example, you know, I don’t really care what browser people are using. I just care that it’s up to date. The enforce update is how long until the user has before the app is force updated. I recommend people kinda think about their security posture and what they’re comfortable with. And also think about, like, how often are these apps actually updated by the developer. So things like Chrome are always coming out with new updates. I feel like there’s a new Chrome update every few days. However, things like maybe 1Password may not be as aggressive in their update schedule as a developer. Here, I have an example of 1Password. It’s set to three days. You know, it’s a critical app. It’s holding all the passwords for my company, so I wanna make sure that that’s not out of date for too long. 
So the end user, this app was gonna update three days after it gets added to the policy. So the end user has three days to update it on their own, or it will close and update and not be out of date, be patched. For other apps, I don’t really care about, maybe Claude or Figma. You know, they can use they have up to two weeks before the app is force updated. And for Firefox, I have five days. This is actually what Addigy uses internally. And for Chrome, I’m using next deployment, and next deployment is really aggressive. And I caution people about using it. It is super helpful. If you have an app that you need to update today, this app will update. If you push next deployment so say Chrome has a critical security vulnerability in the previous version and you need to fix that now. Like, it is actively being exploited in everyone. You don’t care what they’re doing. They need to update and be on the latest app. That’s where next deployment’s gonna help you. What it does is the next time this policy runs, that app, if it’s out of date, is gonna update. The end user can’t defer it. There is nothing they can do. If the app is open, they’ll get a little pop up saying, hey. This app is out of date. Needs to be updated. The app will close, update, and then reopen. So it’s a tool that’s there. It’s kind of a hammer, but it is perhaps useful for it. The other thing here, like, the catalog before, you also have the toggle update only for all of the things. You can toggle on or off, or you can also, like, set the enforced update to the same date across the board. This kinda just saves you from needing to check all the boxes or needing to go to the drop down. If you’re just trying to set everything to a single value, we make that fairly easy, especially if you’re trying to add all hundred and sixty five apps to your policy at once. You don’t wanna click update only a hundred and sixty five times. The other so this is my policy that is configured. 
I’ve added those apps in the previous example, and notice there is some tags. So there’s a lot going on here. We’re gonna kinda break it down. So 1Password has the latest. This means that we set this dot version, and it is the latest version. Alfred has no tags. It’s neither the latest nor is it set to auto update. In Brave Browser, we set to latest and auto update. So the latest is being pushed on the policy, this version, and auto update is enabled. This version that you see on the policy is what is actually being deployed by the policy. So the idea is that it’s just trying to give you, like, a quick glance of, hey. Is the latest of whatever app being deployed, and do I have auto update? If you have auto update, the tag here, we show you. Yes. You have auto update. You don’t have to think about it. But for whatever reason, maybe you’re pushing a specific dot version of an app like Alfred. It’s not the latest version. There are new versions in the catalog. We have update only. If you have that box checked, it shows green here that it’s true. This means the app, if it’s there, it’s gonna be updated. And the enforce days. So how many days before this app is forcefully updated with the new release? The other thing here that is a little bit different and something that is unique to prebuilt apps is this little briefcase icon. You should recognize it, the in parent one, if you’re doing anything else in Addigy, and that’s our normal inheritance of, hey. This app setting is actually coming from the parent. We introduce something new with this briefcase icon with the line crossed out. So that’s a visual indicator that there is a parent level policy that has settings for this app, and these settings are different. We also give the option to override the parent. So say, okay. Cool. This setting is coming from my parent policy, but I’m not really happy with what it set. I want this child policy to have something different. 
You can hit that override, set whatever settings you want. If you don’t wanna override any longer, maybe whatever that one off case is, you wanna get back into with normal inheritance, you can remove it from here too. So that’s kind of the two different views of how to see inheritance and inheritance override. If you’re looking overall on a whole of, like, what you have configured in your environment. The catalog gives you a much nicer view and easier to kinda change things. But if you’re in a policy and you’re curious about what’s happening, that’s kinda what those two icons are meant to show. In the catalog where you can see what things are inheriting or overriding, we have this icon. The briefcase icon everyone should be familiar with. That means the app is being inherited from the parent, and you can see where that parent is. If you are overriding the parent, though, that briefcase icon will have a little cross through it. And you can go and you can remove the local override or you can override it. So if you’re in the policy itself, you can see, and you can control what’s happening if you want it to go back to. And the request email is product at Addigy dot com. I saw that in the chat. So fine tuning your deployments. There is a few things that you might wanna think about. It’s always a balance with your end users of, like, you wanna make sure your apps are patched, but you don’t wanna be bothering your end users all the time, especially with some apps like Chrome, for example, that updates regularly. I know there are others that put out multiple updates a week. Chrome is just the one that I think us and everyone else likes to pick on. There is update only. So maybe you don’t wanna force installation on all the devices. Your end users, you know, have choice in certain things, and you don’t really wanna say you need this app. 
But you wanna kinda get a handle on some of that, like, shadow IT stuff that’s happening of, like, people installing things that you may not be controlling, but you know people are using. Things like Spotify, Discord, a lot of the AI tools, like ChatGPT, things like that of, like, maybe you’re not pushing that, but you still wanna make sure if users are using it, that they’re not using outdated versions. Enforcing your updates, we give people up to two weeks to do it. That’s the longest you can set the setting for. But it’s something to think about of for critical updates, you know, for apps that are are vital, maybe you wanna think about when do you want how long do you want this to to happen? Can they be on an older version? It’s it’s something to think about with your security team. It’s something to think about on your applications as well. I can’t really give you what the best practices is because it all depends on your environment and kinda your own policies and what apps you’re using. There’s also an update schedule. So you can actually stop when prebuilt apps is running and set it to only run on specific days and times. And we really recommend if you are using a schedule to use device local time. So what this means is there’s a schedule that you can set and say, okay. I only want prebuilt apps to do anything between, say, four PM to nine AM. Run overnight. If your computers are online or you catch people at the beginning of their day, at their end of their day, you know, those tend to be good times to to do updates. Device local time is important, especially for people like me. I work at Addigy. Addigy is based in Miami, and I am not in the Miami time zone. So device local time means that it’s gonna run at four PM to nine AM for me in central, or if I’m happening if I’m in the UK or something like that, it’s happening in that time zone. I’m not getting random pop ups in the middle of my day because Miami time is set to one thing. 
The other thing that I like to point out is having, like, days to delay the auto update set to and having, like, a buffer. So something that that I see works really well with a lot of our customers is they have a subset of their their end users that are, like, beta testers or people like me who run I’m running the latest Apple beta for for twenty six two right now, my production machine, and doing this webinar. You know? I get the latest and greatest immediately, and I kinda am like the smoke tester of, hey. Is is our critical apps, are they secure? Are they functioning? And is there no breaking changes in here? And then once you’re happy with those beta testers, it’s been working for, say, five days, then the rest of the company can get it. So you can kinda have these testing windows with your internal IT team to run, you know, the day zero releases before you roll it out to the rest of your company. Those enforced update times are based on when that app was added to your policy, not when that app came out. So that’s a pretty important thing to think about as well. These settings that I was just talking about, this is what it looks like. This is in a policy view, and this is actually a screenshot of what Addigy uses. So we are managed my Mac is managed by Addigy. It’s managed by Pans who is on this call and in the q and a and and all of our Mac admins. I’m sure many of you have interacted with him. And this is what we we run. I see prebuilt apps. It’s being used on my machine. I am getting all the pop ups and notifications that all of you are seeing as well, and this is what we have set up internally. So we have an update schedule using device local time between seven PM and nine AM. These times are in twenty four hours, so our European friends will be happy with that, and our American friends may need to think a little bit about math in twenty four hour time zone as we’re not quite as used to it. It can run overnight like this start and stop time. 
The thing to note with this is if you are using an installation, the installation won’t happen outside of this. So if you are onboarding new devices, make sure that’s in a separate app that has an update schedule that makes sense. Maybe that’s a reason where you wanna put a dot version and not have latest and auto update. I have seen customers do that too where they have two different policies. One for onboarding new devices, dropping things on it, and then another one where apps are being kept up to date. Days for the auto update to be delayed by. So Addigy is gonna wait two days before adding a newly updated software version to the policy deployment. So if a new version of Chrome comes out today, it won’t be added to the policy for two days, and then that will start going out to your fleet. And then how often to prompt the end user to close the app? So every time the prebuilt apps runs, if the app is closed, we’re gonna update it. Nobody sees anything. If the app is open, we’ll prompt the end user and say, hey. You have an update available. Do you wanna do this now or defer? You can do that every four hours or every eight hours. We chose these times because we were thinking once in a workday or twice in a workday. Typically, people are working eight hour workdays, not always, but that was kind of the thought process behind it. So this is what we use at Addigy. If you have questions about what the feedback has been internally with us using it, you know, post them in the q and a. I’m sure Pans would be happy to tell you whether we’ve been complaining a lot or not. I personally have had a really good experience with these settings until I play Dungeons and Dragons on my work machine, which starts at seven PM, and then my Brave browser needs to be updated. So that’s always when it hits me. Important things to know is prebuilt apps will never downgrade an application. It’s just we don’t do it. We assume the latest version is the most secure. 
We’re not gonna say, oh, in your policy, you have an older version, and there’s a new version installed on the machine. We’re not gonna downgrade it to that older version. Removing a prebuilt app from the policy doesn’t uninstall the app from the devices. This is true for everything but the macOS blockers. The macOS blockers do have an uninstall script with them, so those do uninstall. But actual apps so if you have an issue and apps are disappearing off your device, it’s not prebuilt apps causing it. Zero day releases, you can always go and push out the latest and do that next deployment. We work very quickly internally to try to get the new critical app update out there for everyone to update it immediately and to get it out the door so every you can push it to your end users. That next deployment is kind of the time that you would wanna use that. You know, it’s a little bit of a hammer, but it will update your fleet immediately. Something to also keep in mind is your app update philosophy. What are you using to keep your apps up to date? I recommend everyone choose a workflow and stick with it. And I promise I won’t be offended if that workflow is not prebuilt apps. Some people love using the built in auto update things, like the helper tools. Anyone who uses Slack or Postman or Firefox, Brave also has one. Those are the apps that I see it the most on personally because those are apps that I use. They get this little helper tool pop up that’s asking for the user’s password, and that’s the built in auto update mechanism in a lot of those apps. We recommend if you’re using prebuilt apps to keep your apps up to date, to disable those helper tool pop ups because it can cause user confusion or, in the case of Firefox, it can actually break the download. Firefox helper tool is really aggressive, and so we have seen cases where the app itself gets corrupted. These MDM profiles, I really recommend iMazing. 
You can upload them to Addigy and push them out. We’ll talk a little bit later about some forward looking things, but those are pretty nice to know, and we do recommend. We do that internally. We suppress those helper tools because they can cause problems, and also just end users are constantly being prompted. The Microsoft auto updater is another one that comes to mind. And we have some customers that prefer to just use these helper tools to keep things up to date. That’s perfectly acceptable. I just recommend just choosing one and not muddying the waters because your end users are gonna be prompted a lot then. So, again, I promise my feelings won’t be hurt if you don’t wanna use prebuilt apps to keep yourself up to date. So I’m gonna pass it over to Mikaela to talk a little bit about that end user experience. And I’m completely biased with the end user experience as most of you who have spoken to me know. I’m very passionate about it. And, yeah, just get your emails ready, product at Addigy, just as a reminder going through this. So if there’s something you don’t like, email us, or submit that feedback. So, overall, I did see in the chat, you know, a few questions about how the prompting actually works for, prebuilt apps. So, just to go, you know, through the entire process here. So first, we evaluate to see whether the conditions actually allow a silent update. So if the device is in an update schedule, so if you’ve set that and the app is not currently running, the update will install quietly in the background. So if it’s within that schedule and the app is not currently running, then it will silently update in the background with no, end user disruption. So they won’t get a prompt. If the app is open, the user receives a sixty second, notification indicating that the app needs to be updated. Now, you know, if, I’ll get more into, like, the branding and what it looks like actually in the slide right after this. 
So, and then after that, the user can have the option of update now. If you, depending upon how many deferrals you send, that’s then when they would see that defer button. And then, if they don’t click update, it’s actually going to auto defer, and take no action at that point. So our overall goal here, just to highlight, is minimal end user disruption. So, we obviously don’t want anything to happen there. So, that’s a lot of kinda, like, the decision making, that was happening behind the scenes on our side. And then, of course, you do have that clear enforcement deadline. So, basically, after that first prompt and once you reach that enforcement deadline, it has that time stamp of when it will be enforced, then users will actually be informed, and then, we will go ahead and push that out. By default, the frequency, for prompts is every eight hours just so everyone is aware. And here, just like what I was talking about, you actually have the prompts. So you have the default prompts, the default branding where you see the Addigy teal, icon. That is actually the MacManage icon, itself. And so if you do not have your self-service configuration branded, then you will see that default icon. If you do have, the self-service icon branding in place, that is specifically the icons file that has to be uploaded. I know that there’s three different places in the self-service configuration, but I’m specifically talking about the app icon itself. That is what we use, to put, in that place, as you can see, the little building icon. And then, going to the next slide, here, after the latest release of self-service, we actually introduced prebuilt apps. So, just wanted to show you here where we’re pulling a lot of the information from. That way if you have any questions, you know exactly where to look for it. So, as you can see on the left hand side, the prebuilt apps details, You can see a category option. It’s the second line and a description option. 
And then you also see the version details and all that good stuff. That is specifically what self-service is pulling from. So if you notice now, those app categories are actually pulling from prebuilt apps app categories. That’s not something that you need to set. It’s by default, categorized. And, also, that version is in place. And then as you can see, the description and the icon, also appear. Our goal with this was to make it blend in with the other assets so that your end users don’t necessarily know if it’s, you know, public library approval apps. You’re just able to provide them a clean solution. We did update the status tracking on this as well. So when you do click install, it does go queued very briefly. That’s just submitting the request. And then it goes downloading, installing, and then installed. If anything if any disruptions happen, it will go back to install, to allow you to attempt again, and you can see that in the activity section of self-service. And, yeah, that’s that’s pretty much it on, the high level, self-service. But going to the next slide here, I did wanna show, probably the most important takeaway from the end user experience, I cannot recommend this enough, is if you are wanting to provide your end users a place where they can, in between deferrals, go update their applications, I highly recommend you set up and provide those same apps that you have deployed through the policy in self-service because self-service only, it only allows you to apply, the latest version application in prebuilt apps. So we don’t let you pick a specific version. We only apply the latest version. And so with that, every single time that the application is opened, aka MacManage in this case, we check to see if there is an update. So anytime that there is, a latest version, that end user can be proactive and actually go manually update it themselves, potentially reducing the amount of pop ups they have. 
We’ve seen a few user a few companies overall, you know, set practices in place where they are now teaching their employees to go to self-service to actually go ahead and update it if they don’t wanna receive those notifications. So highly, highly, highly recommend this. And moving on to the next topic here. So, we did add, a little Easter egg for everyone, in our dashboards and reporting. So if you go to dashboards on the left hand side and then you click new and then search for prebuilt apps, you will see three new widgets containing, different, you know, information on prebuilt apps. You can see how often, updates are occurring, if they were deferred, if they weren’t. You know, if there’s something else that you guys are wanting to see, if anything’s confusing, recommendations, product, feature requests, please, again, email us at product at Addigy or submit that product feedback. We are really wanting, feedback, around, you know, the dashboards and reporting, and we just wanna know what you wanna see. Alrighty. The exciting part. Again, I’m biased here just being a product manager. So, moving forward with prebuilt apps, we do have a couple things that, we are looking into, anything that’s actually, currently in progress right now. So we are currently working on introducing prebuilt apps in Addigy Assist. It’s going to look almost the same, as any other application asset, you know, just like public library, smart software, it’s going to look the same to the end user. But you still have the option to show or hide those applications. You don’t have to show them everything. But that is something that’s currently in progress, and, we should have that out to you in the beginning of q one. And keep an eye on the, events, or not events, status dot Addigy dot com, and that’s where we’ll, publish the notice for this. So keep an eye there. And then, also, you will see it pop up in the Mac admins, Slack channel with the release notes as well when that is officially out. 
And then, Selena and myself, we are busy doing some discovery work in the team. We’re constantly seeing as to how we can, improve this. So one thing that we’re looking at is consolidating all of those pop ups, those notifications when those users are leaving those applications open. You know, they’re receiving, they can receive a couple of them at a time or a few. So, we are looking to see how we can consolidate that and make that experience very clean. Again, if there’s something in particular you would like to see, product at Addigy. We’re also looking at separating the apps, specifically the apps that need to be updated into a separate tab in self-service. This includes Apple apps and also prebuilt apps. So everything can be shown to the end user, and they can go ahead and update them all at once. Also, like Selena was talking about earlier, suppressing the helper tools and, again, just preventing the, end user any sort of end user disruption or pop ups that occur with those, we are looking into that. Also, updating the end user notification UI. So as I was talking about with the branding, with the Addigy branding and also the, custom branding, we’ve definitely heard your feedback around that and, how you guys want it to look macOS native. So we are, in discovery with that and looking into that. There’s no official timelines with any of these just as a disclaimer, but as we know more, we will share that. And then also respecting do not disturb. So with those pop ups that do occur, being able to potentially check for if they are in a focus mode or not. That way, we just prevent any sort of disruptions. And then also improve reporting that goes across our platform, if that’s from, you know, deployment statuses, event histories, also in the dashboards like I was talking about earlier. Again, we really need your feedback here. Please let us know what you would like to see. And, yeah, now before we, dive into our q and a, I’m going to, submit a poll. 
But as we, get lined up here and as you guys are answering, Selena and I will take a look at the q and a and see which questions we’re about to answer. Alright. Busy q and a, which I kind of expected, which is why we have a little bit of extra help here on the call. Well, I’m just gonna go down the list and see what we have. Do you plan to include the option to add a config to the application? I guess with that one, I have a little bit more questions for it is when I think of configurations, I think of managed app configurations, which is an MDM thing where you can deploy specific, like, key value pairs or sometimes there’s arrays or the other ones, but certain things to configure notification along with the install application. Right now, we don’t have plans to add any type of MDM profile where you can control a lot of those things, mainly because that can get overwhelming pretty quickly, especially with some apps. Like, I know the browsers, for example, have really extensive plists that can be managed. For anything like that where you wanna have, like, really tight control over the application configurations, I recommend using iMazing. iMazing is a great free tool out there that you can create MDM profiles and set any settings. And something that iMazing does is they include a lot of the macOS application plist settings that can be configured and set by MDM. That’s completely outside of, like, what the Apple MDM spec has. Right? It’s just a plist on the machine, a preference list. So that’s something that I recommend doing if you wanna get super granular with it. If you look at iMazing and you look at some of those applications, you can see what I mean about how it would get really overwhelming really quickly and keeping on top of new features and preference keys that are added. So that would be my answer. I know too I’ve seen a few in the q and a about how do I create the helper tool, MDM profiles, and where do they live. 
Right now, we don’t have them built into the Addigy platform mainly because it’s third party apps preferences. We historically haven’t included MDM profile options because it gets really overwhelming very quickly keeping on top of a lot of that. iMazing is the best place to go if you don’t know where to. They have a whole list of Mac apps and things like that that you can choose and configure and see everything you can configure. It’s kind of fun to see all the things you can configure for your end users too. But in there, you’re gonna look for auto updates, enable auto updates, and make sure that is unchecked and sending that out. There’s also a KB that some people have written specifically for Slack as well. The next one, since many apps run in the background and receive frequent updates, the number of update notifications can get overwhelming. Yes. I agree. Is it possible to have more control over how these app notifications are displayed? This is probably my biggest thing that I want to work on, and I’m still a little bit in discovery with it with the team. We use prebuilt apps internally, and I know exactly what you mean. I never close any of my apps because I am the worst end user in the world, which is also why I beta test things because if it’s gonna break, it’s gonna break with me because I’m the world’s first end user. I don’t close anything. And so it does get a little overwhelming when seven o’clock hits and that update schedule, and I am playing D and D, and then I get, like, ten pop ups. So I wanna work on consolidating those to a single pop up and redirecting people either to, like, a menu bar application or to self-service to say, like, alright. You control what updates, so it’s only a single pop up. And in that time too, I know there was a feature request in the chat from Ross about giving the option to not have any end user pop ups. 
I kinda wanna get that work done first to make sure everyone has a place for end users to go and update the apps if you’re not using self-service. So we don’t have a solution yet today, but I am painfully aware of it. Are we able to delay updates to say wait fourteen days then enforce after three? So the maximum today to delay the auto updates is seven days and then fourteen days on top of that. Once you have your apps three weeks out of date for some applications, it’s not a problem. Like, I think Parallels doesn’t update too often. But for things like browsers, if you’re three weeks out of date, you’re forever gonna be out of date. You’re never gonna be in date. Because when we’re enforcing the auto update, it’s gonna be that version that’s on the policy. So your end users are just constantly gonna have pop ups. So when you’re thinking about those enforcement dates, I would really recommend looking at how often those apps actually update. I believe internally at Addigy and Pons can tell me otherwise, we set everything to five days we have just across the board for every app to update. And that, I think, keeps us in general compliance, but that’s kind of the decision that we’ve made. So my answer is you can’t delay it fourteen days. You can delay it seven for it to update on the policy. Is there a way to make the preferences not use twenty four hour time? Honestly, we chose twenty four hour time to stop people from making the mistake of AM and PM and having disastrous results. I know that was one of the reasons why I changed all of my phone to twenty four hours because I set an alarm wrong for PM when it was supposed to be AM and slept through a meeting. So we don’t have any plans now to not use twenty four hours. But if this is a really heated request, definitely have people email product at Addigy. I’m kinda curious how many people absolutely hate that. Yeah. This looks like a Mikaela one. Yeah. 
So when you add a, prebuilt app to self-service, where are the update settings for this method? So, basically, we handle all of that for you. There’s no extra setting that you have to enable. You go to the and just so everyone knows, where we’re talking about, you go to the self-service tab in the policy. And then under the Mac tab, you will see a new prebuilt apps asset tab there. And then within that, you can check and, pick and choose generally what you would like, to show to your end user and what options you wanna provide them. And then the application itself will actually handle, checking to see if there’s an app that’s needed. That’s also why we only allow you to, you know, pick the latest version. So, basically, when there is a new version pushed out, self-service will then, know that there is a new version and it doesn’t match, what’s required. So then we will go ahead and present the update button. So, yeah, if there’s any other feature requests, again, let us know. Alright. We need to be able to edit the info about an update. It would be nice if that was a bit more clear, bigger eye button, etcetera. Or it would be great if when you click that install button, they first get info about it, and then they have to confirm an install. I assume that’s a self-service thing. Yeah. Definitely sounds like self-service here, Tim. So if there’s, I think I know what you’re talking about of how you want the, pop up to appear first. Go ahead and, definitely email us after if there’s certain workflows. We are looking to make it more flexible with the, pop ups in general because the prebuilt apps, pop ups, those notifications are using MacManage custom notifications. So it’s essentially that that we’d be making modifications to, but we also wanna make sure that users feel like it’s native, and it doesn’t look like, you know, something foreign or malicious or anything like that. So, yeah, definitely interested to hear your feedback there. Perhaps in the client system. 
Tim, I think that might have been a response to someone else. If there’s a place to add if there are apps on a client system that are not updating. But this actually does bring me to an interesting point that we sometimes get support requests on. Prebuilt apps only checks the main applications folder, not the user applications folder. Best practices in general for macOS management is to not install any apps in the user’s folder. Do it at the main applications folder. So that if you see things kinda weird, the apps not picking it up, that’s definitely something of where is it installed at and then moving it out of the user folder and into the main system applications folder. For respecting do not disturb, is there a max time that we’ll ignore that to ensure a user doesn’t have do not disturb on all the time to defer updates indefinitely? Mikaela, do you wanna take that one, or I can take a stab? Yeah. I mean, I think that if there’s something in particular that you are looking for, like I said earlier, this is in discovery. So we are currently researching this, seeing how to, how we can best go about implementing this. Basically, again, we would be implementing some sort of do not disturb potential check on the, MacManage custom notifications. That way, folks can also use that for other workflows outside of prebuilt apps. But if there’s something in particular that we’d like, we definitely are interested to hear your thoughts there. Is there a public facing list of apps and prebuilt apps that I can grab and share with our end users? Not yet. I know. We’ve been waiting on it. We just went through a big website redesign. So if you haven’t seen, addigy dot com is now, like, super pretty and beautiful. It’s got a new face on it. So we were kind of waiting for that work to be done before we could, you know, update. We didn’t wanna update it on the old website and then, you know, go through with the new website. So it’s something that’s still pretty high on our list. 
I’ll actually follow up with our team with where we are with this. It is in the portal, which I know is not very helpful if you’re trying to share it with your end users. So noted. Tim, I also think this one I saw earlier, you mentioned you had pop ups that, if I recall, you had the prebuilt apps MacManage pop ups, and then you had some Apple pop ups. I’m not actually sure where the Apple pop ups might be coming from. I wonder if it’s, like, the app’s auto update. We don’t use the Apple native notifications that you’ll get in, like, the top right notification center. So some other thing is doing that, and it’s probably the app itself, potentially. I do hear about wanting the prompt to be I can never say this word, editable. Edit to be able to edit the prompt. That’s also on my list when we’re looking at redoing and consolidating those prompts. I really wanna spend some time making it customizable and more than just the logo. So I hear that feedback. Hopefully, that answered or I think you had a follow-up too of question earlier about that. Let’s see. I’m still unclear. I do monthly updates to my clients at a scheduled reserve time after hours. So the devices are left online and logged in to the user accounts with all the apps that are being used still open. I wanna use prebuilt apps instead of public software library, but I need the updates to happen during my reserve time. Is there not an option to force the apps to close so the update can happen without me? Yes. So prebuilt apps, if you have a schedule set, I recommend in your case having a schedule set so things are after hours. You set that latest and auto update. That’s the biggest thing over public software library. And for anyone who is using public software library, that will be going away. I don’t have an exact date for you, but I would expect sometime next year or q one, q two next year, end of q one. 
But latest and auto update, have that set in your policy, have an update schedule, and then the days to enforce update. What that means is when you hit that days to enforce update, when that time passes, say you have it set to three days or four days, that app is gonna close regardless of whether it’s open or not and update. They’ll get that pop up that we showed earlier, but that could be a way to do it. The other thing you could have is you could set everything to the next deployment and really, really make sure you have that schedule set, or you could manually deploy the app. There’s a few things you can do here. You could but prebuilt apps will close the app if it has run out of time to do the update. So you shouldn’t need to touch every device to update. We are in a school district that uses Mosyle. Are there any differences that you offer? As an MDM, yes. We don’t so, Addigy, we don’t really know of any other agents or MDMs that’s talking to it. We’re gonna do things kind of independently. I don’t know, Mikaela, if you have anything to add about. I think you know a little bit more about Mosyle. It’s kinda choose however you wanna update your apps and choose one so we’re not fighting each other. But we’re not really aware of other agents or other things acting on a device. Yeah. And we can definitely reach out to you, explaining further in detail what the, differences are. But overall, I’d say, like, high level, it’s gonna be our, like, real time offerings also with our custom reporting. You know, there’s a lot more flexibility overall. That’s specifically what other, folks have highlighted, that use Addigy every day who’ve come from Mosyle. Yeah. I know we are at time. I still have some time to stick on for q and a. I knew q and a was gonna be here, but I wanted to make sure you guys see the recording will be sent. We may need to talk internally because we started a little late. 
So me and Mikaela may need to rerecord the beginning of it. But we will get you a recording of this information, some more information just here. I’m gonna leave this on, but I’m gonna stick around and answer some q and a still. But I know if people need to drop, you can, and this part will be recorded. So should I stick with ABM to update Slack or switch to prebuilt apps? I have a lot of opinions about using ABM to update apps. So the way it works is Addigy checks where we say, hey. What’s the version in the App Store, and what’s the version on the device? If there is a mismatch, we send an install application command to the device. If the device is locked, has passcode on, in Power Nap, something like that, the device says, not now. I’m busy. Addigy will try again next time we do the audits. If the device is unlocked when that command is received, but the app is open, the device is gonna process that command and be like, alright. Cool. I’m gonna do the thing. But if you actually look in the logs, it complains about the app being open, and there’s no way to close the app. And this will keep happening forever. There is a perfect timing that needs to happen of the device being unlocked, the install application command being received by the device, and the app being closed. And that is something you can coordinate with your end users if it’s a critical update, or prebuilt apps doesn’t care about how the app with everything except for OneDrive, we don’t care how the app got on the device. If it’s there, it’s gonna be updated. But using ABM and the MDM workflow today is a little difficult. I will say with macOS, there is a software updates MDM profile where you can have apps auto update. This uses Apple’s, like, machine learning type thing that you would use on your personal computers that’s outside of management. 
Mixed success, if I were to talk to Apple, that’s usually what they respond when I talk to them, or they’ll point me to the future of DDM. But I find prebuilt apps is more reliable than using ABM. And if you don’t wanna use prebuilt apps, I’m not offended. The helper tool is probably better for you as well, making sure auto updates is turned on for that app itself. It can get a little messy with the timing of it. So I personally recommend using prebuilt apps, though. And OneDrive is the one that’s unique. That’s the only one we care about because of Microsoft. Are there any plans to implement notifications for new updates similar to the public apps notifications, the policies page? Ah, good point. Right now, we so this is, I think, about new app updates or new applications being added to Addigy. Right now, we publish new app updates to the releases page, and that can get pretty overwhelming pretty quickly if you’re looking because we have so many apps. When new apps are added to catalog, right now, we’re notifying folks through the releases page and through the Slack, the Mac admin Slack, and a few other places will update, you know, what new apps have been added. But it is something I can look at of how else to let you guys know if new apps are added to the catalog. I know I’ve kinda gotten that question before. I don’t really wanna add new app versions to any type of notifications outside of the releases. But if there’s enough demand, have people reach out to product at Addigy because I’m kinda curious on what your perfect world would look like. Just know that there is a lot of app updates that happen. And if you’re curious, Mikaela dropped the link in the chat of what the releases dot addigy dot com looks like. We have a separate tab specifically for software releases. Very niche case here, but I don’t wanna give all my users access to all the apps in the prebuilt list, but I would love to let them update on their own. 
Any hopes that someday the self-service might only show the apps that are present and allowed to update? Mikaela. Yeah. So if you don’t wanna give them access to the full list, if you do know the applications that you at least do wanna give them access to, you can do that today, And then they will see that update, option, that button. The only downside about it is that it’s not in a it’s still in the whole, catalog or that install page, so they will need to scroll and see. But, absolutely, that is something that we’re looking at. We’re seeing if there’s two different places potentially in the menu bar app option where you click on the icon and you see them there, and then also a separate tab for just updates in general. So if there’s something in particular you would like to see, though, let us know. Thank you, Steven. And sixty two questions in the q and a. That’s pretty large. I see there is a conversation kinda happening in the chat, Hans. This one, just to make sure that we’re clear, if you have an app that you need a critical update, everyone needs to go out immediately and and update this app because there’s an actively exploited zero day, whatever it may be. You can set next deployment. And no matter what, that app is open. If that app is closed, if the computer’s online, that app is gonna update. It’s gonna close out and update and reopen. If we close an app, we reopen the app. It’s pretty aggressive, but it is an option of of making sure the apps are updated. It’s kinda going back to that balancing of the security and the end user experience. It’s not a great experience to have your app closed in the middle of you doing something in your browser, for example, but and it can be we do give a little pop up saying what’s gonna happen, but it’s something that sometimes needs to happen if it’s a big enough security vulnerability. But, yeah, hopefully, that makes it a little bit easier. And another one for you, Mikaela. I love a fix my Mac button in self-service. 
Something we could program a tune up kind of button and program in, like, a restart update, clear caches, something to get the end users feeling. I actually have seen some customers set something like this up. Yeah. I’ve also seen them use a mix of, Addigy Assist, checking all the versions, clearing it out along with, like, a script and stuff to first deploy it, check everything, and then whatever you know, if you wanna empty the trash, all that. I definitely say, next steps here for you, Tim, we’d, definitely be chatting with, the solution architect, that works with you on your success team, and then they can take a look and make any, like, recommendations on how to actually implement that. Yeah. And then to set it so a user can’t defer an update, I’m gonna go back really quickly because I think this will just be right here. If you have this set to next deployment, this is really aggressive. If you’re using this, probably use an update schedule because it is very aggressive. The app will close the next time the policy runs. User can’t defer it, but that’s where that lives. It’s not something I recommend having your default settings to, but if you need to update an app, that’s the best way to do it. So yeah. And are removal scripts for prebuilt apps on the road map? I don’t have it on the road map mainly because I haven’t gotten that many requests about it. The thing about the removal scripts is it can be a little dangerous if you don’t know they’re there, but I do hear you about adding one manually. That’s something I can consider. And if there are other folks on this call that would like that, please email us at product at Addigy because I’m kinda curious how many people want that. We haven’t done it because, you know, what if you unassigned something and then you’ve uninstalled Chrome from everyone on your production machine? Like, that’s not a great experience. 
So it’s something we can consider if there’s a lot of demand for it too. Alright. And I think through great effort thank you, Ponce and Ben for and Bryce, I see you answered a few too, for helping out in the q and a. If there are no other questions, I wanna thank everyone for spending time. Remind everyone to email us at product at Addigy or file in at product. And let us know what you love, what you hate. And if you are filing feedback for new features, if you could also it would help me a lot if you put in what your perfect world is. Not just thinking about Addigy, what’s possible today, but if it’s something like reports, tell me what is your dream report that you would like to have. That kinda gives us a good idea of the vision and fills in some blanks for us. So yeah. Thank you, Selena, Mikaela. Thank you, Selena, for It’s not just me, to be clear. Prebuilt apps is more than me. Ben and Ponce do a lot of it. Ben is the person behind the scenes doing a lot of the app updates. So when new apps get added to the catalog, you can thank Ben for that. And the whole engineering team too did a lot of work. I was just one of many product managers to touch this and talk to a lot of people on this call. So yeah. Thanks, everyone. I hope everyone has happy holidays. Stay safe in the winter, and reach out to us if there is anything that you wanna see.