macadmin.fraserhess.com

You should be opinionated about Apple’s stock apps

In a recent post, I covered the differences between Macs from the factory and those that were wiped and macOS was reinstalled. A major difference is that the factory Macs include 5 additional applications: Keynote, Pages, Numbers, iMovie, and GarageBand.

I’ve discovered that there’s a very good reason to be opinionated about whether or not these stock apps are installed. If you’re not opinionated about this, as I was, they will rot in place. Let me explain.

Having not had an opinion about the stock apps prior to now, I decided to look into them when we were updating our provisioning processes for Jamf Setup Manager. I was surprised by what I found. Around half our Macs had stock apps installed. That part was expected. But only 22% of the installations had the current versions of these apps. Only 22%? I expected they would all be current considering we have AutomaticallyInstallAppUpdates set in our Software Update configuration. If a Mac has the stock apps but don’t have the current version, they appear to have the version that shipped from the factory. This resulted in, for example, ten different versions of Keynote across our Macs. It goes without saying that old software versions have known vulnerabilities and can be exploited. Many of our GarageBand installations were vulnerable to arbitrary code execution and privilege escalation.

So far I have two theories about the affected Macs:

  1. No one is logged into the App Store
  2. The user logged into the App Store does not have the stock apps in their Apple Account

The root cause may not matter. To have a consistent experience across our Macs, and keep the stock apps updated, the fix is either to delete the app(s), which we did for iMovie and GarageBand; or, to have our MDM install the App Store app(s), which we did for Keynote, Pages, and Numbers. UPDATE Feb 11 2025 After a helpful comment by Graham Pugh (thanks, Graham!) I pulled this post and rechecked that our MDM is updating stock apps not owned by an App Store account. Even so, out of an abundance of caution, I updated our process for new computers to delete all the stock apps and have MDM reinstall the iWork apps.

So, don’t leave the installation/removal of these apps to chance. Decide which ones you want to have and create processes to install, update, or remove them.

2 responses to “You should be opinionated about Apple’s stock apps”

  1. Graham Avatar
    Graham

    Hi Fraser, it’s worse than that. MDM won’t adopt the pre-installed versions of the stock apps, so they will remain on the initially installed version unless the user adopts them themselves in the App Store with their own Apple Account. So, you have to delete them first anyway even if you want to manage them. I’ve long used a script to remove them at enrollment.

    Cheers, Graham

    Like

    Reply
    1. Fraser Hess Avatar
      Fraser Hess

      Graham, Thanks for the comment. This article was originally posted prematurely when I didn’t have enough testing to confirm that our MDM is adopting and updating the pre-installed versions of the stock apps. But it is, at least on macOS 15.2/Jamf Pro 11.13.1. Nevertheless, I updated our processes to delete all the stock apps on new Macs, just in case that fails.

      Like

      Reply

Leave a comment