macOS - Software - Update Slack With Notifications

What the Slack upgrade Worklet does on macOS

This Automox Worklet™ upgrades Slack on macOS endpoints to the latest universal build published by Slack. The Worklet reads the CFBundleShortVersionString value from /Applications/Slack.app/Contents/Info.plist and compares it to the version advertised on Slack's macOS release feed. When the installed version is already current, the Worklet exits cleanly and no notification is shown to the signed-in user.

When an upgrade is available, the remediation script downloads the universal DMG, mounts it with hdiutil attach, and copies the new Slack.app into /Applications/. Before the swap, the script checks whether Slack is currently running with pgrep -x Slack. If Slack is open, an osascript display dialog appears in the user session offering Update Now or Postpone, so an unattended laptop never has its Slack window force-quit mid-call.

The Worklet stages a backup of the previous Slack.app under /var/tmp/Slack-backup before the move. If hdiutil detach, ditto, or codesign verification fails at any point, the script restores the backup, detaches the DMG, removes the staged installer, and exits non-zero so the failure surfaces in Automox activity logs. After a successful upgrade, the Worklet relaunches Slack as the console user with launchctl asuser, returning the laptop to the same working state the user left it in.

Why upgrade Slack on every Mac in the fleet

Slack ships frequent security fixes for the Electron runtime that powers the desktop client, and each version Slack publishes typically supersedes one or more advisories in the Slack security bulletins. An out-of-date Slack.app on a developer laptop is also an entry point for token theft and OAuth-flow tampering, because Slack's session tokens live inside the app's local storage. Internal patch baselines that align with CIS macOS Benchmarks and the change management criteria in SOC 2 CC7.1 commonly require end user applications to receive vendor updates on a defined cadence, and a stale Slack version is one of the easier audit findings to spot.

Slack on macOS holds open file handles on the running Slack.app bundle, which is why a silent replace-in-place rarely succeeds while a user is signed in. This Worklet evaluates the installed Slack.app version on every cycle, then prompts the signed-in user through osascript to save any active conversations before it closes Slack and lays down the latest DMG build. The result is a coordinated upgrade across your Mac fleet that respects the user's session while still moving the laptop to the patched build.

How the Slack upgrade and user prompt flow works

1. Evaluation phase: The script reads /Applications/Slack.app/Contents/Info.plist with defaults read to capture CFBundleShortVersionString. It then fetches the latest macOS release identifier from the Slack release feed and compares the two values. If /Applications/Slack.app does not exist, the endpoint exits compliant because this Worklet only upgrades existing installations. If the installed version matches the latest, the endpoint returns exit 0 and no remediation runs. Any older version returns a non-zero exit so the remediation script is scheduled on the next policy run.

2. Remediation phase: The script downloads the universal DMG from Slack's release URL into /var/tmp/Slack.dmg with curl --location --fail. It mounts the image with hdiutil attach -nobrowse -quiet, copies the existing /Applications/Slack.app to /var/tmp/Slack-backup, then runs pgrep -x Slack to detect a live session. When Slack is running, the script calls launchctl asuser <uid> /usr/bin/osascript -e 'display dialog ...' with Update Now and Postpone buttons. On approval, the script quits Slack with osascript tell application "Slack" to quit, copies the new bundle into /Applications/ with ditto, detaches the DMG with hdiutil detach, removes /var/tmp/Slack.dmg, and relaunches Slack as the console user. On Postpone, the script unmounts, leaves the backup in place, and exits 0 so the next evaluation re-offers the upgrade.

Slack upgrade requirements on macOS

• macOS 11 Big Sur or later (Slack drops support for older releases as new versions ship)

• Slack installed at the canonical path /Applications/Slack.app with a valid CFBundleShortVersionString in Info.plist

• At least 500 MB free under /var/tmp for the DMG download, the /var/tmp/Slack-backup staging copy, and the mounted disk image

• Outbound HTTPS to slack.com and downloads.slack-edge.com for the version feed and the universal DMG

• Automox agent running as root so hdiutil attach, ditto into /Applications/, and launchctl asuser can complete without sudo prompts

• A signed-in console user when the osascript prompt is expected; with no console user, the script proceeds silently because there is no session to interrupt

Expected Slack state after the upgrade

After remediation completes, /Applications/Slack.app reports the latest CFBundleShortVersionString and codesign --verify --deep --strict /Applications/Slack.app returns exit 0. The Automox activity log records the previous and new version strings, the DMG checksum, and the user's prompt response (Update Now or Postpone). If the user picked Postpone, Slack is still running on the previous version and the next evaluation cycle will re-offer the upgrade until accepted or until the endpoint passes a deadline you can layer on with a separate enforcement policy.

Verification: From the Mac, open Slack and choose Slack > About Slack from the menu bar to confirm the version number matches Slack's published release. From a shell, run defaults read /Applications/Slack.app/Contents/Info.plist CFBundleShortVersionString to capture the same value programmatically, and pgrep -x Slack to confirm the relaunched process is running under the console user. If remediation failed mid-flight, /var/tmp/Slack-backup will still contain the previous .app; the script restores it automatically on any non-zero step, but you can verify by running mdls /Applications/Slack.app and confirming the kMDItemVersion attribute matches the pre-upgrade value. Once the endpoint passes evaluation cleanly, the Worklet remains idle on future policy runs until Slack publishes the next release.