macOS - Software - Update VLC With Notifications

Patches VLC Media Player on macOS endpoints to the latest VideoLAN release with a user-facing update prompt

Worklet Details

What the VLC Media Player update Worklet does

This Automox Worklet™ patches VLC Media Player on macOS endpoints to the latest version published by VideoLAN. The Worklet reads CFBundleShortVersionString from /Applications/VLC.app/Contents/Info.plist, compares it against the current VideoLAN release, and stages a fresh universal DMG when the endpoint is behind. The version comparison and the download run inside the Automox agent context, so no SSH session or remote desktop hand-off is required.
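
The version comparison described above has to be numeric and field by field, because a plain string comparison ranks 3.0.9 above 3.0.20. The following is an added example, not Automox's own script; the function names and exit codes, and the handling of an unusable upstream value, are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not Automox's script): numeric VLC version comparison.

# normalize_version RAW: print the dotted-numeric core of RAW, e.g.
# " v3.0.21-rc1 " -> "3.0.21". Returns 1 when RAW holds no version.
normalize_version() {
  _v=$(printf '%s' "${1:-}" | tr -d '[:space:]' |
    sed -n 's/^[vV]\{0,1\}\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p')
  [ -n "$_v" ] || return 1
  printf '%s\n' "$_v"
}

# version_lt A B: succeed when A is strictly older than B. Fields are compared
# as integers, so 3.0.9 < 3.0.20 (a plain string comparison gets this wrong).
version_lt() {
  _a=$1; _b=$2
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _x=${_a%%.*}; _y=${_b%%.*}
    case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
    case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    if [ "${_x:-0}" -lt "${_y:-0}" ]; then return 0; fi
    if [ "${_x:-0}" -gt "${_y:-0}" ]; then return 1; fi
  done
  return 1
}

# evaluate INSTALLED LATEST: print the decision; return 0 = compliant,
# 1 = flagged for remediation, 2 = upstream value unusable (assumed policy:
# report an error rather than patch toward a garbage version).
evaluate() {
  _latest=$(normalize_version "$2") || { echo "error: unusable upstream version"; return 2; }
  _inst=$(normalize_version "$1") || { echo "flagged: installed version missing"; return 1; }
  if version_lt "$_inst" "$_latest"; then
    echo "flagged: $_inst < $_latest"; return 1
  fi
  echo "compliant: $_inst"
}

# Constructed inputs. On an endpoint, INSTALLED would come from:
#   defaults read /Applications/VLC.app/Contents/Info.plist CFBundleShortVersionString
evaluate "3.0.9" "3.0.20" || true
evaluate "3.0.20" "3.0.20" || true
evaluate "3.0.20" "<html>error" || true
```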

Before VLC is replaced, the remediation script checks whether the application is running with pgrep -x VLC. If a user is mid-playback, the Worklet shells out to osascript to fire an AppleScript display dialog under the logged-in user's loginwindow context, giving them an Update Now or Cancel choice. When VLC is closed (or no console user is logged in), the patch runs without prompting.

The DMG is mounted with hdiutil attach -nobrowse, the new VLC.app bundle is copied into /Applications, the disk image is detached with hdiutil detach, and the temporary download is removed. A backup of the previous /Applications/VLC.app is kept on disk for the duration of the run and discarded only after the new bundle launches cleanly. If any step fails, the backup is restored so the endpoint never lands in a half-patched state.

Why patch VLC Media Player at fleet scale

VLC is one of the most-installed third-party applications on knowledge-worker Macs. The VideoLAN security advisories list a steady cadence of CVEs (heap overflows, out-of-bounds reads, and parser bugs in the MKV, HLS, and MP4 demuxers) that ship as patched versions rather than out-of-band hotfixes. A laptop running a six-month-old VLC build will not self-update unless the user opens the app and clicks through the prompt, which means the long tail of installed VLC versions on a typical fleet drifts further behind every quarter. The Worklet picks up exactly that drift: a version-string check on every evaluation, a patch on every miss.

VLC ships a steady cadence of demuxer and codec CVEs that allow remote code execution through a crafted media file, and the macOS app does not self-update by default. Once VideoLAN publishes a fix, this Worklet evaluates the installed VLC.app version on every Mac in scope and applies the new DMG through the standard mount-and-copy flow, whether the endpoint is a developer's MacBook on a corporate network or a remote Mac mini running in a kiosk role.

How the VLC patch and notification flow works

  1. Evaluation phase: The Worklet reads /Applications/VLC.app/Contents/Info.plist with defaults read or PlistBuddy to extract CFBundleShortVersionString. It fetches the current release version from VideoLAN (https://www.videolan.org/vlc/releases/) and normalizes both strings. If the installed and upstream versions match, the endpoint reports compliant and remediation is skipped. If the installed version is missing or older, the endpoint is flagged and the remediation script is scheduled.

  2. Remediation phase: The Worklet downloads the universal VLC DMG into /var/tmp via curl, mounts it with hdiutil attach -nobrowse -quiet, and verifies the VLC.app bundle inside the mount point. It runs pgrep -x VLC to see whether the application is in use. If VLC is running and a console user is logged in, the script invokes osascript via launchctl asuser <uid> to display an AppleScript dialog (with -title VLC Update Available) under the user's session. If the user clicks Cancel, the Worklet detaches the DMG, cleans up the download, and exits non-zero so Automox records the deferral. If the user clicks Update Now or VLC is not running, the script moves the existing /Applications/VLC.app to a backup path, copies the new bundle into /Applications, runs hdiutil detach on the mount point, removes the staged DMG, and re-launches VLC under the user session if it was running before the swap.
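
The backup-and-restore behavior in the remediation phase (and in the earlier description of the swap) can be expressed as one function that discards the backup only after the new bundle passes a check. This is an added example, not Automox's own script; `swap_bundle`, `verify_vlc_bundle`, the return codes, and the use of a code-signature check as the verification step are assumptions, and the demo runs in a scratch directory rather than against /Applications.

```sh
#!/bin/sh
# Added example (not Automox's script): bundle swap with backup and rollback.

# verify_vlc_bundle APP: assumed post-copy check. Requires an Info.plist and,
# where codesign exists (macOS), a valid code signature on the bundle.
verify_vlc_bundle() {
  [ -f "$1/Contents/Info.plist" ] || return 1
  if command -v codesign >/dev/null 2>&1; then
    codesign --verify --deep --strict "$1" || return 1
  fi
}

# swap_bundle NEW_APP DEST_APP VERIFY_FN
# Returns 0 = swapped, 1 = refused (nothing touched), 2 = failed and rolled back.
swap_bundle() {
  _new=$1; _dest=$2; _verify=$3; _backup="$_dest.backup"
  [ -d "$_new" ] && [ -d "$_dest" ] || return 1
  # A leftover backup means an earlier run died mid-swap; do not overwrite it.
  [ ! -e "$_backup" ] || return 1
  mv "$_dest" "$_backup" || return 1
  if cp -R "$_new" "$_dest" && "$_verify" "$_dest"; then
    rm -rf "$_backup"          # discard the backup only after verification
    return 0
  fi
  rm -rf "$_dest"              # remove the partial or unverified copy
  mv "$_backup" "$_dest"       # restore the previous bundle
  return 2
}

# Constructed demo in a scratch directory (stand-ins for the mounted DMG and
# /Applications): the "new" bundle lacks Info.plist, so the swap rolls back.
demo=$(mktemp -d)
mkdir -p "$demo/mnt/VLC.app/Contents" "$demo/Applications/VLC.app/Contents"
echo "old" > "$demo/Applications/VLC.app/Contents/Info.plist"
rc=0
swap_bundle "$demo/mnt/VLC.app" "$demo/Applications/VLC.app" verify_vlc_bundle || rc=$?
echo "exit=$rc restored=$(cat "$demo/Applications/VLC.app/Contents/Info.plist")"
rm -rf "$demo"
```

Refusing to run when a `.backup` directory already exists keeps a second run from destroying the only good copy left by an interrupted first run.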

VLC update Worklet requirements

  • macOS 11 Big Sur or later on Intel or Apple Silicon, with /Applications/VLC.app already present (the Worklet patches existing installs rather than seeding new ones)

  • Network reachability to https://www.videolan.org/vlc/releases/ for the version probe and to the VideoLAN CDN (or Automox cache) for the DMG download

  • Root context for the Automox agent so the script can write into /Applications, run hdiutil, and shell out to osascript through launchctl asuser

  • Roughly 250 MB of free space in /var/tmp for the DMG download and the staged /Applications/VLC.app.backup directory

  • Automox agent paired with Automox Notifier (or an equivalent user-context shim) when you want the AppleScript dialog to surface; without it, the Worklet falls back to patching only when VLC is not running

Expected VLC state after the Worklet runs

On success, /Applications/VLC.app/Contents/Info.plist reports the latest CFBundleShortVersionString from VideoLAN, and the next evaluation pass returns compliant without staging another DMG. The .backup directory is removed, the DMG is deleted from /var/tmp, and no mount point remains attached. You can confirm the new version with defaults read /Applications/VLC.app/Contents/Info.plist CFBundleShortVersionString or by opening About VLC media player from the VLC menu bar.

When a user defers the patch, the Worklet exits non-zero and the endpoint stays flagged in Automox so the next policy run prompts again. User preferences in ~/Library/Preferences/org.videolan.vlc.plist, the recent files list, and any installed VLC extensions are preserved across the swap because only the /Applications/VLC.app bundle is replaced. Audit evidence can be captured by exporting the Automox activity log for the policy run alongside the pre- and post-patch version strings.


Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, handle configuration and remediation, and install or remove applications and settings across Windows, macOS, and Linux.
