macOS - Software Lifecycle - Update Zoom With Notifications

What the Zoom update Worklet does on Mac

This Automox Worklet™ keeps the Zoom desktop client current on every Mac endpoint under Automox management. The evaluation script reads CFBundleVersion from /Applications/zoom.us.app/Contents/Info.plist, queries the redirect target of https://zoom.us/client/latest/zoomusInstallerFull.pkg to learn the latest version number, and compares the two. When the endpoint is behind, the remediation script downloads the installer package and runs installer -pkg against the system volume.

When Zoom is open, the remediation phase routes a notification through the Automox Notifier helper at /Library/Application Support/Automox/Automox Notifier.app, presenting an Update / Cancel dialog to the signed-in console user with a 180-second timeout. If the user accepts, the Worklet sends pkill zoom, waits up to 30 seconds for the process tree to clear, backs up the existing app to /Applications/zoom.us.bak, installs the new pkg, and relaunches Zoom in the user's session through su -l … open. If the user cancels, the Worklet exits non-zero and reschedules cleanly on the next evaluation.

The Worklet is idempotent: when CFBundleVersion already matches the latest tag, evaluation exits 0 with a no-action message and remediation is never scheduled. The same script is FixNow-compatible, so a Zoom CVE published mid-day can be pushed to every Mac in the fleet without waiting for the next patch window.

Why patch Zoom on Mac endpoints with a user prompt

Zoom is one of the most active vendors in the Mac CVE feed. The Zoom Security Bulletins have shipped patches for buffer overflows, signed-installer abuse, sandbox escapes, and meeting-token replay across the last several quarters. Several of those CVEs carried CVSS scores in the 8.0 to 9.9 range. An out-of-date Zoom client on a knowledge-worker laptop is a direct path to credential theft and meeting interception, and Zoom's own auto-update mechanism only fires when the user opens the app and clicks through a dialog. On a fleet of busy Macs, that dialog gets dismissed for weeks.

Zoom on macOS holds the camera and microphone for the active meeting, which makes a silent forced upgrade an easy way to drop a customer call mid-sentence. This Worklet evaluates the installed zoom.us.app version on every Mac under management, defers only when the signed-in user explicitly says "not now," and reschedules itself on the next evaluation so the patch eventually lands. The result is a coordinated path to the latest Zoom build without interrupting the meeting that is already running.

How Zoom update detection and user prompting works

1. Evaluation phase: The Worklet runs curl -si against https://zoom.us/client/latest/zoomusInstallerFull.pkg and parses the redirect Location header to extract the latest version segment. It then reads CFBundleVersion from /Applications/zoom.us.app/Contents/Info.plist via the defaults command. If the two strings match, evaluation exits 0 and remediation is skipped. If they differ, evaluation exits 1 and the endpoint is queued for remediation on the policy's next run.

2. Remediation phase: The remediation script identifies the console user with scutil show State:/Users/ConsoleUser, resolves their UID, downloads the latest Zoom installer to a temp path, and counts running zoom processes with pgrep. If Zoom is running, it launches the Automox Notifier helper through launchctl asuser with -title "Update Required" and -actions "Update,Cancel" to present the prompt in the user's session. On Update, the script pkills Zoom, waits up to 30 seconds for processes to exit, backs up /Applications/zoom.us.app to /Applications/zoom.us.bak, runs installer -pkg "${installer_path}" -target "/Volumes/Macintosh HD", relaunches Zoom under the console user, and re-reads CFBundleVersion to confirm success. On Cancel, on installer failure, or on a missing /Applications/zoom.us.app, the script restores the backup and exits non-zero.

Zoom update Worklet requirements

• macOS endpoint with Zoom already installed at /Applications/zoom.us.app. The Worklet does not perform a first-time install; pair it with the Deploy Zoom Worklet for greenfield Macs.

• Automox agent 1.42.22 or later. Earlier agents do not ship the Automox Notifier helper at /Library/Application Support/Automox/Automox Notifier.app and the user prompt will fail silently.

• Outbound HTTPS reachability to zoom.us so the Worklet can read the redirect header and download the installer pkg.

• Root privileges for the Automox agent (the default agent context already meets this) so installer -pkg can write into /Applications and pkill can stop the running Zoom process tree.

• An active console user session for the prompt path. If no user is logged in, the Worklet skips the dialog and proceeds straight to the install, which is the safer default for shared or unattended Macs.

• Optional: pre-stage a fallback for managed environments that block direct downloads from zoom.us by mirroring the installer to an internal HTTPS host and adjusting the curl target in remediation.sh.

Expected state after a successful Zoom patch

After a clean run, defaults read /Applications/zoom.us.app/Contents/Info.plist CFBundleVersion returns the same value as the version segment in the Location header from https://zoom.us/client/latest/zoomusInstallerFull.pkg. The remediation script removes /Applications/zoom.us.bak and any transient /Applications/zoom.us.new directory on success, and the next evaluation run reports the endpoint as compliant without re-downloading the installer. Exit code 0 means CFBundleVersion matches and Zoom is running (or was relaunched cleanly under the console user).

Validate by opening Zoom and selecting About Zoom, or by running defaults read /Applications/zoom.us.app/Contents/Info.plist CFBundleVersion in Terminal. Cross-check against https://zoom.us/download to confirm parity with the published release. Exit code 1 with a message in the Automox activity log means one of three things: the user clicked Cancel on the prompt, the installer pkg failed mid-install (in which case the backup at /Applications/zoom.us.bak is automatically restored), or Zoom failed to terminate inside the 30-second wait loop. The next policy evaluation re-flags the endpoint, the prompt is re-presented on the next cycle, and the patch eventually lands without administrator intervention.