qbicsoftware/security-announcement-generator
Apple Security Announcement Email Workflow

This repository provides a simple, repeatable way to turn Apple security announcements into short internal email notifications.

All generated mail content is plain-text only with UTF-8 encoding. No rich text and no HTML are used.

Goal

Keep the internal notification format stable and concise:

  • what Apple released
  • which internally used versions are affected
  • which versions fix the issue
  • how colleagues should update
  • when the update should be completed

Files

  • templates/apple-security-announcement-email.txt: plain text email template
  • examples/apple-security-announcement.sample.json: example structured input for a notification
  • examples/announcement-automation-config.sample.json: example automation config for scheduled fetches
  • examples/apple-security-releases.sample.txt: sample Apple release text for extractor input
  • scripts/generate_email_draft.py: converts structured JSON into an email draft

The template uses a small set of UTF-8 icons to draw attention to the most important sections, especially affected versions and the required update action.

Recommended workflow

1. Collect the source announcement

Use Apple's release overview page as the primary source:

  • https://support.apple.com/en-us/100100

For each release cycle, collect:

  • release date
  • product names
  • fixed versions published by Apple
  • Apple reference links
  • Apple update instructions links

Note: the included extractor is designed for copied Apple release text or markdown, not raw website HTML. A practical approach is to paste the relevant part of the Apple page into a text file first, then run extraction.

2. Enrich with internal device inventory

Apple's announcement usually tells you the fixed version and the supported devices, but not which of your colleagues are still on older versions.

To produce the "affected versions" section, compare the Apple release against internal inventory from your MDM or endpoint platform, for example:

  • Jamf Pro
  • Microsoft Intune
  • Kandji
  • Mosyle
  • Workspace ONE

Recommended rule:

  • affected_versions = versions currently installed internally that are below the new fixed version
  • fixed_versions = version(s) announced by Apple as the remediation target

3. Normalize into JSON

Create a JSON file shaped like examples/apple-security-announcement.sample.json.

This becomes the reviewable source of truth for the email draft.

4. Generate the draft

Run:

python3 scripts/generate_email_draft.py render examples/apple-security-announcement.sample.json

Optional file output:

python3 scripts/generate_email_draft.py render examples/apple-security-announcement.sample.json -o draft.txt

To generate an .eml draft that can be opened directly in mail clients:

python3 scripts/generate_email_draft.py render-eml examples/apple-security-announcement.sample.json -o draft.eml

To generate a calendar entry for the update deadline:

python3 scripts/generate_email_draft.py render-ics examples/apple-security-announcement.sample.json -o apple-security-deadline.ics

To fetch the current Apple release page and build a fresh normalized JSON draft automatically:

python3 scripts/generate_email_draft.py prepare-latest examples/announcement-automation-config.sample.json -o out/latest-announcement.json

5. Send it with your normal mail tool

Recommended options:

  • copy the generated draft into Outlook or Apple Mail
  • or generate draft.eml and open/import it in Outlook or Apple Mail
  • the generated .eml includes a plain .ics calendar attachment for the deadline when a deadline is present
  • attach the Apple source link in the message
  • use a mailing list for the relevant colleagues

If command-line sending is desired, keep it simple and auditable, for example with mailx or a ticketing/automation platform. Keep the generation step separate from the send step so a human can review the draft before anything is sent.

Strategy

Parsing strategy

Use a two-stage process:

  1. extract release data from Apple's announcement
  2. enrich it with internal inventory before sending

Why this split matters:

  • Apple provides fixed versions and device scope
  • internal tools provide the actually affected installed versions
  • mixing both too early makes validation harder

Recommended extracted fields from Apple:

  • release_date
  • product
  • fixed_versions
  • available_for
  • reference_url
  • update_url
  • has_published_cves

Recommended enrichment fields from internal systems:

  • affected_versions
  • audience_scope
  • deadline
  • notes
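The enrichment rule from step 2 and the two field lists above, worked through in code. This is an added example, not the repository's scripts/generate_email_draft.py: the Apple release, the MDM inventory and the extra affected_device_count field are constructed placeholders, and the "same major version family" restriction is an assumption added here, not stated in the README.

```python
import json
import re

# Constructed sample of the fields the README recommends extracting from Apple's page
# (placeholder date and versions, not a real Apple release).
APPLE_RELEASE = {
    "release_date": "2024-01-01",
    "product": "macOS Sonoma",
    "fixed_versions": ["14.2.1"],
    "available_for": "macOS Sonoma",
    "reference_url": "https://support.apple.com/en-us/100100",
    "update_url": "https://support.apple.com/en-us/100100",
    "has_published_cves": True,
}

# Constructed sample MDM export: installed OS version -> number of devices.
MDM_INVENTORY = {"14.2.1": 40, "14.2": 12, "14.1.2": 3, "13.6.3": 5}


def version_key(version):
    """'14.2.1' -> (14, 2, 1), so versions compare numerically ('14.10' > '14.9')."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def affected_versions(inventory, fixed_versions):
    """README rule: installed versions below the new fixed version, newest first.
    Assumption added here: compare within the same major family only, so 13.x
    devices are reported only when Apple also lists a 13.x fixed version."""
    targets = {version_key(v)[0]: version_key(v) for v in fixed_versions}
    below = [v for v in inventory
             if version_key(v)[0] in targets and version_key(v) < targets[version_key(v)[0]]]
    return sorted(below, key=version_key, reverse=True)


def build_announcement(release, inventory, audience_scope, deadline, notes=""):
    """Merge Apple fields with the internal enrichment fields the README lists."""
    affected = affected_versions(inventory, release["fixed_versions"])
    return {
        **release,
        "affected_versions": affected,
        "affected_device_count": sum(inventory[v] for v in affected),  # hypothetical extra field
        "audience_scope": audience_scope,
        "deadline": deadline,
        "notes": notes,
    }


def to_json(announcement):
    """Plain UTF-8 JSON (no ASCII escaping) with stable key order for review diffs."""
    return json.dumps(announcement, sort_keys=True, indent=2, ensure_ascii=False) + "\n"
```

Note that a plain string comparison would rank "14.9" above "14.10"; version_key avoids that, which is why the 14.x devices on 14.2 and 14.1.2 are flagged while 14.2.1 is not.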

Conversion strategy

Render the final email from structured data instead of editing free text each time.

Benefits:

  • stable wording
  • lower risk of missing products or versions
  • easier approval and audit trail
  • possible future automation

Sending strategy

Use a light approval flow:

  1. script generates draft
  2. security or workplace team reviews wording and affected scope
  3. approved draft is sent to the mailing list

This keeps the process easy while preventing accidental over-notification.

Suggested operating model

  • P1: actively exploited or emergency Apple advisory -> send same day
  • P2: major security release for managed devices -> send within one business day
  • P3: niche or unsupported product release -> track, but do not broadcast broadly unless relevant

Future automation ideas

  • fetch Apple's release page automatically on a schedule
  • compare latest release entries with previous saved JSON
  • enrich affected scope from MDM exports automatically
  • open a pre-addressed Outlook draft or create a .eml file
  • post the same content to Teams or Slack

macOS scheduler example

The repository includes a sample launchd setup for macOS:

  • scripts/run_scheduled_check.sh - wrapper that generates draft.txt, draft.eml, and apple-security-deadline.ics
  • launchd/com.qbic.apple-security-announcements.plist.template - user-path-independent LaunchAgent template
  • scripts/install_launchd_agent.sh - installer that expands the template for the current local repo path

What the sample job does:

  • runs at 08:00, 12:00, and 16:00
  • fetches the Apple security release page and builds out/latest-announcement.json
  • compares that prepared JSON hash with the last processed hash
  • only generates new artifacts when the input changed
  • shows a macOS notification when a new draft is ready
  • opens draft.eml automatically for review
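The "compare the prepared JSON hash with the last processed hash" step, as an added illustration and not the repository's own run_scheduled_check.sh (which is a shell wrapper). It hashes a canonical serialisation so that key order or whitespace differences between runs do not trigger a spurious new draft, and leaves recording the hash to the caller, on the assumption that this happens only after draft.txt, draft.eml and the .ics were written successfully. The JSON inputs are constructed.

```python
import hashlib
import json


def prepared_json_hash(text):
    """Hash the canonical form of the prepared JSON, so re-serialisation differences
    (key order, indentation, trailing newline) do not look like a changed release."""
    canonical = json.dumps(json.loads(text), sort_keys=True,
                           separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def should_regenerate(prepared_json, last_processed_hash):
    """True when the prepared JSON differs from the last processed one, or when
    nothing has been processed yet. Assumption: the caller stores the returned
    hash only after all artifacts were written, so a failed run is retried
    on the next schedule instead of being silently marked as processed."""
    return prepared_json_hash(prepared_json) != (last_processed_hash or "")


# Constructed inputs: the same release serialised with different key order and
# whitespace (RUN_1, RUN_2), and one where Apple's fixed version moved (RUN_3).
RUN_1 = '{"product": "macOS Sonoma", "fixed_versions": ["14.2.1"], "release_date": "2024-01-01"}'
RUN_2 = ('{\n  "release_date": "2024-01-01",\n  "fixed_versions": ["14.2.1"],\n'
         '  "product": "macOS Sonoma"\n}\n')
RUN_3 = '{"product": "macOS Sonoma", "fixed_versions": ["14.3"], "release_date": "2024-01-01"}'
```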

Install it as the logged-in user:

chmod +x scripts/run_scheduled_check.sh
chmod +x scripts/install_launchd_agent.sh
mkdir -p out
./scripts/install_launchd_agent.sh

Useful commands:

launchctl kickstart -k "gui/$(id -u)/com.qbic.apple-security-announcements"
launchctl print "gui/$(id -u)/com.qbic.apple-security-announcements"
launchctl bootout "gui/$(id -u)" "$HOME/Library/LaunchAgents/com.qbic.apple-security-announcements.plist"

Important:

  • the sample uses examples/announcement-automation-config.sample.json for audience, deadline, support, and sender defaults
  • web fetching is done inside prepare-latest, which pulls https://support.apple.com/en-us/100100 on each scheduled run
  • the current automation derives affected versions from Apple's fixed versions; add MDM enrichment later for exact internal impact
  • notifications and open draft.eml work best when the job runs in the logged-in user session
  • the installer resolves the local repo path automatically, so different users do not need to edit hardcoded /Users/... paths

About

Generates an email draft with affected versions, the action to take, and a calendar entry from the latest security announcements.
