What is Cross-platform patch management?

Cross-platform patch management is the practice of identifying, scheduling, deploying, and verifying software updates uniformly across Windows, macOS, and …

Definition

Patch management was a Windows-only discipline for two decades. Many of the major MSP RMMs were architected accordingly — strong patch automation for Windows, basic OS-update visibility on macOS, and limited or no Linux coverage. As fleets diversified, the gaps became operational liabilities: Linux file servers, RHEL-derived appliances, headless build agents, and macOS endpoints in BYOD fleets all became places where critical CVEs sat unpatched for months because nobody's patch tool covered them properly.

Cross-platform patch management addresses this by treating Windows, macOS, and Linux as first-class platforms. The same console handles operating-system updates and the long tail of third-party applications across all three. The same scheduling rules, reboot-management policies, and severity-based deferral logic apply uniformly. The same compliance reports map to CMMC 2.0, NIST CSF, CIS Controls, SOC 2, ISO 27001, HIPAA, and PCI DSS without manual re-mapping per platform.

Cyber-insurance assessors and CMMC C3PAOs increasingly ask about cross-platform patch hygiene specifically — they have noticed that the unpatched vulnerabilities in their incident data tend to live on Linux servers, on macOS endpoints, and in third-party applications the OS vendor will never push.

Core components

  • Operating system updates. Windows quality and feature updates, macOS major and minor updates, Linux distribution package upgrades (apt, dnf, yum, zypper, pacman) and kernel updates.
  • Third-party application updates. Updates to applications that the OS vendor does not push — browsers, productivity suites, runtime environments (Java, Python, Node), media plugins, line-of-business applications, developer tooling, and the long tail. The catalog size matters.
  • Firmware and driver updates. BIOS / UEFI updates, Intel ME / AMD PSP updates, driver packages, network and storage firmware. Often vendor-specific and only available on certain platforms.
  • Severity / CVSS-driven scheduling. Logic that defers low-risk patches to standard maintenance windows and accelerates critical CVEs to immediate or expedited deployment.
  • Reboot management. Reboot deferral, user-prompt scheduling, scheduled reboot windows, and reboot-pending detection so endpoints actually finish their patch cycles.
  • Compliance evidence mapping. Mapping patch state to control requirements in CMMC 2.0, NIST CSF, NIST SP 800-171, CIS Controls v8 (Control 7), SOC 2, ISO 27001, HIPAA, and PCI DSS, with continuous evidence collection.
  • Coexistence with MDM and EDR. Cooperation with platform MDMs (Jamf, Mosyle, Kandji, Intune) and endpoint EDR / AV products so the patch tool does not fight the rest of the stack.
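To illustrate the severity-driven scheduling and reboot-management components listed above, here is an added Python example (not Lavawall® code) that applies one deferral policy to a constructed set of pending updates from Windows, macOS and Linux endpoints; the CVSS thresholds, the Sunday 02:00 maintenance window and the inventory are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Thresholds are constructed for this example, not vendor defaults.
CRITICAL_CVSS, HIGH_CVSS = 9.0, 7.0     # immediate / expedited tiers
EXPEDITED = timedelta(hours=24)

@dataclass(frozen=True)
class PendingPatch:
    host: str
    platform: str        # "windows", "macos" or "linux"
    package: str
    cvss: float          # highest CVSS among the CVEs the patch fixes, 0.0 if none
    reboot_required: bool

def next_maintenance_window(now):
    """Next Sunday 02:00 (a constructed standard maintenance window)."""
    start = now.replace(hour=2, minute=0, second=0, microsecond=0)
    start += timedelta(days=(6 - now.weekday()) % 7)
    return start if start > now else start + timedelta(days=7)

def deployment_deadline(patch, now):
    """One rule for every platform: the severity decides, not the OS."""
    if patch.cvss >= CRITICAL_CVSS:
        return now                       # critical: deploy immediately
    if patch.cvss >= HIGH_CVSS:
        return now + EXPEDITED           # high: expedited deployment
    return next_maintenance_window(now)  # everything else waits for the window

def build_plan(pending, now):
    """Deployment order (earliest deadline first) and hosts left reboot-pending."""
    plan = sorted((deployment_deadline(p, now), p.host, p.package) for p in pending)
    reboot_hosts = sorted({p.host for p in pending if p.reboot_required})
    return plan, reboot_hosts

def per_platform_summary(pending):
    """Counts that feed a compliance report: pending and critical items per platform."""
    summary = {}
    for p in pending:
        row = summary.setdefault(p.platform, {"pending": 0, "critical": 0})
        row["pending"] += 1
        row["critical"] += int(p.cvss >= CRITICAL_CVSS)
    return summary

INVENTORY = [   # constructed sample inventory across all three platforms
    PendingPatch("fs01", "linux", "openssl", 9.8, False),
    PendingPatch("build-agent-3", "linux", "kernel", 7.8, True),
    PendingPatch("mac-byod-17", "macos", "macOS 14.5", 8.6, True),
    PendingPatch("ws-042", "windows", "7-Zip", 0.0, False),
    PendingPatch("ws-042", "windows", "Cumulative Update", 9.8, True),
]
```

`build_plan(INVENTORY, datetime.now())` returns the ordered deployment list and the hosts that will still be reboot-pending, which is the state a console would surface before the cycle closes.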

Why it matters

Patch management is consistently among the highest-impact preventive controls in any cybersecurity framework. CIS Controls v8 designates Control 7 (Continuous Vulnerability Management) at Implementation Group 1; NIST CSF places it in PR.MA and PR.IP; CMMC 2.0 covers it through SI.L1-3.14.1, SI.L2-3.14.1, and the SI control family more broadly.

Empirically, unpatched third-party applications are responsible for a substantial share of successful ransomware deployments. The attacker scans the internet for a known unpatched application version; finds an exposed instance; exploits it; pivots inside. The patch was available — sometimes for years — but the operations team's patch tool didn't cover that application.

For MSPs, cross-platform parity is also an audit-finding-prevention concern. A single tool covering Windows, macOS, and Linux uniformly produces clean compliance evidence; a fragmented stack of separate tools produces visible gaps that auditors flag.

How Lavawall® helps with Cross-platform patch management

Lavawall® patches 7,500+ applications across Windows, macOS, and Linux from a single agent and console. The catalog is published openly at /publicappdetails.php so MSPs can verify coverage before adoption — there is no opaque "thousands of applications" handwave.

Linux coverage spans Debian-family (Debian, Ubuntu, Mint) and Red Hat-family (RHEL, CentOS, AlmaLinux, Rocky, Fedora) distributions for both OS updates and third-party application updates. macOS coverage handles Intel and Apple Silicon and works on BYOD endpoints without requiring privacy & security permissions or MDM enrolment. Windows coverage handles all supported Windows 10 and 11 versions plus Windows Server.

Because Lavawall® is also the GRC, configuration-assessment, and breach-detection tool, patch state flows directly into compliance evidence (CMMC 2.0, NIST CSF, NIST SP 800-171, CIS Controls 7, SOC 2 CC7.1, ISO 27001 A.12.6.1, HIPAA Security Rule, PCI DSS 6) without manual re-mapping. Replacement prioritization closes the loop: when an endpoint cannot be patched (because its OS is end-of-life or its TPM is too old), Lavawall® scores it for replacement and surfaces it in the next QBR.

Frequently asked

Why isn't Windows-only patching enough?
Because the attack surface isn't Windows-only. Linux servers run substantial portions of every modern infrastructure stack; macOS endpoints in BYOD fleets are now common; and many critical line-of-business applications are cross-platform. A Windows-only patch tool leaves systematic gaps that cyber-insurance assessors and CMMC C3PAOs increasingly ask about.

Does Lavawall® patch the Linux distribution itself?
Yes. Lavawall® handles operating system updates and third-party application updates across Debian-family and Red Hat-family Linux distributions, alongside the equivalents on Windows and macOS.

Does the macOS agent require privacy & security permissions?
No. The Lavawall® macOS agent was designed so MSP clients in BYOD fleets can install it themselves or have it deployed via an existing RMM or MDM without granting privacy & security permissions.

How is the patch catalog maintained?
Lavawall® / ThreeShield maintains the 7,500+ application catalog continuously. New applications are added as they appear; the changelog records additions. The catalog is published openly so MSPs can verify coverage before adoption.