Apple Critical system updates

qsodji
Contributor

I wrote a couple of scripts to ensure my managed Macs were getting Apple critical updates for XProtect and Gatekeeper.
It is a set of attribute and policy scripts which handle the update and also ensure the needed settings are set.
https://jumpt.wordpress.com/2015/02/12/enforcing-critical-osx-system-updates-via-casper/
Feedback is welcome.
Cheers

davidacland
Honored Contributor II

Thanks! Just tried the EA, worked fine for me.

The only change I would go for would be to use a config profile to set the actual com.apple.SoftwareUpdate keys. Preference caching can get in the way sometimes if you are writing straight into the plist.

Thanks for the code though!

qsodji
Contributor

Thank you for the feedback, I will look into it.

bentoms
Release Candidate Programs Tester

@davidacland, defaults is cfprefsd aware, so it should be fine as it works with preference caching.

davidacland
Honored Contributor II

Thanks @bentoms good point.

hcodfrie
Contributor

Nice one thx

adamcodega
Valued Contributor

Thanks @qsodji for this blog post! The importance can't be stressed enough: as we've seen in the past few months, if you turn off automatic updates and manage them yourself, XProtect won't get updates. It can be one of the first security tools you can rely on regularly.

Not only is it important to know how to manage these settings, this is a great demonstration of how to do it with the Casper Suite.

Can we make this required reading in Jumpstarts? :)

adamcodega
Valued Contributor

Clarifying question: For critical_status and config_status I am getting

The domain/default pair of (/Library/Preferences/com.apple.SoftwareUpdate, CriticalUpdateInstall)
does not exist

Even though my user does have those updates enabled. After I run Update_enabler.sh then the defaults read works.

qsodji
Contributor

@adamcodega Are you getting this on all reports or just on your machine?

adamcodega
Valued Contributor

Just on my machine, I'm testing it on mine before deploying.

com.apple.SoftwareUpdate exists it just did not have the line entry CriticalUpdateInstall

qsodji
Contributor

@adamcodega That's because the "Install system data files and security updates" option wasn't checked in System Preferences > App Store.

makander
Contributor

@qsodji

Does this mean that you're not managing your updates by yourself anymore and that you are using the automatic update function instead?

Edit: Perhaps one way of doing it is to set schedule off and then at a certain time change it to schedule on, run all SW updates, and then turn them off an hour later.

qsodji
Contributor

@makander: The key was to ensure security and critical updates were being taken care of.
My script only ensures that the check for automatic updates is enabled, but it doesn't do any downloading or installing of either OS X updates or App Store apps. Once a week, I have a policy that installs all available OS X updates.
I have written a piece on how I gracefully accomplish that.
https://jumpt.wordpress.com/2015/02/13/leverage-software-updates-via-casper/

makander
Contributor

@qsodji Alright, but doesn't OS X notify the user that there are available software updates once you change it to "softwareupdate --schedule on"? Or perhaps I am mistaken.

qsodji
Contributor

@makander: I believe only when you have the download option also checked.

makander
Contributor

@qsodji I just tested in a VM, it does prompt the user with a notification if it's just set to "Automatically check for updates".

That's exactly why I have it set to not automatically check, since I don't want the users to be prompted. As seamless as possible.

dpertschi
Valued Contributor

So, bottom line then: if we do want to automatically receive the XProtect updates, then we have to accept Notification Center prompting our users about (other) available updates. Correct?

rtrouton
Release Candidate Programs Tester

@dpertschi,

If your Macs are pointing at Apple's software update service, or if you're using OS X Server's Software Update service, that's correct. I have a post on this issue available here:

https://derflounder.wordpress.com/2014/12/27/managing-automatic-installation-of-configdata-and-secur...

If you're using the latest Reposado to host Apple software updates, that's not necessarily correct:

https://managingosx.wordpress.com/2015/01/30/gatekeeper-configuration-data-and-xprotectplistconfigda...

adamcodega
Valued Contributor

@dpertschi Well, you can enable only system data files and security updates this way without enabling OS X and app updates.

ocla__09
Contributor

@qsodji the extension attribute does not seem to report machines that have the correct setting enabled in System Preferences. As @adamcodega mentioned, CriticalUpdateInstall does not seem to appear in that plist, even though the options are checked as they should be in System Preferences.

Is there something I am missing?

qsodji
Contributor

Check softwareupdate.plist in /Library and ~/Library

TomDay
Release Candidate Programs Tester

@qsodji Wow this is terrific, exactly what I need to implement at our org. Running into an issue where all my machines are reporting as "disabled" even though they are enabled. Looking through the script I see CriticalUpdateInstall and ConfigDataInstall, however I don't see those 2 options in the com.apple.softwareupdate.plist file.

Can you offer some advice?
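The recurring "does not exist" problem raised by @adamcodega, @ocla__09 and @TomDay comes from `defaults read` exiting non-zero when a key has never been written. Below is an added example of an extension attribute that handles that case explicitly; it is not the script from the blog post, and it assumes the two keys named in the thread (CriticalUpdateInstall and ConfigDataInstall) live in the system-level com.apple.SoftwareUpdate domain and that defaults(1) is available.

```bash
#!/bin/bash
# Added example (not the scripts from the blog post): a Jamf extension
# attribute reporting whether "Install system data files and security updates"
# is on. It reads CriticalUpdateInstall and ConfigDataInstall from the
# system-level com.apple.SoftwareUpdate domain via defaults(1), which is
# cfprefsd aware. A key that has never been set makes `defaults read` exit
# non-zero with the "does not exist" error seen in the thread; that case is
# reported as "missing" instead of letting the EA fail.

DOMAIN="/Library/Preferences/com.apple.SoftwareUpdate"

# read_key KEY: print the key's value, or "missing" when the key is absent
# (or when defaults is unavailable, e.g. when run outside macOS).
read_key() {
    local val
    if val=$(defaults read "$DOMAIN" "$1" 2>/dev/null); then
        printf '%s\n' "$val"
    else
        printf 'missing\n'
    fi
}

# classify CRIT CONF: "enabled" only when both values are 1. An explicit 0 and
# a missing key both count as "disabled", which is how the checkbox behaves:
# the key only appears once the option has been ticked at least once.
classify() {
    if [ "$1" = "1" ] && [ "$2" = "1" ]; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

# ea_result: build the <result> line Jamf expects, keeping the raw values so a
# report can tell "never configured" apart from "explicitly turned off".
ea_result() {
    local crit conf
    crit=$(read_key CriticalUpdateInstall)
    conf=$(read_key ConfigDataInstall)
    printf '<result>%s (CriticalUpdateInstall=%s ConfigDataInstall=%s)</result>\n' \
        "$(classify "$crit" "$conf")" "$crit" "$conf"
}

ea_result
```

Machines that show "missing" for both keys are the ones that need the enabler policy run (or the equivalent keys set by a configuration profile, as suggested earlier in the thread), rather than a true "disabled" state that someone chose.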