Solved

Apple Critical system updates

  • February 12, 2015
  • 21 replies
  • 68 views


I wrote a couple of scripts to ensure my managed Macs were getting Apple critical updates for XProtect and Gatekeeper.
It is a set of extension attribute and policy scripts which handle the update and also ensure the needed settings are set.
https://jumpt.wordpress.com/2015/02/12/enforcing-critical-osx-system-updates-via-casper/
Feedback is welcome.
Cheers

Best answer by qsodji

@makander: The key was to ensure security and critical updates were being taken care of.
My script only ensures that the check for automatic updates is enabled, but it doesn't do any downloading or installing of either OS X updates or App Store apps. Once a week, I have a policy that installs all available OS X updates.
I have written a piece on how I gracefully accomplish that.
https://jumpt.wordpress.com/2015/02/13/leverage-software-updates-via-casper/

21 replies

davidacland
  • Valued Contributor
  • February 13, 2015

Thanks! Just tried the EA, worked fine for me.

The only change I would go for would be to use a config profile to set the actual com.apple.SoftwareUpdate keys. Preference caching can get in the way sometimes if you are writing straight into the plist.

Thanks for the code though!


  • Author
  • Contributor
  • February 14, 2015

Thank you for the feedback, I will look into it.


bentoms
  • Hall of Fame
  • February 14, 2015

@davidacland, defaults is cfprefsd aware, so it should be fine, as it works with preference caching.


davidacland
  • Valued Contributor
  • February 14, 2015

Thanks @bentoms good point.


  • Valued Contributor
  • February 14, 2015

Nice one, thx


acodega
  • Valued Contributor
  • February 14, 2015

Thanks @qsodji for this blog post! The importance can't be stressed enough: as we've seen in the past few months, if you turn off automatic updates and manage them yourself, XProtect won't get updates. It can be one of the first security tools you can rely on regularly.

Not only is it important to know how to manage these settings, this is a great demonstration of how to do it with the Casper Suite.

Can we make this required reading in Jumpstarts? :)


acodega
  • Valued Contributor
  • February 14, 2015

Clarifying question: For critical_status and config_status I am getting

The domain/default pair of (/Library/Preferences/com.apple.SoftwareUpdate, CriticalUpdateInstall)
does not exist

even though my user does have those updates enabled. After I run Update_enabler.sh, the defaults read works.


  • Author
  • Contributor
  • February 14, 2015

@adamcodega Are you getting this on all reports or just on your machine?


acodega
  • Valued Contributor
  • February 14, 2015

Just on my machine, I'm testing it on mine before deploying.

com.apple.SoftwareUpdate exists; it just did not have the line entry CriticalUpdateInstall.


  • Author
  • Contributor
  • February 14, 2015

@adamcodega That's because the "Install system data files and security updates" option wasn't checked in System Preferences > App Store.


  • Contributor
  • February 16, 2015

@qsodji

Does this mean that you're not managing your updates by yourself anymore and that you are using the automatic update function instead?

Edit: Perhaps one way of doing it is to set schedule off and then, at a certain time, change it to schedule on, run all SW updates, and then turn them off an hour later.



  • Contributor
  • February 16, 2015

@qsodji Alright, but doesn't OS X notify the user that there are available software updates once you change it to "softwareupdate --schedule on"? Or perhaps I am mistaken.


  • Author
  • Contributor
  • February 16, 2015

@makander: I believe only when you have the download option also checked.


  • Contributor
  • February 16, 2015

@qsodji I just tested in a VM, it does prompt the user with a notification if it's just set to "Automatically check for updates".

That's exactly why I have it set to not automatically check, since I don't want the users to be prompted. As seamless as possible.


dpertschi
  • Contributor
  • February 18, 2015

So, bottom line then: if we do want to automatically receive the XProtect updates, then we have to accept Notification Center prompting our users about (other) available updates. Correct?


  • Hall of Fame
  • February 18, 2015

@dpertschi,

If your Macs are pointing at Apple's software update service, or if you're using OS X Server's Software Update service, that's correct. I have a post on this issue available here:

https://derflounder.wordpress.com/2014/12/27/managing-automatic-installation-of-configdata-and-security-software-updates-on-yosemite/

If you're using the latest Reposado to host Apple software updates, that's not necessarily correct:

https://managingosx.wordpress.com/2015/01/30/gatekeeper-configuration-data-and-xprotectplistconfigdata-and-munki-and-reposado-oh-my/


acodega
  • Valued Contributor
  • February 18, 2015

@dpertschi Well, you can enable only system data files and security updates this way without enabling OS X and app updates.


  • Contributor
  • March 3, 2015

@qsodji the extension attribute does not seem to report machines that have the correct setting enabled in System Preferences. As @adamcodega mentioned, CriticalUpdateInstall does not seem to appear in that plist, even though the options are checked as they should be in System Preferences.

Is there something I am missing?


  • Author
  • Contributor
  • March 3, 2015

Check softwareupdate.plist in /Library and ~/Library


  • Honored Contributor
  • March 9, 2016

@qsodji Wow, this is terrific, exactly what I need to implement at our org. I am running into an issue where all my machines are reporting as "disabled" even though they are enabled. Looking through the script I see CriticalUpdateInstall and ConfigDataInstall; however, I don't see those two options in the com.apple.softwareupdate.plist file.

Can you offer some advice?
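The extension attribute problem raised by acodega and the two later posters comes down to one thing: `defaults read` fails when a key has never been written to the plist, and an EA that treats that failure as "disabled" cannot tell an unwritten key from an explicitly disabled one. The script below is an added example, not the original poster's extension attribute; it reads both keys named in the thread with `defaults` (which, as bentoms notes, is cfprefsd aware) and reports an absent key as "Not set" so those Macs can be found with a smart group. It assumes the plist path and key names quoted above and the Jamf `<result>` tag convention.

```bash
#!/bin/bash
# Added example EA for the thread's critical-update settings (not the blog's script).
# Plist path and key names are the ones quoted in the thread above.
PLIST="/Library/Preferences/com.apple.SoftwareUpdate"

# read_key DOMAIN KEY: print the stored value, or "absent" when defaults
# reports that the domain/default pair does not exist (the error acodega saw).
read_key() {
  local val
  if val=$(defaults read "$1" "$2" 2>/dev/null); then
    printf '%s\n' "$val"
  else
    printf 'absent\n'
  fi
}

# classify VALUE: map the raw defaults output to a three-way state.
classify() {
  case "$1" in
    1|true|YES) echo "Enabled" ;;
    0|false|NO) echo "Disabled" ;;
    absent)     echo "NotSet" ;;
    *)          echo "Unknown($1)" ;;
  esac
}

# ea_result CRITICAL CONFIGDATA: the single string the EA reports. Only an
# explicit false on either key counts as Disabled; an unwritten key is
# reported separately instead of being lumped in with Disabled.
ea_result() {
  local c k
  c=$(classify "$1"); k=$(classify "$2")
  if [ "$c" = Enabled ] && [ "$k" = Enabled ]; then
    echo "Enabled"
  elif [ "$c" = NotSet ] || [ "$k" = NotSet ]; then
    echo "Not set in plist (Critical=$c, ConfigData=$k)"
  else
    echo "Disabled (Critical=$c, ConfigData=$k)"
  fi
}

main() {
  local crit cfg
  crit=$(read_key "$PLIST" CriticalUpdateInstall)
  cfg=$(read_key "$PLIST" ConfigDataInstall)
  echo "<result>$(ea_result "$crit" "$cfg")</result>"
}

# Only query the live plist where the defaults tool exists (i.e. on a Mac).
if command -v defaults >/dev/null 2>&1; then main; fi
```

Machines reporting "Not set" are the ones where the checkbox state was never written out; running the thread's Update_enabler.sh (or deploying a configuration profile for com.apple.SoftwareUpdate, as davidacland suggested) moves them to "Enabled" on the next inventory.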