Hooooo boy. We definitely have Automatic Updates enabled via config profile as, well, we want to have clients download their updates and then prompt users to install them. Having to turn that off would suck.
Wonder if it'll get caught in SUS before it hits clients.
"Hope you have caching server set up! You have all moved to that by now, right?" -Apple
Real Nice, so if I disable automatic updates, I miss Gatekeeper and XProtect updates, but block Sierra
@mrice that TARDIS is looking good right about now
Thanks for the heads up @AVmcclint
Larry
So what's the best way to disable automatic updates?
I've used a simple policy that pushes out the following command to turn on "Download newly available updates in the background" in the past:
defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool YES
Changing the YES to NO should do the trick. You can do a configuration profile to do the same.
My question is, if I want to keep download in the background enabled but not for that particular update. Has anyone seen the macOS Safari upgrade appear when running "softwareupdate --list --all"? I want to see if I can use --ignore to just prevent that upgrade from downloading in the background.
@LSinNY These are separate settings. You can have automatic downloads turned off but still have "Install system data files and security updates" enabled which is what xprotect and gatekeeper defs fall under.
@iJake hmmm so if you turn automatic downloads off but have ConfigDataInstall and CriticalUpdateInstall set to true, the Mac will still automatically download and install xprotect, gatekeeper, and critical updates automatically?
So if I have Sierra as a restricted software, will it download and then automatically delete itself...and then download again?
@dgreening Yes. We enforce via custom configuration profile
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AutomaticCheckEnabled</key>
  <true/>
  <key>ConfigDataInstall</key>
  <true/>
  <key>CriticalUpdateInstall</key>
  <true/>
</dict>
</plist>
I too have Sierra set as restricted software. My hope is it doesn't automatically open the installer app causing all users to get a pop up. Has anyone seen it in the wild yet?
I see the following in SUS 
I would guess that this is part of the mechanism to deliver the upgrader. Not sure if it's required or not.
We have it disabled for now.
Verified this can be downloaded from App Store.app's Updates tab WITHOUT being logged in with an Apple ID.
This package is getting picked up by local Caching Server but NOT SUS. When local Caching servers are disabled, the client will go out to Apple on the Internet despite local SUS catalog URL. My corp has a proxy so I'm not sure which Apple server... most likely AppStore CDN...
Is this the first App Store App from the App store that does not need an Apple ID?
Also, the App placeholder in the Applications folder while being downloaded is called "macOS Sierra" instead of "Install macOS Sierra".
Did anyone get awareness from Apple?
That's the same name for the app when you push via VPP, btw.
Rather than stop this automatic download, I'd like to use it in place of caching an installESD.dmg to fuel a Self Service upgrade policy.
Anybody already doing this or have any ideas as I start to dig into that concept?
Yep, just showed up in my reposado box. @milesleacy that is interesting. @iJake liking the profile.
Just had a watchman alert telling me one of our developers updated. He claims it just installed on its own as well.
I have an El Capitan VM set to download but not automatically install all available updates (from App Store preferences).
I suspect if the Mac had Install OS X Updates selected, that it would upgrade on the next reboot.
(my production Macs have the top 5 boxes managed to enabled)
I hope not. The way I understood it that would only work for 10.x.x updates but not an update to a new 10.x version
Can someone who knows that they have a Mac that has received the automatic download (and has not yet installed the update) report on the contents of that Mac's /Library/Updates/ directory?
Can everyone confirm this is only hitting El Cap Macs as the article states? Want to make sure earlier OS's aren't impacted.
> Just had a watchman alert telling me one of our developers updated. He claims it just installed on its own as well.
I find that very hard to believe. The information we have available on this automatic download all points to requiring the user to initiate or approve the upgrade.
I'm almost positive it required interaction.
Users lie.
Users also click "Ok" without reading dialogs or Notification Center messages.
I am waiting for my 10.11.6 Mac to get the automatic download so I can see the message, but I suspect it will be similar to the automatic update messaging in Notification Center.

Just spoke with Enterprise AppleCare and they pointed me to the following KB:
https://support.apple.com/en-us/HT201475
I also confirmed the following w/ AppleCare rep:
1.) As mentioned, only 10.11.5 and above will be auto downloaded
2.) Unchecking "Download newly available updates in the background" prevents the download
3.) The installer that is auto downloaded is still "Install macOS Sierra.app"
Our restrictions policy should catch the installer app and kill it. I pushed out a script yesterday afternoon to all El Cap clients based on the string above:
defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool NO
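An added example, not part of any post in the thread: a Python check of a com.apple.SoftwareUpdate plist against the combination discussed above (background download off, ConfigDataInstall and CriticalUpdateInstall still on). The `audit` and `compliant` names, the desired-state table and the sample plist are constructed for illustration.

```python
import plistlib

# Desired state, using the keys quoted in the thread: background download
# off, security data (XProtect/Gatekeeper) and critical updates still on.
DESIRED = {
    "AutomaticCheckEnabled": True,
    "AutomaticDownload": False,
    "ConfigDataInstall": True,
    "CriticalUpdateInstall": True,
}

# Constructed sample: part of the profile payload from the thread plus the
# AutomaticDownload key written as a string instead of a boolean.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AutomaticCheckEnabled</key><true/>
    <key>AutomaticDownload</key><string>NO</string>
    <key>ConfigDataInstall</key><true/>
</dict>
</plist>"""

def audit(plist_bytes, desired=DESIRED):
    """Map each key to 'ok', 'mismatch', 'unset' or 'not-boolean'."""
    prefs = plistlib.loads(plist_bytes)  # reads XML and binary plists
    report = {}
    for key, want in desired.items():
        if key not in prefs:
            report[key] = "unset"        # falls back to the OS default
        elif not isinstance(prefs[key], bool):
            report[key] = "not-boolean"  # e.g. written without -bool
        else:
            report[key] = "ok" if prefs[key] == want else "mismatch"
    return report

def compliant(report):
    """True only when every desired key is present, boolean and correct."""
    return all(status == "ok" for status in report.values())

if __name__ == "__main__":
    for key, status in audit(SAMPLE).items():
        print(f"{key:24} {status}")
```
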