I generally send out security updates by calling the softwareupdate -i command and the specific update I'm running. I then have Jamf restart the computer with a restart message. The past few updates this has worked fine (I stopped packaging the updates myself after the combo update forced a restart and ignored displaying the message through Jamf).
However, with the 2019-002 Security update, I noticed that on a number of machines (all 2018 models), I see the following in the logs:
To install these updates, your computer must shut down. Your computer will automatically start up to finish installation. Installation will not complete successfully if you choose to restart your computer instead of shutting down. Please call halt(8) or select Shut Down from the Apple menu. To automate the shutdown process with softwareupdate(8), use --restart.
The other non-2018 machines say the following:
You have installed one or more updates that requires that you restart your computer. Please restart immediately. To automate the restart process with softwareupdate(8), use --restart.
I'm guessing that there was some sort of firmware update required on the 2018 machines that required the shutdown, but I don't know. Is there any way to know when a shutdown is required?
So what are good practices around this - 2 separate policies scoped to non-T2-equipped and T2-equipped Macs respectively, running slight variations on the software update command? It feels like there ought to be a better way!
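One way to avoid maintaining two scoped policies is to let the text softwareupdate prints decide the power action, since Apple's own message already says whether a halt or a restart is needed. The script below is an added example (not code from the original post or from Jamf): it captures the output of softwareupdate -i for a named update, looks for the two messages quoted above, and then calls shutdown -h or shutdown -r accordingly. The function names, the one-minute grace period, and the use of system_profiler SPiBridgeDataType for T2 inventory are assumptions of this example; the output text, not the hardware model, is the signal the script acts on.

```shell
#!/bin/sh
# Added example, not from the original post: install one update with
# softwareupdate and halt or restart based on what softwareupdate reports.

# Decide the power action softwareupdate asked for.
# $1 = captured softwareupdate output. Prints "halt", "restart" or "none".
required_action() {
    if printf '%s\n' "$1" | grep -q 'your computer must shut down'; then
        echo halt
    elif printf '%s\n' "$1" | grep -q 'requires that you restart your computer'; then
        echo restart
    else
        echo none
    fi
}

# Optional inventory helper (assumption: T2 Macs report an iBridge entry).
# Useful for reporting or scoping, but the decision above does not rely on it.
has_t2_chip() {
    /usr/sbin/system_profiler SPiBridgeDataType 2>/dev/null | grep -q 'T2'
}

# Install the named update (e.g. "Security Update 2019-002"), then act on
# the message softwareupdate printed. Assumes Jamf has already shown its
# own notification; the shutdown warning message is a fallback.
install_and_finish() {
    update_name="$1"
    out=$(/usr/sbin/softwareupdate -i "$update_name" 2>&1)
    printf '%s\n' "$out"
    case "$(required_action "$out")" in
        halt)    /sbin/shutdown -h +1 "Finishing $update_name: shutting down" ;;
        restart) /sbin/shutdown -r +1 "Finishing $update_name: restarting" ;;
        none)    echo "No power action requested by softwareupdate." ;;
    esac
}

# Usage: run with the update name as the first argument.
if [ -n "${1:-}" ]; then
    install_and_finish "$1"
fi
```

Note that, per the message Apple prints, softwareupdate -i "<update>" --restart would perform the halt or restart itself; the script above is for the case in the question, where you want to keep Jamf's own messaging in front of the user and still get the right power action on each machine.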
You could use Install or Defer, which alerts the end-user about the update(s), allows deferral (with an adjustable deadline), and restarts or shuts down as needed by the script and the Apple Security Chip: