Posted on 02-12-2015 03:03 PM
I wrote a couple of scripts to ensure my managed Macs were getting Apple critical updates for XProtect and Gatekeeper.
It is a set of attribute and policy scripts which handles the update and also ensures the needed settings are set.
https://jumpt.wordpress.com/2015/02/12/enforcing-critical-osx-system-updates-via-casper/
Feedback is welcome.
Cheers
Posted on 02-13-2015 07:41 AM
Thanks! Just tried the EA, worked fine for me.
The only change I would go for would be to use a config profile to set the actual com.apple.SoftwareUpdate keys. Preference caching can get in the way sometimes if you are writing straight into the plist.
Thanks for the code though!
Posted on 02-13-2015 06:06 PM
Thank you for the feedback, I will look into it.
Posted on 02-13-2015 11:57 PM
@davidacland, defaults is cfprefsd aware, so it should be fine as it works with preference caching.
Posted on 02-14-2015 01:20 AM
Thanks @bentoms good point.
Posted on 02-14-2015 05:19 AM
Nice one thx
Posted on 02-14-2015 07:05 AM
Thanks @qsodji for this blog post! The importance can't be stressed enough, as we've seen in the past few months if you turn off automatic updates and manage them yourself, XProtect won't get updates. It can be one of the first security tools you can rely on regularly.
Not only is it important to know how to manage these settings, this is a great demonstration of how to do it with the Casper Suite.
Can we make this required reading in Jumpstarts? :)
Posted on 02-14-2015 07:35 AM
Clarifying question: For critical_status and config_status I am getting
The domain/default pair of (/Library/Preferences/com.apple.SoftwareUpdate, CriticalUpdateInstall)
does not exist
Even though my user does have those updates enabled. After I run Update_enabler.sh then the defaults read works.
Posted on 02-14-2015 07:52 AM
@adamcodega Are you getting this on all reports or just on your machine?
Posted on 02-14-2015 08:05 AM
Just on my machine, I'm testing it on mine before deploying.
com.apple.SoftwareUpdate exists it just did not have the line entry CriticalUpdateInstall
Posted on 02-14-2015 08:11 AM
@adamcodega That's because install system data files and security updates option wasn't checked in System Preferences App Store.
Posted on 02-16-2015 01:41 AM
Does this mean that you're not managing your updates by yourself anymore and that you are using the automatic update function instead?
Edit: Perhaps one way of doing it is to set schedule off and then at a certain time change it to schedule on and run all SW-updates and then turn them off an hour later.
Posted on 02-16-2015 01:59 AM
@makander: The key was to ensure security and critical updates were being taken care of.
My script only ensures that the check for automatic updates is enabled but it doesn't do any downloading or installing of either OS X updates or App Store apps. Once a week, I have a policy that installs all available OS X updates.
I have written a piece on how I gracefully accomplish that.
https://jumpt.wordpress.com/2015/02/13/leverage-software-updates-via-casper/
Posted on 02-16-2015 02:44 AM
@qsodji Alright, but doesn't OS X notify the user that there are available software updates once you change it to "softwareupdate --schedule on"? Or perhaps I am mistaken.
Posted on 02-16-2015 02:46 AM
@makander: I believe only when you have the download option also checked.
Posted on 02-16-2015 03:07 AM
@qsodji I just tested in a VM, it does prompt the user with a notification if it's just set to "Automatically check for updates".
That's exactly why I have it set to not automatically check, since I don't want the users to be prompted. As seamless as possible.
Posted on 02-18-2015 07:34 AM
So, bottom line then; if we do want to automatically receive the XProtect updates, then we have to accept Notification Center prompting our users about (other) available updates. Correct?
Posted on 02-18-2015 07:42 AM
If your Macs are pointing at Apple's software update service, or if you're using OS X Server's Software Update service, that's correct. I have a post on this issue available here:
If you're using the latest Reposado to host Apple software updates, that's not necessarily correct:
Posted on 02-18-2015 08:56 AM
@dpertschi Well you can enable only system data files and security updates this way without enabling OS X and app updates.
Posted on 03-03-2015 11:33 AM
@qsodji the extension attribute does not seem to report machines that have the correct setting enabled in System Preferences. As @adamcodega mentioned, CriticalUpdateInstall does not seem to appear in that plist, even though the options are checked as they should be in System Preferences.
Is there something I am missing?
Posted on 03-03-2015 11:43 AM
Check softwareupdate.plist in /Library and ~/Library
Posted on 03-09-2016 10:38 AM
@qsodji Wow this is terrific, exactly what I need to implement at our org. Running into an issue where all my machines are reporting as "disabled" even though they are enabled. Looking through the script I see CriticalUpdateInstall and ConfigDataInstall, however I don't see those 2 options in the com.apple.softwareupdate.plist file.
Can you offer some advice?
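
Several posts above hit the same case: `defaults read` fails with "does not exist" for CriticalUpdateInstall or ConfigDataInstall, and the inventory then shows "disabled". The following extension attribute reports a missing key separately from a disabled one. It is an added example, not part of the thread and not @qsodji's script; the function names and result strings are hypothetical, and it assumes `defaults read` prints 1 or 0 for these boolean keys.

```bash
#!/bin/bash
# Added example: three-state extension attribute for the two keys discussed
# in the thread. Function names and result strings are hypothetical.

DOMAIN="/Library/Preferences/com.apple.SoftwareUpdate"

# Print the key's value, or "absent" when the domain/default pair does not
# exist. "defaults read" exits non-zero and writes its "does not exist"
# message to stderr in that case, so stderr is dropped and the status tested.
read_key() {
    local value
    if value=$(defaults read "$DOMAIN" "$1" 2>/dev/null); then
        printf '%s\n' "$value"
    else
        printf 'absent\n'
    fi
}

# Map a raw value to enabled / disabled / not set.
normalize() {
    case "$1" in
        1|true|TRUE|YES)  echo "enabled" ;;
        0|false|FALSE|NO) echo "disabled" ;;
        absent|"")        echo "not set" ;;
        *)                echo "unknown($1)" ;;
    esac
}

# Combine both keys into one inventory string, naming the key that is off
# or missing so the report shows why a machine is flagged.
summarize() {
    local critical config
    critical=$(normalize "$1")
    config=$(normalize "$2")
    if [ "$critical" = "enabled" ] && [ "$config" = "enabled" ]; then
        echo "Enabled"
    else
        echo "Not enforced (CriticalUpdateInstall: $critical, ConfigDataInstall: $config)"
    fi
}

# Query the system only where the macOS "defaults" tool is present.
if command -v defaults >/dev/null 2>&1; then
    echo "<result>$(summarize "$(read_key CriticalUpdateInstall)" "$(read_key ConfigDataInstall)")</result>"
fi
```

A smart group can then match on "not set" to find machines where the key has never been written, separately from machines where it was explicitly turned off.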