Posted on 12-22-2014 01:44 PM
Apple releases critical NTP Security Update for OS X Yosemite, Mavericks, & Mountain Lion
Apple today released an OS X NTP Security Update for Mac users running 10.10 Yosemite, 10.9 Mavericks, and 10.8 Mountain Lion. The update is recommended for all users and fixes a “critical security issue with the software that provides the Network Time Protocol service for OS X,” according to Apple. Check the Updates tab of the Mac App Store to grab the security update. More details regarding the security update for OS X should be available through this support document soon.
http://9to5mac.com/2014/12/22/ntp-security-update-os-x-yosemite-mavericks-mountain-lion/
Posted on 12-22-2014 04:36 PM
Just in time for the holidays! Thanks, Apple!
Posted on 12-23-2014 05:22 AM
YMMV, but for anyone else who has clients on 10.9.4 who can't easily update them to 10.9.5 - you can update a test machine to 10.9.5 and download the update in terminal running
```
sudo softwareupdate -d "OSX NTP Security Update-1.0"
```
Then the install downloads to /Library/Updates, and this .pkg installs for me on 10.9.4 machines without repackaging. To confirm it installs, in terminal run
```
what /usr/sbin/ntpd
```
After running, it should return ntp-88.1.1 for Mavericks.
Posted on 12-23-2014 05:42 AM
So now Apple has "pushed" this update to machines.
http://www.reuters.com/article/2014/12/23/us-apple-cybersecurity-idUSKBN0K108W20141223
How does this work if we host our own SUS appliance and JAMF policies to force users to update?
How does this affect IT Administrators?
So far I haven't found any posts on how Apple is doing this push, so not sure if it will work in our environment.
Posted on 12-23-2014 05:49 AM
What annoys me is the blithe assumption on Apple's part that we are all running Yosemite just because it is free. Perhaps it hasn't occurred to them that we can't update for various reasons, like the many bugs and incompatibilities it brings to our lives...
Posted on 12-23-2014 05:50 AM
FWIW, I deployed the patch to a test machine (10.9.5) that had already been "pushed" by Apple, and saw no issues.
Posted on 12-23-2014 05:59 AM
It doesn't get pushed if you don't have "Install system data files and security updates" checked in app store prefs according to cnet.
http://www.cnet.com/uk/news/apple-updates-macs-without-asking-but-its-to-foil-hackers/
FYI I created an extension attribute that I'm sure could be more elegantly done, but seems to work for anyone interested
```
#!/bin/sh
NTPVersion=`what /usr/sbin/ntpd| awk 'END{print}' | tr -d " PROGRAM:ntpd JECT-"`
echo "<result>$NTPVersion</result>"
```
Posted on 12-23-2014 06:07 AM
Based on the information I'm seeing, this update is being pushed using the same mechanism that Apple uses to automatically push XProtect updates.
I have a post on how you can force XProtect updates, which also talks about the delivery mechanism via Software Update:
Posted on 12-23-2014 06:43 AM
For the sake of trading Bash script methods, @CasperSally:
```
#!/bin/sh
NTPVersion=`what /usr/sbin/ntpd | tail -1 | cut -f2 -d"-"`
echo "<result>$NTPVersion</result>"
```
I was getting weird white space printing results at first.
Posted on 12-23-2014 06:46 AM
@adamcodega - much more elegant :)
Posted on 12-23-2014 07:24 AM
Combined with this smart group, I believe:
Posted on 12-23-2014 07:33 AM
Or just
```
#!/bin/sh
echo "<result>$(what /usr/sbin/ntpd | awk -F- '{getline; print $NF}')</result>"
```
FWIW, my Mac is running 10.9.5, and I have the setting enabled in App Store preferences to install system data files and security updates, but my ntpd version is still at 88 so far. I'll need to keep an eye on it. I assume 10.9.5 should get the auto update, and not just Yosemite.
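Added example, not part of any post in this thread: the extension attributes above return only the version string, so a smart group still has to know which value means patched. This sketch parses the `PROJECT:ntp-` field and compares it numerically against `88.1.1`, the Mavericks value quoted earlier; the `what` samples are constructed, the function names are hypothetical, and other OS X releases need their own expected value, which this page does not give.

```shell
#!/bin/sh
# Added example: extension attribute that reports patch state, not just a version.
# EXPECTED is the Mavericks value quoted in this thread; other OS X releases
# need their own value, which this page does not give.
EXPECTED="${EXPECTED:-88.1.1}"

# Constructed samples of `what /usr/sbin/ntpd` output (before / after the update).
SAMPLE_OLD='/usr/sbin/ntpd
     PROGRAM:ntpd  PROJECT:ntp-88'
SAMPLE_NEW='/usr/sbin/ntpd
     PROGRAM:ntpd  PROJECT:ntp-88.1.1'

# Print the version that follows "PROJECT:ntp-" in `what` output read from stdin.
ntp_project_version() {
    sed -n 's/.*PROJECT:ntp-\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when dotted version $1 >= $2, comparing each field as a number.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Turn `what` output (stdin) into the string the extension attribute reports.
ntp_status() {
    v=$(ntp_project_version)
    if [ -z "$v" ]; then
        echo "Unknown"
    elif version_ge "$v" "$1"; then
        echo "Patched ($v)"
    else
        echo "Not patched ($v)"
    fi
}

if command -v what >/dev/null 2>&1 && [ -x /usr/sbin/ntpd ]; then
    echo "<result>$(what /usr/sbin/ntpd | ntp_status "$EXPECTED")</result>"
else
    # Not on a Mac: run the parser over the constructed samples instead.
    printf '%s\n' "$SAMPLE_OLD" | ntp_status "$EXPECTED"
    printf '%s\n' "$SAMPLE_NEW" | ntp_status "$EXPECTED"
fi
```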
Posted on 12-23-2014 07:43 AM
there's no single package for deployment across all os's is there?
I tried the one linked in the apple kb article, but it appeared to be only 10.10.x, and it errors out when I try on 10.9.x
Edit: nevermind, found it :)
http://support.apple.com/downloads/
Posted on 12-23-2014 07:54 AM
Yep, there's a package for Mountain Lion, Mavericks, and Yosemite.
No word on whether Mountain Lion or Mavericks are installing themselves the way Yosemite did though.
Posted on 12-23-2014 07:58 AM
hmm bummer I missed those downloads on Apple's site when I looked earlier.
Posted on 12-23-2014 08:33 AM
@mm2270 if the Yosemite machines here are any indication, you'll see a little notification that says something like "a new security update has been installed" in the top corner where push notifications show up.
Posted on 12-23-2014 09:26 AM
@emilykausalik,
Yes, oddly enough, another test Mavericks Mac I have here got the update nearly immediately after I got it connected to the internet. And I saw the Notification Center message. It came down to my primary Mac as well, but I didn't see a Notification about it. I only know because I re-ran the command to pull the ntpd version and it's now at 88.1.1. Strange, but at least it's working.
Posted on 12-23-2014 09:28 AM
@rtrouton confirmed on Mountain Lion that it appears in Software Update as "going to be installed soon"
Posted on 12-23-2014 11:56 AM
FYI, even though Apple only makes these updates available to the latest patch levels (10.8.5, 10.9.5, 10.10.1), the packages will install onto older versions. Direct download links:
Posted on 12-23-2014 12:00 PM
For clarity, you can find all Apple security update information here:
http://support.apple.com/en-us/HT1222
Download updates manually if need be here:
http://support.apple.com/downloads/
Posted on 12-23-2014 12:06 PM
@adamcodega, d'oh, didn't realize that Apple posted these as standalone downloads via their support site. My face is red.
Posted on 12-23-2014 12:21 PM
No worries right? Great to bookmark because I always lose track of what is where.
Posted on 12-23-2014 01:26 PM
@andyinindy I'm not having any luck installing the packages onto older patch levels, I'm seeing this:
```
Installation failed. The installer reported: installer: Cannot install on volume / because it is disabled.
installer: This update requires OS X version 10.9.5 or later.
```
Posted on 12-23-2014 01:27 PM
Were you installing it onto 10.9.4?
Posted on 12-23-2014 01:31 PM
Yes, I was installing it on both 10.9.3 and 10.9.4 with the packages downloaded from Apple.
Posted on 12-23-2014 03:04 PM
FYI, if you have older OS X iterations to update, this page has the code, but no fancy Apple packages.
Posted on 12-23-2014 03:17 PM
I ran
```
softwareupdate --background-critical
```
and that seemed to work on 10.9 and 10.10 boxes. The update is marked as critical in the installer .plist so it seems to make sense based on Rich's blog post.
Posted on 12-23-2014 06:40 PM
The folks in the ##osx-server IRC room put their heads together this afternoon to help figure this out. I've got a post on the findings available from the link below:
http://derflounder.wordpress.com/2014/12/24/managing-os-xs-automatic-security-updates/