Posted on 07-18-2018 07:21 AM
I have this script, but I don't think it's working. I ran it on a 10.11 Mac that had a pending patch and it didn't do anything.
#!/bin/bash
### Environment Variables ###
# For OS updates use OSXUpd
# For Security updates use SecUpd
# Get any OS updates
getosupd=$(softwareupdate -l | grep OSXUpd | awk 'NR==1 {print $2}')
# Get any security updates
getsecupd=$(softwareupdate -l | grep SecUpd | awk 'NR==1 {print $2}')
MSG1='OS Software updates have been installed and require a restart. Please save your work and restart your machine'
MSG2='Security updates have been installed and require a restart. Please save your work and restart your machine'
### DO NOT MODIFY BELOW THIS LINE ###
# Install OS updates
if
softwareupdate -i $getosupd | grep "restart"
then
# Path contains a space, so it must be quoted; arguments continue on the next line
sudo "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" \
-windowType utility -title "WARNING" -description "$MSG1" -icon /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertCautionIcon.icns -iconSize 96 -button1 "OK" -defaultButton 1
fi
# Install Security updates
if
softwareupdate -i $getsecupd | grep "restart"
then
# Path contains a space, so it must be quoted; arguments continue on the next line
sudo "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" \
-windowType utility -title "WARNING" -description "$MSG2" -icon /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertCautionIcon.icns -iconSize 96 -button1 "OK" -defaultButton 1
fi
exit 0
Posted on 07-18-2018 07:29 AM
JAMF says the policy ran, look on machine and patch is still there.
Posted on 07-18-2018 08:11 AM
I'll have to take a look at your script after I'm off work, but I do have a script that accomplishes this on jamf nation if you'd wanna take a look at that and see if that helps too.
Apple Software Update Search v2
Posted on 07-19-2018 08:17 AM
How are you doing the reboots for Apple Security updates?
Posted on 07-19-2018 10:41 AM
Specifically for the security update part, this will not work:
getsecupd=$(softwareupdate -l | grep SecUpd | awk 'NR==1 {print $2}')
You need the exact name of the update in order to install it with softwareupdate -i [item]. The name of the update will be something like "Security Update 2018-003010.12.6" and grepping for SecUpd will bring back zilch.
Posted on 07-19-2018 10:43 AM
@therealmacjeezy How do you have your Reboot policy setup?
Posted on 07-19-2018 11:24 AM
Looks like this doesn't install patches. I ran the policy with a reboot and these still show up under updates and I click update and they install.
Posted on 07-19-2018 11:37 AM
You'd have to do something like this:
#!/bin/bash
updates=$(/usr/sbin/softwareupdate -l)
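# Take the label line above each [recommended] entry, keep the Security one, and strip the leading "   * "
getsecupd="$(echo "$updates" | /usr/bin/grep -B1 recommended | /usr/bin/grep -v recommended | grep Security | sed -n 's/^ *\* //p')"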
/usr/sbin/softwareupdate -i "$getsecupd"
exit 0
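The label extraction discussed above, as an added example that is not code from any poster in this thread: it parses the listing into label and restart-flag rows for every recommended update, so the exact label can be handed to `softwareupdate -i` and the restart prompt can be driven by the `[restart]` tag. It assumes the pre-10.15 listing layout (a `* label` line followed by a detail line); the sample listing is constructed around the update name quoted earlier, and the function names and the `--install` switch are hypothetical.

```shell
#!/bin/bash
# Added example (not from the thread): turn `softwareupdate -l` output into
# "label<TAB>restart|norestart" rows so the exact label can be passed to -i.

# Constructed sample of the assumed listing layout; sizes and the iTunes entry are made up.
sample_listing() {
  printf '%s\n' 'Software Update Tool' '' 'Finding available software' \
    'Software Update found the following new or updated software:' \
    '   * Security Update 2018-003010.12.6'
  printf '\t%s\n' 'Security Update 2018-003 (10.12.6), 500000K [recommended] [restart]'
  printf '%s\n' '   * iTunesX-12.8'
  printf '\t%s\n' 'iTunes (12.8), 270000K [recommended]'
}

# stdin: raw listing. stdout: one row per [recommended] update.
parse_updates() {
  awk '
    /^[ \t]*\* / {                       # label line: "   * <label>"
      label = $0; sub(/^[ \t]*\* /, "", label); next
    }
    label != "" && /\[recommended\]/ {   # detail line directly under the label
      printf "%s\t%s\n", label, ($0 ~ /\[restart\]/ ? "restart" : "norestart")
    }
    { label = "" }                       # any other line ends the pairing
  '
}

# Keep only rows whose label starts with "Security Update".
security_only() { awk -F'\t' '$1 ~ /^Security Update/'; }

# Exit 0 if any row on stdin is flagged restart, 1 otherwise.
restart_needed() { awk -F'\t' '$2 == "restart" { found = 1 } END { exit !found }'; }

# Real run only with --install (hypothetical switch of this example), as root on the Mac.
if [ "${1:-}" = "--install" ]; then
  rows=$(/usr/sbin/softwareupdate -l 2>&1 | parse_updates | security_only)
  printf '%s\n' "$rows" | cut -f1 | while IFS= read -r label; do
    # </dev/null keeps softwareupdate from consuming the loop's input
    [ -n "$label" ] && /usr/sbin/softwareupdate -i "$label" </dev/null
  done
  if printf '%s\n' "$rows" | restart_needed; then echo "Restart required"; fi
fi
```

Dropping `security_only` from the pipeline applies the same install and restart check to every recommended update, not just security ones.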
Posted on 07-19-2018 02:42 PM
Hey Guys, just gotta ask why the script and not the built-in mechanism? Many use the following settings via defaults write and/or config profiles to accomplish the same thing in an Apple approved way:
which depending on your choices may look like this:
I chose to not download OS Updates in this example. JSS reporting will tell you what's patched and what's not
Posted on 07-20-2018 10:34 AM
I want more control.
Posted on 07-20-2018 01:50 PM
Posted on 07-23-2018 01:26 PM
Does anyone have an MDM profile for the critical updates?
Posted on 07-24-2018 09:29 AM
@therealmacjeezy Taking a look at utilizing your script. Is there a reason why "security" is the only detectable label when determining whether a restart is needed? Wouldn't you want macOS updates included as well?
Posted on 07-24-2018 09:32 AM
More my use case on want to push security updates.