Apple Security Patches

KyleEricson
Valued Contributor II

I have this script, but I don't think it's working. I ran it on a 10.11 Mac that had a pending patch and it didn't do anything.

#!/bin/bash


### Environment Variables ###

# For OS updates use OSXUpd
# For Security updates use SecUpd

# Get any OS updates: first listing line that mentions OSXUpd, second field
getosupd=$(softwareupdate -l | grep OSXUpd | awk 'NR==1 {print $2}')

# Get any security updates: same approach, matching SecUpd
getsecupd=$(softwareupdate -l | grep SecUpd | awk 'NR==1 {print $2}')


MSG1='OS Software updates have been installed and require a restart. Please save your work and restart your machine'

MSG2='Security updates have been installed and require a restart. Please save your work and restart your machine'

### DO NOT MODIFY BELOW THIS LINE ###

# Install OS updates and prompt the user if the installer output mentions a restart
if softwareupdate -i "$getosupd" | grep "restart"
then
    # The jamfHelper path contains a space, so it must be quoted;
    # the trailing backslashes continue the command onto the next line
    sudo "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" \
        -windowType utility -title "WARNING" -description "$MSG1" \
        -icon /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertCautionIcon.icns \
        -iconSize 96 -button1 "OK" -defaultButton 1
fi

# Install Security updates and prompt the same way
if softwareupdate -i "$getsecupd" | grep "restart"
then
    sudo "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" \
        -windowType utility -title "WARNING" -description "$MSG2" \
        -icon /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertCautionIcon.icns \
        -iconSize 96 -button1 "OK" -defaultButton 1
fi

exit 0
Read My Blog: https://www.ericsontech.com
13 REPLIES

KyleEricson
Valued Contributor II

JAMF says the policy ran; I look on the machine and the patch is still there.


Read My Blog: https://www.ericsontech.com

therealmacjeezy
New Contributor III

I'll have to take a look at your script after I'm off work, but I do have a script that accomplishes this on Jamf Nation if you'd wanna take a look at that and see if that helps too.

Apple Software Update Search v2

"Saying 'uhh..' is the human equivalent to buffering."

KyleEricson
Valued Contributor II

How are you doing the reboots for Apple Security updates?

Read My Blog: https://www.ericsontech.com

ryan_ball
Valued Contributor

Specifically for the security update part, this will not work:

getsecupd=$(softwareupdate -l | grep SecUpd | awk 'NR==1 {print $2}')

You need the exact name of the update in order to install it with softwareupdate -i [item]. The name of the update will be something like "Security Update 2018-003010.12.6" and grepping for SecUpd will bring back zilch.

KyleEricson
Valued Contributor II

@therealmacjeezy How do you have your Reboot policy setup?

Read My Blog: https://www.ericsontech.com

KyleEricson
Valued Contributor II

Looks like this doesn't install patches. I ran the policy with a reboot and these still show up under updates; when I click update, they install.

Read My Blog: https://www.ericsontech.com

ryan_ball
Valued Contributor

You'd have to do something like this:

#!/bin/bash

# Each update in the listing is a "   * Name" line followed by a description line
# carrying [recommended] (and [restart] when a reboot is needed).
updates=$(/usr/sbin/softwareupdate -l)

# Keep the name line before each [recommended] line, filter to Security updates,
# and strip the leading "   * " so only the exact name remains.
getsecupd="$(echo "$updates" | /usr/bin/grep -B1 recommended | /usr/bin/grep -v recommended | /usr/bin/grep Security | /usr/bin/sed -n 's/^ *\* //p')"

# Exit quietly if nothing is pending; otherwise install each name (one per line).
[ -n "$getsecupd" ] || exit 0
echo "$getsecupd" | while IFS= read -r name; do
    /usr/sbin/softwareupdate -i "$name"
done
exit 0
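
Following ryan_ball's point that softwareupdate -i needs the exact name, here is an added example (not from this thread or from any of the posters) that parses the two-line listing format softwareupdate -l used on 10.11 through 10.14 into exact names plus a restart flag. The sample listing, the update names in it, and the function names are constructed for the example, and it prints the install command instead of running it, so it runs without a Mac. It also shows why grepping for SecUpd, as the first script does, comes back empty: the name line says "Security Update", not "SecUpd".

```bash
#!/bin/bash
# Added example (not from the thread): parse the listing that `softwareupdate -l`
# printed on 10.11-10.14 into exact update names plus a restart flag, which is
# what `softwareupdate -i <name>` needs. Everything below is constructed sample
# data; it never calls softwareupdate, so it runs on any machine.

# Constructed sample in the pre-10.15 two-line-per-update format. Update names
# are illustrative; the [recommended]/[restart] tags sit where the tool puts them.
sample_listing() {
  printf '%s\n' 'Software Update Tool' '' \
    'Software Update found the following new or updated software:'
  printf '   * %s\n' 'Security Update 2018-003-10.12.6'
  printf '\t%s\n' 'Security Update 2018-003 (10.12.6), 880403K [recommended] [restart]'
  printf '   * %s\n' 'iTunesX-12.8.0'
  printf '\t%s\n' 'iTunes (12.8.0), 273307K [recommended]'
  printf '   * %s\n' 'Safari12.0-10.12.6'
  printf '\t%s\n' 'Safari (12.0), 68023K [recommended] [restart]'
}

# list_updates: read a listing on stdin and print one "name<TAB>restart|norestart"
# line per update. The exact name is the "   * " line; the restart flag comes
# from the description line that follows it.
list_updates() {
  awk '
    /^   \* / { name = $0; sub(/^   \* /, "", name); next }
    name != "" {
      flag = ($0 ~ /\[restart\]/) ? "restart" : "norestart"
      printf "%s\t%s\n", name, flag
      name = ""
    }'
}

# security_update_names: only names that start with "Security Update"
# (grepping for "SecUpd", as the first script does, matches nothing here).
security_update_names() {
  list_updates | awk -F '\t' '$1 ~ /^Security Update/ { print $1 }'
}

# needs_restart: succeed (exit 0) if any listed update carries [restart].
needs_restart() {
  list_updates | awk -F '\t' '$2 == "restart" { found = 1 } END { exit !found }'
}

# install_command: print the exact softwareupdate invocation for the pending
# Security updates, one quoted name per update. Printed, not executed.
install_command() {
  names=$(security_update_names)
  if [ -z "$names" ]; then
    echo "no security updates pending"
    return 0
  fi
  printf '%s\n' "$names" |
    awk 'BEGIN { cmd = "/usr/sbin/softwareupdate -i" }
         { cmd = cmd " \047" $0 "\047" }
         END { print cmd }'
}

sample_listing | list_updates
sample_listing | install_command
```

On a real machine you would replace sample_listing with `/usr/sbin/softwareupdate -l` and run the printed command as root; needs_restart is the check to gate a jamfHelper prompt on, rather than grepping the installer's output for the word "restart".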

Nix4Life
Valued Contributor

Hey guys, just gotta ask: why the script and not the built-in mechanism? Many use the following settings via defaults write and/or config profiles to accomplish the same thing in an Apple-approved way:

Settings

which depending on your choices may look like this:


I chose not to download OS updates in this example. JSS reporting will tell you what's patched and what's not.

KyleEricson
Valued Contributor II

I want more control.

Read My Blog: https://www.ericsontech.com

Nix4Life
Valued Contributor


KyleEricson
Valued Contributor II

Does anyone have an MDM profile for the critical updates?

Read My Blog: https://www.ericsontech.com

UESCDurandal
Contributor II

@therealmacjeezy Taking a look at utilizing your script. Is there a reason why "security" is the only detectable label when determining whether a restart is needed? Wouldn't you want macOS updates included as well?

KyleEricson
Valued Contributor II

My use case is more that I want to push security updates.

Read My Blog: https://www.ericsontech.com