Apple Security Patches

KyleEricson
Valued Contributor

I have this script, but I don't think it's working. I ran it on a 10.11 Mac that had a pending patch and it didn't do anything.

#!/bin/bash

### Environment Variables ###

# For OS updates use OSXUpd
# For Security updates use SecUpd

# Get any OS updates (first match only)
getosupd=$(softwareupdate -l | grep OSXUpd | awk 'NR==1 {print $2}')

# Get any security updates (first match only)
getsecupd=$(softwareupdate -l | grep SecUpd | awk 'NR==1 {print $2}')

MSG1='OS Software updates have been installed and require a restart. Please save your work and restart your machine'

MSG2='Security updates have been installed and require a restart. Please save your work and restart your machine'

### DO NOT MODIFY BELOW THIS LINE ###

# Install OS updates; prompt for a restart if the installer output mentions one.
# The jamfHelper path contains a space, so it must be quoted, and the long
# command is continued with backslashes.
if softwareupdate -i "$getosupd" | grep "restart"; then
    sudo "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" \
        -windowType utility -title "WARNING" -description "$MSG1" \
        -icon /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertCautionIcon.icns \
        -iconSize 96 -button1 "OK" -defaultButton 1
fi

# Install Security updates; prompt for a restart if the installer output mentions one
if softwareupdate -i "$getsecupd" | grep "restart"; then
    sudo "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" \
        -windowType utility -title "WARNING" -description "$MSG2" \
        -icon /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertCautionIcon.icns \
        -iconSize 96 -button1 "OK" -defaultButton 1
fi

exit 0

KyleEricson
Valued Contributor

JAMF says the policy ran, look on machine and patch is still there.

therealmacjeezy
New Contributor III

I'll have to take a look at your script after I'm off work, but I do have a script that accomplishes this on jamf nation if you'd wanna take a look at that and see if that helps too.

Apple Software Update Search v2

KyleEricson
Valued Contributor

How are you doing the reboots for Apple Security updates?

ryan_ball
Valued Contributor

Specifically for the security update part, this will not work:

getsecupd=$(softwareupdate -l | grep SecUpd | awk 'NR==1 {print $2}')

You need the exact name of the update in order to install it with softwareupdate -i [item]. The name of the update will be something like "Security Update 2018-003010.12.6" and grepping for SecUpd will bring back zilch.

KyleEricson
Valued Contributor

@therealmacjeezy How do you have your Reboot policy setup?

KyleEricson
Valued Contributor

Looks like this doesn't install patches. I ran the policy with a reboot and these still show up under updates; when I click update, they install.

ryan_ball
Valued Contributor

You'd have to do something like this:

#!/bin/bash

# List available updates once, keep the "   * Name" lines that precede a
# "[recommended]" line, narrow to Security updates, and strip the leading
# "   * " so only the exact update name is left (the asterisk must be
# escaped in the sed pattern, otherwise it is not removed).
updates=$(/usr/sbin/softwareupdate -l)
getsecupd="$(echo "$updates" | /usr/bin/grep -B1 recommended | /usr/bin/grep -v recommended | /usr/bin/grep Security | /usr/bin/sed -n 's/^ *\* //p')"

# Install each matching update by its exact name, one name per line
while IFS= read -r name; do
    [ -n "$name" ] && /usr/sbin/softwareupdate -i "$name"
done <<< "$getsecupd"

exit 0
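
An added example, not part of either poster's script, that parses the `softwareupdate -l` listing layout the reply above relies on: each "   * Name" line is paired with the description line that follows it, so the exact name that `softwareupdate -i` expects and its [restart] flag can be pulled out together. The listing text is constructed for the example, not captured from a real Mac.

```sh
# Constructed sample of `softwareupdate -l` output in the 10.11-10.13 layout
# (not captured from a real Mac): each "   * Name" line is followed by a
# description line carrying the [recommended] / [restart] flags.
SAMPLE_LIST='Software Update Tool

Finding available software
Software Update found the following new or updated software:
   * Security Update 2018-003-10.12.6
        Security Update 2018-003 (10.12.6), 183000K [recommended] [restart]
   * iTunesX-12.8.0
        iTunes (12.8.0), 265000K [recommended]
   * macOS 10.13.6 Update
        macOS 10.13.6 Update (10.13.6), 1900000K [recommended] [restart]'

# Read a listing on stdin and print "<exact name>|<restart yes/no>" for every
# update whose name matches the regex in $1. The name comes from the "   * "
# line, which is what `softwareupdate -i` expects; the restart flag comes
# from the description line that follows it.
list_updates() {
    awk -v pat="$1" '
        /^ *\* / { name = $0; sub(/^ *\* /, "", name); next }
        name != "" {
            if (name ~ pat) {
                restart = ($0 ~ /\[restart\]/) ? "yes" : "no"
                print name "|" restart
            }
            name = ""
        }'
}

# Names of the security updates in the sample that will need a restart.
security_restart_updates() {
    printf '%s\n' "$SAMPLE_LIST" | list_updates 'Security' | awk -F'|' '$2 == "yes" { print $1 }'
}

# How the names would be consumed on a real Mac: one `softwareupdate -i` per
# exact name (left commented so the example runs anywhere).
# security_restart_updates | while IFS= read -r name; do
#     /usr/sbin/softwareupdate -i "$name"
# done
```

Knowing up front which names carry [restart] lets a policy decide whether to show the jamfHelper restart prompt before any install runs, rather than grepping the installer's output afterwards.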

Nix4Life
Valued Contributor

Hey guys, just gotta ask: why the script and not the built-in mechanism? Many use the following settings via defaults write and/or config profiles to accomplish the same thing in an Apple-approved way:

Settings

which depending on your choices may look like this:

I chose not to download OS Updates in this example. JSS reporting will tell you what's patched and what's not.

KyleEricson
Valued Contributor

I want more control.

Nix4Life
Valued Contributor

KyleEricson
Valued Contributor

Does anyone have an MDM profile for the critical updates?

UESCDurandal
Contributor II

@therealmacjeezy Taking a look at utilizing your script. Is there a reason why "security" is the only detectable label when determining whether a restart is needed? Wouldn't you want macOS updates included as well?

KyleEricson
Valued Contributor

More my use case: I want to push security updates.