Determine if an EFI Security Update was installed

stephanpeterson
Contributor

I'm looking for a way to determine that an EFI update was installed, ie Mac EFI Security Update 2015-001. I can tell which machines need it based on waiting Apple Software Updates, but am interested in knowing which machines it was applied to.

Thanks!
Stephan

6 REPLIES 6

davidacland
Honored Contributor II

I haven't got a Mac to and with that update on but it might be in /Library/Receipts/InstallHistory.plist.

You could create an extension attribute to read it out.

Josh_Smith
Valued Contributor

You could read the receipts like David suggested to see if the install of the firmware update was logged:

 cat /Library/Receipts/InstallHistory.plist | grep "Mac EFI Security Update 2015-001"

A more accurate option is to check which version of EFI is actually installed. This would take a bit more work to put together, since the versions are different for each model. You can see the current EFI version per model in the Apple KB article here: About EFI and SMC firmware updates for Intel-based Mac computers

You'd just need to match up the versions in that KB with what the machine reports is installed, which you can gather with this:

system_profiler SPHardwareDataType | grep "Boot ROM Version"
      Boot ROM Version: IM142.0118.B02

StoneMagnet
Contributor III

Seems like checking the boot ROM version would be the simple way to determine that (although you'd need to know the before and after boot ROM versions on all your different Mac types)

brockma9
New Contributor II

After seeing this discussion I had the idea for an extension attribute. See the code below.

GitHub

#!/bin/bash

model=`system_profiler SPHardwareDataType | grep "Model Identifier" | awk '{ print $3 }'`
appleSite=https://support.apple.com/en-us/HT201518
machineVersion=`system_profiler SPHardwareDataType | grep "Boot ROM Version" | awk '{ print $4 }'`
currentVersion=`curl $appleSite | grep -A1 "$model" | tail -n 1 | sed 's/>/ /g' | awk '{ print $4 }'`

if [[ $machineVersion == $currentVersion ]]; then
  echo "<result>Current</result>"
else
  echo "<result>Update</result>"
fi

exit 0

Wagener
New Contributor

Thanks @brockma9, this works well as of October '15 on Mavericks... j

chad_fox
Contributor II

@brockma9 thanks for sharing!

Unfortunately, Apple hasn't updated the page since March so the EA shows current machines as update :(