Help

Determine if an EFI Security Update was installed

stephanpeterson
Contributor

Posted on ‎08-20-2015 12:15 PM

I'm looking for a way to determine that an EFI update was installed, ie Mac EFI Security Update 2015-001. I can tell which machines need it based on waiting Apple Software Updates, but am interested in knowing which machines it was applied to.

Thanks!
Stephan

0 Kudos
Reply
6 REPLIES 6

davidacland
Honored Contributor II

Posted on ‎08-20-2015 12:30 PM

I haven't got a Mac to and with that update on but it might be in /Library/Receipts/InstallHistory.plist.

You could create an extension attribute to read it out.

0 Kudos
Reply

Josh_Smith
Valued Contributor

Posted on ‎08-20-2015 12:47 PM

You could read the receipts like David suggested to see if the install of the firmware update was logged:

 cat /Library/Receipts/InstallHistory.plist | grep "Mac EFI Security Update 2015-001"

A more accurate option is to check which version of EFI is actually installed. This would take a bit more work to put together, since the versions are different for each model. You can see the current EFI version per model in the Apple KB article here: About EFI and SMC firmware updates for Intel-based Mac computers

You'd just need to match up the versions in that KB with what the machine reports is installed, which you can gather with this:

system_profiler SPHardwareDataType | grep "Boot ROM Version"
      Boot ROM Version: IM142.0118.B02
0 Kudos
Reply

StoneMagnet
Contributor III

Posted on ‎08-20-2015 12:48 PM

Seems like checking the boot ROM version would be the simple way to determine that (although you'd need to know the before and after boot ROM versions on all your different Mac types)

0 Kudos
Reply

brockma9
New Contributor II

Posted on ‎08-28-2015 11:59 AM

After seeing this discussion I had the idea for an extension attribute. See the code below.

GitHub

#!/bin/bash

model=`system_profiler SPHardwareDataType | grep "Model Identifier" | awk '{ print $3 }'`
appleSite=https://support.apple.com/en-us/HT201518
machineVersion=`system_profiler SPHardwareDataType | grep "Boot ROM Version" | awk '{ print $4 }'`
currentVersion=`curl $appleSite | grep -A1 "$model" | tail -n 1 | sed 's/>/ /g' | awk '{ print $4 }'`

if [[ $machineVersion == $currentVersion ]]; then
  echo "<result>Current</result>"
else
  echo "<result>Update</result>"
fi

exit 0
0 Kudos
Reply

Wagener
New Contributor

Posted on ‎10-14-2015 11:53 AM

Thanks @brockma9, this works well as of October '15 on Mavericks... j

0 Kudos
Reply

chad_fox
Contributor II

Posted on ‎11-15-2016 05:22 PM

@brockma9 thanks for sharing!

Unfortunately, Apple hasn't updated the page since March so the EA shows current machines as update :(

0 Kudos
Reply