Posted on 08:39 AM
Hi Everyone
Hoping someone may have ideas or solutions using Jamf to help me determine whether OSX patches have been installed on a Mac.
IE - Security Update 2017 002 (Is there something I can use in SmartGroup that is unique to that patch that can be used?)
Help would be appreciated!
Posted on 01-05-2018 08:49 AM
The security updates, as with the OS updates, change the OS build number. For example:
16G1036 = 10.12.6 with Security Update 2017-001
16G1114 = 10.12.6 with Security Update 2017-002
You could create a smart group based on that.
Posted on 01-05-2018 08:51 AM
Seems to work for me!
Source: @crytallized via macadmins slack
Posted on 01-05-2018 02:21 PM
@georgecm12 Thanks very much, that's exactly what I needed and I have created a smart group. Is there somewhere I can reference the build number when there is a new patch update etc?
Posted on 01-05-2018 03:49 PM
Stick with using Operating System Build for your criteria for the most reliable indicator.
Receipts are only written when you install those packages in a standalone way, like via Policy. Relying on Packages Installed By is not going to work if updates are installed via Mac App Store or if you run softwareupdate at the command line.
15G18013 = 10.11.6 with Security Update 2017-005
16G1114 = 10.12.6 with Security Update 2017-002
The last bit though is that while you can make a Smart Group based on these values, once the build changes due to another Security update, it'll 'break' so an Extension Attribute that is able to do Greater Than/Less Than with build would require less maintenance... but yeah let's just get stuff patched now, right?
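An added example, not part of any post in this thread: a sketch of the kind of extension attribute script described above, which compares the Mac's build against a per-release minimum instead of matching one exact build. The function names `build_key` and `patch_status`, the result strings and the sample build 16G29 are assumptions made for illustration; the baseline builds are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: Jamf extension attribute comparing the OS build to a minimum.
# Baseline builds are the ones quoted in this thread; add a row per new update.
MIN_BUILDS="15G18013 16G1114 17C205"

# Split a build such as 16G1114 into "16 G 1114"; prints nothing if malformed.
build_key() {
    printf '%s\n' "$1" | sed -n -E 's/^([0-9]+)([A-Z])([0-9]+)[a-z]?$/\1 \2 \3/p'
}

# Print Patched / Needs update / No baseline / Unknown build for a build string.
patch_status() {
    key=$(build_key "$1")
    if [ -z "$key" ]; then echo "Unknown build"; return 0; fi
    read -r c_major c_letter c_num <<EOF
$key
EOF
    for min in $MIN_BUILDS; do
        read -r m_major m_letter m_num <<EOF
$(build_key "$min")
EOF
        # Only compare against the baseline for the same OS release.
        [ "$c_major" -eq "$m_major" ] || continue
        # Letters compare by character code, trailing numbers as integers, so the
        # constructed sample 16G29 sorts below 16G1114 (a string compare would not).
        c_l=$(printf '%d' "'$c_letter")
        m_l=$(printf '%d' "'$m_letter")
        if [ "$c_l" -gt "$m_l" ] ||
           { [ "$c_l" -eq "$m_l" ] && [ "$c_num" -ge "$m_num" ]; }; then
            echo "Patched"
        else
            echo "Needs update"
        fi
        return 0
    done
    echo "No baseline"
}

# On a Mac, report the result in the <result> tags Jamf reads from an EA script.
if command -v sw_vers >/dev/null 2>&1; then
    echo "<result>$(patch_status "$(sw_vers -buildVersion)")</result>"
fi
```

A Smart Group can then use this attribute's value as its criterion, and only `MIN_BUILDS` needs editing when a new security update ships.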
Posted on 01-06-2018 07:40 AM
@brunerd Good idea! Sticking with the build is probably wisest. While I haven't tested the Mac App Store yet, I can say that running our software update script (which does use softwareupdate via command line) has resulted in receipts being written for these security updates.
Posted on 01-06-2018 08:40 AM
How do you determine what the build number of an update will be?
If "16G1114" is the build number for 10.12.6 with Security Update 2017-002, is there somewhere like an official page/url that confirms when an update is applied the build number will be XXXXXX?
Posted on 01-08-2018 11:39 AM
@andymcp As a matter of fact the receipts for 10.13.2 Supplemental did show up in /System/Library/Receipts
I was working on 10.12.6 machine and it just didn't seem that they were getting there... weird.
@Quan.nong I haven't Google searched for the saint who would keep track of all these build numbers... so if Receipts work then go with that...
17C205 = 10.13.2 with Supplemental Patch
Double FYI - Apple removed all references to 10.11.6 and 10.12.6 for CVE-2017-5754 "Meltdown" fix in "About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan"
Posted on 01-08-2018 12:40 PM
@andymcp Thanks very much... Your advice has been greatly appreciated and much help!
Posted on 01-08-2018 12:42 PM
Thanks to everyone for their advice and assistance!!!
So so helpful