Posted on 01-05-2018 08:39 AM
Hi Everyone
Hoping someone may have ideas or solutions using Jamf to help me determine whether OSX patches have been installed on a Mac.
IE - Security Update 2017 002 (Is there something I can use in SmartGroup that is unique to that patch that can be used?)
Help would be appreciated!
Posted on 01-05-2018 08:49 AM
The security updates, as with the OS updates, change the OS build number. For example:
16G1036 = 10.12.6 with Security Update 2017-001
16G1114 = 10.12.6 with Security Update 2017-002
You could create a smart group based on that.
Posted on 01-05-2018 08:51 AM
Seems to work for me!
Source: @crytallized via macadmins slack
Posted on 01-05-2018 02:21 PM
@georgecm12 Thanks very much, that's exactly what I needed and I have created a smart group. Is there somewhere I can reference the build number when there is a new patch update etc?
Posted on 01-05-2018 03:49 PM
Stick with using Operating System Build for your criteria for the most reliable indicator.
Receipts are only written when you install those packages in a standalone way, like via Policy. Relying on Packages Installed By Installer.app/SWU is not going to work if updates are installed via Mac App Store or if you run softwareupdate at the command line.
15G18013 = 10.11.6 with Security Update 2017-005
16G1114 = 10.12.6 with Security Update 2017-002
The last bit though is that while you can make a Smart Group based on these values, once the build changes due to another Security update, it'll 'break' so an Extension Attribute that is able to do Greater Than/Less Than with build would require less maintenance... but yeah let's just get stuff patched now, right?
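A sketch of the extension attribute suggested in the post above, as an added example that is not part of the original thread: it reports the build string as an integer so builds can be compared with greater-than/less-than. The function names and the key layout are constructed for illustration, and it assumes the attribute is defined with an Integer data type.

```shell
#!/bin/sh
# Added example, not from the thread: a Jamf extension attribute script that
# reports the macOS build as an integer so it can be compared numerically.
LC_ALL=C; export LC_ALL

# build_key 16G1114 -> 160701114
# Layout: leading number, letter as 01-26, trailing number padded to 5 digits.
# A trailing lowercase letter is ignored; anything else prints nothing.
build_key() {
  parts=$(printf '%s\n' "$1" |
    sed -n -E 's/^([1-9][0-9]?)([A-Z])([1-9][0-9]{0,4})[a-z]?$/\1 \2 \3/p')
  [ -n "$parts" ] || return 0
  set -- $parts
  letter=$(( $(printf '%d' "'$2") - 64 ))   # A=1 ... Z=26
  printf '%d%02d%05d\n' "$1" "$letter" "$3"
}

# build_at_least CURRENT MINIMUM: succeeds when CURRENT is the same build as
# MINIMUM or a later one. Fails if either string is not a build number.
build_at_least() {
  cur=$(build_key "$1"); min=$(build_key "$2")
  [ -n "$cur" ] && [ -n "$min" ] && [ "$cur" -ge "$min" ]
}

# Extension attribute output; skipped where sw_vers is unavailable (non-macOS).
if command -v sw_vers >/dev/null 2>&1; then
  echo "<result>$(build_key "$(sw_vers -buildVersion)")</result>"
fi
```

A "less than 160701114" criterion also matches every 10.11.x build, since those start with 15, so combine it with an operating system version criterion.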
Posted on 01-06-2018 07:40 AM
@brunerd Good idea! Sticking with the build is probably wisest. While I haven't tested the Mac App Store yet, I can say that running our software update script (which does use softwareupdate via command line) has resulted in receipts being written for these security updates.
Posted on 01-06-2018 08:40 AM
How do you determine what the build number of an update will be?
If "16G1114" is the build number for 10.12.6 with Security Update 2017-002, is there somewhere like an official page/url that confirms when an update is applied the build number will be XXXXXX?
Posted on 01-08-2018 11:39 AM
@andymcp As a matter of fact, the receipts for 10.13.2 Supplemental did show up in /System/Library/Receipts.
I was working on 10.12.6 machine and it just didn't seem that they were getting there... weird.
@Quan.nong I haven't Google searched for the saint who would keep track of all these build numbers... so if Receipts work then go with that...
FYI
17C205 = 10.13.2 with Supplemental Patch
Double FYI - Apple removed all references to 10.11.6 and 10.12.6 for CVE-2017-5754 "Meltdown" fix in
"About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan"
https://support.apple.com/en-us/HT208331
Posted on 01-08-2018 12:40 PM
@andymcp Thanks very much... Your advice has been greatly appreciated and much help!
Posted on 01-08-2018 12:42 PM
Thanks to everyone for their advice and assistance!!!
So so helpful