Skip to main content
Question

Enable / Disable Software Update (System) in Mojave


Forum|alt.badge.img+3

Is there a way to setup a configuration profile to control the new "Software Update" preference pane in Mojave?

If not, when will support added to Jamf Pro?


36 replies

wmehilos
Forum|alt.badge.img+11
  • Valued Contributor
  • 69 replies
  • October 3, 2018

I'm running 10.7.1 and it's already in my Restrictions payload options, as well as in the profile itself until the DisablePreferencePane key with the value: "<string>com.apple.preferences.softwareupdate</string>". If you're running something older than 10.7 I'd imagine it's not in there yet, but you can always add that value to that key in the XML and reupload it.


Forum|alt.badge.img+13
  • Contributor
  • 42 replies
  • October 3, 2018

Add the following to your own custom /Library/Preferences/com.apple.SoftwareUpdate.plist, upload and push through Jamf.

/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticallyInstallMacOSUpdates -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool true
usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist CriticalUpdateInstall -bool true

This worked for us to enable all the options above and keep them greyed out. Although @wmehlios' suggestion would work to remove access to the "Software Update" pane all together...I'm still looking for a way to "grey" out the button and block a user from un-checking the "Automatically keep my mac up to date" button.

Even with the above pushed through a configuration profile, I'm still able to deselect the option.


Forum|alt.badge.img+7
  • Contributor
  • 11 replies
  • October 6, 2018

has anyone found a way to block a user from un-checking the "Automatically keep my mac up to date" button as @ jmariani was asking, besides what @wmehlios' suggested?


Forum|alt.badge.img+6
  • Contributor
  • 18 replies
  • October 30, 2018

Can you help a newbie here and provide a little more details as to how to push this file to all the computers? Thanks.


Forum|alt.badge.img+3
  • New Contributor
  • 9 replies
  • November 2, 2018

I need help too with this topic, I want to do an activation for this preference because some users are hard to push the updates, also, they don't want to do this updates by themselves.

Thnx.


Forum|alt.badge.img+6
  • Contributor
  • 16 replies
  • November 5, 2018

Hello ,

You can restrict access with Jamf Pro V10.7 with a configuration Profiles under Restrictions.

Also , you can use this : => usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticallyInstallMacOSUpdates -bool false

/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled -bool false

/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool false

/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist CriticalUpdateInstall -bool false

to uncheck all options , after that , when user's try to check : Automatically... , an admin password its needed.

You can write a script with it to deploy on all computer you need.


Forum|alt.badge.img+6
  • Contributor
  • 18 replies
  • November 19, 2018

So do we create a script in Jamf Pro with all those /usr/bin/defaults commands?


Forum|alt.badge.img+7
  • Contributor
  • 91 replies
  • November 19, 2018

@lrabotteau How did you get this added through confir profiles?


Forum|alt.badge.img+13
  • Honored Contributor
  • 550 replies
  • November 20, 2018

Only apply the above defaults or profile if you have a SUS or another way to handle Apple updates. With those settings applied you will miss Apple's silent security updates; Xprotect,Gatekeeper,Malware Removal Tool and EFi

os-x-admins-your-clients-are-not-getting-background-security-updates


Forum|alt.badge.img+3
  • New Contributor
  • 2 replies
  • December 7, 2018

I found that I had to do these 6 in order to get all boxes checked (the last 2 are in addition to the ones previously mentioned in this thread):

#!/bin/sh
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticallyInstallMacOSUpdates -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist CriticalUpdateInstall -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist ConfigDataInstall -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool true

Forum|alt.badge.img+7
  • Contributor
  • 91 replies
  • December 7, 2018

@afzanjamalgt worked like a charm. Thank you!


Forum|alt.badge.img+5
  • Contributor
  • 23 replies
  • December 17, 2018

I wrote a bash script I'm using for an extension attribute to create a smart group that shows compliance for the six settings that @afzanjamalgt referenced. The idea being if you land in that non-compliant group it runs a bash script to set all six values to true.

My question is more about the behavior of each setting. Does anyone know will it reboot on its own? Does the user get a chance to defer? Will it reboot if the host is idle, say overnight? I did read it won't download anything unless the laptop is on wired power (https://support.apple.com/guide/mac-help/get-macos-updates-mchlpx1065/mac).

We're testing this out on a couple machines and will know behavior in a while. Thought someone might of already went down this path and could speak to the user experience.

I'm doing all of this because in JamF 10.8 my auto update policy that hit each day dropped my custom reboot message and timer. It stared giving generic reboot in 5 min messages (was 4hrs) which is not acceptable for us. JamF says this is a known issue PI-006540


Forum|alt.badge.img+4
  • New Contributor
  • 5 replies
  • January 28, 2019

@lmeinecke
This generic 5 minutes update thing has been going on for a while and nobody at Jamf seems to have any urgency about fixing it. This problem came up right at the same time we pushed our entire company to managed updates... Rebooted everyone in the middle of the day and a total disaster for us. We had selected "if user is logged in, do not restart" and it ignored that setting completely.

Has anyone come up with a way to push a custom plist to force automatic updates on at the computer level? I don't want my users to be able to turn this feature off and I can't get that checkbox to grey out at all.

I've analyzed the existing plist and the changes in it when hitting that checkbox... but when I recreate that file and push it with jamf, it only effects the advanced options...


Forum|alt.badge.img+6
  • Contributor
  • 22 replies
  • January 28, 2019

Forum|alt.badge.img+5
  • Contributor
  • 23 replies
  • February 7, 2019

I have policy to enable automatic updates like @ACMT mentioned on around a dozen hosts but it doesn't seem to work. I get the impression that having apps open like Outlook seems to break the automatic update setting. I have hosts that are still on 10.14.0-2 which is not ideal seeing 10.14.3 is out.


Forum|alt.badge.img+1
  • New Contributor
  • 2 replies
  • February 8, 2019

I am trying to manage this with a profile instead of running a script on every user. I added custom settings payload and then added all the values. Everything works and is locked down except the "Automatically keep my Mac up to date?"

According to the article, this isn't possible and can only be scripted which is a huge bummer:
"Unfortunately, it is not yet possible to set these automatic update settings using a profile. The com.apple.commerce preference domain can’t be managed by a profile and the AutomaticallyInstallMacOSUpdates setting in the com.apple.SoftwareUpdate preference domain should be manageable with a profile, but for unknown reasons, it can’t be."

My only resolution is to lock down the pane completely and then create our own internal/signed Software Update wrapper for the terminal commands.


Forum|alt.badge.img+1
  • New Contributor
  • 2 replies
  • February 8, 2019

@ afzanjamalgt
The last one doesn't work for me: /usr/bin/defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool true


Forum|alt.badge.img+6
  • Contributor
  • 90 replies
  • March 22, 2019

Just curious... after everything is said and done and all that we want has been set and enabled, this pops up:

How would one stop/suppress this notification from popping up on the user end?


Forum|alt.badge.img+20
  • Valued Contributor
  • 427 replies
  • March 22, 2019

Hello @monaronyc I started looking in my scripts and configuration profiles for the answer and somehow, I don't have anything set to disable this popup. I am surprised as my lab coordinators aren't calling me asking to disable this.


Forum|alt.badge.img+6
  • Contributor
  • 90 replies
  • March 22, 2019

Thanks @mconners ! Everything works great except for this piece. and if you click not now, comes right back up. Weird.


Forum|alt.badge.img+20
  • Valued Contributor
  • 427 replies
  • March 22, 2019

@monaronyc at one point I had this disabled. I thought it was done via a configuration profile. At the moment, I don't recall how though...strange.


Forum|alt.badge.img+6
  • Contributor
  • 90 replies
  • March 23, 2019

FOUND IT!

defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool FALSE


Forum|alt.badge.img+5
  • Contributor
  • 30 replies
  • April 25, 2019

Is there a defaults write for the


Forum|alt.badge.img+13
  • Valued Contributor
  • 268 replies
  • April 26, 2019

@piagetblix

defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool TRUE

Forum|alt.badge.img+1
  • New Contributor
  • 5 replies
  • April 26, 2019

Is it functional to leave CriticalUpdateInstall intact and allow the security updates to come from a caching server then manage all others through Repesado?


Reply


Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings