Enable / Disable Software Update (System) in Mojave

rpcuenco
New Contributor II

Is there a way to set up a configuration profile to control the new "Software Update" preference pane in Mojave?

If not, when will support be added to Jamf Pro?


36 REPLIES

wmehilos
Contributor

I'm running 10.7.1 and it's already in my Restrictions payload options, as well as in the profile itself under the DisablePreferencePane key with the value: "<string>com.apple.preferences.softwareupdate</string>". If you're running something older than 10.7 I'd imagine it's not in there yet, but you can always add that value to that key in the XML and reupload it.

jmariani
Contributor

Add the following to your own custom /Library/Preferences/com.apple.SoftwareUpdate.plist, upload and push through Jamf.

/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticallyInstallMacOSUpdates -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist CriticalUpdateInstall -bool true

This worked for us to enable all the options above and keep them greyed out. Although @wmehlios' suggestion would work to remove access to the "Software Update" pane altogether... I'm still looking for a way to "grey" out the button and block a user from un-checking the "Automatically keep my mac up to date" button.


Even with the above pushed through a configuration profile, I'm still able to deselect the option.


karengarner
New Contributor II

Has anyone found a way to block a user from un-checking the "Automatically keep my mac up to date" button as @jmariani was asking, besides what @wmehlios suggested?

jchin-ro
New Contributor III

Can you help a newbie here and provide a little more detail as to how to push this file to all the computers? Thanks.

abdo_iracheta
New Contributor III

I need help with this topic too. I want to do an activation for this preference because it is hard to push the updates to some users, and they also don't want to do these updates by themselves.

Thanks.

lrabotteau
New Contributor III

Hello,

You can restrict access with Jamf Pro V10.7 with a configuration profile under Restrictions.

Also, you can use this:

/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticallyInstallMacOSUpdates -bool false

/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled -bool false

/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool false

/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist CriticalUpdateInstall -bool false

to uncheck all options. After that, when users try to check "Automatically...", an admin password is needed.

You can write a script with it to deploy on all the computers you need.

jchin-ro
New Contributor III

So do we create a script in Jamf Pro with all those /usr/bin/defaults commands?

mack525
Contributor II

@lrabotteau How did you get this added through config profiles?

Nix4Life
Valued Contributor

Only apply the above defaults or profile if you have a SUS or another way to handle Apple updates. With those settings applied you will miss Apple's silent security updates: XProtect, Gatekeeper, Malware Removal Tool and EFI.

os-x-admins-your-clients-are-not-getting-background-security-updates

afzanjamalgt
New Contributor II

I found that I had to do these 6 in order to get all boxes checked (the last 2 are in addition to the ones previously mentioned in this thread):

#!/bin/sh
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticallyInstallMacOSUpdates -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist CriticalUpdateInstall -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist ConfigDataInstall -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool true

mack525
Contributor II

@afzanjamalgt worked like a charm. Thank you!

lmeinecke
New Contributor III

I wrote a bash script I'm using for an extension attribute to create a smart group that shows compliance for the six settings that @afzanjamalgt referenced. The idea being if you land in that non-compliant group it runs a bash script to set all six values to true.

My question is more about the behavior of each setting. Does anyone know if it will reboot on its own? Does the user get a chance to defer? Will it reboot if the host is idle, say overnight? I did read it won't download anything unless the laptop is on wired power (https://support.apple.com/guide/mac-help/get-macos-updates-mchlpx1065/mac).

We're testing this out on a couple of machines and will know the behavior in a while. Thought someone might have already gone down this path and could speak to the user experience.

I'm doing all of this because in JamF 10.8 my auto update policy that hit each day dropped my custom reboot message and timer. It started giving generic reboot in 5 min messages (was 4hrs) which is not acceptable for us. JamF says this is a known issue, PI-006540.
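
The extension-attribute script described in this post was never shared in the thread. As an added example (not the poster's script), a read-only Jamf extension attribute for the six keys could look like the following. It assumes `defaults read` prints booleans as 1 or 0 and treats an unset key as non-compliant; the names `read_pref` and `swu_compliance` are hypothetical.

```shell
#!/bin/sh
# Added example: Jamf Pro extension attribute reporting compliance for the
# six automatic-update keys listed in this thread. Read-only; changes nothing.

PREF_DIR="/Library/Preferences"

# domain:key pairs; every key is expected to be true
EXPECTED="
com.apple.SoftwareUpdate:AutomaticCheckEnabled
com.apple.SoftwareUpdate:AutomaticDownload
com.apple.SoftwareUpdate:AutomaticallyInstallMacOSUpdates
com.apple.SoftwareUpdate:CriticalUpdateInstall
com.apple.SoftwareUpdate:ConfigDataInstall
com.apple.commerce:AutoUpdate
"

# Print the stored value, or nothing when the key or plist is missing.
read_pref() {
    /usr/bin/defaults read "$PREF_DIR/$1" "$2" 2>/dev/null || true
}

# Print "Compliant", or "Non-compliant:" followed by each failing key.
swu_compliance() {
    failed=""
    for pair in $EXPECTED; do
        domain=${pair%%:*}
        key=${pair#*:}
        value=$(read_pref "$domain" "$key")
        case "$value" in
            1) ;;   # defaults prints a true boolean as 1
            *) failed="$failed $key=${value:-unset}" ;;
        esac
    done
    if [ -z "$failed" ]; then
        echo "Compliant"
    else
        echo "Non-compliant:$failed"
    fi
}

# Jamf reads the extension attribute value from the <result> tags.
echo "<result>$(swu_compliance)</result>"
```

A smart group can then match on the value not being "Compliant", and the failing key names show which setting drifted, including the CriticalUpdateInstall and ConfigDataInstall keys that carry the silent security updates.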

jwstyles
New Contributor II

@lmeinecke
This generic 5 minutes update thing has been going on for a while and nobody at Jamf seems to have any urgency about fixing it. This problem came up right at the same time we pushed our entire company to managed updates... Rebooted everyone in the middle of the day and a total disaster for us. We had selected "if user is logged in, do not restart" and it ignored that setting completely.

Has anyone come up with a way to push a custom plist to force automatic updates on at the computer level? I don't want my users to be able to turn this feature off and I can't get that checkbox to grey out at all.

I've analyzed the existing plist and the changes in it when hitting that checkbox... but when I recreate that file and push it with jamf, it only affects the advanced options...

lmeinecke
New Contributor III

I have a policy to enable automatic updates like @ACMT mentioned on around a dozen hosts but it doesn't seem to work. I get the impression that having apps open like Outlook seems to break the automatic update setting. I have hosts that are still on 10.14.0-2 which is not ideal seeing 10.14.3 is out.

itguy001
New Contributor

I am trying to manage this with a profile instead of running a script on every user. I added a custom settings payload and then added all the values. Everything works and is locked down except the "Automatically keep my Mac up to date?"

According to the article, this isn't possible and can only be scripted which is a huge bummer:
"Unfortunately, it is not yet possible to set these automatic update settings using a profile. The com.apple.commerce preference domain can’t be managed by a profile and the AutomaticallyInstallMacOSUpdates setting in the com.apple.SoftwareUpdate preference domain should be manageable with a profile, but for unknown reasons, it can’t be."

My only resolution is to lock down the pane completely and then create our own internal/signed Software Update wrapper for the terminal commands.

itguy001
New Contributor

@afzanjamalgt
The last one doesn't work for me: /usr/bin/defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool true

monaronyc
Contributor

Just curious... after everything is said and done and all that we want has been set and enabled, this pops up:


How would one stop/suppress this notification from popping up on the user end?

mconners
Valued Contributor

Hello @monaronyc I started looking in my scripts and configuration profiles for the answer and somehow, I don't have anything set to disable this popup. I am surprised as my lab coordinators aren't calling me asking to disable this.

monaronyc
Contributor

Thanks @mconners! Everything works great except for this piece. And if you click not now, it comes right back up. Weird.

mconners
Valued Contributor

@monaronyc at one point I had this disabled. I thought it was done via a configuration profile. At the moment, I don't recall how though...strange.

monaronyc
Contributor

FOUND IT!

defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool FALSE

thomH
New Contributor III

Is there a defaults write for the

Chris
Valued Contributor

@piagetblix

defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool TRUE

MacAdminLala
New Contributor II

Is it functional to leave CriticalUpdateInstall intact and allow the security updates to come from a caching server then manage all others through Reposado?

macdadmin
New Contributor II

@lmeinecke Could you share the script you are using for the extension attribute?

rqomsiya
Contributor III

Does this command allow a Mac to auto install 10.15 when it is made available??

/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticallyInstallMacOSUpdates -bool true

Thanks,
R

lmeinecke
New Contributor III

https://docs.jamf.com/10.14.0/jamf-pro/release-notes/Bug_Fixes_and_Enhancements.html

Looks like this issue has finally been fixed.

jayke
New Contributor II

Can this be accomplished with configuration profiles?

bradtchapman
Valued Contributor II

@jayke : There are some new profile payloads in Catalina for managing the software update settings shown above. Expect Jamf to integrate them in a future release.

tlarkin
Honored Contributor

I have been using a script from @haircut to set the desired SWU state of my systems once per day. There is currently no way to manage this via config profile yet, unfortunately. This has been running in prod for a few months now. There are some caveats though:

  • The system must be powered on and plugged in for auto update to trigger
  • It only seems to happen after 2AM (yes I tested this at 2AM lol)
  • If the lid is closed, or the device is not active it will not run
  • The user can still interrupt this process

script:

#!/usr/bin/python
'''
Checks macOS software update settings and remediates deviations from a 
specified desired state
'''

from Foundation import (
    CFPreferencesAppSynchronize, CFPreferencesCopyAppValue,
    CFPreferencesCopyValue, CFPreferencesSetAppValue, CFPreferencesSetValue,
    CFPreferencesCopyKeyList, kCFPreferencesAnyHost, kCFPreferencesAnyUser, NSDate)


DESIRED_STATE = [
    {
        'domain': 'com.apple.commerce',
        'prefs': {
            'AutoUpdate': True,
            'AutoUpdateRestartRequired': True
        }
    },
    {
        'domain': 'com.apple.SoftwareUpdate',
        'prefs': {
            'CriticalUpdateInstall': True,
            'AutomaticDownload': True,
            'ConfigDataInstall': True,
            'AutomaticCheckEnabled': True,
            'AutomaticallyInstallMacOSUpdates': True
        }
    }
]


def check_pref(key, value, domain):
    '''Checks if 'key' is set to 'value' in 'domain' '''
    p = CFPreferencesCopyValue(key, domain, kCFPreferencesAnyUser,
                               kCFPreferencesAnyHost)
    return p == value


def set_desired_state(config):
    '''Sets preferences according to provided config'''
    for domain in config:
        # .items() and print() work on both Python 2 and Python 3
        for key, value in domain['prefs'].items():
            if not check_pref(key, value, domain['domain']):
                CFPreferencesSetValue(key, value, domain['domain'],
                                      kCFPreferencesAnyUser,
                                      kCFPreferencesAnyHost)
                print("Set - {} - {}: {}".format(domain['domain'], key, value))

        # Flush pending changes for every domain, not only the last one
        CFPreferencesAppSynchronize(domain['domain'])


def main():
    '''Main'''
    set_desired_state(DESIRED_STATE)


if __name__ == '__main__':
    main()

roeland_de_wind
New Contributor II

Now that Catalina has been released, I want someone to confirm that everything discussed above (all about upDATES) will NOT perform an automatic upGRADE (from 10.14 to 10.15).

Regardless of settings, NO upgrade should be performed automatically in our environment, but I want to keep the benefits of auto-updating 10.14 with security updates, App store etc etc.

Please enlighten me.

chas_tinker
New Contributor

@roeland.de.windt This was a concern of ours as well. I tested this on a machine that was on 10.14.5 with a long deferral of Software Updates. Just last week, it updated itself to 10.14.6, however, Catalina is still sitting in Software Update awaiting my trigger.

scottb
Honored Contributor

Your Mac is not going to upgrade unless "told" to do so. This process works and the badge shows update, but it's not in SU pref pane. If you combine that with a process kill for Catalina, you should be fine.

1019979
New Contributor II

Did anyone try restricted software?

llitz123
Contributor III

It looks like this line:
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled -bool false

Does the same as this line that was deprecated?
softwareupdate --schedule off

In my testing it turns off/unchecks Check for updates
Is that accurate?