Enforcing macOS security updates

New Contributor

I've seen a couple of old threads regarding ways of enforcing macOS security updates, but not much for the recent version of Jamf Pro 10.x.

We are exploring the use of Patch Management currently. Does anyone have any best practice recommendations on enforcing devices to update to the latest critical or security updates on macOS when they are released?


Contributor II

I use a Profile to enforce Apple updates, with a deferral as well to make it easier on the users in case it's a bad time.

You can also use a config profile to do this. But I like having the deferral because it will show a message on screen etc.



New Contributor

I know this is old but I have the same question as the original poster... How do we only address and enforce only the security updates? Not all major OS updates.

This is such a great resource ... thank you everyone who helps others.

New Contributor III

I would also like to know this. Updates seem to be a bit of a mess lately. There are some threads mentioning new things coming (no timeline though) and the general rule seems to be MDM commands, but you can only update to specific OS versions (only very recent ones too) and nothing specific to security updates.

New Contributor III

Instead of using the Software Update configure process, couldn't you instead configure the Files & Processes to use:

softwareupdate -i -r

which should just look for security updates.   
Then also configure Restart Options to restart if needed for both when a user is logged in or not and give them a certain time to save files prior to restarting? 
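
An added example, not from the thread and not Jamf's own code: before a policy runs `softwareupdate -i -r`, this sketch parses `softwareupdate --list` output to show which updates are flagged recommended (the set `-r` selects) and whether any of them declares a restart. The sample listing, its labels and the function names are constructed for illustration, and the listing format is assumed to be the one printed by recent macOS releases.

```shell
#!/bin/sh
# Constructed sample of `softwareupdate --list` output; labels and sizes are
# made up, and the layout is assumed to match recent macOS releases.
SAMPLE_LIST='Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: Example Security Update 2099-001
	Title: Example Security Update 2099-001, Version: 1.0, Size: 1024KiB, Recommended: YES, Action: restart,
* Label: Example Printer Drivers-5.0
	Title: Example Printer Drivers, Version: 5.0, Size: 2048KiB, Recommended: NO,
* Label: Example Browser-17.0
	Title: Example Browser, Version: 17.0, Size: 4096KiB, Recommended: YES,'

# Print the label of every update marked "Recommended: YES".
recommended_labels() {
    printf '%s\n' "$1" | awk '
        /^\* Label: /      { label = substr($0, 10) }   # text after "* Label: "
        /Recommended: YES/ { if (label != "") print label; label = "" }'
}

# Exit 0 if any recommended update declares "Action: restart".
restart_needed() {
    printf '%s\n' "$1" | grep 'Recommended: YES' | grep -q 'Action: restart'
}

# Report what a recommended-only install would touch, without installing.
plan_updates() {
    list=$1
    labels=$(recommended_labels "$list")
    [ -n "$labels" ] || { echo "no recommended updates"; return 0; }
    echo "recommended updates:"
    echo "$labels" | sed 's/^/  /'
    if restart_needed "$list"; then
        echo "restart required: yes"
    else
        echo "restart required: no"
    fi
}

plan_updates "$SAMPLE_LIST"
# On a managed Mac, as root: plan_updates "$(softwareupdate --list 2>&1)"
# and only then: softwareupdate --install --recommended
```

Logging the plan before the install step gives a record of which labels were applied and lets the policy's restart options fire only when an update actually calls for one.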

New Contributor

For the Profile Software update policy, I know we can customize the user interaction message, but would we be able to add a personal logo on that?

New Contributor

This may be a dumb question, but how do I get Apple Software Update Server to be an option? It's not in our environment.