Force XProtect to update?

fgonzale
Contributor

Hi,

How do you force an XProtect version update?

Trying:

softwareupdate --background-critical

outputted the following:

softwareupdate[92845]: Triggering background check with forced scan (critical and config-data updates only) ...

But running:

defaults read /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist CFBundleShortVersionString

shows an older version of XProtect.

For our labs we updated to 10.15.7 using the Combo and Supplemental PKGs, but the XProtect version remained an old version.

We like to control the software update process, so we have everything unchecked in Software Update.

Not sure if that has something to do with XProtect being unable to update even when running softwareupdate --background-critical from the Terminal.

1 ACCEPTED SOLUTION

fgonzale
Contributor

@mvu thanks for the feedback, it pushed me towards an answer. In the end the final piece was

softwareupdate --background --include-config

in combination with the following Software Update PreferencePane configuration


This Software Update PreferencePane configuration is displayed after running the following (assuming nothing was selected before):

/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist ConfigDataInstall -bool true

Basically if I tried to run

softwareupdate --background --include-config

without the above configuration for Software Update, then the XProtect definitions would simply not update. Once I at least re-enabled the Mac's ability to check and download updates, then running softwareupdate --background --include-config would finally grab the latest XProtect data.

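An added example, not code from any poster in this thread: a shell script for the accepted answer's procedure, which finds the Software Update keys that are off, enables them, triggers the background check and reports the XProtect version before and after. The function names, the `--run` argument and the `WAIT_SECS` polling window are assumptions made for this example.

```shell
#!/bin/sh
# Added example; paths, keys and the softwareupdate flags are the ones quoted in the thread.
SU_PLIST=/Library/Preferences/com.apple.SoftwareUpdate.plist
XP_PLIST=/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist
REQUIRED_KEYS="AutomaticCheckEnabled AutomaticDownload ConfigDataInstall"

# Print the stored value of one Software Update key (empty if unset).
read_pref() {
    /usr/bin/defaults read "$SU_PLIST" "$1" 2>/dev/null
}

# Print the installed XProtect definitions version.
xprotect_version() {
    /usr/bin/defaults read "$XP_PLIST" CFBundleShortVersionString 2>/dev/null
}

# Print every required key that is not currently enabled, space separated.
disabled_keys() {
    out=""
    for key in $REQUIRED_KEYS; do
        case "$(read_pref "$key")" in
            1|true|TRUE|YES) ;;
            *) out="${out:+$out }$key" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Enable whatever is off, trigger the background check, report both versions.
update_xprotect() {
    before=$(xprotect_version)
    for key in $(disabled_keys); do
        /usr/bin/defaults write "$SU_PLIST" "$key" -bool true || return 1
    done
    /usr/sbin/softwareupdate --background --include-config || return 1
    # Assumption: the install finishes asynchronously, so poll for up to
    # WAIT_SECS seconds (default 300 is a value chosen for this example).
    waited=0
    while [ "$waited" -lt "${WAIT_SECS:-300}" ]; do
        [ "$(xprotect_version)" != "$before" ] && break
        sleep 10; waited=$((waited + 10))
    done
    printf 'XProtect before=%s after=%s\n' "$before" "$(xprotect_version)"
}

# Does nothing unless invoked as root with --run; otherwise only defines functions.
if [ "${1:-}" = "--run" ]; then
    update_xprotect
fi
```

Identical before and after versions mean either the definitions were already current or the install had not finished within the polling window.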

7 REPLIES

obi-k
Valued Contributor III

Does this work?

a) softwareupdate --background --include-config
b) softwareupdate --background --include-config-data

If you want to install ALL Mac updates, including XProtect and MRT:

c) softwareupdate --ia --include-config-data

obi-k
Valued Contributor III

If you wanted to keep those unchecked for control, you can download the XProtect and MRT packages directly and upload them to Jamf to push. There are a few ways to get the packages if you want to go that route.

fgonzale
Contributor

@mvu ah, you're right, I could have just downloaded the pkgs for that. I think in the past I've installed things on a build machine and then looked at the install.log to figure out the URL path for the installed pkgs.


Or is there a better way of extracting/parsing for the pkgs in Apple's software repository?

obi-k
Valued Contributor III

Yes, you can find the URL in the Console. You can also use Terminal and the softwareupdate -d command. I explain how I did this with Safari in the link below. Someone mentioned the app SUS Inspector as well, which saves some work on digging for the URL.

Safari DL

mfletch
New Contributor III

@fgonzale I'm struggling to get this to work and all of our macOS devices are on the latest version of macOS (14.1.2..... I realize 14.2 was released yesterday...) but a handful of devices have an old version of XProtect for some reason. Do you happen to have a script that works to update XProtect? I tried running softwareupdate -d but no luck, but I think that's just because it's downloading the update, but not actually installing the update, and I'm not too sure how to kick off the install.

pete_c
Contributor III

Create a new configuration profile with a Software Update payload that enforces automatic installation of configuration data and system data files.

Alternatively, package and deploy Eclectic Light's silnite utility, create a smart group based on XProtect Definitions Version (Computer Inventory > Security, currently version 2177), then create a policy scoped to that group to execute command "silnite au" (by default it installs to /usr/local/bin/) to check for and install updates.