How to create a "Smart Computer Group" for Security Update 2016-00x

clegger06
New Contributor III

JAMF NATION,

I have searched the community for previous discussion etc. on this but I haven't quite found what I need.

I need to create a "Smart Computer Group" that can report what security updates are installed on each managed Mac.

We use a SUS to roll out selected updates. What is the best way to configure this group? I have tried "Number of available updates" and set it to "more than" 0, but that report comes back with 1 Mac needing updates. I know that is wrong though because the Policy we have slated to roll out updates to all Macs still has 50/200 left needing the install.

I feel like I am missing something here. Can someone assist?

mm2270
Legendary Contributor III

We might need a little more info on your setup. For example, is that Security Update enabled on your SUS to show up for those Macs?
What is determining that 50 of your 200 Macs need this update? Do you have Software Updates being collected properly in your JSS' inventory collection settings? Because that would be needed for a Smart Group to be able to see all available updates. If that setting is off, inventory won't gather the available updates during a recon, which might be why it's only showing 1 Mac or something.

There are certainly other approaches you can take to this outside of using the built-in inventory options, such as having a once-a-day policy run that gathers a value for the number of Security updates available to that Mac, writes it into a local file, and then that value gets picked up by an Extension Attribute during each recon. This avoids needing to have Software Update collection enabled all the time, although I'm not sure how much that really saves you.

CAJensen01
Contributor

If you're talking about individual Smart Groups for each update, you should be able to create one with criteria such as:

Title: Security Update 2016-002 Needed - El Capitan
Criteria: Available SWUs has Security Update 2016-002-10.11.6

Ex for Safari:
Criteria: Available SWUs has Safari10.0.1ElCapitan-10.0.1

AVmcclint
Honored Contributor

If you want to create a smart group that depends on the existence (or lack) of the Security update, you can install the update on one Mac, then do About This Mac and in the window that pops up, click on the Version and it will display the build.
Once you have the build of the OS that HAS the security update installed, then in the criteria for the smart group, choose "Operating System" then the build number. In this particular example, you'd put 15G1212. Then you can choose whether you want the group to be based on having that build or not having that build. Here's one I made to keep track of Macs that got 2016-003.

EdLuo
Contributor II

@clegger06 The "Number of available updates" criterion is not working properly; see the link for a workaround.

As for the Smart Group, you can use the criteria "Packages Installed By Installer.app/SWU" "does not have" and click on the "..." button to select the package. Example package: {com.apple.pkg.update.os.SecUpd2016-003ElCapitan.15G1212}

EdLuo
Contributor II

Forgot to mention that "Collect Package receipts" needs to be enabled under Computer Inventory Collection.

sean
Valued Contributor

It doesn't cover the caveats that @mm2270 mentioned, but as a strict response to your question, you could create an EA

#!/bin/bash

# List the receipts of Apple update packages whose id contains "2016".
# pkgutil --pkgs takes a regular expression; quoting it keeps the shell
# from treating the pattern as a glob.
RESULT=$(pkgutil --pkgs="com.apple.pkg.update.*2016.*")

# No matching receipt: report N/A so a Smart Group can key on it.
if [[ "$RESULT" == "" ]]
then
        RESULT="N/A"
fi

# Jamf reads the Extension Attribute value from between the result tags.
echo "<result>$RESULT</result>"

exit 0

Apple has changed the format of the id over time, so depending on the range you wish to cover, you may wish to edit the REGEXP

clegger06
New Contributor III

Thank you all for responding, @AVmcclint you heard me loud and clear. So just to clear something else up on this topic... When Apple releases a security update like 2016-003, the OS build version number is updated? So each round, for example, I will need to update the OSX 10.11.6 report with the new build version for that new security update?

Thanks again.

AVmcclint
Honored Contributor

That is correct. The build number does change for each Security Update.

clegger06
New Contributor III

@AVmcclint or anyone else,

Smart Group A = OS X 10.12.2 and 10.11.6 2016-003
Smart Group B = OS X 10.10.5 2016-007

Using the instructions from the answer above, I built out a smart group to track the OS X 10.12.2 and 10.11.6 2016-003 updates. I also built out a group to track OS X 10.10.5 2016-007 for tracking all updates from this post: https://support.apple.com/en-us/HT207423

According to our SUS Policy (Security Policy for all Managed Macs), 80 out of 100 Macs have received the necessary updates. If Smart Group A reports 10 Macs need the updates... and Smart Group B reports 15 need the update... we can tell something is broken. Smart Groups A and B report a total of 25 Macs need the patches altogether, which doesn't line up with the "Security Policy for All managed Macs"... which says we only have 20 left to receive updates.

If Group A reports a number which falls in line with what I would expect, and Group B is off the charts ... I could assume group B could be my issue?

Is this the best site (https://support.apple.com/en-us/HT201260) for finding build versions for OS X?

It seems the Yosemite build versions in our JSS are not matching exactly what Apple says is released (according to the link above). For example, the most up to date Yosemite "build" should be "14f27" (10.10.5) according to the link above. However, after having installed these patches, we do not have any build "14f27" in our environment... but the JSS reports we have 10.10.5 on 30 Macs. Does this issue make sense? How would you begin to troubleshoot this?

clegger06
New Contributor III

@CAJensen01, I was looking at your response. I am new to the JAMF environment. I do not see the criteria you list, but that is the right track as well.

Question, is there a way I can add this to my "New Criteria" section somehow?

AVmcclint
Honored Contributor

Because build numbers can vary depending on the hardware and if certain updates are installed, I don't go by the list on Apple's site. There isn't enough information there. Sometimes Apple doesn't update that list to include any patches that could apply. I take a brand new piece of hardware (if I have one) and get it updated as far as it will go through Software Update and note the build number, then I take "old" hardware and get it updated as much as possible through Software Update and note the build number. I build my smart groups based on those build numbers. What I usually do is make a smart group of Macs that "are not" the latest build number and apply Security updates and other things based on that. When the count gets down to zero, then I know I'm done updating them.

If your information varies wildly, there may be other factors in play. I'd suggest letting a couple Macs connect to Software Update and update until there are no more updates to find. If you're using SUS, make sure that you have all applicable updates enabled for the Macs to see.
Also note that the JSS doesn't record the build numbers until after an inventory or recon is run on each Mac.

AVmcclint
Honored Contributor

For clarification, I get the build number from recently released brand new hardware because many times Apple will have a special build of the OS just for that model. Usually after a 10.x.n OS update, the build numbers are more universal and apply to all currently shipping (and previous) Macs, but you should still test this to be sure.

sean
Valued Contributor

If you want to know if there are security patches not applied, just run:

softwareupdate -l

on a machine and make an EA for security updates. When you run this command, it populates

/Library/Preferences/com.apple.SoftwareUpdate.plist

with available updates. So you can use an EA to read this if you'd rather.

If there are none, then your system is up to date. You could wrap this with the above script I posted, such that if it did come back with an available update, you could subsequently query which update is currently installed and this would be totally automated and always up to date.
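The two suggestions above, mm2270's once-a-day policy that caches a value for an Extension Attribute to pick up, and sean's check of `softwareupdate -l`, combined into one script. This is an added example, not code from the thread or from Jamf: the cache path under /Library/Application Support/JAMF is an assumption, as is the 10.11-era `softwareupdate -l` output format in which each pending update is introduced by a line beginning with `*`. The policy calls it with `refresh`, the EA calls it with `ea`.

```shell
#!/bin/bash
# Added example, not code from the thread. Policy side: run softwareupdate -l,
# keep only the security updates it lists and cache them in a local file.
# EA side: read that file and emit the Jamf <result>. The cache path and the
# 10.11-era softwareupdate output format are assumptions.

CACHE_FILE="${CACHE_FILE:-/Library/Application Support/JAMF/pending_secupd.txt}"

# Extract the security update labels from "softwareupdate -l" output read on
# stdin. Each pending update is introduced by a line such as
#   "   * Security Update 2016-003-10.11.6"
# Prints one label per line; prints nothing when none are pending.
pending_security_updates() {
    sed -n 's/^[[:space:]]*\* *\(Security Update [^[:space:]]*\).*/\1/p'
}

# Number of non-empty lines on stdin (the pending count mm2270 mentions).
count_pending() {
    awk 'NF { n++ } END { print n + 0 }'
}

# Policy script: refresh the cache. softwareupdate only exists on macOS;
# older releases print the list on stderr, so both streams are parsed.
refresh_cache() {
    if ! command -v softwareupdate >/dev/null 2>&1; then
        echo "softwareupdate not found; not a macOS host" >&2
        return 1
    fi
    softwareupdate -l 2>&1 | pending_security_updates > "$CACHE_FILE"
}

# EA script: turn the cached list into a <result>. N/A when nothing is
# pending (sean's convention above); MISSING when the policy has never run,
# so that such Macs can be caught by a Smart Group too.
ea_result() {
    cache="$1"
    if [ ! -f "$cache" ]; then
        echo "<result>MISSING</result>"
    elif [ ! -s "$cache" ]; then
        echo "<result>N/A</result>"
    else
        echo "<result>$(cat "$cache")</result>"
    fi
}

# Usage: "$0 refresh" from the daily policy, "$0 ea" as the EA script.
case "${1:-}" in
    refresh) refresh_cache ;;
    ea)      ea_result "$CACHE_FILE" ;;
esac
```

A Smart Group on the EA value "is not" N/A then lists the Macs with pending security updates, and one on MISSING lists the Macs the policy has not reached yet.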

sean
Valued Contributor

Apple have released a new version of Security Update 2016-003 Supplemental Update-10.11.6 but it still has the same version name. However, as mentioned previously, the following code will reveal which version you have:

Build: 15G1212
Version: 1.0.0.0.1.1479450169

$ pkgutil --pkgs=com.apple.pkg.update.*2016.*
com.apple.pkg.update.os.SecUpd2016-003ElCapitan.15G1212
$ pkgutil --pkg-info-plist com.apple.pkg.update.os.SecUpd2016-003ElCapitan.15G1212
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>groups</key>
    <array>
        <string>com.apple.securityfix.pkg-group</string>
        <string>com.apple.snowleopard-repair-permissions.pkg-group</string>
        <string>com.apple.FindSystemFiles.pkg-group</string>
    </array>
    <key>install-location</key>
    <string>/</string>
    <key>install-time</key>
    <integer>1483566641</integer>
    <key>pkg-version</key>
    <string>1.0.0.0.1.1479450169</string>
    <key>pkgid</key>
    <string>com.apple.pkg.update.os.SecUpd2016-003ElCapitan.15G1212</string>
    <key>receipt-plist-version</key>
    <real>1</real>
    <key>volume</key>
    <string>/</string>
</dict>
</plist>

After updating you'll see two 003 updates, the original and the supplemental:

$ pkgutil --pkgs=com.apple.pkg.update.*2016.*
com.apple.pkg.update.os.SecUpd2016-003ElCapitan.15G1212
com.apple.pkg.update.os.SecUpd2016-003Supplemental.15G1217

The easiest way to know if you have the newer update is to do as suggested previously and run:

softwareupdate -l

and grab the result.
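An Extension Attribute that extends sean's earlier `pkgutil` EA with the detail this post is about: each matching receipt is listed together with its pkg-version, so 2016-003 and its Supplemental (same update name, different receipt id and version) appear as distinct values a Smart Group can match on. This is an added example, not code from the thread or from Jamf; the year pattern is an assumption and can be passed as the first argument to cover a different range, and the helper names are mine.

```shell
#!/bin/bash
# Added example, not code from the thread. Extension Attribute that lists the
# installed Apple update receipts for one year together with each receipt's
# pkg-version, so that 2016-003 and its Supplemental (same update name, but a
# different receipt id and version) appear as distinct values a Smart Group
# can match on. The year pattern is an assumption; pass another as $1.

YEAR="${1:-2016}"

# Pull one value out of "pkgutil --pkg-info-plist" output read on stdin:
# $1 is the plist key, and the text of the element on the following line is
# printed with its tags and surrounding whitespace stripped.
plist_value() {
    awk -v key="<key>$1</key>" '
        found { gsub(/<[^>]*>/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); print; exit }
        index($0, key) { found = 1 }'
}

# Turn "pkgid version" lines on stdin into the EA text: sorted, or N/A when
# no receipt matched (the same convention as the EA earlier in the thread).
format_result() {
    pairs=$(sort)
    if [ -z "$pairs" ]; then
        echo "N/A"
    else
        printf '%s\n' "$pairs"
    fi
}

# Query the live receipt database (macOS only): one "pkgid version" per line.
# pkgutil --pkgs takes a regular expression, hence the quoting.
installed_receipts() {
    pkgutil --pkgs="com.apple.pkg.update.*${YEAR}.*" | while IFS= read -r pkgid; do
        version=$(pkgutil --pkg-info-plist "$pkgid" | plist_value pkg-version)
        echo "$pkgid $version"
    done
}

if command -v pkgutil >/dev/null 2>&1; then
    RESULT=$(installed_receipts | format_result)
else
    RESULT="N/A"    # no pkgutil: not a macOS host, nothing to report
fi
echo "<result>$RESULT</result>"
```

With the two receipts shown above the EA value contains both the 15G1212 and the 15G1217 lines, so a Smart Group criterion of the EA "like" Supplemental separates Macs that have the newer update from those that only have the original 2016-003.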

ryan_peterson
New Contributor II

This EA will also work: Address High Sierra Vulnerability

posted this on the wrong thread