How to enforce Apple Security Updates?

ttruong
New Contributor

Is there any way to force clients to install only security updates from the App Store?
I can force all updates, recommended updates, or specific updates using the exact names, but I don't see a way to force general security updates.

Thanks,
TT


ttruong
New Contributor

So here's what I ended up doing:

-created an Extension Attribute that runs a softwareupdate -l and see if there's any words with Security in it.
-scope a policy that groups computers with security updates pending.
-create a script that uses sed command to extract the securityupdate filename, then installs it with softwareupdate -i securityupdatename

I might run into trouble if there's more than one security update, but in that case I just need to make my sed script more complex.
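One way to script the steps ttruong describes, as an added example that is not ttruong's or qsodji's code: it parses `softwareupdate -l` for labels containing "Security", installs only those, and if an installed update requires a restart it schedules the reboot with a delay rather than immediately, so the policy run that launched the script can finish and report. It assumes macOS with softwareupdate(8); the two listings embedded in it are constructed samples, not captured output.

```shell
#!/bin/bash
# Added example, not the script ttruong or qsodji posted: install only the
# Security Updates that `softwareupdate -l` reports, then defer the reboot
# instead of `shutdown -r now`. Assumes macOS with softwareupdate(8); the
# parsing handles the 10.12/10.13 listing and the 10.15+ "Label:" form.
# The sample listings below are constructed, not captured from a real machine.
SAMPLE_OLD='Software Update found the following new or updated software:
   * Security Update 2017-001-10.12.6
        Security Update 2017-001 (10.12.6), 843046K [recommended] [restart]
   * iTunesX-12.7.3
        iTunes (12.7.3), 264199K [recommended]'
SAMPLE_NEW='Software Update found the following new or updated software:
* Label: Security Update 2020-001-10.15.3
        Title: Security Update 2020-001, Version: 10.15.3, Size: 1000K, Recommended: YES, Action: restart,
* Label: Safari13.1-13.1
        Title: Safari, Version: 13.1, Size: 68000K, Recommended: YES,'

# Print one label per line for each update whose label contains "Security".
security_labels() {   # $1 = full text of a `softwareupdate -l` listing
    printf '%s\n' "$1" \
      | sed -n -e 's/^[[:space:]]*\* \(Label: \)\{0,1\}//p' \
      | grep -i 'security' || true
}

# Exit 0 when listing $1 flags label $2 as needing a restart: old listings put
# "[restart]" on the line after the label, new ones "Action: restart".
needs_restart() {
    printf '%s\n' "$1" | awk -v label="$2" '
        index($0, label) { after_label = 1; next }
        after_label && (/\[restart\]/ || /Action: restart/) { found = 1 }
        { after_label = 0 }
        END { exit found ? 0 : 1 }'
}

# Install each pending Security Update; reboot only when one needs it, with a
# delay so the policy that ran this script can finish and upload its log.
install_security_updates() {
    listing="$(softwareupdate -l 2>&1)"
    labels="$(security_labels "$listing")"
    [ -n "$labels" ] || return 0
    restart=0
    while IFS= read -r label; do
        softwareupdate -i "$label"
        if needs_restart "$listing" "$label"; then restart=1; fi
    done <<EOF
$labels
EOF
    if [ "$restart" -eq 1 ]; then shutdown -r +5 "Security update installed; restarting in 5 minutes"; fi
}

if [ "${1:-}" = "--install" ]; then install_security_updates; fi
```

Run it as root with `--install` from the policy; without the flag it only defines the functions, which is convenient for checking the parsing against a pasted listing first.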

qsodji
Contributor

@ttruong I have put together a solution that will handle just that.
https://jumpt.wordpress.com/2015/02/12/enforcing-critical-osx-system-updates-via-casper/
Cheers

jubei
New Contributor II

@qsodji awesome scripts, just enabled them on my JSS. Thank you!

(btw, that link on your blog was broken, I had to go to your root Github)

qsodji
Contributor

@jubei Thanks, all fixed now...

cmahoney
New Contributor

@qsodji I have noticed that on your forced OS updates after 4 hours, you use:

shutdown -r now

My experience is this doesn't allow the policy to submit the logs properly. Have you found it to be an issue?

johnmcnair
New Contributor III

Did this change now with SIP?

The softwareupdate command does not seem to offer --critical as an option any more:

$ softwareupdate --help | grep security
$ softwareupdate --help | grep critical
$

Is there still a way to "push" only Security Updates via softwareupdate command line (through a policy of course)?
Thank you,
John McNair

hkabik
Valued Contributor

sudo softwareupdate --background-critical

donmontalvo
Esteemed Contributor III

Not an option anymore...

softwareupdate --help
usage: softwareupdate <cmd> [<args> ...]

** Catalog Management:
    --set-catalog <URL>   Set the new catalog URL (requires privileges)
    --clear-catalog     Clear the catalog URL back to defaults (requires privileges)

** Manage Updates:
    -l | --list     List all appropriate update labels (options:  --no-scan)
    -d | --download     Download Only
    -e | --cancel-download      Cancel a download
    -i | --install      Install
        <label> ...   specific updates
        -a | --all      All appropriate updates
        -r | --recommended  Only recommended updates
    --background        Trigger a background scan and update operation
    --ignore <label> ...  Ignore specific updates
    --reset-ignored     Clear all ignored updates

** Other Tools:
    --suspend-background    Suspend background operations from occurring temporarily (use --duration to specify duration to suspend in seconds)
        --duration <duration>)        Optional duration in seconds to suspend background operations (defaults to 5*60 seconds)
    --dump-state        Log the internal state of the SU daemon to /var/log/install.log
    --evaluate-products     Evaluate a list of product keys specified by the --products option 

** Options:
    --no-scan       Do not scan when listing or installing updates (use available updates previously scanned)
    --products      A comma-separated (no spaces) list of product keys to operate on. 
    --force         Force an operation to complete.  Use with --background to trigger a background scan regardless of "Automatically check" pref 

    --verbose   Enable verbose output
    --help  Print this help

Ok, but yea, it does seem to work...

$ sudo softwareupdate --background-critical
softwareupdate[57863]: Triggering background check with forced scan (critical and config-data updates only) ...
--
https://donmontalvo.com

anthonytji
New Contributor III

So I am running the same ($ sudo softwareupdate --background-critical) update, and it shows software update triggering in the background, but I still have a pending security update in the App Store (Security Update 2017-001 10.12.6).

I just want to be able to force security updates in the background without having to force OS updates

osxadmin
Contributor II

I'm also interested on forcing background critical updates.

Posted: Today at 10:40 AM by anthonytji
So I am running the same ($ sudo softwareupdate --background-critical) update, and it shows software update triggering in the background, but I still have a pending security update in the App Store (Security Update 2017-001 10.12.6). I just want to be able to force security updates in the background without having to force OS updates.

monaronyc
Contributor

@qsodji Hi guys! Happy New Year! We enabled the security updates per the great scripts that were offered to us for use with Casper. Thanks a million! One thing we noticed now: when the notification pops up alerting the user that a security update is available, the High Sierra upgrade is also there. Any way to suppress the High Sierra OS upgrade alert and keep the security update notifications?

qsodji
Contributor

@monaronyc I believe if you delete the OS from Applications that message will no longer be an issue.
Not sure if there is a way to suppress just that.

donmontalvo
Esteemed Contributor III

@qsodji we can confirm, tested, removing the installer puts an end to the alerts.

--
https://donmontalvo.com

Nix4Life
Valued Contributor

@donmontalvo @qsodji,

That may not be a fix for all. My installer(s) live in /Applications/. I run a SUS at home/work. I have the same settings as mentioned to automatically get security updates installed. There is an OS installer notification pkg that will get installed by Apple if you are not running your own SUS and have it disabled. You can run the --ignore flag, but on the next point release, the alert may come back. I have not been notified since the late 10.12 releases. God knows there are enough "how do I disable this Hi-C notification" threads, but there will be more as soon as 10.13.3 is released, c'est la vie.

App Store settings: (screenshot)

jamesreynolds
New Contributor III

So you are saying that you are running a SUS and are downloading security updates and you aren't getting the notification center update alerts?

Nix4Life
Valued Contributor

Yes, as long as you have not downloaded the current version which will offer the point release. So if you set this up now, and you disable it in your SUS, you will not get the notification when 10.13.3 drops.

mostlikelee
Contributor

just to update this thread:

softwareupdate --background --force

is now documented in

softwareupdate --help

dgreening
Valued Contributor II

Regarding blocking the OS upgrade notice/download: I worked with AppleCare to figure out that blocking this update via script kills that off: "softwareupdate --ignore macOSInstallerNotification_GM"

mostlikelee
Contributor

Please vote up this addition to the Software Update payload!

SWUpdate

tdilossi
Contributor

I see that you all want to have this on, but I need this to be turned off across all of my devices. We will update all machines over summer, but don't want an update running on a machine while a student is trying to take a final exam. Any suggestions for scripting this behavior?

SGill
Contributor III

Try limiting the important updates to run only at logout, only at overnight hours, etc. (a whole semester's wait could be viewed as a security lag).

Here, (with a different vendor's software), if a patch that is flagged this way is released, it will either not download at all, or download and wait to install until the user logs out.

If that feature is missing from jamf (or whatever you use for Apple software updates) make it a feature request!

(screenshot)

Not applicable

Thank you for this valuable post

monaronyc
Contributor

@SGill Hi! What exactly is that screenshot of?

SGill
Contributor III

It's from Ivanti LANrev. I was only posting it for comparison purposes, and for ideas for feature requests/techniques for jamf.