Posted on 06-18-2015 09:56 AM
Is there any way to force clients to install only security updates from the App Store?
I can force all updates, recommended updates, or specific updates using the exact names, but I don't see a way to force general security updates.
Thanks,
TT
Posted on 06-18-2015 04:59 PM
So here's what I ended up doing:
- created an Extension Attribute that runs softwareupdate -l and sees if there are any words with Security in it.
- scope a policy that groups computers with security updates pending.
- create a script that uses the sed command to extract the security update filename, then installs it with softwareupdate -i securityupdatename
I might run into trouble if there's more than one security update, but in that case I just need to make my sed script more complex.
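One way to script the steps above, added here as an example rather than code from the thread: it parses the softwareupdate -l listing for labels containing "Security" and installs each label separately, so the more-than-one-update case is covered. The two sample listings are constructed, and the function names are my own.

```shell
# Added example, not from the thread: list every pending update whose label
# contains "Security" (as `softwareupdate -l` reports it) and install each
# label with `softwareupdate -i`, so several security updates are handled.
# Constructed sample of `softwareupdate -l` output (10.12-era layout), used so
# the parser runs offline; on a real Mac use "$(softwareupdate -l 2>/dev/null)".
SAMPLE_LIST='Software Update Tool

Finding available software
Software Update found the following new or updated software:
   * Security Update 2017-001-10.12.6
	Security Update 2017-001 (10.12.6), 825034K [recommended] [restart]
   * iTunesX-12.7.1
	iTunes (12.7.1), 264516K [recommended]
   * Security Update 2017-002-10.12.6
	Security Update 2017-002 (10.12.6), 101000K [recommended] [restart]'

# Constructed sample in the later "* Label:" layout (10.15 and newer).
NEWER_LIST='Software Update found the following new or updated software:
* Label: Security Update 2020-001-10.15.3
	Title: Security Update 2020-001, Version: , Size: 1234567K, Recommended: YES, Action: restart,
* Label: Safari-13.1
	Title: Safari, Version: 13.1, Size: 70000K, Recommended: YES,'

# Print one label per line for each update whose label contains "Security".
# Label lines start with "* " (optionally indented) and may carry "Label: ".
security_labels() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\* / {
            sub(/^[ \t]*\* (Label: )?/, "")   # strip bullet and optional "Label: "
            if ($0 ~ /Security/) print
        }'
}

# Number of pending security updates; suitable as an Extension Attribute
# value so a smart group can scope the install policy to affected Macs.
security_count() {
    security_labels "$1" | grep -c . || true
}

# Install each matching label separately so labels containing spaces are
# passed to softwareupdate as a single argument (requires root on macOS).
install_security_updates() {
    local list label
    list="$(softwareupdate -l 2>/dev/null)"
    security_labels "$list" | while IFS= read -r label; do
        echo "Installing: $label"
        softwareupdate -i "$label"
    done
}
```

Call install_security_updates from the policy script; security_count is the value to echo inside the <result> tags of the Extension Attribute.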
Posted on 06-19-2015 10:05 AM
@ttruong I have put together a solution that will handle just that.
https://jumpt.wordpress.com/2015/02/12/enforcing-critical-osx-system-updates-via-casper/
Cheers
Posted on 06-19-2015 03:04 PM
@qsodji awesome scripts, just enabled them on my JSS. Thank you!
(btw, that link on your blog was broken, I had to go to your root Github)
Posted on 06-19-2015 05:13 PM
@jubei Thanks, all fixed now...
Posted on 01-17-2017 03:17 PM
@qsodji I have noticed that on your forced OS updates after 4 hours, you use shutdown -r now. My experience is this doesn't allow the policy to submit the logs properly. Have you found it to be an issue?
Posted on 05-08-2017 01:31 PM
Did this change now with SIP?
The softwareupdate command does not seem to offer --critical as an option any more:
$ softwareupdate --help | grep security
$ softwareupdate --help | grep critical
$
Is there still a way to "push" only Security Updates via the softwareupdate command line (through a policy of course)?
Thank you,
John McNair
Posted on 05-08-2017 01:52 PM
sudo softwareupdate --background-critical
Posted on 05-09-2017 12:56 AM
Not an option anymore...
softwareupdate --help
usage: softwareupdate <cmd> [<args> ...]
** Catalog Management:
--set-catalog <URL> Set the new catalog URL (requires privileges)
--clear-catalog Clear the catalog URL back to defaults (requires privileges)
** Manage Updates:
-l | --list List all appropriate update labels (options: --no-scan)
-d | --download Download Only
-e | --cancel-download Cancel a download
-i | --install Install
<label> ... specific updates
-a | --all All appropriate updates
-r | --recommended Only recommended updates
--background Trigger a background scan and update operation
--ignore <label> ... Ignore specific updates
--reset-ignored Clear all ignored updates
** Other Tools:
--suspend-background Suspend background operations from occurring temporarily (use --duration to specify duration to suspend in seconds)
--duration <duration>) Optional duration in seconds to suspend background operations (defaults to 5*60 seconds)
--dump-state Log the internal state of the SU daemon to /var/log/install.log
--evaluate-products Evaluate a list of product keys specified by the --products option
** Options:
--no-scan Do not scan when listing or installing updates (use available updates previously scanned)
--products A comma-separated (no spaces) list of product keys to operate on.
--force Force an operation to complete. Use with --background to trigger a background scan regardless of "Automatically check" pref
--verbose Enable verbose output
--help Print this help
Ok, but yea, it does seem to work...
$ sudo softwareupdate --background-critical
softwareupdate[57863]: Triggering background check with forced scan (critical and config-data updates only) ...
Posted on 11-02-2017 08:40 AM
So I am running the same ($ sudo softwareupdate --background-critical) update, and it shows software update triggering in the background, but I still have a pending security update in the App Store (Security Update 2017-001 10.12.6).
I just want to be able to force security updates in the background without having to force OS updates.
Posted on 11-02-2017 12:10 PM
I'm also interested in forcing background critical updates.
Posted on 01-02-2018 09:40 AM
@qsodji Hi guys! Happy New Year! We enabled the security updates per the great scripts that were offered to use with Casper. Thanks a million! One thing we noticed now, when the notification pops up alerting the user that a security update is available, the High Sierra upgrade is also there. Any way to suppress the High Sierra OS upgrade alert and keep the security updates notifications?
Posted on 01-02-2018 12:06 PM
@monaronyc I believe if you delete the OS from Applications that message will no longer be an issue.
Not sure if there is a way to suppress just that.
Posted on 01-18-2018 12:23 PM
@qsodji we can confirm, tested, removing the installer puts an end to the alerts.
Posted on 01-18-2018 02:23 PM
That may not be a fix for all. My installer(s) live in /Applications/. I run a SUS at home/work. I have the same settings as mentioned to automatically get security updates installed. There is an OS installer notification pkg that will get installed by Apple if you are not running your own SUS and have it disabled. You can run the --ignore flag, but on the next point release the alert may come back. I have not been notified since late 10.12 releases. God knows there are enough "how do I disable this Hi-C notification" threads, but there will be more as soon as 10.13.3 is released, c'est la vie.
Appstore settings:
Posted on 01-18-2018 03:07 PM
So you are saying that you are running a SUS and are downloading security updates and you aren't getting the notification center update alerts?
Posted on 01-19-2018 05:06 AM
Yes, as long as you have not downloaded the current version which will offer the point release. So if you set this up now, and you disable it in your SUS, you will not get the notification when 10.13.3 drops.
Posted on 06-27-2018 02:05 PM
Just to update this thread: softwareupdate --background --force is now documented in softwareupdate --help.
Posted on 06-28-2018 05:39 AM
Regarding blocking the OS upgrade notice/download: I worked with AppleCare to figure out that blocking this update via script kills that off: "softwareupdate --ignore macOSInstallerNotification_GM"
Posted on 06-28-2018 06:19 AM
Please vote up this addition to the Software Update payload!
Posted on 01-18-2019 11:14 AM
I see that you all want to have this on, but I need this to be turned off across all of my devices. We will update all machines over summer, but don't want an update running on a machine while a student is trying to take a final exam. Any suggestions for scripting this behavior?
Posted on 01-18-2019 12:14 PM
Try limiting the important updates to run only at logout, only in overnight hours, etc. (a whole semester's wait could be viewed as a security lag).
Here, (with a different vendor's software), if a patch that is flagged this way is released, it will either not download at all, or download and wait to install until the user logs out.
If that feature is missing from jamf (or whatever you use for Apple software updates) make it a feature request!
Posted on 01-22-2019 12:14 PM
Thank you for this valuable post
Posted on 02-15-2019 01:28 PM
@SGill Hi! What exactly is that screenshot of?
Posted on 02-15-2019 01:42 PM
It's from Ivanti LANrev. I was only posting it for comparison purposes, and for ideas for feature requests/techniques for jamf.