Managing Mojave Updates

ICT-JPC
New Contributor III

Afternoon,

I am after some help around managing Mojave Updates please, if anyone could provide any assistance.

We've imaged the majority of our machines with Mojave 10.14.5 during our summer refresh and we've packaged, tested and will be installing our Apps based on this version. Now 10.14.6 has been released, we're seeing prompts for our Macs wanting to install this latest version, which I would want to prevent/suppress. We have discovered that if the update is initiated, then it does install, using a non-admin account.

In an attempt to configure our Update settings to disable any macOS auto updates and manage other updates, we have configured "com.apple.SoftwareUpdate.plist" to:
- Automatically keep my Mac up to date - disabled/unticked
- Check for updates - disabled/unticked
- Download new updates when available - disabled/unticked
- Install macOS updates - disabled/unticked
- Install app updates from the App Store - disabled/unticked
- Install system data files and security updates - enabled/ticked

But we've seen that this has no effect!

Also the reason for us leaving the 'Install system data files and security updates' option enabled was in the hope that XProtect and Gatekeeper would still maintain their updates, but they don't seem to be updating either with this option enabled.

What I have discovered is that if I enable 'Check for updates' and 'Download new updates when available', then XProtect does seem to update.

I have also come across this, which seems to suggest that we can edit the plist file with the relevant options: https://derflounder.wordpress.com/2018/12/28/enabling-automatic-macos-software-updates-for-os-x-yosemite-through-macos-mojave/

Any input would be gratefully received. Thanks.


apizz
Valued Contributor

@ICT-JPC Even though you've disabled auto softwareupdate checks on your Macs, Jamf still runs a softwareupdate -l as part of inventory collection to determine available updates.

Your best bet would be to implement something like reposado (https://github.com/wdas/reposado/) so you can point your Macs to your own Apple Software Update server and control what updates your Macs can and cannot see. Definitely worth your while.

We implemented this last year and it has been a huge help to avoid those nagging software update prompts and control when and if our Macs get updates. Super useful when Apple pushes updates and recalls them a couple days later (this happened recently with the 2019-0004 security update).

mm2270
Legendary Contributor III

@aporlebeke

Even though you've disabled auto softwareupdate checks on your Macs, Jamf still runs a softwareupdate -l as part of inventory collection to determine available updates.

No, this is only true if you have specifically enabled Software Inventory collection on your Jamf server. (see screenshot below)
Otherwise, to my knowledge it does not automatically run a softwareupdate -l command as part of normal inventory. I may be wrong about that, but I don't think so, since I know some people have had trouble getting their Jamf Pro to show available SWUs until they checked that box and allowed inventory to take place.

But I agree with the rest of the post in that running a reposado server is a good idea. Apple has deprecated the Software Update service in macOS Server so it's no longer an option to use an Apple server directly for this, not that it's even been a great idea now for several years.

@ICT-JPC Outside of this suggestion, it IS possible to tell your Macs to ignore certain specific updates in a pinch, until you are ready to have the update installed. For example, running something like this will tell the Mac to not see the 10.14.6 update:
sudo softwareupdate --ignore "macOS 10.14.6 Update"
That can of course be run via a Jamf policy (minus the sudo) to all 10.14.5 Macs.
After running the above, if you run sudo softwareupdate -l on one of those Macs you'll see that it will no longer list 10.14.6 as an available update. Other updates may still show up depending on what is still available for that system though.

One additional thing I found on using the --ignore flag. If a Mac is still on an older version, like say, 10.14.4, ignoring 10.14.6 will suddenly make 10.14.5 as an available update, which may actually be desirable, but that depends on your specific needs. Since you mentioned they are all on 10.14.5 this is probably enough to temporarily disable it. You can then reset it back to defaults at a later time using softwareupdate --reset-ignored

apizz
Valued Contributor

Good call @mm2270, I had forgotten about that setting.

seann
Contributor

Alternatively you could set up your own SUS so as to control what and when gets rolled out to your fleet.

ICT-JPC
New Contributor III

Hi,

Thanks for all the input. I am still relatively new to the Mac setup in our organisation, so whilst the idea of a Software Update Server sounds good, this is something I'll need to broach as time allows.

For now I'll look into blocking the update, as @mm2270 has suggested.

Thanks.

mm2270
Legendary Contributor III

@ICT-JPC Glad to help.
Keep in mind that using the --ignore flag to ignore updates should only be a temporary solution to get you through the immediate issue. I would encourage you to look into reposado and begin exploring it when that's possible for you. It's not all that difficult to set up. The GitHub and wiki pages have good initial setup walkthroughs you can follow. And it can be run on just about anything. Most people use a virtualized system to run it on, but that's not a requirement.
Also, if storage space is an issue for you when looking at reposado, since downloading all of Apple's updates does take up many GBs of disk space, you should know it's possible to configure it so you can control which updates appear to your Mac clients, but still have them pull the updates themselves down from Apple's distribution network, so you're in effect only storing the "catalog" of updates locally and managing that, which requires very little space.

There is also a front end GUI you can run to help with management of the updates called Margarita that you should check out.

ICT-JPC
New Contributor III

Hi, I'd like to ask an additional question please.

So I've implemented a script utilising the softwareupdate command to ignore Mojave 10.14.6 without issue.

It has also been identified that there are updates for Gatekeeper, MRT and XProtect available too. Automatic updating within Mojave has been disabled as part of the MDS build config, as the thinking was around how updates could potentially be controlled going forward. I am definitely going to look into Reposado when not so busy, but in the meantime I have identified the updates the build requires and am trying to create a script utilising the 'softwareupdate' command and the '--include-config-data' option. However, when I create a script and attempt to deploy it as a policy with Jamf, it seems to fail. All I see in the logs is 'Executing Policy <name>' and nothing else, no failure or error. If I run each command manually in Terminal, it runs through fine. The script is literally:

#!/bin/bash
# Install the config-data items the build needs; --include-config-data is
# required for softwareupdate to act on these labels.
softwareupdate -i TCCConfigData-17.0 --include-config-data
softwareupdate -i XProtectPlistConfigData-2103 --include-config-data
softwareupdate -i CompatibilityNotificationData_10_14-1.0.6 --include-config-data
softwareupdate -i MRTConfigData_10_14-1.47 --include-config-data
softwareupdate -i GatekeeperConfigData-140 --include-config-data
softwareupdate -i GatekeeperConfigData-174 --include-config-data

I have tried adding sudo, #!/bin/bash etc (I am still quite new to the world of scripting for macOS!) but no joy. It is as if the policy kicks in, but then just falls over. As I've mentioned, annoyingly the 'softwareupdate' script I have used to block Mojave 10.14.6 update is seemingly working fine, so the Macs are acknowledging the 'softwareupdate' command and as a script/policy it is working from Jamf.

Any advice would be most welcome.

Thanks.
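The helpers below are an added example, not code from this thread or from Jamf. They serve two points raised above: confirming with the softwareupdate -l listing that an --ignore'd update is really gone (mm2270's check), and wrapping the config-data installs so each exit status is echoed to the policy log rather than the policy stopping silently. The sample listing text and the SWU_CMD override are assumptions.

```shell
#!/bin/bash
# Added example helpers for a Jamf policy script (not code from the thread):
# parse the "* Label" lines of `softwareupdate -l`, check whether an
# --ignore'd update is still listed, and install config-data labels one at a
# time while echoing each exit status so the policy log shows what happened.
# SWU_CMD is an assumed override so the loop can be exercised without the binary.
SWU_CMD="${SWU_CMD:-/usr/sbin/softwareupdate}"
# Constructed sample resembling a Mojave listing; a real policy would use:
#   listing=$("$SWU_CMD" -l --include-config-data 2>&1)
SAMPLE_LISTING='Software Update found the following new or updated software:
   * XProtectPlistConfigData-2103
        XProtectPlistConfigData ( ), 100K [recommended]
   * MRTConfigData_10_14-1.47
        MRTConfigData ( ), 2000K [recommended]
   * GatekeeperConfigData-174
        GatekeeperConfigData ( ), 100K [recommended]
   * macOS 10.14.6 Update-
        macOS 10.14.6 Update ( ), 1500000K [recommended] [restart]'
# One label per line: strip the "* " marker and the trailing "-" that some
# Mojave listings append to a label (assumed; the sample reproduces it).
swu_labels() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\* //p' | sed 's/-$//'
}

# Keep only the config-data families the build needs; macOS updates stay out.
config_data_labels() {
    swu_labels "$1" | grep -E '^(XProtect|MRT|Gatekeeper|TCC)' || true
}

# Exit 0 while LABEL is still offered, i.e. the --ignore has not taken effect.
label_offered() {
    swu_labels "$2" | grep -qxF "$1"
}

# Install each label, log its exit status, and return the failure count so
# a problem surfaces in the Jamf policy log instead of a silent stop.
install_config_data() {
    failures=0
    while IFS= read -r label; do
        [ -n "$label" ] || continue
        rc=0; "$SWU_CMD" -i "$label" --include-config-data || rc=$?
        echo "install $label: exit $rc"
        [ "$rc" -eq 0 ] || failures=$((failures + 1))
    done <<EOF
$1
EOF
    return "$failures"
}
```

In the policy, capture the live listing with the command shown in the comment and pass `config_data_labels "$listing"` to `install_config_data`; Jamf already runs policy scripts as root, so no sudo is needed.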