Custom Config profile set once would be the way to go.. Alternatively, although people are shying away from it is writing them as defaults write

Rich has a great Blog post describing how to go about doing it with defaults write
Here

I have a unique solution to a unique problem.

I have a custom plist for a piece of 3rd party software.

Here is how I manage this...

1. I enabled hidden folders on my target Mac. I'll refer to the target Mac as the "Gold Master". - You can do this with Terminal or with a utility like TinkerTool
2. I then configured the Gold Master the way I wanted it.
3. I moved (not copied) the custom plist from it's default location to the Desktop (i.e. /Library/Preferences/MyCustom.plist to ~/Desktop/MyCustom.plist)
4. I then ran Casper Composer on the Gold Master and I created a "Normal Snapshot"
5. I gave it a unique package name like "my_custom_plist_v1.0"
6. Casper Composer took a snapshot...
7. I then copied the custom plist from the Desktop back to the proper location (i.e. ~/Desktop/MyCustom.plist to /Library/Preferences/MyCustom.plist)
8. I then clicked on "Create Package Source"
9. Casper Composer takes an "After" snapshot... wait for it...
10. I deleted everything not relevant within the snapshot. - I only want /Library/Preferences/MyCustom.plist
11. I then built the file as a DMG (not a PKG) and saved to my Desktop on the Gold Master
12. Casper Composer created the my_custom_plist_v1.0.dmg file onto my Desktop
13. I then uploaded my_custom_plist_v1.0.dmg to my JSS under "Settings > Computer Management > Packages"
14. I filled out the information on the General Tab the way I needed it.
15. I then saved the package within the JSS
16. I created a policy to deploy the dmg file to all relevant systems

This workflow is simple and effective.

If @rderewianko's suggestion doesn't work for you, perhaps this manual method will...

Good luck and feel free to ask any questions you may have.

I believe it will overwrite the entire client plist. (not just modify it) Using a defaults write command may be a better option.

defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -boolean FALSE

Either way, I’d first test your package or script with one or two clients before deploying in mass.

@mark.sampers - In my particular example, the 3rd party plist did not exist prior. That being said, I completely agree with you. Testing before rolling into production is key!

right now i'm running a script that does this.

softwareupdate --schedule off
softwareupdate --background-critical --force

if i create a configuration profile. would i used the. 'custom settings' payload and upload the .plist ?

@tcandela

if i create a configuration profile. would i used the. 'custom settings' payload and upload the .plist ?

Yes, that is exactly what you'd use. Only because it's not a built in option to manage those settings. Once you get familiar with how to use the Custom settings payload in a Configuration Profile, there is very little you can't add to it to manage things that are not provided out of the box.

@LSinNY I'm going to test out your default write commands in a script and have it run in my configuration at reboot.

!/bin/sh

/usr/bin/defaults write /Library/Preferences/com.apple.appstore restrict-store-softwareupdate-only -bool yes
softwareupdate --schedule on
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool False
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool TRUE
defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool TRUE
defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool TRUE

exit $?

@LSinNY it set the correct App Store updates !! when i run a configuration that installs 10.12.4 and enrolls

Automatically check for updates
&
Install system data files and security updates

but now I wonder what would happen if I run the script on currently enrolled macs ?? I'll let you know. that's next