- Jamf Nation Community
- Products
- Jamf Pro
- Payloads folder shows up after security update
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Payloads folder shows up after security update
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-30-2015 11:56 AM
Has anyone seen the trend of the "Payloads" folder showing up at the root level of Macintosh HD after Apples recent "Security Update 2015-004 1.0 update with Yosemite? We are on Mac OS 10.10.5 and it is showing up on all systems after our software update policy.
It also showed up when running the update manually thru Apple's App Store. The system was getting the update directly from Apple, not one of our internal SUS servers.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-30-2015 12:24 PM
Hi, I saw your post and decided to have a look at a couple of computers I have available to me and they all have this Payload directory at the root. Interesting. Mine were all pushed via policy. I wonder what this is about?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-30-2015 12:30 PM
I had found this (http://macops.ca/security-updates-leaving-mach_kernel-visible/), that seemed related, but didn't quite equate to what I was seeing in Yosemite users that hadn't received the update yet. If Yosemite does NOT store this at root anymore, then this appears to be a pre-Yosemite update that ran in Yosemite.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-30-2015 01:26 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-30-2015 03:06 PM
@ronb I've seen that show up on our systems after the last Security Update is applied on 10.10 systems. It seems like Apple is properly cleaning up after the firmware update is applied. I've been deleting the folder without any ill affects. Hopefully I'm not going to regret deleting that folder.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-02-2015 09:01 AM
I have found this thread as well, from Apple's support user forum - https://discussions.apple.com/thread/7297524?start=0&tstart=0.
We are still being (probably overly) cautious, and are testing it with lab and now our own systems. After a few days/weeks of indulgence, we'll probably build a policy to delete it company wide.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-05-2015 12:03 PM
I looked into this a little bit by expanding the SecUpd2015-004Yosemite.pkg using:
pkgutil --expand /Volumes/Security Update 2015-004/SecUpd2015-004Yosemite.pkg ~/Downloads/SecUpd2015-004Yosemite/This results in a folder with two non-flat sub-packages: SecUpd2015-004Yosemite.pkg, and FirmwareUpdate.pkg. I then did an lsbom on each of these:
lsbom ~/Downloads/SecUpd2015-004Yosemite/FirmwareUpdate.pkg/Bom
. 40755 0/0
./private 40755 0/0
./private/tmp 41777 0/0
./private/tmp/RecoveryUpdatePayload 100644 501/20 1 397289535Note: I removed results from the following that don't relate to the /Payloads folder so as to avoid having a ten page long list of files.
lsbom ~/Downloads/SecUpd2015-004Yosemite/SecUpd2015-004Yosemite.pkg/Bom
...
./Payloads 40755 0/0
./Payloads/External 40755 0/0
./Payloads/External/System 40755 0/0
./Payloads/External/System/Library 40755 0/0
./Payloads/External/System/Library/CoreServices 40755 0/0
./Payloads/External/System/Library/CoreServices/FirmwareUpdates 40755 0/0
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages 40755 0/0
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIJSONs 40755 0/0
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIJSONs/EFIROM_J40.json 100644 0/0 261 3381299827
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIJSONs/EFIROM_K21K78.json 100644 0/0 177 2545554930
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIJSONs/EFIROM_K60K62.json 100644 0/0 177 650315817
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIJSONs/EFIROM_K9x.json 100644 0/0 351 3232015353
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIPayloads 40755 0/0
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIPayloads/IM121_0047_21B_LOCKED.scap 100644 0/0 8454768 1323735681
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIPayloads/MBA41_0077_B12_LOCKED.scap 100644 0/0 8454768 858918531
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIPayloads/MBP81_0047_2AB_LOCKED.scap 100644 0/0 8454768 2749242055
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIPayloads/MM51_0077_B12_LOCKED.scap 100644 0/0 8454768 1740353849
...As you can see it shows that the /Payloads folder comes from the SecUpd2015-004Yosemite.pkg and not the FirmwareUpdate.pkg. This makes me less confident in removing the /Payloads folder.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-10-2015 04:30 AM
I notice that the 2015-005 update for Yosemite does not put a Payloads folder on /. Go figure.
