Has anyone seen the trend of the "Payloads" folder showing up at the root level of Macintosh HD after Apples recent "Security Update 2015-004 1.0 update with Yosemite? We are on Mac OS 10.10.5 and it is showing up on all systems after our software update policy.
It also showed up when running the update manually thru Apple's App Store. The system was getting the update directly from Apple, not one of our internal SUS servers.
I had found this (http://macops.ca/security-updates-leaving-mach_kernel-visible/), that seemed related, but didn't quite equate to what I was seeing in Yosemite users that hadn't received the update yet. If Yosemite does NOT store this at root anymore, then this appears to be a pre-Yosemite update that ran in Yosemite.
@ronb I've seen that show up on our systems after the last Security Update is applied on 10.10 systems. It seems like Apple is properly cleaning up after the firmware update is applied. I've been deleting the folder without any ill affects. Hopefully I'm not going to regret deleting that folder.
I have found this thread as well, from Apple's support user forum - https://discussions.apple.com/thread/7297524?start=0&tstart=0.
We are still being (probably overly) cautious, and are testing it with lab and now our own systems. After a few days/weeks of indulgence, we'll probably build a policy to delete it company wide.
I looked into this a little bit by expanding the SecUpd2015-004Yosemite.pkg using:
pkgutil --expand /Volumes/Security Update 2015-004/SecUpd2015-004Yosemite.pkg ~/Downloads/SecUpd2015-004Yosemite/
This results in a folder with two non-flat sub-packages: SecUpd2015-004Yosemite.pkg, and FirmwareUpdate.pkg. I then did an lsbom on each of these:
lsbom ~/Downloads/SecUpd2015-004Yosemite/FirmwareUpdate.pkg/Bom . 40755 0/0 ./private 40755 0/0 ./private/tmp 41777 0/0 ./private/tmp/RecoveryUpdatePayload 100644 501/20 1 397289535
Note: I removed results from the following that don't relate to the /Payloads folder so as to avoid having a ten page long list of files.
lsbom ~/Downloads/SecUpd2015-004Yosemite/SecUpd2015-004Yosemite.pkg/Bom ... ./Payloads 40755 0/0 ./Payloads/External 40755 0/0 ./Payloads/External/System 40755 0/0 ./Payloads/External/System/Library 40755 0/0 ./Payloads/External/System/Library/CoreServices 40755 0/0 ./Payloads/External/System/Library/CoreServices/FirmwareUpdates 40755 0/0 ./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages 40755 0/0 ./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIJSONs 40755 0/0 ./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIJSONs/EFIROM_J40.json 100644 0/0 261 3381299827 ./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIJSONs/EFIROM_K21K78.json 100644 0/0 177 2545554930 ./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIJSONs/EFIROM_K60K62.json 100644 0/0 177 650315817 ./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIJSONs/EFIROM_K9x.json 100644 0/0 351 3232015353 ./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIPayloads 40755 0/0 ./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIPayloads/IM121_0047_21B_LOCKED.scap 100644 0/0 8454768 1323735681 ./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIPayloads/MBA41_0077_B12_LOCKED.scap 100644 0/0 8454768 858918531 ./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIPayloads/MBP81_0047_2AB_LOCKED.scap 100644 0/0 8454768 2749242055 ./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIPayloads/MM51_0077_B12_LOCKED.scap 100644 0/0 8454768 1740353849 ...
As you can see it shows that the /Payloads folder comes from the SecUpd2015-004Yosemite.pkg and not the FirmwareUpdate.pkg. This makes me less confident in removing the /Payloads folder.