Payloads folder shows up after security update

New Contributor II

Has anyone seen the trend of the "Payloads" folder showing up at the root level of Macintosh HD after Apples recent "Security Update 2015-004 1.0 update with Yosemite? We are on Mac OS 10.10.5 and it is showing up on all systems after our software update policy.

It also showed up when running the update manually thru Apple's App Store. The system was getting the update directly from Apple, not one of our internal SUS servers.



Hi, I saw your post and decided to have a look at a couple of computers I have available to me and they all have this Payload directory at the root. Interesting. Mine were all pushed via policy. I wonder what this is about?

New Contributor II

I had found this (, that seemed related, but didn't quite equate to what I was seeing in Yosemite users that hadn't received the update yet. If Yosemite does NOT store this at root anymore, then this appears to be a pre-Yosemite update that ran in Yosemite.

Esteemed Contributor
Esteemed Contributor

@ronb I've a similar post here & that has a link to @rtrouton's method.

Perhaps one of those will help you devise a method to hide it?

Valued Contributor II

@ronb I've seen that show up on our systems after the last Security Update is applied on 10.10 systems. It seems like Apple is properly cleaning up after the firmware update is applied. I've been deleting the folder without any ill affects. Hopefully I'm not going to regret deleting that folder.

New Contributor II

I have found this thread as well, from Apple's support user forum -

We are still being (probably overly) cautious, and are testing it with lab and now our own systems. After a few days/weeks of indulgence, we'll probably build a policy to delete it company wide.

Contributor III

I looked into this a little bit by expanding the SecUpd2015-004Yosemite.pkg using:

pkgutil --expand /Volumes/Security Update 2015-004/SecUpd2015-004Yosemite.pkg ~/Downloads/SecUpd2015-004Yosemite/

This results in a folder with two non-flat sub-packages: SecUpd2015-004Yosemite.pkg, and FirmwareUpdate.pkg. I then did an lsbom on each of these:

lsbom ~/Downloads/SecUpd2015-004Yosemite/FirmwareUpdate.pkg/Bom
.   40755   0/0
./private   40755   0/0
./private/tmp   41777   0/0
./private/tmp/RecoveryUpdatePayload 100644  501/20  1   397289535

Note: I removed results from the following that don't relate to the /Payloads folder so as to avoid having a ten page long list of files.

lsbom ~/Downloads/SecUpd2015-004Yosemite/SecUpd2015-004Yosemite.pkg/Bom
./Payloads  40755   0/0
./Payloads/External 40755   0/0
./Payloads/External/System  40755   0/0
./Payloads/External/System/Library  40755   0/0
./Payloads/External/System/Library/CoreServices 40755   0/0
./Payloads/External/System/Library/CoreServices/FirmwareUpdates 40755   0/0
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages    40755   0/0
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIJSONs   40755   0/0
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIJSONs/EFIROM_J40.json   100644  0/0 261 3381299827
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIJSONs/EFIROM_K21K78.json    100644  0/0 177 2545554930
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIJSONs/EFIROM_K60K62.json    100644  0/0 177 650315817
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIJSONs/EFIROM_K9x.json   100644  0/0 351 3232015353
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIPayloads    40755   0/0
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIPayloads/IM121_0047_21B_LOCKED.scap 100644  0/0 8454768 1323735681
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIPayloads/MBA41_0077_B12_LOCKED.scap 100644  0/0 8454768 858918531
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIPayloads/MBP81_0047_2AB_LOCKED.scap 100644  0/0 8454768 2749242055
./Payloads/External/System/Library/CoreServices/FirmwareUpdates/Packages/EFIPayloads/MM51_0077_B12_LOCKED.scap  100644  0/0 8454768 1740353849

As you can see it shows that the /Payloads folder comes from the SecUpd2015-004Yosemite.pkg and not the FirmwareUpdate.pkg. This makes me less confident in removing the /Payloads folder.

Honored Contributor

I notice that the 2015-005 update for Yosemite does not put a Payloads folder on /. Go figure.