Posted on 11-29-2017 08:27 AM
What’s the best way to do this. Apple pushed out the fix just now. How can I tell which of my Macs has installed it?
Posted on 11-29-2017 08:30 AM
Assuming that your Macs have submitted inventory, you can look for High Sierra build 17B1002.
Posted on 11-29-2017 08:36 AM
Posted on 11-29-2017 08:58 AM
@irobinso Thanks for that information. Fortunately, none of our macs are running that build yet.
Does anybody know how to disable the App Store so that my users don't accidentally install this update?
Posted on 11-29-2017 09:02 AM
@isterling.goaaa Say what?? Why would you not want to have this update installed? It fixes a major security issue in 10.13.x that allows trivial access to the root account. Not understanding. :-/
Posted on 11-29-2017 09:04 AM
Just make the High Sierra installer restricted software if your clients are not @ 10.13.x yet. Don't disable the App Store.
Posted on 11-29-2017 09:06 AM
@mm2270 I think @isterling.goaaa meant none of his clients are running High Sierra yet, or at least that's how I interpreted it.
Posted on 11-29-2017 09:11 AM
I have 23 computers running the exploitable version. Im just waiting for Apple to publish the PKG file so i can push it via a policy.
Posted on 11-29-2017 09:18 AM
Maybe I misunderstood... It's build 17B1002 that is affected, yes? If so, why would I want to install a security update that opens a great big hole on my systems? Currently, none of us running 17B48 in my office (there are four of us out of 120 deployed machines running High Sierra) seem to be affected by this issue ... or at least we're unable to replicate it.
Posted on 11-29-2017 09:20 AM
@isterling.goaaa , 17B1002 fixes an issue that is present in all High Sierra versions before it, it doesn't introduce the issue.
Posted on 11-29-2017 09:20 AM
See the post here for the downloadable package.
It shows up in the App Store on a 10.13.1 system, but it shows up rather strangely in the softwareupdate command line.
Posted on 11-29-2017 09:23 AM
Posted on 11-29-2017 09:27 AM
Posted on 11-29-2017 09:31 AM
Posted on 11-29-2017 09:35 AM
@DylanMurphy There goes Apple naming updater .pkg's the same again.... https://support.apple.com/en-us/HT208315
Posted on 11-29-2017 09:43 AM
@geekyink yeah, i downloaded that package and pushed it to my test computer. When it failed it realized that it was the wrong package because it complained about needing OS 10.12. Very annoying!
Posted on 11-29-2017 09:46 AM
And..... for once the Security Update DOESN'T REQUIRE A REBOOT!!!!! Yay!
Posted on 11-29-2017 09:57 AM
Posted on 11-29-2017 10:10 AM
@cashman.tech Not yet. i'm still waiting for the Apple official version. i found this but i'm not sure how much i trust it. https://twitter.com/_inside/status/935910171888508929
Posted on 11-29-2017 10:11 AM
I downloaded the 10.13.1 Supplimental update in dmg format and was unable to install it locally onto my machine either by policy or just simply running the package. Any suggestions?
Posted on 11-29-2017 10:12 AM
@cashman.tech Use this link
It's a direct download from Apple's swcdn, not from an article on their site, but it's the real thing, as the certificate verifies it's from Apple
The best thing would be for Apple to publish it as a standalone download from a posting on their support site. I don't see one out there yet, but hopefully they will do that soon.
Posted on 11-29-2017 10:19 AM
Posted on 11-29-2017 10:20 AM
I found the DMG of the supplemental update here, but the .pkg file within didn't want to run on my mac.
Posted on 11-29-2017 10:30 AM
@DylanMurphy When you get the pkg install, double click it to open it in Installer.app. Before clicking any buttons, there's a lock icon in the upper right hand corner of the Installer window. Click that to see the certificate chain.
Posted on 11-29-2017 10:50 AM
Posted on 11-29-2017 10:55 AM
FWIW, it looks like the the receipt for the update is
For those looking for reporting around it being installed, you can use that receipt for a smart group. Probably need to give machines time to check in for inventory to get a real idea, though.
Posted on 11-29-2017 11:34 AM
For anyone looking for standalone, it's there, but takes some digging (as in, it's not featured): https://support.apple.com/kb/DL1942?viewlocale=en_US&locale=en_US
Posted on 11-29-2017 11:33 PM
FWIW, a 2017 MacBook Touch ID model laptop is showing
17B1003, in case anyone is using build number to determine if the fix is applied.
Posted on 11-30-2017 03:54 AM
Has it broken the ability to create an admin account for anyone else?
Posted on 11-30-2017 04:26 AM
Yep, it's broken for me as well:
Posted on 11-30-2017 05:37 AM
Agree, since installing the second release of the Security Update 2017-001, which results in 10.13.1 build 17B1003, our local admin account can not create standard or admin accounts via System Preferences >> Users & Groups.
Also fails when logging in with a mobile (AD) Admin account and trying the same steps to create an account.
Both types of accounts can be successfully added using Casper Remote (9.101.0).
Posted on 11-30-2017 05:46 AM
FWIW I am able to create a new admin account after the patch.
Posted on 11-30-2017 05:50 AM
@donmontalvo How come I can never see the build number in my "About This Mac" windows?
@rich.thomas I can't create an admin user through the System Preferences either, but I was able to login with an LDAP account that's in the admin group and it made the account an admin. So it appears to be just something with the GUI.
What are people installing to get 17B1003? I've re-downloaded 2017-001 for 10.13.1 and it still installs 17B1002. The other 2017-001 update only works for 10.13.0 it appears.
Posted on 11-30-2017 05:55 AM
Posted on 11-30-2017 06:01 AM
@grahamrpugh I learned something new today!
On a side note, the App Store update brings it to 17B1003, but not the dmg download.
Posted on 11-30-2017 06:07 AM
To those having issues creating admin accounts (@rich.thomas, @PhillyPhoto, @adhuston), I had the same issue at first but it worked normally after a reboot. Have you tried that already?
Posted on 11-30-2017 06:22 AM
It does appear this update required a reboot afterall for the create new accounts to work.
Posted on 11-30-2017 06:23 AM
Posted on 11-30-2017 06:34 AM
The receipt for the second update is
com.apple.pkg.update.os.10.13.1Supplemental.17B1003. I'm not sure if there is a separate update for 10.13 (meaning, if the update installer is unique to 10.13 with a unique receipt name) as I haven't seen a 10.13.0 machine with any comparable receipt listed so far. If someone has a 10.13.0 machine that has gotten a security update and wants to share the receipt name I'm sure that'd help folks out.
Posted on 11-30-2017 06:35 AM
From what I can see on my 10.13.0 machines the receipt is com.apple.pkg.update.os.10.13Supplemental.17A501.