Safari version and build version search?

New Contributor II

Hi All,

With the updates released by Apple yesterday. I am trying to run a search to get a list of employees that have updated installed the updates. Does anyone have any recommendations of what would be the best way to get this report? (Example: Safari version 11.0.2 build 12604.

Thank you,



I setup an Extension Attribute to pull Safari exact version info then setup smart group set with that that extension attribute > is not > 12604. Then scoped a new policy pointed to that group and used the execute command under Files/Process to run sudo softwareupdate --install Safari11.0.2Sierra-11.0.2


if [ -d /Applications/ ] ; then
    RESULT=$( sudo defaults read /Applications/ CFBundleVersion )
    echo "<result>$RESULT</result>"
    echo "<result>Not Installed</result>"

New Contributor III

if [ -e /Applications/ ]


    RESULT=$(plutil -p "/Applications/" | grep "CFBundleVersion" |sed 's/.*> //g' | tr -d '"')

    echo "<result>$RESULT</result>"


Extension Attribute is the way to go. Jamf already collects the application version number — this will should give you the build number.

New Contributor III

Yes. That. ^^

Legendary Contributor II

Yes, an EA seems to be the most logical way to get this info. Keep in mind though that depending on what OS versions you still have in the environment, you may need to build 2 separate Smart Groups from the value captured, since 10.11.6 and 10.12.6 have different Safari build numbers after the Spectre patch is applied. "11604." for El Capitan and "12604." for Sierra, per this Apple article.

So after using an EA like above, you can start create 2 Smart Groups (if needed)

For El Capitan:

Operating System | is | 10.11.6
Safari Build | is not | 11604.

For Sierra:

Operating System | is | 10.12.6
Safari Build | is not | 12604.

Anything that is not running 10.11.6, 10.12.6 or 10.13.2 isn't going to be patched inherently since only those OSes can have the Spectre patches applied.
Also, there's no need for a sudo in the EA as it will be running as root and should have no trouble reading the Safari Info.plist.

Valued Contributor

Is there any connection to the build number of the OS after the Safari update?

If a Sierra computer has the Safari Build 12604. installed, does that change the mac OS build to 16G1114
If a El Capitan computer that has the Safari Build 11604. installed, then the OS build is 15G18013

Or is the OS build number not an indicator?

UPDATE: The OS Build number is not an indicator that the updated Safari 12604. or 11604. has been installed.