With the updates released by Apple yesterday. I am trying to run a search to get a list of employees that have updated installed the updates. Does anyone have any recommendations of what would be the best way to get this report? (Example: Safari version 11.0.2 build 12604.4.7.1.6).
I setup an Extension Attribute to pull Safari exact version info then setup smart group set with that that extension attribute > is not > 12604.4.7.1.6. Then scoped a new policy pointed to that group and used the execute command under Files/Process to run sudo softwareupdate --install Safari11.0.2Sierra-11.0.2
#!/bin/sh if [ -d /Applications/Safari.app ] ; then RESULT=$( sudo defaults read /Applications/Safari.app/Contents/Info CFBundleVersion ) echo "<result>$RESULT</result>" else echo "<result>Not Installed</result>" fi
#!/bin/sh if [ -e /Applications/Safari.app ] then RESULT=$(plutil -p "/Applications/Safari.app/Contents/Info.plist" | grep "CFBundleVersion" |sed 's/.*> //g' | tr -d '"') echo "<result>$RESULT</result>" fi
Extension Attribute is the way to go. Jamf already collects the application version number — this will should give you the build number.
Yes, an EA seems to be the most logical way to get this info. Keep in mind though that depending on what OS versions you still have in the environment, you may need to build 2 separate Smart Groups from the value captured, since 10.11.6 and 10.12.6 have different Safari build numbers after the Spectre patch is applied. "11604.4.7.1.6" for El Capitan and "12604.4.7.1.6" for Sierra, per this Apple article.
So after using an EA like above, you can start create 2 Smart Groups (if needed)
For El Capitan:
Operating System | is | 10.11.6 and Safari Build | is not | 11604.4.7.1.6
Operating System | is | 10.12.6 and Safari Build | is not | 12604.4.7.1.6
Anything that is not running 10.11.6, 10.12.6 or 10.13.2 isn't going to be patched inherently since only those OSes can have the Spectre patches applied.
Also, there's no need for a
sudo in the EA as it will be running as root and should have no trouble reading the Safari Info.plist.
Is there any connection to the build number of the OS after the Safari update?
If a Sierra computer has the Safari Build 12604.4.7.1.6 installed, does that change the mac OS build to 16G1114
If a El Capitan computer that has the Safari Build 11604.4.7.1.6 installed, then the OS build is 15G18013
Or is the OS build number not an indicator?
UPDATE: The OS Build number is not an indicator that the updated Safari 12604.4.7.1.6 or 11604.4.7.1.6 has been installed.