Security Update 2015-002

@H3144-IT

Thanks for posting the links for the individual OSs. I'm definitely appreciating Apple has more often than not over the last year released security updates that are <100MB versus waiting and rolling them up into some big OS point upgrade. Makes it much more feasible for us to push out. Now to try to see if I can get the Mavericks one working on 10.9.4

Thanks for the links. I see there are two 10.10 updates....is Yosemite forked now? I'm thinking the "Early2015" version is just for the hardware that was announced yesterday, does that sound right? (I think only the Airs and 13" Pros are available for purchase as of today)

It's notable that this update, like the previous few security updates, require you to be on the latest version of whatever OS you have: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, or OS X Yosemite v10.10.2.

As an FYI, it is updating the build number for the OS:

10.8.5 is upgraded to 12F2501
10.9.5 is upgraded to 13F1066
10.10.2 is upgraded to 14C1510

@JRossA Thank you! was looking for this.

Anyone know if these can be applied to lesser versions i.e 10.8.3 or 10.9.4?

As listed above, it does require each OS to be at the latest version.

and one would wonder why you are worried about security update 2015.002 when you have not applied any of the most recent security updates to your old clients, you had to be at .5 for both 10.8 and 9 to apply the super scary bash update, or any of last years security updates to my recollection.

anybody check the boots to 50% error with this new build revision?

@nessts - in some environments, it isn't practical to push/install updates that are over a gig. I installed the bash update and a few others without being 10.9.5.

Worried because of the following. I am new to this environment and have inherited a mixed environment. I am currently working on getting everyone up to standards and I only got licensed to use casper in this environment 2 weeks ago. Answered your question?

Yup, new build numbers:

0.9.5 build numbers

10.9.5 build numbers

10.10.2 build numbers

well step one is to update them to the latest update that is available for each OS as they each have their own set of security updates embedded in them. then worry about the latter. @CasperSally you either worry about security updates or you worry about network speed and stability i suppose. I just find it ironic to worry about today's security update when you a machine is at a state that is more than a year and a half behind on security updates. Not trying to start a war. Just bringing up the inconsistency in my eyes.

And there are good reasons to stay not updated, the more updated my machines get the more unstable they seem to get, the boot stuck at 50% thing, random system freezes after the security update that was released in October, that go away with 10.10.2 but then some machines and users get the 50% boot stuck thing, why not all of them. Anyway until Apple focuses on stabilizing the OS and not on making a thinner laptop with fewer ports and slower processors and memory so it can have a longer battery life we will have to make those choices I guess.

@sardesm Depending on the client, I often deploy a set of policies that prompt people to update only if they have certain updates available that the IT department has deemed "critical." For example 10.8.5, 10.9.5, or 2015-002.

Smart groups collect the computers for which these critical updates are available, and a policy uses the jamfHelper to prompt the owner to either install now or defer for a day. People are given 3 deferrals before the updates are forced. (There are a few good JAMF Nation threads containing script snippets that can be used to accomplish this.)

In this way, we can make sure our Macs have the important updates, while leaving it up to the owner to install the unimportant updates at their discretion.

@nessts - For us, it's about having thousands of laptops in students hands where they open and close lids all day long. We would get a ton of JSS network related errors pushing something that big, but we could cache it for install later. Unfortunately, I can't trust a 2nd (or 10th) grader to wait for even a cached OS upgrade to properly install on a 3.5 year old white macbook, for example.

Our machines are imaged to latest OS once a year, 10.9.4 was released June 30th, so we're never a year and a half stale. We push the smaller updates (like bash and NTP) where we can. They didn't really require the latest, just a flag they looked for during install. This update is more complicated so still looking at it.

Ideally we'd be latest security wise. I too wish Apple would to forgo the thinner laptop with fewer ports and work on stability of OS and also instead make all security update separate from OS updates and small (i.e. microsoft model), but that'll never happen. Their way or the highway.

I do the same thing with one account where people open and close laptops all day long, and yes there are caching errors, but they get them eventually. As I said it depends on your priority.

@nessts I have been a casper admin twice certified for over 5 years and don't need advice on how to get my machines up to standards. I was just asking if it was confirmed the latest updates needed those revisions. Having found that out, i will proceed as i have been on getting all the machines in my environment up to date.

Thanks for the info.

@nessts was being helpful, this one seems like a curve ball, since the update doesn't show on all Macs.

@John.Smith asked:

is Yosemite forked now?

@magarvalp tweet:

Build less than 14C2043 is checked inside https://t.co/Nz36jf4Jet . Forked 10.10.2 builds coming for new macs. #macadmin

Someone in another post had mentioned a way to script Jamf helper to allow reboot deferments, anyone know where that thread is?

think i found it.

https://jamfnation.jamfsoftware.com/discussion.html?id=5404

@sardesm That's pretty close to what we're doing. The main difference is we're using defaults write instead of writing to a text file. That way we can save a bunch of useful information in the same plist.

FWIW, you may want to hide the /mach_kernel file on 10.8.5 & 10.9.5 post this update on clients to keep them booting.

Myself & @rtrouton have blog posts on 2 different ways to do this via the JSS.

Mine can be found here. & contains a link to Rich's post, as well as @timsutton's post explaining it.

@elliotjordan - you mentioned that you use

Smart groups collect the computers for which these critical updates are available, and a policy uses the jamfHelper to prompt the owner to either install now or defer for a day. People are given 3 deferrals before the updates are forced. (There are a few good JAMF Nation threads containing script snippets that can be used to accomplish this.)

Are you able to post your criteria or the threads to help create these groups. At the moment I'm populating a smart group based on the information available in the output from the terminal command: /usr/sbin/system_profiler SPInstallHistoryDataType

Thanks, James

HI @jazzyj,

Sure, here are the smart groups I've been using effectively for the generic OS updates:

• Critical update needed: Mac OS X 10.9.5:
  • Operating System like 10.9
  • and Operating System is not 10.9.5
• Critical update needed: Mac OS X 10.10.5:
  • Operating System like 10.10
  • and Operating System is not 10.10.5
• Critical update needed: Mac OS X 10.11.4:
  • Operating System like 10.11
  • and Operating System is not 10.11.4

And here's an example for a security update that, when installed, increments the OS build number. The build numbers listed below are for 10.8.5 and 10.9.5 without the security update applied:

• Critical update needed: Security Update 2015-002:
  • Operating System is 12F45
  • or Operating System is 13F34

And here's a more complex smart group for a security upgrade that doesn't increment the OS build number. We need to refer to installed receipts for this:

• Critical update needed: Security Update 2015-001 for Mavericks:
  • Operating System like 10.9
  • and Packages Installed By Installer.app/SWU does not have com.apple.pkg.update.security.10.9.5.13F1056.2015.001

Hope that helps.

Over time we've come up with a stack of Smart Computer Groups that have become Lego Blocks for policies. They come in handy for scoping, as well as exclusions. The first one was easy. Subsequent ones were cloned and edited.