Security Update 2016-001 El Capitan & Security Update 2016-005 Yosemite

  • September 2, 2016
  • 10 replies
  • 70 views


I noticed in previous security updates someone has taken the time to start a thread about the matter and way to go about deploying it. Since I haven't seen that yet today I thought I'd start one to get the ball rolling.

10 replies

  • Honored Contributor
  • September 2, 2016

The build #'s for both 10.10.5 and 10.11.6 change after this security upgrade.
10.11.6 becomes: 15G1004
10.10.5 becomes: 14F1912
If you do a search for machines not on these builds and apply your preferred method of updating to that, you should get them all.

No official word on 10.9.5 yet.


  • Valued Contributor
  • September 2, 2016

RobertHammen
  • Esteemed Contributor
  • September 2, 2016

This is what works for me for 10.11.6. For 10.10.5, use that + build 14F1912.


  • Valued Contributor
  • September 2, 2016

@RobertHammen, do you know if the OS build number gets updated immediately after applying the update, or is a reboot needed?


RobertHammen
  • Esteemed Contributor
  • September 3, 2016

@andyinindy I know that /System/Library/CoreServices/SystemVersion.plist gets updated immediately after the install. The relevant key (for /usr/bin/defaults read) is ProductBuildVersion

You might want to try running this on a Mac, then forcing a recon/inventory update before reboot, to see if it reports the new version before the restart. I think it will. Of course, most security updates tend to make the Macs unstable/unable to authenticate/potentially unable to open apps, so you should do a restart as part of the policy.

Manual package installer for 10.11.6: https://support.apple.com/kb/DL1891?viewlocale=en_US&locale=en_US
Manual package installer for 10.10.5: https://support.apple.com/kb/DL1890?viewlocale=en_US&locale=en_US
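
An added example, not part of the original posts: a shell check built on the ProductBuildVersion key described above and the patched builds quoted earlier in the thread (15G1004 and 14F1912). It goes beyond a "not these builds" search by treating a higher build number on the same OS version as patched, which assumes build numbers only increase within one OS version; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether a Mac is at or past the patched build for
# its OS version, using the build numbers quoted in this thread.

# Minimum patched build per OS version, as stated in the thread.
required_build() {
    case "$1" in
        10.11.6) echo 15G1004 ;;
        10.10.5) echo 14F1912 ;;
        *) return 1 ;;   # the thread gives no build for other versions
    esac
}

# Split a build such as 15G1004 into "15 G 1004"; prints nothing if malformed.
build_key() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9]\{1,\}\)\([A-Z]\)\([0-9]\{1,\}\)[a-z]\{0,1\}$/\1 \2 \3/p'
}

# patch_status OS_VERSION BUILD
#   prints: patched | needs-update | not-covered | mismatch | unparseable
# e.g. patch_status 10.11.6 15G999   (constructed build) prints needs-update
patch_status() {
    req=$(required_build "$1") || { echo not-covered; return; }
    cur_key=$(build_key "$2")
    [ -n "$cur_key" ] || { echo unparseable; return; }
    # Word splitting is intended: $1 $2 $3 = current, $4 $5 $6 = required.
    set -- $cur_key $(build_key "$req")
    if [ "$1" -ne "$4" ] || [ "$2" != "$5" ]; then
        # Build prefix does not belong to the reported OS version.
        echo mismatch; return
    fi
    # Assumption: within one OS version the trailing number only increases.
    if [ "$3" -ge "$6" ]; then echo patched; else echo needs-update; fi
}

# On a Mac, read the live values; skipped where these tools are absent.
if [ -x /usr/bin/defaults ] && [ -x /usr/bin/sw_vers ]; then
    build=$(/usr/bin/defaults read \
        /System/Library/CoreServices/SystemVersion ProductBuildVersion)
    patch_status "$(/usr/bin/sw_vers -productVersion)" "$build"
fi
```
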


  • Valued Contributor
  • September 3, 2016

Thanks @RobertHammen, I verified that the build number gets updated if you recon after applying the update. Cheers!

--Andy


  • Valued Contributor
  • September 3, 2016

I know a lot of folks don't like the simple answers, but the pictured and/or the equivalent configuration profiles are the most reliable way to ensure all patches and updates are applied in a timely manner.

If your network has bandwidth issues, Caching Server is a wonderful thing.


donmontalvo
  • Hall of Fame
  • September 3, 2016

+1

Unless your client has a stringent change control process mandate that all changes be vetted and approved.

¯_(ツ)_/¯


  • Valued Contributor
  • September 5, 2016

@donmontalvo True, but then educating the "keepers of the requirements" becomes a priority.

Apple devices and their associated operating systems are a closed system. The fully patched OS for the device in question is the starting point for vetting the org's chosen settings and 3rd party software. Participating in the Apple Developer Programs grants access to early builds of updates so the vetting team can vet ahead of time and lean on noncompliant 3rd party vendors to fix their software. I'll just leave this here so as not to continue to hijack this thread. I'm glad to discuss elsewhere.


donmontalvo
  • Hall of Fame
  • September 5, 2016

I agree with all your points, including discussing elsewhere.