I'm kind of confused about what you're asking. Are you looking to know which Macs only need certain specific Apple software updates? Not just any Apple software updates?
If so, are you collecting available Software Updates at inventory time? You can check on that in the Inventory Collection settings in your JSS. If you are, you should be able to plug in specific update names into the "Available SWUs" criteria in either an Advanced Search or Smart Group to gather machines with any of those available.
Or am I way off on this and you're looking for something else completely?
The built-in criteria Number of Available Updates keys off softwareupdate. It will only report Apple updates available via software update. You can make a smart group for more than 0 for an update policy.


Ok great. That did it. I was originally exporting the results from the Number of Available Updates as Applications, but then I plugged it in to export as Available SWUs. That gave me a report based on specific updates and which systems needed them.
An example would be the Security Updates with a priority over iTunesXPatch-12.6. Thanks!
FWIW, there are two items in softwareupdate -l related to the iTunes 12.6 update.
iTunesX-12.6 and iTunesXPatch-12.6
Computers that show either (or both?) will need the iTunes 12.6 update.
Our policy lets Apple do the scoping, so we target computers that have either/both available to them.

I was looking for this also--e.g. find all computers that require Security Update 2017-005. I did not know that the search criteria is (non-obvious) "Available SWUs". Thanks for the info.