Jamf Nation Community

Add the following to your own custom /Library/Preferences/com.apple.SoftwareUpdate.plist, upload and push through Jamf.

/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticallyInstallMacOSUpdates -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool true
usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist CriticalUpdateInstall -bool true

This worked for us to enable all the options above and keep them greyed out. Although @wmehlios' suggestion would work to remove access to the "Software Update" pane all together...I'm still looking for a way to "grey" out the button and block a user from un-checking the "Automatically keep my mac up to date" button.

Even with the above pushed through a configuration profile, I'm still able to deselect the option.

has anyone found a way to block a user from un-checking the "Automatically keep my mac up to date" button as @ jmariani was asking, besides what @wmehlios' suggested?

Can you help a newbie here and provide a little more details as to how to push this file to all the computers? Thanks.

I need help too with this topic, I want to do an activation for this preference because some users are hard to push the updates, also, they don't want to do this updates by themselves.

Thnx.

Hello ,

You can restrict access with Jamf Pro V10.7 with a configuration Profiles under Restrictions.

Also , you can use this : => usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticallyInstallMacOSUpdates -bool false

/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled -bool false

/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool false

/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist CriticalUpdateInstall -bool false

to uncheck all options , after that , when user's try to check : Automatically... , an admin password its needed.

You can write a script with it to deploy on all computer you need.

So do we create a script in Jamf Pro with all those /usr/bin/defaults commands?

@lrabotteau How did you get this added through confir profiles?

Only apply the above defaults or profile if you have a SUS or another way to handle Apple updates. With those settings applied you will miss Apple's silent security updates; Xprotect,Gatekeeper,Malware Removal Tool and EFi

os-x-admins-your-clients-are-not-getting-background-security-updates

I found that I had to do these 6 in order to get all boxes checked (the last 2 are in addition to the ones previously mentioned in this thread):

#!/bin/sh
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticallyInstallMacOSUpdates -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist CriticalUpdateInstall -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist ConfigDataInstall -bool true
/usr/bin/defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool true

@afzanjamalgt worked like a charm. Thank you!

I wrote a bash script I'm using for an extension attribute to create a smart group that shows compliance for the six settings that @afzanjamalgt referenced. The idea being if you land in that non-compliant group it runs a bash script to set all six values to true.

My question is more about the behavior of each setting. Does anyone know will it reboot on its own? Does the user get a chance to defer? Will it reboot if the host is idle, say overnight? I did read it won't download anything unless the laptop is on wired power (https://support.apple.com/guide/mac-help/get-macos-updates-mchlpx1065/mac).

We're testing this out on a couple machines and will know behavior in a while. Thought someone might of already went down this path and could speak to the user experience.

I'm doing all of this because in JamF 10.8 my auto update policy that hit each day dropped my custom reboot message and timer. It stared giving generic reboot in 5 min messages (was 4hrs) which is not acceptable for us. JamF says this is a known issue PI-006540

@lmeinecke
This generic 5 minutes update thing has been going on for a while and nobody at Jamf seems to have any urgency about fixing it. This problem came up right at the same time we pushed our entire company to managed updates... Rebooted everyone in the middle of the day and a total disaster for us. We had selected "if user is logged in, do not restart" and it ignored that setting completely.

Has anyone come up with a way to push a custom plist to force automatic updates on at the computer level? I don't want my users to be able to turn this feature off and I can't get that checkbox to grey out at all.

I've analyzed the existing plist and the changes in it when hitting that checkbox... but when I recreate that file and push it with jamf, it only effects the advanced options...

https://derflounder.wordpress.com/2018/12/28/enabling-automatic-macos-software-updates-for-os-x-yose...

I have policy to enable automatic updates like @ACMT mentioned on around a dozen hosts but it doesn't seem to work. I get the impression that having apps open like Outlook seems to break the automatic update setting. I have hosts that are still on 10.14.0-2 which is not ideal seeing 10.14.3 is out.

I am trying to manage this with a profile instead of running a script on every user. I added custom settings payload and then added all the values. Everything works and is locked down except the "Automatically keep my Mac up to date?"

According to the article, this isn't possible and can only be scripted which is a huge bummer:
"Unfortunately, it is not yet possible to set these automatic update settings using a profile. The com.apple.commerce preference domain can’t be managed by a profile and the AutomaticallyInstallMacOSUpdates setting in the com.apple.SoftwareUpdate preference domain should be manageable with a profile, but for unknown reasons, it can’t be."

My only resolution is to lock down the pane completely and then create our own internal/signed Software Update wrapper for the terminal commands.

@ afzanjamalgt
The last one doesn't work for me: /usr/bin/defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool true

Just curious... after everything is said and done and all that we want has been set and enabled, this pops up:

How would one stop/suppress this notification from popping up on the user end?

Hello @monaronyc I started looking in my scripts and configuration profiles for the answer and somehow, I don't have anything set to disable this popup. I am surprised as my lab coordinators aren't calling me asking to disable this.

Thanks @mconners ! Everything works great except for this piece. and if you click not now, comes right back up. Weird.

@monaronyc at one point I had this disabled. I thought it was done via a configuration profile. At the moment, I don't recall how though...strange.

FOUND IT!

defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool FALSE

Is there a defaults write for the

@piagetblix

defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool TRUE

Is it functional to leave CriticalUpdateInstall intact and allow the security updates to come from a caching server then manage all others through Repesado?

@lmeinecke Could you share the script you are using for the extension attribute?

Does this command allow a Mac to auto install 10.15 when it is made available??

/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticallyInstallMacOSUpdates -bool true

Thanks,
R

https://docs.jamf.com/10.14.0/jamf-pro/release-notes/Bug_Fixes_and_Enhancements.html

Looks like this issue has finally been fixed.

Can this be accomplished with configuration profiles?

@jayke : There are some new profile payloads in Catalina for managing the software update settings shown above. Expect Jamf to integrate them in a future release.

I have been using a script from @haircut to set the desired SWU state of my systems once per a day. There is currently no way to manage this via config profile, yet unfortunately. This has been running in prod for a few months now. There are some caveats though:

• The system must be powered on and plugged in for auto update to trigger
• It only seems to happen after 2AM (yes I tested this at 2AM lol)
• If the lid is closed, or the device is not active it will not run
• The user can still interrupt this process

script:

#!/usr/bin/python
'''
Checks macOS software update settings and remediates deviations from a 
specified desired state
'''

from Foundation import (
    CFPreferencesAppSynchronize, CFPreferencesCopyAppValue,
    CFPreferencesCopyValue, CFPreferencesSetAppValue, CFPreferencesSetValue,
    CFPreferencesCopyKeyList, kCFPreferencesAnyHost, kCFPreferencesAnyUser, NSDate)


DESIRED_STATE = [
    {
        'domain': 'com.apple.commerce',
        'prefs': {
            'AutoUpdate': True,
            'AutoUpdateRestartRequired': True
        }
    },
    {
        'domain': 'com.apple.SoftwareUpdate',
        'prefs': {
            'CriticalUpdateInstall': True,
            'AutomaticDownload': True,
            'ConfigDataInstall': True,
            'AutomaticCheckEnabled': True,
            'AutomaticallyInstallMacOSUpdates': True
        }
    }
]


def check_pref(key, value, domain):
    '''Checks if 'key' is set to 'value' in 'domain' '''
    p = CFPreferencesCopyValue(key, domain, kCFPreferencesAnyUser, 
                               kCFPreferencesAnyHost)
    return True if p == value else False


def set_desired_state(config):
    '''Sets preferences according to provided config'''
    for domain in config:
        for key, value in domain['prefs'].iteritems():
            if not check_pref(key, value, domain['domain']):
                CFPreferencesSetValue(key, value, domain['domain'],
                                      kCFPreferencesAnyUser, 
                                      kCFPreferencesAnyHost)
                print "Set - {} - {}: {}".format(domain['domain'], key, value)

    CFPreferencesAppSynchronize(domain['domain'])


def main():
    '''Main'''
    set_desired_state(DESIRED_STATE)


if __name__ == '__main__':
    main()

Now that Catalina has been released, I want someone to confirm that everything discussed above (all about upDATES) will NOT perform an automatic upGRADE (from 10.14 to 10.15).

Regardless of settings, NO upgrade should be performed automatically in our environment, but I want to keep the benefits of auto-updating 10.14 with security updates, App store etc etc.

Please enlighten me.

@roeland.de.windt This was a concern of ours as well. I tested this on a machine that was on 10.14.5 with a long deferral of Software Updates. Just last week, it updated itself to 10.14.6, however, Catalina is still sitting in Software Update awaiting my trigger.

Your Mac is not going to upgrade unless "told" to do so. This process works and the badge shows update, but it's not in SU pref pane. If you combine that with a process kill for Catalina, you should be fine.

Did anyone try restricted software?

It looks like this line:
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled -bool false

Does the same as this line that was deprecated?
softwareupdate --schedule off

In my testing it turns off/unchecks Check for updates

Is that accurate?