Enforcing Critical OSX System Updates via Casper

Upon many talks from and within the Mac Admin community about XProtect and Gatekeeper updates, it was pointed out that within a few scenarios, the updates don’t apply.

Scenario 1: When the Auto check for Apple Updates is disabled, (softwareupdate Schedule off), the critical updates do not apply.
When you do sudo softwareupdate –background-critical while your auto update checks are disabled, the critical updates do not apply.(This is automatically check for updates, not auto install updates)

Screen Shot 2015-02-12 at 2.26.39 PM

Screen Shot 2015-02-12 at 2.18.46 PM

Screen Shot 2015-02-12 at 2.19.03 PM

Once you turn the settings back on and run the same command, you see a whole lot more than before.

Screen Shot 2015-02-12 at 2.31.07 PM

Screen Shot 2015-02-12 at 2.37.45 PM

A lot more traffic, including download of XProtectConfigData.
The next step was to ensure I could not only verify the state of the settings in OSX but also run the command that would update the security data.
I wrote a couple of scripts to address this situation and they are available on my github

The first Update_Status.sh is an extension attribute that will check:
-Automatic Check for Updates
-Install Critical Updates
Once set as an attribute, you will get a report at every inventory and I also added a command to run the background-critical command to ensure the critical updates are been taken care of.

Screen Shot 2015-02-12 at 2.52.51 PM

The second part is to setup smart group which will grab all clients where the Attribute result are “Disabled”
That smart group will be the scope of a policy set to run on recurring with ongoing frequency.
It will enable the auto updates and also run the critical updates.

Screen Shot 2015-02-12 at 2.54.24 PM
With that, all my clients are taking care of.
Once a client is identified via the inventory collection, the smart group is updated and the policy will run to set the settings back into compliance.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s