Enforcing Critical OSX System Updates via Casper

Upon many talks from and within the Mac Admin community about XProtect and Gatekeeper updates, it was pointed out that within a few scenarios, the updates don’t apply.

Scenario 1: When the Auto check for Apple Updates is disabled, (softwareupdate Schedule off), the critical updates do not apply.
When you do sudo softwareupdate –background-critical while your auto update checks are disabled, the critical updates do not apply.(This is automatically check for updates, not auto install updates)

Screen Shot 2015-02-12 at 2.26.39 PM

Screen Shot 2015-02-12 at 2.18.46 PM

Screen Shot 2015-02-12 at 2.19.03 PM

Once you turn the settings back on and run the same command, you see a whole lot more than before.

Screen Shot 2015-02-12 at 2.31.07 PM

Screen Shot 2015-02-12 at 2.37.45 PM

A lot more traffic, including download of XProtectConfigData.
The next step was to ensure I could not only verify the state of the settings in OSX but also run the command that would update the security data.
I wrote a couple of scripts to address this situation and they are available on my github

The first Update_Status.sh is an extension attribute that will check:
-Automatic Check for Updates
-Install Critical Updates
Once set as an attribute, you will get a report at every inventory and I also added a command to run the background-critical command to ensure the critical updates are been taken care of.

Screen Shot 2015-02-12 at 2.52.51 PM

The second part is to setup smart group which will grab all clients where the Attribute result are “Disabled”
That smart group will be the scope of a policy set to run on recurring with ongoing frequency.
It will enable the auto updates and also run the critical updates.

Screen Shot 2015-02-12 at 2.54.24 PM
With that, all my clients are taking care of.
Once a client is identified via the inventory collection, the smart group is updated and the policy will run to set the settings back into compliance.


One thought on “Enforcing Critical OSX System Updates via Casper

  1. Pingback: Force Install macOS Update - Rui Qiu's Blog

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s