New Check: macOS Automatic Updates Improperly Configured

September 10th, 2020

We are excited to announce the availability of a new K2 Check called macOS Automatic Updates Improperly Configured.

This check is a companion to our macOS Missing Important Update check, which only produces failures if the Mac has a security update downloaded/staged but not yet installed.

This new check goes a step further by ensuring that end-users have their Macs configured correctly to automatically keep them up to date. Specifically, this check queries the settings in the System Preferences > Software Update > Advanced… modal. The check only passes if the device has all of the following settings enabled…

This check will also properly detect and pass if these settings are forced on using a managed profile.

While Apple and Kolide both highly recommend having all of these settings enabled, you may not want to use this check if any of the following situations apply:

  • Your organization uses Munki’s Software Center to distribute macOS updates. In this case, many of these settings may be disabled, but critical macOS and App Store updates will still be downloaded.
  • You deploy an automated script that invokes the softwareupdate binary manually to check and automatically install updates.
  • You do not require your users to “automatically install” macOS or App Store updates and are fine with simply alerting them only if they are missing any important updates.

There are several pieces of Inventory related to macOS Software Update you might find interesting.

  • Software Update Settings - Provides you with the settings from the System Preferences > Software Update > Advanced… button modal window, for every Mac in your fleet.
  • Software Updates Pending - Provides you with a list of downloaded, but not yet installed, updates on every Mac in your fleet.
  • Package Install History Items - Gives you a breakdown of all of the packages and updates installed by the system. This includes updates applied via the App Store, the Software Update tool, macOS background updates, and third-party packages.

Additional Reading

While writing this Check, we found that many of our customers had a misconception about the “Install system data files and security updates” option in Software Update’s advanced settings screen. Many thought this would automatically apply important macOS updates. In fact, the “security updates” part of the setting only ensures that certain built-in tools like XProtect, the Malware Removal Tool, and Gatekeeper receive updated definitions that are downloaded and installed in the background. It will not automatically install security supplemental updates or patches to macOS itself.

You can read more about these background updates on Apple’s support page.
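
The pass/fail logic described above, including the managed-profile case and the gap between background definition updates and macOS updates, as an added example that is not Kolide's implementation or part of the original post. The preference key names, their mapping to the checkboxes, and treating a missing key as not enabled are assumptions; the App Store updates checkbox is left out because it is stored in a different preference domain.

```python
import plistlib
from typing import Optional

# Assumed key names in the com.apple.SoftwareUpdate preference domain
# (not taken from the original page), with the checkbox each one backs.
REQUIRED_KEYS = (
    "AutomaticCheckEnabled",             # Check for updates
    "AutomaticDownload",                 # Download new updates when available
    "AutomaticallyInstallMacOSUpdates",  # Install macOS updates
    "ConfigDataInstall",                 # Install system data files ...
    "CriticalUpdateInstall",             # ... and security updates
)


def effective_settings(local: bytes, managed: Optional[bytes] = None) -> dict:
    """Merge local preferences with a managed profile; managed values win."""
    settings = plistlib.loads(local)
    if managed:
        settings.update(plistlib.loads(managed))
    return settings


def evaluate(settings: dict):
    """Return (passed, failing_keys); a missing key counts as not enabled."""
    failing = [k for k in REQUIRED_KEYS if settings.get(k) not in (True, 1)]
    return (not failing, failing)


# Constructed sample: background definition updates are on, but macOS
# updates themselves are not installed automatically.
BACKGROUND_ONLY = plistlib.dumps({
    "AutomaticCheckEnabled": True,
    "AutomaticDownload": True,
    "AutomaticallyInstallMacOSUpdates": False,
    "ConfigDataInstall": True,
    "CriticalUpdateInstall": True,
})
# Constructed sample: a managed profile forcing the missing setting on.
MANAGED_PROFILE = plistlib.dumps({"AutomaticallyInstallMacOSUpdates": True})

if __name__ == "__main__":
    print(evaluate(effective_settings(BACKGROUND_ONLY)))
    print(evaluate(effective_settings(BACKGROUND_ONLY, MANAGED_PROFILE)))
```

On a real Mac the two inputs would be read from the local and managed copies of the com.apple.SoftwareUpdate plist rather than from the constructed samples.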
