Managing OS X’s automatic security updates

On Monday, December 22nd, Apple released OS X NTP Security Update 1.0 to fix a vulnerability in ntpd. What caught many folks off-guard was that this update installed itself in many cases, without action or authorization by the human using the Mac in question.

Security Update Installed notification

This marked the first time Apple has used its capability to push and automatically install an OS X security update, though the actual capability has been in OS X since OS X 10.8.x. Apple has used a similar capability in OS X 10.9.x and later to push updates for Apple’s XProtect and Gatekeeper.

So how did Apple make OS X NTP Security Update 1.0 install automatically? See below the jump for more details.

The key change appears to be some additional keys that appeared in the Software Update catalog with the NTP update’s entry.

<key>AutoInstallDelay</key>
<integer>0</integer>
<key>CriticalUpdate</key>
<true/>

Credit to @mikeymikey for discovering these keys.

These keys don’t appear with other software updates available in the Software Update catalog for Mountain Lion, Mavericks or Yosemite. Based on the naming, it looks like the NTP updates were marked as critical updates where automatic installation was set to occur as soon as possible.

Apple has published a KBase article that explains in general how the automatic updates will work. If you would like to always manually download and install security updates, the KBase article also describes how to turn them off:

1. Open System Preferences

2. Click on the App Store icon (Software Update in Mountain Lion)

3. De-select the following options

  • Automatically check for updates
  • Download newly available updates in the background
  • Install system data files and security updates

One thing to be aware of is that disabling the automatic check for updates and installation will also disable updates from Apple for XProtect as well as Gatekeeper.

If you want to be notified of automatic security updates and choose when to install them, here’s how to do that:

1. Open System Preferences

2. Click on the App Store icon (Software Update in Mountain Lion)

3. Select the following options:

  • Automatically check for updates
  • Download newly available updates in the background

4. De-select the following options:

  • Install system data files and security updates

This option will cause you to be notified of security updates like the NTP update with the option of installing them.

However, this option will also disable updates from Apple for XProtect as well as Gatekeeper. These options do not show up as available updates in Software Update and are designed to auto-install.

If you want to have automatic security updates, here’s how to do that:

1. Open System Preferences

2. Click on the App Store icon (Software Update in Mountain Lion)

3. Select the following options:

  • Automatically check for updates
  • Download newly available updates in the background
  • Install system data files and security updates

This option will cause security updates like the NTP update to be automatically installed, along with updates from Apple for XProtect as well as Gatekeeper.

These options are set by default by the OS, so most home users and many enterprise users likely already have these settings in the App Store preferences.

Forcing automatic security updates to install

If you need to force an automatic security update to install on Mountain Lion, Mavericks or Yosemite, run the following command with root privileges:

softwareupdate --background-critical

The --background-critical option is actually an undocumented softwareupdate function, so it's not listed when you run softwareupdate --help or when you check the softwareupdate manpage.

As mentioned above, one important thing to know about forcing automatic security updates to install is that the Software Update function on the system in question must be set to automatically check for updates and to install security updates. Without those settings, automatic security updates (including XProtect and Gatekeeper updates) will not install.
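The two pieces above, the CriticalUpdate/AutoInstallDelay keys in the catalog and the client preferences that gate unattended installs, can be modelled in a small audit script. This is an added example, not code from the post or from Apple: the catalog is a constructed sample with the two keys at the product's top level (a simplification of the real sucatalog layout), and the mapping of the preference keys AutomaticCheckEnabled and CriticalUpdateInstall to the "automatically check" and "install security updates" checkboxes is an assumption based on their names.

```python
import plistlib

# Constructed sample of a Software Update catalog in plist form. Real catalogs
# are far larger; placing CriticalUpdate/AutoInstallDelay directly under the
# product entry is an assumption made for this example.
SAMPLE_CATALOG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Products</key>
  <dict>
    <key>EXAMPLE-NTP</key>
    <dict>
      <key>ServerMetadataURL</key><string>https://example.invalid/ntp.smd</string>
      <key>AutoInstallDelay</key><integer>0</integer>
      <key>CriticalUpdate</key><true/>
    </dict>
    <key>EXAMPLE-SAFARI</key>
    <dict>
      <key>ServerMetadataURL</key><string>https://example.invalid/safari.smd</string>
    </dict>
  </dict>
</dict>
</plist>
"""

# Keys in /Library/Preferences/com.apple.SoftwareUpdate.plist assumed to back
# "Automatically check for updates" and "Install system data files and
# security updates" (assumption; names taken from the comments on this post).
REQUIRED_PREFS = ("AutomaticCheckEnabled", "CriticalUpdateInstall")


def critical_products(catalog_bytes):
    """Return {product_id: AutoInstallDelay} for entries flagged CriticalUpdate."""
    catalog = plistlib.loads(catalog_bytes)
    found = {}
    for product_id, entry in catalog.get("Products", {}).items():
        if entry.get("CriticalUpdate") is True:
            # AutoInstallDelay 0 means install as soon as the client sees it.
            found[product_id] = int(entry.get("AutoInstallDelay", 0))
    return found


def client_will_auto_install(prefs):
    """True only when both gating preferences are enabled on the client."""
    return all(prefs.get(key) is True for key in REQUIRED_PREFS)


def pending_auto_installs(catalog_bytes, prefs):
    """Product ids that would self-install on a client with these preferences."""
    if not client_will_auto_install(prefs):
        return []
    return sorted(critical_products(catalog_bytes))
```

Feed a real catalog (downloaded separately) and the client's actual preference values to predict what a run of softwareupdate --background-critical would pick up.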

  1. May 23, 2015 at 1:28 am

    Appreciate the post Rich. We enforce all the app store update preferences except for the install all purchases automatically option.

    Config profiles were not working properly for me but I might have missed something. This script works (we run daily through JSS):

    #!/bin/bash
    defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool TRUE
    defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdateRestartRequired -bool TRUE
    defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled -bool TRUE
    defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool TRUE
    defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist CriticalUpdateInstall -bool TRUE
    defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist ConfigDataInstall -bool TRUE

    Then once a day (if you like to live dangerously) or once a week (more reasonable) we run:

    #!/bin/bash
    softwareupdate -i -a

    That way if a user has OS X updates pending, all they need to do is reboot. Has been working well on 350+ 10.9 & 10.10 clients for over 6 months.

  2. Emre
    April 26, 2016 at 6:50 pm

    Great post, thanks for the clarification.
