Home > Mac administration, Mac OS X, XProtect > Managing OS X’s automatic security updates

Managing OS X’s automatic security updates

On Monday, December 22nd, Apple released OS X NTP Security Update 1.0 to fix a vulnerability in ntpd. What caught many folks off-guard was that this update installed itself in many cases, without action or authorization by the human using the Mac in question.

Security Update Installed notification

This marked the first time Apple has used its capability to push and automatically install an OS X security update, though the actual capability has been in OS X since OS X 10.8.x. Apple has used a similar capability in OS X 10.9.x and later to push updates for Apple’s XProtect and Gatekeeper.

So how did Apple make OS X NTP Security Update 1.0 install automatically? See below the jump for more details.

The key change appears to be some additional keys that appeared in the Software Update catalog with the NTP update’s entry.

<key>AutoInstallDelay</key>
<integer>0</integer>
<key>CriticalUpdate</key>
<true/>

Screen Shot 2014-12-23 at 4.39.59 PM

Credit to @mikeymikey for discovering these keys:

These keys don’t appear with other software updates available in the Software Update catalog for Mountain Lion, Mavericks or Yosemite. Based on the naming, it looks like the NTP updates were marked as critical updates where automatic installation was set to occur as soon as possible.

Apple has published a KBase article that explains in general how the automatic updates will work. If you would like to always manually download and install security updates, the KBase article also describes how to turn them off:

1. Open System Preferences

2. Click on the App Store icon (Software Update in Mountain Lion)

Screen Shot 2014-12-23 at 8.58.07 PM

3. De-select the following options

  • Automatically check for updates
  • Download newly available updates in the background
  • Install system data files and security updates

Screen Shot 2014-12-23 at 5.09.53 PM

One thing to be aware of is that disabling the automatic check for updates and installation will also disable updates from Apple for XProtect as well as Gatekeeper.

If you want to be notified of automatic security updates and choose when to install them, here’s how to do that:

1. Open System Preferences

2. Click on the App Store icon (Software Update in Mountain Lion)

Screen Shot 2014-12-23 at 8.58.07 PM

3. Select the following options:

  • Automatically check for updates
  • Download newly available updates in the background

4. De-select the following options:

  • Install system data files and security updates

Screen Shot 2014-12-23 at 8.28.11 PM

This option will cause you to be notified of security updates like the NTP update with the option of installing them.

Screen Shot 2014-12-23 at 5.01.47 PM

However, this option will also disable updates from Apple for XProtect as well as Gatekeeper. These options do not show up as available updates in Software Update and are designed to auto-install.

If you want to have automatic security updates, here’s how to do that:

1. Open System Preferences

2. Click on the App Store icon (Software Update in Mountain Lion)

Screen Shot 2014-12-23 at 8.58.07 PM

3. Select the following options:

  • Automatically check for updates
  • Download newly available updates in the background
  • Install system data files and security updates

Screen Shot 2014-12-23 at 4.53.59 PM

This option will cause security updates like the NTP update to be automatically installed, along with updates from Apple for XProtect as well as Gatekeeper.

Screen Shot 2014-12-23 at 5.18.09 PM

These options are set by default by the OS, so most home users and many enterprise users likely already have these settings in the App Store preferences.

Forcing automatic security updates to install

If you need to force an automatic security update to install on Mountain Lion, Mavericks or Yosemite, run the following command with root privileges:

softwareupdate --background-critical

The –background-critical function is actually an undocumented softwareupdate function, so it’s not listed when you run either softwareupdate –help or when you check the softwareupdate manpage.

As mentioned above, one important thing to know about forcing automatic security updates to install is that the Software Update function on the system in question must be set to automatically check for updates and to install security updates. Without those settings, automatic security updates (including XProtect and Gatekeeper updates) will not install.

  1. May 23, 2015 at 1:28 am

    Appreciate the post Rich. We enforce all the app store update preferences except for the install all purchases automatically option.

    Config profiles were not working properly for me but I might have missed something. This script works (we run daily through JSS):

    #!/bin/bash
    defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdate -bool TRUE
    defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdateRestartRequired -bool TRUE
    defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled -bool TRUE
    defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool TRUE
    defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist CriticalUpdateInstall -bool TRUE
    defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist ConfigDataInstall -bool TRUE

    Then once a day (if you like to live dangerously) or once a week (more reasonable) we run:

    #!/bin/bash
    softwareupdate -i -a

    That way if a user has OS X updates pending, all they need to do is reboot. Has been working well on 350+ 10.9 & 10.10 clients for over 6 months.

  2. Emre
    April 26, 2016 at 6:50 pm

    Great post, thanks for the clarification.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: