Managing automatic installation of ConfigData and security software updates on Yosemite

As mentioned previously, the updates for XProtect’s blacklist moved into Apple’s software update feed starting in Mavericks. Gatekeeper updates are also included in the software update feed on Mavericks and Yosemite, so both XProtect and Gatekeeper updates are being delivered to machines using the same delivery mechanism.

To help distinguish Gatekeeper and XProtect updates from other updates in the software update feed, Apple marks them as being ConfigData updates. More details on this, and on how you can manage their automatic installation, follow.

To illustrate, here’s an example of a Gatekeeper update from the Yosemite software update catalog:

Here’s an example of an XProtect update:

Marking these updates as ConfigData cues the App Store not to display them in its list of available software updates. These updates are meant to be under Apple’s control and to be as invisible as possible.

Meanwhile, an automatically installed software update like OS X NTP Security Update 1.0 shows up as a normal software update, but has extra keys in its catalog listing to mark it as a critical update whose automatic installation is set to occur as soon as possible.

<key>AutoInstallDelay</key>
<integer>0</integer>
<key>CriticalUpdate</key>
<true/>

For those interested in examining it for themselves, the Yosemite software update catalog is available for download from the following link:

http://swscan.apple.com/content/catalogs/others/index-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog

Along with the ConfigData and security updates being marked differently in the software update catalog, it’s possible to manage them separately by setting the correct values in /Library/Preferences/com.apple.SoftwareUpdate.plist. To enable XProtect and Gatekeeper updates to be installed automatically, run the following command with root privileges:

defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool TRUE

To stop XProtect and Gatekeeper updates from being installed automatically, run the following command with root privileges:

defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool FALSE

To enable automatic installation of security updates, run the following command with root privileges:

defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool TRUE

To stop security updates from being installed automatically, run the following command with root privileges:

defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool FALSE

Because these values can be managed separately, it’s possible to set XProtect and Gatekeeper updates to be installed automatically while allowing the user to decide when to install security updates. To enable this, run the following commands with root privileges:

defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool TRUE
defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool FALSE

In this scenario, the App Store preferences in System Preferences will have the Install system data files and security updates checkbox unchecked.

The reason for this is that both the ConfigDataInstall and CriticalUpdateInstall values must be set to TRUE in order for the Install system data files and security updates checkbox to be checked in the App Store preferences.

One important thing to know about forcing automatic installation of ConfigData and security updates is that the Software Update function on the system in question must be set to automatically check for updates. Without the automatic checks, ConfigData and security updates will not install.

To control the automatic update check using the softwareupdate command line tool, run the following commands with root privileges:

To enable the automatic update check:

softwareupdate --schedule on

To disable the automatic update check:

softwareupdate --schedule off

You can also manage this using the defaults command line tool. To enable the automatic update check using defaults, run the following command with root privileges:

defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool TRUE

To disable the automatic update check using defaults, run the following command with root privileges:

defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool FALSE
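
One way to audit the resulting state on a Mac, as an added example that is not part of the original post: it reads the three keys set above and reports whether each update class will really install on its own, given that the automatic check must also be on. The function names are this example's own, and an unset key is reported as unknown because the post does not state the defaults.

```shell
#!/bin/sh
# Added example, not from the original post: audit the keys the post sets.
PLIST=/Library/Preferences/com.apple.SoftwareUpdate

# Map a raw value to 1, 0 or "unset"; `defaults read` prints booleans as 1/0.
normalize_bool() {
    case "$1" in
        1|[Tt][Rr][Uu][Ee]|[Yy][Ee][Ss]) echo 1 ;;
        0|[Ff][Aa][Ll][Ss][Ee]|[Nn][Oo]) echo 0 ;;
        *) echo unset ;;
    esac
}

# effective CHECK INSTALL: per the post, an update class installs on its own
# only when the automatic check is on too. Assumption: unset means "unknown".
effective() {
    eff_check=$(normalize_bool "$1")
    eff_install=$(normalize_bool "$2")
    if [ "$eff_check" = 0 ] || [ "$eff_install" = 0 ]; then
        echo no
    elif [ "$eff_check" = 1 ] && [ "$eff_install" = 1 ]; then
        echo yes
    else
        echo unknown
    fi
}

# report CHECK CONFIGDATA CRITICAL: one-line summary for both update classes.
report() {
    echo "ConfigData=$(effective "$1" "$2") SecurityUpdates=$(effective "$1" "$3")"
}

# Read one key from the plist; a missing key yields an empty string.
read_key() {
    defaults read "$PLIST" "$1" 2>/dev/null || true
}

# audit: print the summary; fail unless ConfigData is confirmed to auto-install.
audit() {
    aud_check=$(read_key AutomaticCheckEnabled)
    aud_config=$(read_key ConfigDataInstall)
    report "$aud_check" "$aud_config" "$(read_key CriticalUpdateInstall)"
    [ "$(effective "$aud_check" "$aud_config")" = yes ]
}

# Only run the audit where the `defaults` tool exists (i.e. on a Mac).
if command -v defaults >/dev/null 2>&1; then
    audit
fi
```

The script exits non-zero when XProtect and Gatekeeper data is not confirmed to install automatically, so a management tool can flag the machine.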

  1. bp
    August 10, 2015 at 9:14 pm

    I’ve tried to create this into a profile but it doesn’t seem to work. Have you had any luck distributing these preferences as a custom profile?

  2. November 21, 2016 at 6:11 pm

    I’m trying to prevent users from updating Sierra to 10.12.1+ as it conflicts with our DLP software. While we work with the vendor to find a solution, the Security team has asked us to disable updates. I can use this method and flip the settings around, but the user (if they have admin rights) can re-enable any of the options here. Any ideas of a work-around to “lock down” updates, at least for OS level patches? I would rather not also disable overall updating of any installed apps, if possible…
