
Checking XProtect and Gatekeeper update status on Macs

To make sure that XProtect and Gatekeeper are providing up-to-date protection, it can be worthwhile to see when your Mac last received updates from Apple for each. Both run as background processes and receive their Config Data updates silently in the background, so it’s not always obvious when updates have been applied.

To assist with this, I’ve written a couple of scripts to report the last time that Gatekeeper and XProtect were updated on a particular Mac. For more details, see below.

XProtect

To check XProtect’s update status, I’ve written the script below. Based on the OS version of the Mac in question, it will take the following actions:

  • Macs running 10.5.8 and earlier – The script will display a message stating “XProtect not available for” followed by the OS version number.
  • Macs running 10.6.x through 10.8.x – The script will check the last-modified date of XProtect’s /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist file, then report the date in a human-readable date format.
  • Macs running 10.9.x and later – The script will check the installer package receipts for XProtect update installer packages for the relevant version of Mac OS X, then report the installation date of the most recent update in a human-readable date format.

The script is available on GitHub at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/report_latest_xprotect_update

A Casper Extension Attribute is also available on GitHub at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Extension_Attributes/report_latest_xprotect_update

 

Gatekeeper

To check Gatekeeper’s update status, I’ve written the script below. Based on the OS version of the Mac in question, it will take the following actions:

  • Macs running 10.7.4 and earlier – The script will display a message stating “Gatekeeper not available for” followed by the OS version number.
  • Macs running 10.7.5 – The script will display a message stating “Gatekeeper update status not available for” followed by the OS version number.
  • Macs running 10.8.x and later – The script will check the installer package receipts for Gatekeeper update installer packages for the relevant version of Mac OS X, then report the installation date of the most recent update in a human-readable date format.

The script is available on GitHub at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/report_latest_gatekeeper_update

A Casper Extension Attribute is also available on GitHub at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Extension_Attributes/report_latest_gatekeeper_update
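
The version checks and receipt lookup described in the two sections above, as an added example that is not the scripts linked from this post. The function names are hypothetical and the receipt text is constructed. It reads `pkgutil --pkg-info` style text and refuses to format a missing or zero install-time, since a zero timestamp renders as the Unix epoch (the last day of 1969 in US time zones) rather than a real update date.

```shell
#!/bin/sh
# Added example, not the post's script. Handles 10.x version strings only.

# Data source the post describes for product $1 (xprotect|gatekeeper) on OS version $2.
update_source() {
  IFS=. read -r major minor patch <<EOF
$2
EOF
  minor=${minor:-0}; patch=${patch:-0}
  [ "$major" = 10 ] || { echo "unsupported version $2"; return 1; }
  case $1 in
    xprotect)
      if [ "$minor" -le 5 ]; then echo "XProtect not available for $2"
      elif [ "$minor" -le 8 ]; then echo plist-mtime
      else echo receipts; fi ;;
    gatekeeper)
      if [ "$minor" -lt 7 ] || { [ "$minor" -eq 7 ] && [ "$patch" -le 4 ]; }; then
        echo "Gatekeeper not available for $2"
      elif [ "$minor" -eq 7 ]; then echo "Gatekeeper update status not available for $2"
      else echo receipts; fi ;;
  esac
}

# Newest install-time (epoch) in `pkgutil --pkg-info` text on stdin.
# Exits 1 if none is a positive integer, so epoch 0 is never formatted as a date.
latest_install_epoch() {
  awk '$1 == "install-time:" && $2 ~ /^[0-9]+$/ && $2 + 0 > max { max = $2 + 0; best = $2 }
       END { if (max > 0) print best; else exit 1 }'
}

format_epoch() {
  date -u -r "$1" '+%Y-%m-%d %H:%M:%S' 2>/dev/null ||  # BSD/macOS date
    date -u -d "@$1" '+%Y-%m-%d %H:%M:%S'               # GNU date
}

report_latest_update() {  # $1 = label, receipt text on stdin
  if epoch=$(latest_install_epoch); then
    echo "$1 last updated: $(format_epoch "$epoch") UTC"
  else
    echo "$1 update date not available (no receipt install-time found)"; return 1
  fi
}

# Constructed sample receipts (package IDs are placeholders).
SAMPLE_RECEIPTS='package-id: com.example.pkg.XProtectSample.A
install-time: 1456000000
package-id: com.example.pkg.XProtectSample.B
install-time: 1459200000'
printf '%s\n' "$SAMPLE_RECEIPTS" | report_latest_update XProtect
```

On a Mac, the receipt text can come from running `pkgutil --pkg-info` over the package IDs that `pkgutil --pkgs` lists for the XProtect or Gatekeeper update packages.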

  1. Joss Brown
    March 29, 2016 at 1:00 am

    I have my own XProtect script, running fine on El Capitan, and I don’t need to check the .pkg. The version number is also in the meta.plist.

    defaults read /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist Version

    And you can get the upgrade date:

    eval $(stat -s /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist)
    DATE=$(perl -e "print scalar(localtime($st_mtime))")

    Manage it with a LaunchAgent, put all of it into variables and broadcast with terminal-notifier, and I’ll know when to reboot. 🙂

    Thank you for the Gatekeeper info. Will surely use it!

  2. cashxx
    March 31, 2016 at 12:21 am

    For xprotect I have always used the following cmd using ARD unix command. defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist LastModification

    • Joss Brown
      March 31, 2016 at 9:16 pm

      Won’t work in El Capitan 10.11.4: “The domain/default pair of (/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist, LastModification) does not exist”. There you need to determine modification date/time directly from the file.

  3. Joss Brown
    March 31, 2016 at 9:31 pm

    As for Gatekeeper, instead of the bom/plist you can also look into /private/var/db/gkopaque.bundle/Contents/Info.plist … there the version number seems to be under key “CFBundleShortVersionString”.

  4. Steven Murphy
    April 8, 2016 at 2:20 pm

    Anyone else seeing odd times being reported on both of these in JAMF Casper?
    Getting the following on most systems 12-31-1969 19:00:00 for both of the above Casper Extensions.

    thanks,
    Steve

  5. Jeffrey Conte
    April 20, 2016 at 12:57 am

    I am seeing the 12-31-1969 19:00:00 for both of the above Casper Extensions as well. Thanks

  6. cashh2
    June 1, 2016 at 4:33 am

    Apple’s System Information tool already shows all of this (hold the option key while clicking on the Apple menu at the top left of the screen and select System Information…).

    Under the Software heading click on Installations, all the install dates and versions are there (except XProtectPlistConfigData reads as version 1.0 for some reason instead of reading the Version string from the actual plist).

  7. cashhh2
    June 1, 2016 at 6:10 am

    Apple’s System Information app provides all of this info. You can find it by holding option while clicking on the Apple menu at the top left of the screen and selecting System Information.

    On the left pane, scroll down to the Software category then Installations. Gatekeeper is under “Gatekeeper Configuration Data” and XProtect is under “XProtectPlistConfigData” (it seems there’s a bug with the XProtect version number because it always shows version 1.0 instead of the Version value from XProtect.meta.plist).

    Source: https://tidbits.com/article/16377

  8. November 8, 2016 at 1:44 pm

    I wrote a daemon that can update XProtect and Gatekeeper even if autoupdates are turned off: https://github.com/novaksam/JamfScripts/blob/master/XProtectUpdateDaemon.sh
