
Checking XProtect and Gatekeeper update status on Macs

As part of making sure that XProtect and Gatekeeper are providing up-to-date protection, it can be worthwhile to see when your Mac received the latest updates from Apple for both XProtect and Gatekeeper. Both run as background processes and receive their Config Data updates silently in the background, so it’s not always obvious when updates have been applied.

To assist with this, I’ve written a couple of scripts to report the last time that Gatekeeper and XProtect have been updated on a particular Mac. For more details, see below the jump.

XProtect

To check XProtect’s update status, I’ve written the script below. Based on the OS version of the Mac in question, it will take the following actions:

  • Macs running 10.5.8 and earlier – The script will display a message stating “XProtect not available for” followed by the OS version number.
  • Macs running 10.6.x through 10.8.x – The script will check XProtect’s /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist file for the file’s last-modified date, then report the date in a human-readable date format.
  • Macs running 10.9.x and later – The script will check the installer package receipts for XProtect update installer packages for the relevant version of Mac OS X, then report the installation date of the most recent update in a human-readable date format.

The script is available on GitHub at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/report_latest_xprotect_update

A Casper Extension Attribute is also available on GitHub at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Extension_Attributes/report_latest_xprotect_update


#!/bin/bash

XProtectCheck(){

    osvers_major=$(/usr/bin/sw_vers -productVersion | awk -F. '{print $1}')
    osvers_minor=$(/usr/bin/sw_vers -productVersion | awk -F. '{print $2}')

    if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -lt 6 ]]; then

        # This section of the function will display a message that XProtect is not
        # available for the relevant version of Mac OS X. This will apply to Macs
        # running Mac OS X 10.5.8 and earlier.

        result="XProtect not available for $(/usr/bin/sw_vers -productVersion)"

    elif [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 6 ]] && [[ ${osvers_minor} -lt 9 ]]; then

        # This section of the function will check the last-modified time of XProtect's
        # XProtect.meta.plist file and report the date when the file was last modified
        # in a human-readable date format. This will apply to Macs running Mac OS X 10.6.x
        # through OS X 10.8.5.

        last_xprotect_update_epoch_time=`/bin/date -jf "%s" $(/usr/bin/stat -s /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist | tr ' ' '\n' | awk -F= '/st_mtime/{print $NF}') +%s`
        last_xprotect_update_human_readable_time=`/bin/date -r "$last_xprotect_update_epoch_time" '+%m-%d-%Y %H:%M:%S'`
        result="$last_xprotect_update_human_readable_time"

    elif [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 9 ]]; then

        # This section of the function will check the installer package receipts for
        # XProtect update installer packages for the relevant version of Mac OS X and
        # display the installation date of the most recent update in a human-readable
        # date format. This will apply to Macs running OS X 10.9.0 and later.

        last_xprotect_update_epoch_time=$(printf "%s\n" `for i in $(pkgutil --pkgs=".*XProtect.*"); do pkgutil --pkg-info "$i" | awk '/install-time/ {print $2}'; done` | sort -n | tail -1)
        last_xprotect_update_human_readable_time=`/bin/date -r "$last_xprotect_update_epoch_time" '+%m-%d-%Y %H:%M:%S'`
        result="$last_xprotect_update_human_readable_time"

    fi
}

XProtectCheck
echo "$result"


Gatekeeper

To check Gatekeeper’s update status, I’ve written the script below. Based on the OS version of the Mac in question, it will take the following actions:

  • Macs running 10.7.4 and earlier – The script will display a message stating “Gatekeeper not available for” followed by the OS version number.
  • Macs running 10.7.5 – The script will display a message stating “Gatekeeper update status not available for” followed by the OS version number.
  • Macs running 10.8.x and later – The script will check the installer package receipts for Gatekeeper update installer packages for the relevant version of Mac OS X, then report the installation date of the most recent update in a human-readable date format.

The script is available on GitHub at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/report_latest_gatekeeper_update

A Casper Extension Attribute is also available on GitHub at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Extension_Attributes/report_latest_gatekeeper_update


#!/bin/bash

GatekeeperCheck(){

    osvers_major=$(/usr/bin/sw_vers -productVersion | awk -F. '{print $1}')
    osvers_minor=$(/usr/bin/sw_vers -productVersion | awk -F. '{print $2}')
    osvers_dot_version=$(/usr/bin/sw_vers -productVersion | awk -F. '{print $3}')

    if [[ ${osvers_major} -eq 10 && ${osvers_minor} -lt 7 ]] || [[ ${osvers_major} -eq 10 && ${osvers_minor} -eq 7 && ${osvers_dot_version} -lt 5 ]]; then

        # This section of the function will display a message that Gatekeeper is not
        # available for the relevant version of Mac OS X. This will apply to Macs running
        # Mac OS X 10.7.4 and earlier.

        result="Gatekeeper not available for $(/usr/bin/sw_vers -productVersion)"

    elif [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -eq 7 ]] && [[ ${osvers_dot_version} -eq 5 ]]; then

        # This section of the function will display a message that Gatekeeper's update
        # status is not available for the relevant version of Mac OS X. This will apply
        # only to Mac OS X 10.7.5.

        result="Gatekeeper update status not available for $(/usr/bin/sw_vers -productVersion)."

    elif [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 8 ]]; then

        # This section of the function will check the package receipts for Gatekeeper
        # update installer packages and display the installation date of the most recent
        # update in a human-readable date format. This will apply to Macs running
        # OS X 10.8.0 and later.

        last_gatekeeper_update_epoch_time=$(printf "%s\n" `for i in $(pkgutil --pkgs=".*Gatekeeper.*"); do pkgutil --pkg-info "$i" | awk '/install-time/ {print $2}'; done` | sort -n | tail -1)
        last_gatekeeper_update_human_readable_time=`/bin/date -r "$last_gatekeeper_update_epoch_time" '+%m-%d-%Y %H:%M:%S'`
        result="$last_gatekeeper_update_human_readable_time"

    fi
}

GatekeeperCheck
echo "$result"
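
The receipt lookup used by the XProtect and Gatekeeper scripts above, reworked so that a Mac with no matching receipts reports that fact instead of a formatted date. This is an added example, not code from the original post or its GitHub repository; the function names, the messages and the sample receipt text are constructed for illustration. It also goes slightly beyond the scripts by returning an explicit answer for OS versions outside 10.x.

```shell
#!/bin/bash
# Constructed sample of concatenated `pkgutil --pkg-info` output (not real receipts).
SAMPLE_RECEIPTS='package-id: com.example.pkg.XProtectSampleA
version: 1.0
install-time: 1456790400
package-id: com.example.pkg.XProtectSampleB
version: 1.0
install-time: 1459209600'

# Print the newest install-time read from stdin; exit 1 if there is none.
latest_install_time() {
    awk '$1 == "install-time:" && $2 ~ /^[0-9]+$/ {
             if (!found || $2 + 0 > max + 0) max = $2
             found = 1
         }
         END { if (!found) exit 1; print max }'
}

# Format an epoch the way the article's scripts do. macOS (BSD) date takes
# -r <epoch>; the GNU fallback exists only so the example runs off a Mac.
format_epoch() {
    date -r "$1" '+%m-%d-%Y %H:%M:%S' 2>/dev/null ||
        date -d "@$1" '+%m-%d-%Y %H:%M:%S'
}

# Receipt text on stdin -> report string. With no receipts it says so instead
# of formatting an empty value (epoch 0 is 12-31-1969 19:00:00 in US Eastern).
report_latest_update() {
    epoch=$(latest_install_time) || {
        echo "No matching update receipts found"
        return 1
    }
    format_epoch "$epoch"
}

# Choose the XProtect lookup from a version string, following the article's
# branches; anything outside 10.x gets an explicit "unhandled", not silence.
xprotect_method_for() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    if [ "$major" -ne 10 ]; then echo "unhandled"
    elif [ "$minor" -lt 6 ]; then echo "unavailable"
    elif [ "$minor" -lt 9 ]; then echo "plist-mtime"
    else echo "receipts"
    fi
}

# On a Mac (10.9+), feed it real receipts:
#   for p in $(pkgutil --pkgs=".*XProtect.*"); do pkgutil --pkg-info "$p"; done | report_latest_update
printf '%s\n' "$SAMPLE_RECEIPTS" | report_latest_update
```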


  1. Joss Brown
    March 29, 2016 at 1:00 am

    I have my own XProtect script, running fine on El Capitan, and I don’t need to check the .pkg. The version number is also in the meta.plist.

    defaults read /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist Version

    And you can get the upgrade date:

    eval $(stat -s /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist)
    DATE=$(perl -e "print scalar(localtime($st_mtime))")

    Manage it with a LaunchAgent, put all of it into variables and broadcast with terminal-notifier, and I’ll know when to reboot. 🙂

    Thank you for the Gatekeeper info. Will surely use it!

  2. cashxx
    March 31, 2016 at 12:21 am

    For xprotect I have always used the following cmd using ARD unix command. defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist LastModification

    • Joss Brown
      March 31, 2016 at 9:16 pm

      Won’t work in El Capitan 10.11.4: “The domain/default pair of (/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist, LastModification) does not exist”. There you need to determine modification date/time directly from the file.

  3. Joss Brown
    March 31, 2016 at 9:31 pm

    As for Gatekeeper, instead of the bom/plist you can also look into /private/var/db/gkopaque.bundle/Contents/Info.plist … there the version number seems to be under key “CFBundleShortVersionString”.

  4. Steven Murphy
    April 8, 2016 at 2:20 pm

    Anyone else seeing odd times being reported on both of these in JAMF Casper?
    Getting the following on most systems 12-31-1969 19:00:00 for both of the above Casper Extensions.

    thanks,
    Steve

  5. Jeffrey Conte
    April 20, 2016 at 12:57 am

    I am seeing the 12-31-1969 19:00:00 for both of the above Casper Extensions as well. Thanks

  6. cashh2
    June 1, 2016 at 4:33 am

    Apple’s System Information tool already shows all of this (hold the option key while clicking on the Apple menu at the top left of the screen and select System Information…).

    Under the Software heading click on Installations, all the install dates and versions are there (except XProtectPlistConfigData reads as version 1.0 for some reason instead of reading the Version string from the actual plist).

  7. cashhh2
    June 1, 2016 at 6:10 am

    Apple’s System Information app provides all of this info. You can find it by holding option while clicking on the Apple menu at the top left of the screen and selecting System Information.

    On the left pane, scroll down to the Software category then Installations. Gatekeeper is under “Gatekeeper Configuration Data” and XProtect is under “XProtectPlistConfigData” (it seems there’s a bug with the XProtect version number because it always shows version 1.0 instead of the Version value from XProtect.meta.plist).

    Source: https://tidbits.com/article/16377

  8. November 8, 2016 at 1:44 pm

    I wrote a daemon that can update XProtect and Gatekeeper even if autoupdates are turned off: https://github.com/novaksam/JamfScripts/blob/master/XProtectUpdateDaemon.sh

  9. James Brown
    October 23, 2019 at 6:56 am

    Doesn’t seem to work for me – XProtect Last Updated Extension Attribute says 1/1/1970 for me.

  10. Dominic
    June 6, 2023 at 4:16 pm

    Does the XProtect script still work for Ventura? I get back zero results, but the script does not error out.
