macOS Softwareupdates - BlueSkyTools/BlueSkyConnect GitHub Wiki
Managing and installing macOS software updates has been a constant hassle with almost all of the available tools, especially if you need to make sure that no upgrade to a newer OS gets installed. Installing software updates for clients manually has also been difficult. Letting users install software updates bears the risk of an unwanted upgrade, especially after the maximum of 90 days for which you can defer an update via the MDM/mobileconfig profile.
After struggling with different approaches, I found a reliable way to do this via the `softwareupdate` command. Here's my approach:
- Install a software update deferral .mobileconfig (manually from Apple Configurator or iMazing Profile Editor, or via an MDM solution) with the maximum of 90 days.
- Turn off all macOS software updates:

  ```sh
  sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -boolean FALSE && \
  sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -boolean FALSE && \
  sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -boolean FALSE
  ```
- Tell the user not to do any updates!
- Install macOS software updates via the command:

  ```sh
  sudo softwareupdate -i -a -R
  ```
This will install all available Apple software updates, including Safari, XProtect, etc. The main advantage of this method is that even after the 90 days of the deferral profile, only updates and no upgrades are installed! A single profile works for all macOS versions; even when upgrading in between, the profile stays in place.
I have been installing all my clients with this method since Ventura and haven't had a single accidental upgrade.
Usage tips:
- Often the `softwareupdate` command downloads the current macOS update but, after the download, installs Safari first. If the user has Safari running, the user gets prompted to close Safari to install it. This causes unwanted delays in the process. To better handle this, I created a script that updates XProtect in the background, and Safari if it's not running (so it can be run even while the user is working). Before a software update, run it with the option -f to force a Safari update: https://github.com/dircadmin/update.sh After updating Safari this way, the installation of the macOS update is much smoother. Also, the script can be run as any user, even without admin privileges.
- Upgrading macOS to a new version: use erase-install.sh (https://github.com/grahampugh/erase-install) with the base64-encoded credentials. For example, upgrading to macOS 14 Sonoma with the user admin and the password admin:

  ```sh
  curl -s https://raw.githubusercontent.com/grahampugh/erase-install/release/erase-install.sh | sudo zsh /dev/stdin --reinstall --very-insecure-mode --credentials YWRtaW46YWRtaW4= --os 14
  ```

  The credentials value is only the base64 encoding of admin:admin, not encrypted, so anyone who can read the command line (shell history, process list) can decode the password.

  - Use --min-drive-space 35 to make sure that there's enough disk space available before downloading.
  - Use --caching-server if you have a Mac configured as a content caching server in the network.
- If the user has applications running that block the reboot required by the software update, do a reboot beforehand:

  ```sh
  sudo reboot
  ```

  or log out the user (praxis in this case) by running:

  ```sh
  sudo launchctl bootout user/$(id -u praxis)
  ```
- If a software update is not found, try rebooting.
- Try using iTerm2 (https://iterm2.com) and i2cssh (https://github.com/wouterdebie/i2cssh) to install software updates simultaneously in split panes on multiple Macs with input broadcast ;)