Gatekeeper Configuration Data and XProtectPlistConfigData and Munki and Reposado, oh my!

If you haven’t read this already, please do:

http://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/

I’ll wait.

Done? OK. Concerned? No? Then you can skip the rest of this post.

If you are concerned, and would like to make sure your managed machines have these security updates, I have a solution for you — if it affects you (and you use Munki and Reposado; so what, about six people?)

I’ve updated my Reposado tool here: https://github.com/wdas/reposado

with a new option: --remove-config-data. This option can be used to remove the “config-data” attribute from the Gatekeeper Configuration Data and XProtectPlistConfigData dist files that cause them to be hidden from /usr/sbin/softwareupdate (and therefore Munki as well).

Once you’ve updated your Reposado tools:

Find the latest XProtectPlistConfigData update product ID:

> ./repoutil --products | grep XProtect
031-14263       XProtectPlistConfigData                            1.0        2014-12-12 [] (Deprecated)
031-17312       XProtectPlistConfigData                            1.0        2015-01-27 []

Remove the config-data attribute from the latest XProtectPlistConfigData dist:

> ./repoutil --remove-config-data 031-17312
Updated dist: /Volumes/munki/swupd/html/content/downloads/16/31/031-17312/1m0bhxfojg3hs4sk8rj4vz9f75gyeyllgr/031-17312.English.dist

Add the latest XProtectPlistConfigData product to your testing catalog:

> ./repoutil --add-product 031-17312 testing
Adding 031-17312 (XProtectPlistConfigData-1.0) to branch testing...
<...>

Find the latest Gatekeeper Configuration Data update product ID:

> ./repoutil --products | grep Gatekeeper
041-6414        Gatekeeper Configuration Data                      1.0        2012-07-25 ['release', 'testing']
031-17170       Gatekeeper Configuration Data                      57         2015-01-25 []

Remove the config-data attribute from the latest Gatekeeper Configuration Data dist:

> ./repoutil --remove-config-data 031-17170
Updated dist: /Volumes/munki/swupd/html/content/downloads/19/32/031-17170/ka9m3pkqmgnvbegg1soz1a4c66up925n3b/031-17170.English.dist

Add the latest Gatekeeper Configuration Data product to your testing catalog:

> ./repoutil --add-product 031-17170 testing
Adding 031-17170 (Gatekeeper Configuration Data-57) to branch testing...
<...>

If you do only this, Munki will start finding the XProtectPlistConfigData and Gatekeeper Configuration Data updates and offer to install them. But you probably want Munki to just install them without bothering the user, so we’ll add some apple_update_metadata to let Munki know it’s OK to install these without bothering the user.

munkiimport --apple-update 031-17312 --catalog testing --unattended_install
munkiimport --apple-update 031-17170 --catalog testing --unattended_install

Make sure you rebuild the catalogs after adding these items to your repo.

And now:

> sudo /usr/local/munki/managedsoftwareupdate --apple
Managed Software Update Tool
Copyright 2010-2014 The Munki Project
https://github.com/munki/munki

<snip>

    The following Apple Software Updates are available to install:
        + Gatekeeper Configuration Data-57
        + XProtectPlistConfigData-1.0

An automatic session will install them without bothering the user. (Either just be patient and let each client do their thing, or run sudo /usr/local/munki/managedsoftwareupdate --auto.)
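To check which dist files in a mirror still carry the marker, and so stay hidden from softwareupdate, here is an added Python example; it is not from the original post and is not Reposado's own code. It assumes the marker is a type="config-data" attribute on the dist's <options> element; the function names and the sample dist are constructed for illustration.

```python
# Added example, not Reposado's code: audit .dist files for the config-data marker.
# Assumption: the marker is type="config-data" on an <options> element.
import sys
import xml.dom.minidom as minidom
from pathlib import Path
from xml.parsers.expat import ExpatError

# Constructed sample dist (not a real Apple file).
SAMPLE_DIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<installer-gui-script minSpecVersion="1">
    <options type="config-data" hostArchitectures="i386"/>
    <title>SAMPLE_UPDATE</title>
</installer-gui-script>
"""

def is_hidden(dist_xml):
    """Return True if any <options> element carries type="config-data"."""
    dom = minidom.parseString(dist_xml)
    return any(opt.getAttribute("type") == "config-data"
               for opt in dom.getElementsByTagName("options"))

def strip_marker(dist_xml):
    """Return (xml_text, changed); other <options> attributes are kept."""
    dom = minidom.parseString(dist_xml)
    changed = False
    for opt in dom.getElementsByTagName("options"):
        if opt.getAttribute("type") == "config-data":
            opt.removeAttribute("type")
            changed = True
    return dom.toxml(), changed

def audit(root):
    """Walk a directory tree; return sorted paths of dists still marked."""
    hidden = []
    for path in Path(root).rglob("*.dist"):
        try:
            if is_hidden(path.read_bytes()):
                hidden.append(str(path))
        except (ExpatError, OSError):
            continue  # unreadable or malformed dist: skip, do not guess
    return sorted(hidden)

if __name__ == "__main__":
    # Usage: python audit_dists.py <path to the mirror's downloads directory>
    for dist_path in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(dist_path)
```

Run it against the mirror's downloads directory before and after repoutil --remove-config-data; a product you edited should drop off the list.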

7 thoughts on “Gatekeeper Configuration Data and XProtectPlistConfigData and Munki and Reposado, oh my!”

  1. Some options include:

    – Switch to Reposado
    – Turn automatic software update checks back on and deal with the issues
    – Manually find and edit the update .dist files on your Apple SUS

  2. MiqViq says:

    I tested this and found out it is _safe_ to manually edit your .dist-files.
    The changes are not affected by the following repo_sync actions.
    Unless Apple decides to change something in that particular .dist file…
    But usually if Apple changes something in that update they release a new version with a unique update ID.
    But still I would not count on that, Apple has been known to change their ways without warning.

  3. Thanks Greg for implementing this. As usual you’re ahead of us, and we all get to benefit despite our collective laziness. I’ll be updating my post.

  4. Thanks for the article!! I’m sure these aren’t the only two background updates. How do I tell which other Reposado updates are background updates and need this treatment?
