If you haven’t read this already, please do:
http://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
I’ll wait.
Done? OK. Concerned? No? Then you can skip the rest of this post.
If you are concerned, and would like to make sure your managed machines have these security updates, I have a solution for you — if it affects you (and you use Munki and Reposado; so what, about six people?)
I’ve updated my Reposado tool here: https://github.com/wdas/reposado
with a new option: --remove-config-data. This option can be used to remove the “config-data” attribute from the Gatekeeper Configuration Data and XProtectPlistConfigData dist files that cause them to be hidden from /usr/sbin/softwareupdate (and therefore Munki as well).
Once you’ve updated your Reposado tools:
Find the latest XProtectPlistConfigData update product ID:
> ./repoutil --products | grep XProtect 031-14263 XProtectPlistConfigData 1.0 2014-12-12 [] (Deprecated) 031-17312 XProtectPlistConfigData 1.0 2015-01-27 []
Remove the config-data attribute from the latest XProtectPlistConfigData dist:
> ./repoutil --remove-config-data 031-17312 Updated dist: /Volumes/munki/swupd/html/content/downloads/16/31/031-17312/1m0bhxfojg3hs4sk8rj4vz9f75gyeyllgr/031-17312.English.dist
Add the latest XProtectPlistConfigData product to your testing catalog:
> ./repoutil --add-product 031-17312 testing Adding 031-17312 (XProtectPlistConfigData-1.0) to branch testing... <...>
Find the latest Gatekeeper Configuration Data update product ID:
> ./repoutil --products | grep Gatekeeper 041-6414 Gatekeeper Configuration Data 1.0 2012-07-25 ['release', 'testing'] 031-17170 Gatekeeper Configuration Data 57 2015-01-25 []
Remove the config-data attribute from the latest Gatekeeper Configuration Data dist:
> ./repoutil --remove-config-data 031-17170 Updated dist: /Volumes/munki/swupd/html/content/downloads/19/32/031-17170/ka9m3pkqmgnvbegg1soz1a4c66up925n3b/031-17170.English.dist
Add the latest Gatekeeper Configuration Data product to your testing catalog:
> ./repoutil --add-product 031-17170 testing Adding 031-17170 (Gatekeeper Configuration Data-57) to branch testing... <...>
If you do only this, Munki will start finding the XProtectPlistConfigData and Gatekeeper Configuration Data updates and offer to install them. But you probably want Munki to just install them without bothering the user, so we’ll add some apple_update_metadata to let Munki know it’s OK to install these without bothering the user.
munkiimport --apple-update 031-17312 --catalog testing --unattended_install munkiimport --apple-update 031-17170 --catalog testing --unattended_install
Make sure you rebuild the catalogs after adding these items to your repo.
And now:
> sudo /usr/local/munki/managedsoftwareupdate --apple Managed Software Update Tool Copyright 2010-2014 The Munki Project https://github.com/munki/munki <snip> The following Apple Software Updates are available to install: + Gatekeeper Configuration Data-57 + XProtectPlistConfigData-1.0
An automatic session will install them without bothering the user. (Ether just be patient and let each client do their thing, or run sudo /usr/local/munki/managedsoftwareupdate --auto)
Managing OS X 
What would be your suggested approach if we’re using Munki but with Apple’s own software update servers? Thanks!
Some options include:
– Switch to Reposado
– Turn automatic software update checks back on and deal with the issues
– Manually find and edit the update .dist files on your Apple SUS
I tested this and found out it is _safe_ to manually edit your .dist-files.
The changes are not affected by the following repo_sync actions.
Unless Apple decides to change something in that particular .dist file…
But usually if Apple changes something in that update they release a new version with an unique update ID.
But still I would not count on that, Apple has been known to change their ways without warning.
Thanks Greg for implementing this. As usual you’re ahead of us, and we all get to benefit despite our collective laziness. I’ll be updating my post.
Thanks for the article!! I’m sure these aren’t the only two background updates. How do I tell which other Reposado updates are background updates and need this treatment?
That is an exercise left for the reader.
10-4