This morning while reviewing new updates on my reposado server I saw this new update:
091-76348 macOS High Sierra 2018-04-10 
I didn’t think much of it; various “Install macOS High Sierra” updates have appeared in the softwareupdate catalogs since early in the High Sierra beta cycle: the App Store, when installing the “Install macOS High Sierra” application, downloads resources from these catalogs. (See https://managingosx.wordpress.com/2017/09/26/some-stuff-about-install-macos-high-sierra-app/ for more info).
But then I saw this cry for help on the munki-discuss list: https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/munki-discuss/I9nA-340mO4/KVQTJMEGCgAJ
Apologies if this has been asked and answered already, but we’re in a desperate time crunch. This morning, on the second day of standardized testing for our district, High Sierra is appearing as a “regular update” instead of an App Store option, so naturally MSC offers it:
It appeared that “macOS High Sierra” was being offered as an Apple software update (which Munki was then offering to install).
I did a little research and talked to people on the Mac admins Slack and it was confirmed: Apple _is_ using softwareupdate to offer High Sierra to Macs running 10.9.5 and any version of 10.10. They don’t seem to be doing this (yet) for Macs running 10.11 or 10.12.
It currently appears that this update installs the “Install macOS High Sierra” application into /Applications and either auto-opens the app (if the AutoUpdate preference in com.apple.commerce or com.apple.storeagent is set to true) or causes a notification to appear, presumably a notification that one should update to macOS High Sierra. One also assumes that clicking on the notification would then open the “Install macOS High Sierra” application.
If you are using Munki to manage your Macs, Munki is configured to install available Apple software updates, and you have machines running 10.9.5-10.10.x, you may see Munki showing “macOS High Sierra” as a pending update, leading to confusion, consternation, help desk calls, or worse.
This unwelcome surprise is yet another reason that sane Mac admins should be running a local softwareupdate replica, either via Apple’s softwareupdate server service that is part of macOS Server (though currently hidden and scheduled to go away), or via Reposado: https://github.com/wdas/reposado
Running your own softwareupdate replica allow you to review all new updates from Apple and decide whether or not you want to offer them to your managed clients, and thus avoid unwelcome Apple surprises.