Checks that the system is configured via MDM to automatically install updates.
Create or edit a configuration profile with the following information:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>AutomaticCheckEnabled</key>
<true/>
<key>PayloadDisplayName</key>
<string>Software Update</string>
<key>PayloadIdentifier</key>
<string>com.apple.SoftwareUpdate.8567CAE0-4F08-49B7-9DEE-EE7A1FB232E4</string>
<key>PayloadType</key>
<string>com.apple.SoftwareUpdate</string>
<key>PayloadUUID</key>
<string>8567CAE0-4F08-49B7-9DEE-EE7A1FB232E4</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Automatically install updates</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.automatically_install_updates</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>C9797096-D3DD-4BB4-85B0-6679209BA78F</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Create or edit the following script and configure it to run when the check fails:
Use the policy below to verify
SELECT 1 WHERE
EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.SoftwareUpdate' AND
name='AutomaticCheckEnabled' AND
(value = 1 OR value = 'true') AND
username = ''
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.SoftwareUpdate' AND
name='AutomaticCheckEnabled' AND
(value != 1 AND value != 'true')
);