As mentioned previously, the updates for XProtect’s blacklist moved into Apple’s software update feed starting in Mavericks. Gatekeeper updates are also included in the software update feed on Mavericks and Yosemite, so both XProtect and Gatekeeper updates are being delivered to machines using the same delivery mechanism.
To help distinguish Gatekeeper and XProtect updates from other updates in the software update feed, Apple marks them as being ConfigData updates. The rest of this post covers that marking and how you can manage their automatic installation.
To illustrate, here’s an example of a Gatekeeper update from the Yosemite software update catalog:
Here’s an example of an XProtect update:
Marking these updates as ConfigData cues the App Store not to display them in its list of available software updates. These updates are meant to be under Apple’s control and to be as invisible as possible.
Meanwhile, an automatically installed software update like OS X NTP Security Update 1.0 shows up as a normal software update, but has extra keys in its catalog listing to mark it as a critical update whose automatic installation is set to occur as soon as possible.
<key>AutoInstallDelay</key>
<integer>0</integer>
<key>CriticalUpdate</key>
<true/>
For those interested in examining for themselves, the Yosemite software update catalog is available for download from the following link:
Along with the ConfigData and security updates being marked differently in the software update catalog, it’s possible to manage them separately by setting the correct values in /Library/Preferences/com.apple.SoftwareUpdate.plist. To enable XProtect and Gatekeeper updates to be installed automatically, run the following command with root privileges:
defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool TRUE
To stop XProtect and Gatekeeper updates from being installed automatically, run the following command with root privileges:
defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool FALSE
To enable security updates to be installed automatically, run the following command with root privileges:
defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool TRUE
To stop security updates from being installed automatically, run the following command with root privileges:
defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool FALSE
Because these values can be managed separately, it’s possible to set XProtect and Gatekeeper updates to be installed automatically while allowing the user to decide when to install security updates. To enable this, run the following commands with root privileges:
defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool TRUE
defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool FALSE
In this scenario, the App Store preferences in System Preferences will have the “Install system data files and security updates” checkbox unchecked.
The reason for this is that the values of both ConfigDataInstall and CriticalUpdateInstall must be set to TRUE in order for the “Install system data files and security updates” checkbox to be checked in the App Store preferences.
One important thing to know about forcing automatic installation of ConfigData and security updates is that the Software Update function on the system in question must be set to automatically check for updates. Without the automatic checks, ConfigData and security updates will not install.
To control the automatic update check using the softwareupdate command line tool, run the following commands with root privileges:
To enable the automatic update check:
softwareupdate --schedule on
To disable the automatic update check:
softwareupdate --schedule off
You can also manage this using the defaults command line tool. To enable the automatic update check using defaults, run the following command with root privileges:
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool TRUE
To disable the automatic update check using defaults, run the following command with root privileges:
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool FALSE
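To check how the three keys above combine on a given machine, here is a read-only audit script. It is an added example, not part of the original post; the function names and the state labels (auto, blocked, manual, unset, unknown) are made up for illustration, and a missing key is reported as unset rather than assumed to have any default.

```sh
#!/bin/sh
# Added example: read-only audit of the three Software Update keys.
PLIST=/Library/Preferences/com.apple.SoftwareUpdate

# Print 1, 0 or "unset" for a key. `defaults read` prints booleans as 1/0
# and exits non-zero when the key (or the defaults tool) is missing.
read_key() {
    value=$(defaults read "$PLIST" "$1" 2>/dev/null) || value=unset
    case "$value" in
        1|true|TRUE|YES) echo 1 ;;
        0|false|FALSE|NO) echo 0 ;;
        *) echo unset ;;
    esac
}

# effective_state INSTALL_VALUE AUTOCHECK_VALUE
# auto    = install key TRUE and automatic checks on
# blocked = install key TRUE but automatic checks off, so nothing installs
# manual  = install key FALSE
effective_state() {
    case "$1" in
        1) case "$2" in
               1) echo auto ;;
               0) echo blocked ;;
               *) echo unknown ;;
           esac ;;
        0) echo manual ;;
        *) echo unset ;;
    esac
}

# The App Store checkbox is checked only when both install keys are TRUE.
checkbox_state() {
    if [ "$1" = 1 ] && [ "$2" = 1 ]; then echo checked; else echo unchecked; fi
}

audit() {
    check=$(read_key AutomaticCheckEnabled)
    config=$(read_key ConfigDataInstall)
    critical=$(read_key CriticalUpdateInstall)
    echo "AutomaticCheckEnabled: $check"
    echo "XProtect/Gatekeeper (ConfigDataInstall): $(effective_state "$config" "$check")"
    echo "Security updates (CriticalUpdateInstall): $(effective_state "$critical" "$check")"
    echo "App Store checkbox: $(checkbox_state "$config" "$critical")"
}

audit
```

A result of blocked is the case to look for across a fleet: the install key is TRUE, but with the automatic update check off, the XProtect and Gatekeeper data will not update.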