Hi all, and welcome to another “I wrote something handy and thought I should share” blog. In this post I’ll go over two scripts I’ve written to check for and install all available updates to the XProtect and MRT security tools, included in macOS.

Some Background

In the MacAdmins ‘JamfNation’ Slack Channel, someone asked about the possibility of running software updates without alerting the user with things like notifications from the OS. This is indeed possible for most updates, but the ‘Config Data’ updates for XProtect and MRT (kinda like the ‘Virus definition updates for your Anti-Malware products) will only be installed if you enabled the automatic check for updates (as detailed here). But, if you enable this automatic check, your users will likely get Software Update notifications, which is not ideal in a Lab environment.

So that leaves a choice between having devices flag up new software updates to end users, or not getting critical security software updates to XProtect etc.


Option 1:  Reposado

If you utilise the Open Source Reposado solution to manage your macOS updates, Greg has written a great guide on dealing with these updates for your estate, here.

However, what if you have devices worldwide, including perhaps at user’s homes? Or what if you have some other reason where you can’t (or don’t want to) run a Software Update Server solution?


Option 2: It’s Scriptin’ Time

At some point last September I stumbled upon a post detailing a new, undocumented feature of the softwareupdate binary in macOS 10.12 and newer, --include-config-data.

This command will not only display the Config Data updates when using the list command, but will also allow you to forceable check and install any available Config Data updates, relevant to your Mac!

But there are some limitations:

  • This new flag is completely undocumented, both in the man and help pages for softwareupdate. Its usage, language and entire functionality could change or be removed at anytime
  • So far, I’ve only seen it on macOS 10.12.x and 10.13.x. If you’re on anything older, it ain’t gonna work.

So, without further delay, here’s the two scripts I wrote around this:



Found here

This script will check to see if the OS is higher (newer) than 10.11.x (exiting if not), check to see if there are any Config Data updates available (exiting if not), then proceed to install them.


EA – List_Configuration_Data_Updates.sh

Found here

This script will check to see if the OS is higher (newer) than 10.11.x (echoing out a result of “N/A” and exiting if not) and check to see if there are any Config Data updates available (echoing out a result of “None” and exiting if not). If it finds any available ones, it’ll echo these out as the result, perfect for use in a Jamf Pro Extension attribute.


Usage Suggestions

For these scripts, I’d suggest using one of the various methods out there to disable the automatic software update checking, then triggering the install script in addition to any other method you’re using to deploy your Software Updates. For the Extension Attribute, add this in to your Jamf Pro Server to have it collect this information each time an Inventory collection is performed.


Credit Missing?

As you may have seen above, I didn’t figure out this new feature alone, but rather saw it mentioned somewhere. As a big believer in credit where credit is due, I’d like to attribute the discovery to the correct person / message. All I can remember is it was either the Mac Admins Slack, or one of the Mac messaging boards. If anyone finds it, please let me know in the usual channels (Comments, Slack, Twitter etc) and I’ll update this accordingly.



And there we go, I’ve detailed the solution I’ve used to ensure Macs get their Config Data updates. As always, if you have any questions, queries or comments, let us know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.


The usual disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. I will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.