system_settings_software_update_enforce.yaml has been silently deprecated by Apple #76

Closed
opened 2026-01-19 18:29:09 +00:00 by michael · 1 comment
Owner

Originally created by @isaacatmann on GitHub.

I also brought this up in the CIS Benchmark for Sequoia, contents below. Seems like the AutomaticCheckEnabled key isn't necessary anymore and is implied by the individual keys that enforce types of updates.

In the GUI, System Settings > General > Software Update, there is no "Check for updates" slider anymore, so the graphical method of the audit procedure is incorrect.

If you push a config for enforcing downloads or updates, Automatic Updates are marked as "on" in the GUI and the need for automatic updates is implied. For example, setting com.apple.SoftwareUpdate CriticalUpdateInstall & ConfigDataInstall as true will make the GUI show "Automatic Updates: Security Responses".

Setting ONLY com.apple.SoftwareUpdate AutomaticCheckEnabled as true results in the GUI showing "Automatic Updates: Off".

While Apple's documentation does still list the AutomaticCheckEnabled setting, the example provided doesn't actually use it to enforce automatic installation of App Store updates:

https://developer.apple.com/documentation/devicemanagement/softwareupdate

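An added audit example, not part of the issue or of the macos_security project's own rule code: it parses a constructed com.apple.SoftwareUpdate managed-preference plist and derives compliance from the per-type enforcement keys rather than from AutomaticCheckEnabled alone, as the report above argues. The keys beyond the two named in the issue are taken from Apple's SoftwareUpdate payload documentation; the "effectively off" interpretation is an assumption based on the GUI behaviour described in the report.

```python
import plistlib

# Constructed sample of a managed com.apple.SoftwareUpdate domain, as an MDM
# profile would leave it under /Library/Managed Preferences/ (not a real capture).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CriticalUpdateInstall</key><true/>
    <key>ConfigDataInstall</key><true/>
</dict>
</plist>
"""

# Keys from Apple's SoftwareUpdate payload that each enforce one update type.
ENFORCEMENT_KEYS = {
    "AutomaticDownload": "download updates",
    "AutomaticallyInstallMacOSUpdates": "install macOS updates",
    "AutomaticallyInstallAppUpdates": "install App Store updates",
    "ConfigDataInstall": "install system data files",
    "CriticalUpdateInstall": "install security responses",
}


def load_prefs(data: bytes) -> dict:
    """Parse an XML or binary plist into a dict of preference keys."""
    return plistlib.loads(data)


def audit_software_update(prefs: dict) -> dict:
    """Report which update types are enforced and whether the config
    relies on AutomaticCheckEnabled alone (assumed to show 'Off' in the GUI,
    per the issue report)."""
    enforced = [desc for key, desc in ENFORCEMENT_KEYS.items() if prefs.get(key) is True]
    check_only = prefs.get("AutomaticCheckEnabled") is True and not enforced
    return {
        "enforced": enforced,
        "check_only": check_only,
        "gui_effectively_off": not enforced,  # assumption, see lead-in
        "compliant": bool(enforced),
    }


if __name__ == "__main__":
    print(audit_software_update(load_prefs(SAMPLE_PLIST)))
```

The function returns `check_only` set when a profile carries nothing but the deprecated check key, which is exactly the configuration the report says the GUI reports as "Automatic Updates: Off".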
Author
Owner

@brodjieski commented on GitHub:

Hello!
This rule is only associated with the CIS benchmarks. I see the discussion with CIS regarding this and looks like they will be addressing it in the next release. Since this rule reflects what is currently published by CIS, we won't make any changes to it until CIS makes their update. But when they do, this should get updated and removed as well.

Thanks!

Reference: usnistgov/macos_security#76