id: os_software_update_deferral
title: Ensure Software Update Deferment Is Less Than or Equal to $ODV Days
discussion: |
  Software updates _MUST_ be deferred for $ODV days or less.

  If you need to defer software updates, create a Restrictions profile using the com.apple.applicationaccess domain and the key enforcedSoftwareUpdateDelay.
check: |
  /usr/bin/osascript -l JavaScript << EOS
  function run() {
    let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
  .objectForKey('enforcedSoftwareUpdateDelay')) || 0
    if ( timeout <= $ODV ) {
      return("true")
    } else {
      return("false")
    }
  }
  EOS
result:
  string: 'true'
fix: |
  This is implemented by a Configuration Profile.
references:
  cce:
    - CCE-95303-4
  cci:
    - N/A
  800-53r5:
    - N/A
  800-53r4:
    - N/A
  srg:
    - N/A
  disa_stig:
    - N/A
  800-171r3:
    - N/A
  cis:
    benchmark:
      - 1.6 (level 1)
    controls v8:
      - 7.3
      - 7.4
macOS:
  - '26.0'
odv:
  hint: Number of days.
  recommended: 30
  cis_lvl1: 30
  cis_lvl2: 30
tags:
  - cis_lvl1
  - cis_lvl2
mobileconfig: false
mobileconfig_info: