[Rule]: system_settings_install_macos_updates_enforce - add DDM check #715

Description

@robertgendler

Is there an existing issue for this?

  • I have searched the existing issues

Rule ID

system_settings_install_macos_updates_enforce

Platform

macOS

OS version(s) affected

26 and 15.

What's wrong?

Check script fails or gives a false result

What is the current behavior?

Check fix needs to be updated for DDM

Reports incorrectly when only applied via DDM

What is the expected behavior?

The expected behavior is to check DDM

Relevant output

Suggested fix

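# Value of AutomaticallyInstallMacOSUpdates in the com.apple.SoftwareUpdate
# preference domain (set by an MDM configuration profile)
mdm=$(/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
.objectForKey('AutomaticallyInstallMacOSUpdates').js
EOS
)

# Value of automaticallyInstallOSUpdates from the persisted DDM software update state
ddm=$(/usr/bin/plutil -convert json /private/var/db/softwareupdate/SoftwareUpdateDDMStatePersistence.plist -o - | /usr/bin/jq -r '.SUCorePersistedStatePolicyFields | .SUCoreDDMDeclarationGlobalSettings | .automaticallyInstallOSUpdates')

# Pass if either management channel enforces automatic macOS updates
if [[ "${mdm}" == "true" ]] || [[ "${ddm}" == "1" ]]; then
  echo "true"
else
  echo "false"
fi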

as proposed check.
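The same MDM-or-DDM logic as the proposed check, written in Python as an added example that is not the issue author's or the project's code; it returns a definite result when the DDM plist is missing, unreadable, or lacks the key. The path and key names come from the proposed check above; the function names, the acceptance of a boolean as well as an integer 1, and the sample plist are assumptions.

```python
import plistlib
from pathlib import Path

# Path and key names are taken from the proposed check in this issue.
DDM_PLIST = Path("/private/var/db/softwareupdate/SoftwareUpdateDDMStatePersistence.plist")
DDM_KEYS = ("SUCorePersistedStatePolicyFields",
            "SUCoreDDMDeclarationGlobalSettings",
            "automaticallyInstallOSUpdates")


def ddm_auto_install(plist_bytes):
    """Return True/False for the DDM setting, or None when it is not declared."""
    if not plist_bytes:
        return None          # no DDM state file on this device
    try:
        node = plistlib.loads(plist_bytes)
    except Exception:        # corrupt or non-plist data counts as "not declared"
        return None
    for key in DDM_KEYS:
        if not isinstance(node, dict) or key not in node:
            return None      # declaration or setting absent
        node = node[key]
    # Assumption: the value may be stored as a boolean or as an integer 0/1.
    return bool(node) if isinstance(node, (bool, int)) else None


def rule_passes(mdm_value, plist_bytes):
    """Pass when either the MDM profile or the DDM declaration enforces updates."""
    return mdm_value is True or ddm_auto_install(plist_bytes) is True


def read_ddm_plist(path=DDM_PLIST):
    """Read the DDM state file; a missing or unreadable file yields None."""
    try:
        return path.read_bytes()
    except OSError:
        return None


# Constructed sample: a device managed only through DDM (no MDM profile key).
SAMPLE_DDM_ONLY = plistlib.dumps({
    "SUCorePersistedStatePolicyFields": {
        "SUCoreDDMDeclarationGlobalSettings": {"automaticallyInstallOSUpdates": 1}
    }
})

if __name__ == "__main__":
    print("constructed DDM-only sample:", rule_passes(None, SAMPLE_DDM_ONLY))
    print("this machine (DDM file only):", rule_passes(None, read_ddm_plist()))
```
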
