23 May Enable / Disable macOS App Store Auto Updates with an Ivanti Custom Definition
In light of the recent ransomware attacks, with potentially others on the horizon, it’s time to review your internal patch processes and ensure they’re effective. The key to patching is really simple: just do it. I know that is easier said than done, but more often than not the vendor patch was already available before the vulnerability was exploited in the wild.
Having the correct settings on your devices may just save your company a lot of time and money. One such setting may be to ensure your Macs are set to auto-update from the Mac App Store.
While Ivanti provides a ton of patch definitions with their patch subscription service, at times you may still need to create your own custom patch definition to take care of your special needs. An example of this may be to detect whether your Mac is automatically updating. You could also check for other security settings on your devices and then repair those settings. Or, you may have a custom application built internally that needs to be updated. The needs really end up being limitless, so I won’t hash out each scenario; the important piece to understand is that you can create a definition for whatever the need is.
And, it’s not that hard to do.
To build an Ivanti custom definition, you need to answer three questions. What platform will the definition scan against? How will the vulnerability scanner detect the state of your situation? And, what will be the remediation process if one is required?
In the example below, we will walk through the process of detecting whether a Mac is set to automatically update itself from the Mac App Store. This is a setting that you may want enabled, to ensure the Mac App Store apps are up-to-date, because you’re not doing it through Ivanti; or it may be something you want to disable and have full control over the device using Ivanti’s patch manager. We’ll cover both scenarios of enabling and disabling the auto-updates.
To do this, we’ll need to write two scripts and embed them into the custom definition. The first will be the detection logic script and the second will be the remediation script.
Create a Manual Definition from Scratch
- Open the Ivanti Management Console from either a Remote Console or the Core Server.
- Go to Tools > Security and Compliance > Patch and Compliance.
- Filter the view using the All Types drop-down (the first menu button) and select Custom Definition.
- Click on the green circle button with the white plus symbol on the menu bar to Create a Custom Definition.
- Change the ID to an appropriate name, i.e. Apple Automatic Updates.
- Copy the same text into the Title box.
- For the notes field, indicate who created the definition, when it was created and for what purpose (ex. Created by Bennett Norton on May 16, 2017 to detect Apple’s automatic update status.)
- Change the Published Severity to an appropriate setting, i.e. Important / High.
- Select the Description tab.
- Enter an appropriate description for your definition into the text box, i.e. Check for the Mac’s automatic update status.
- Click Apply.
- Return to the General tab.
- Click the Add button in the Detection Rules.
- On the Rule General Information menu item enter a name, i.e Apple Automatic Update Detection.
- Select the Affected Platforms menu option under Detection Logic from the menu tree.
- Check the boxes for Mac OS X and Mac OS X Server.
- Select the Custom Script menu option under Detection Logic from the menu tree.
- In the Description box, enter a name that makes sense, i.e. Apple automatic update detection.
- Click the Use Editor… button.
- Paste the script you’ve written into the Script Content window. Use my example script below for a guide. The script needs a Found, Reason, Expected and a Detected output. Set the detected value to 1 if the detection discovers the patch is needed and 0 if a remediation is not needed.
```sh
#!/bin/sh
# Apple Automatically Check for Updates Detection.sh
# Created by Bennett Norton on 4/5/16.
# The auto update setting is found at /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled
# If the key has never been written, `defaults read` fails; the empty value then
# takes the "disabled" branch below, so the remediation writes the key explicitly.
autoUpdateSetting=$( defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled 2>/dev/null )

# compare the returned value with your desired state
# an autoUpdateSetting of 1 means it is enabled
# an autoUpdateSetting of 0 means it is disabled
if [ "$autoUpdateSetting" = "1" ] ; then
  echo "Found: The option to 'Automatically Check for Updates' is already enabled"
  echo "Reason: The value for 'Automatically Check for Updates' is: $autoUpdateSetting."
  echo "Expected: The value for 'Automatically Check for Updates' should be 1"
  echo "Detected: 0"
  exit 0
else
  echo "Found: The option to 'Automatically Check for Updates' is currently disabled"
  echo "Reason: The value for 'Automatically Check for Updates' is: $autoUpdateSetting."
  echo "Expected: The value for 'Automatically Check for Updates' should be 1"
  echo "Detected: 1"
  exit 1
fi
```
- Click on the Patch Information menu tree option.
- In our example, we’ll set the drop down box to “This issue can be repaired without downloading a patch.” Yours may differ.
- Set the requires reboot value.
- Set the Silent Install value.
- Click on the Patch Install Commands menu option under the Patch Installation and Removal menu tree.
- Click the Add button under Commands.
- From the Command Type dropdown, select Run A Script (if appropriate for your definition) and click the OK button.
- Click the Use Editor… button.
- Paste the script below into the Script Content window. This is where you’ll specify how to remediate or fix what has been detected. In our example, if you want to disable automatic updates, remove the # symbol from the last line and comment out the defaults write command that sets the TRUE flag. Note that this writes a system-level preference under /Library/Preferences, so it must run with root privileges.
```sh
#!/bin/sh
# Apple Automatically Check for Updates Remediation.sh
# Created by Bennett Norton on 4/5/16.
# The auto update setting is found at /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled
# The detection logic has been written in another script - but the command below is what it calls
# defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled
# an autoUpdateSetting of 1 means it is enabled
# an autoUpdateSetting of 0 means it is disabled

# to enable the automatic software check, use the following command
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool TRUE

# to disable the automatic software check, use the following command
# defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool FALSE
exit 0
```
- Click the OK button to save the rule.
- Click the OK button to save the custom definition.
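Here is the whole detection-plus-remediation flow as one script, added as an example and not the post’s own code. It keeps the desired state in a variable (DESIRED_STATE, a name I chose; it is not an Ivanti convention) so the same file serves both the “enable” and “disable” variants, treats a key that has never been written as non-compliant, and reads the value back after the write so a failed remediation (for example, the script not running as root) is reported instead of silently passing. The detect/remediate argument convention is also mine. One caveat the page does not spell out: AutomaticCheckEnabled only governs whether the Mac checks for updates, not whether App Store apps are installed automatically; the KEY variable is there so you can point the same logic at a different key in that domain if that is what you actually need to enforce.

```shell
#!/bin/bash
# Added example (not the original post's script): detection and remediation
# for the AutomaticCheckEnabled setting, parameterised on the desired state.
# DESIRED_STATE and the detect/remediate arguments are assumed conventions.

DOMAIN="/Library/Preferences/com.apple.SoftwareUpdate"
KEY="AutomaticCheckEnabled"
DESIRED_STATE="${DESIRED_STATE:-1}"   # 1 = keep auto-check on, 0 = keep it off

# current_value: prints the stored value (1 or 0). If the key has never been
# written, `defaults read` fails; print "unset" so the report shows the
# difference between "explicitly 0" and "never set".
current_value() {
  defaults read "$DOMAIN" "$KEY" 2>/dev/null || echo "unset"
}

# detected_flag <current> <desired>: prints the Ivanti "Detected" value,
# 0 when the setting already matches, 1 when remediation is needed.
# An unset key is non-compliant so the remediation writes it explicitly.
detected_flag() {
  current="$1"
  desired="$2"
  if [ "$current" = "$desired" ]; then
    echo 0
  else
    echo 1
  fi
}

# report <current> <desired>: emits the four lines an Ivanti custom-definition
# detection script must produce; returns the Detected value as exit status.
report() {
  current="$1"
  desired="$2"
  detected=$(detected_flag "$current" "$desired")
  if [ "$detected" = 0 ]; then
    echo "Found: '$KEY' is already set to $current"
  else
    echo "Found: '$KEY' is $current, remediation required"
  fi
  echo "Reason: The value for '$KEY' is: $current."
  echo "Expected: The value for '$KEY' should be $desired"
  echo "Detected: $detected"
  return "$detected"
}

# remediate <desired>: writes the setting and verifies it by reading it back.
# Returns non-zero if the write failed or the value did not stick.
remediate() {
  desired="$1"
  if [ "$desired" = 1 ]; then flag=TRUE; else flag=FALSE; fi
  defaults write "$DOMAIN" "$KEY" -bool "$flag" || return 1
  after=$(current_value)
  [ "$after" = "$desired" ]
}

# Only touch the live system when `defaults` exists, i.e. on a Mac.
if command -v defaults >/dev/null 2>&1; then
  case "${1:-detect}" in
    detect)    report "$(current_value)" "$DESIRED_STATE" ;;
    remediate) remediate "$DESIRED_STATE" && echo "Remediated: $KEY=$DESIRED_STATE" ;;
  esac
fi
```

Paste the file unchanged as the detection script; for the Patch Install command, paste it again with the default in `${1:-detect}` changed to `remediate`. Set DESIRED_STATE to 0 in both copies for the definition that turns automatic checking off.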
You now have a fully functioning custom definition. You’ll need to verify that your Distribution and Patch scan options include the Custom Definition type, but other than that, your clients will report their status on the new definition during their next vulnerability scan.