Gatekeeper Configuration Data and XProtectPlistConfigData and Munki and Reposado

[Gregory Neagle]

If you haven't read this already, please do: 

http://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/

I'll wait.

Done? OK. Concerned? No? Then you can skip the rest of this post.

I've updated my Reposado tool here: https://github.com/wdas/reposado

with a new option --remove-config-data. This option removes the attribute from the Gatekeeper Configuration Data and XProtectPlistConfigData dist files that cause them to be hidden from /usr/sbin/softwareupdate (and therefore Munki as well)

Once you've updated your Reposado tools:

# find the latest XProtectPlistConfigData update product ID

> ./repoutil --products | grep XProtect

031-14263       XProtectPlistConfigData                            1.0        2014-12-12 [] (Deprecated)

031-17312       XProtectPlistConfigData                            1.0        2015-01-27 [] 

# remove the config-data attribute from the latest XProtectPlistConfigData dist:

> ./repoutil --remove-config-data 031-17312

Updated dist: /Volumes/munki/swupd/html/content/downloads/16/31/031-17312/1m0bhxfojg3hs4sk8rj4vz9f75gyeyllgr/031-17312.English.dist

# Add the latest XProtectPlistConfigData product to your testing catalog:

> ./repoutil --add-product 031-17312 testing

Adding 031-17312 (XProtectPlistConfigData-1.0) to branch testing...

<...>

# find the latest Gatekeeper Configuration Data  update product ID

# ./repoutil --products | grep Gatekeeper

041-6414        Gatekeeper Configuration Data                      1.0        2012-07-25 ['release', 'testing'] 

031-17170       Gatekeeper Configuration Data                      57         2015-01-25 [] 

# remove the config-data attribute from the latest Gatekeeper Configuration Data dist:

> ./repoutil --remove-config-data 031-17170

Updated dist: /Volumes/munki/swupd/html/content/downloads/19/32/031-17170/ka9m3pkqmgnvbegg1soz1a4c66up925n3b/031-17170.English.dist

# Add the latest Gatekeeper Configuration Data product to your testing catalog:

> ./repoutil --add-product 031-17170 testing

Adding 031-17170 (Gatekeeper Configuration Data-57) to branch testing...

<...>

If you do only this, Munki will start finding the XProtectPlistConfigData and Gatekeeper Configuration Data updates and offer to install them. But you probably want Munki to just install them without bothering the user, so we'll add some apple_update_metadata to let Munki know it's OK to install these without bothering the user.

munkiimport --apple-update 031-17312 --catalog testing --unattended_install

munkiimport --apple-update 031-17170 --catalog testing --unattended_install

> sudo /usr/local/munki/managedsoftwareupdate --apple

Managed Software Update Tool

Copyright 2010-2014 The Munki Project

https://github.com/munki/munki

<snip>

    The following Apple Software Updates are available to install:

        + Gatekeeper Configuration Data-57

        + XProtectPlistConfigData-1.0

An automatic session will install them without bothering the user. (Ether just be patient and let each client do their thing, or run `sudo /usr/local/munki/managedsoftwareupdate --auto`)

-Greg

[Mike Solin]

Awesome, thanks Greg!  This is fantastic - it'll be a relief to know all of the Macs here will be getting these updates.

Is there a way to automate this for each repo_sync session?  Not necessarily the pkginfo portion, but the --remove-config-data portion.

Thanks again!

Mike

--

mi...@mikesolin.com / @flammable

http://mikesolin.com

--
You received this message because you are subscribed to the Google Groups "munki-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to munki-dev+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Gregory Neagle]

On Jan 30, 2015, at 3:23 PM, Mike Solin <mi...@mikesolin.com> wrote:

Awesome, thanks Greg!  This is fantastic - it'll be a relief to know all of the Macs here will be getting these updates.

Is there a way to automate this for each repo_sync session?  Not necessarily the pkginfo portion, but the --remove-config-data portion.

Not currently. Just do it as you add them to a branch catalog.

[Erik Gomez]

You're too fast sometimes. Awesome stuff. 

[Gregory Neagle]

Too fast?  This has been a known issue for months; I've been aware of it since last summer. I've been surprised how little Mac admins have been aware of/following this issue. But at least there's a fix I can use now. I hope there are a few others that can use it as well.

-Greg

[Gregory Neagle]

BTW, you can use the --dist option to view the relevant dist file before and after using --remove-config-data

If you wanted to revert the change and restore a generic Apple dist file:

./repoutil --purge-product 031-17312 --force (or other applicable product id that is still offered by Apple)

./repo_sync

Note: since repo_sync only replicates items currently offered by Apple, you can't use this method to revert changes on Deprecated versions of XProtectPlistConfigData and Gatekeeper Configuration Data dist files.

-Greg

[Erik Gomez]

I was alluding more to the fact that we had just discussed this. 

This will now allow me to finally disable the built in automatic checks. 

Sent from my iPhone

[Michal Moravec]

Am I corrent when I say --remove-config-data only works if I replicate installer packages?

I've tested this with both ways (packages on apple's severs, packages on my server) and it seems to work only with second option. 

[sondjata]

I'm all kinds of late with this but I just want to confirm:

Does this also apply to updates like:

Chinese Word List

Apple Connect

and Voice Updates?