1.4 Ensure Install of macOS Updates Is Enabled

Information

Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off simply to allow the administrator to contact users in order to verify installation. A dependable, repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off.

Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited.

Solution

Graphical Method:

Perform the following steps to enable macOS updates to run automatically:

- Open System Settings
- Select General
- Select Software Update
- Select the i
- Set Install macOS updates to enabled
- Select Done

Terminal Method:

Run the following command to to enable automatic checking and installing of macOS updates:

$ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool TRUE

Profile Method:

Create or edit a configuration profile with the following information:

- The PayloadType string is com.apple.SoftwareUpdate
- The key to include is AutomaticallyInstallMacOSUpdates
- The key must be set to <true/>

Impact:

Unpatched software may be exploited.

See Also

https://workbench.cisecurity.org/benchmarks/15551

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|SI-2, 800-53|SI-2(2), CSCv7|3.4, CSCv7|3.5

Plugin: Unix

Control ID: 67427e7afcbb572d53534acacb62503c557a2c8316bb775c0ac30435f3216f02