
Enable App Store Updates

Enforce automatic App Store updates on Mac endpoints so installed App Store applications stay patched continuously

Worklet Details

What the App Store auto-update enforcer does

This Automox Worklet™ enforces the macOS App Store automatic update behavior on managed Mac endpoints by writing the AutoUpdate preference in the com.apple.commerce domain with the defaults command. The Worklet reads the key with defaults read /Library/Preferences/com.apple.commerce AutoUpdate, and when the value is 0 it writes the key back to true with defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE. After remediation, applications installed from the Mac App Store update themselves in the background without user interaction.

Because the preference lives in /Library (not ~/Library), the change applies machine-wide rather than per-user. This matters on shared Macs where the previous user disabled auto-updates and the next user has no idea why their App Store apps stopped patching. The Worklet writes to the machine-level domain so the policy holds regardless of which user is logged in.

The evaluation phase reads com.apple.commerce AutoUpdate via defaults read before any write. Endpoints where AutoUpdate is already non-zero exit 0 with no change applied. Endpoints where a user has flipped the toggle off through System Settings, or where a macOS upgrade has reset the value to 0, are returned to the desired state on the next evaluation without prompting the logged-in user.

Why enforce App Store auto-updates at fleet scale

Mac App Store apps include Safari extensions, the Apple-developed productivity apps (Pages, Numbers, Keynote, Notes), and a long tail of third-party utilities. Each of those ships security fixes through the App Store update channel. When a user disables auto-updates to silence a notification or to prevent a download on a metered connection, those security fixes stop landing. A Safari extension vulnerability that the vendor patches today does not reach the user's Mac for weeks, sometimes months, because no manual trigger is configured.

The App Store auto-update toggle flips back to its previous state after a user opens Settings to dismiss an update prompt, and shared Macs accumulate per-machine drift as they are handed from one user to the next. Apply this Worklet through your macOS baseline policy so the com.apple.commerce AutoUpdate key is written as root on first pass, then schedule a recurring evaluation so App Store apps actually receive their published security patches without depending on the user. Pair the enforcement with a separate softwareupdate-driven Worklet for a complete macOS patching baseline that covers both App Store apps and OS updates.

How App Store auto-update enforcement works

  1. Evaluation phase: The Worklet runs defaults read /Library/Preferences/com.apple.commerce AutoUpdate and inspects the returned integer. If the value equals 0, the endpoint is flagged for remediation and the evaluation script exits 1. Endpoints where AutoUpdate is non-zero are reported compliant and the script exits 0 with no change applied.

  2. Remediation phase: The remediation script re-reads com.apple.commerce AutoUpdate. When the value is 0, it runs defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE to flip the key, relying on the Automox agent's root context for write access to /Library/Preferences. The script logs whether automatic updates were already enabled or newly enabled, then exits.
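The two phases above as one Bash script, added here as an example and not the Worklet's own code: the same defaults read/write calls, the page's rule that only a literal 0 triggers remediation, and the "already enabled" / "newly enabled" status lines. It assumes an absent AutoUpdate key counts as compliant (the page only defines 0 as non-compliant) and that the script runs as root, as the Automox agent does.

```shell
#!/bin/bash
# Added example of the evaluation/remediation logic described above.
# Not the Worklet's own script; written to match the page's description.
# Run as root (the Automox agent context): ./appstore_autoupdate.sh evaluate|remediate

DOMAIN="/Library/Preferences/com.apple.commerce"
KEY="AutoUpdate"

# Print the current AutoUpdate value. Prints nothing if the key is absent
# (defaults read exits non-zero and writes its error to stderr).
read_autoupdate() {
    local value
    value=$(defaults read "$DOMAIN" "$KEY" 2>/dev/null) || value=""
    printf '%s\n' "$value"
}

# Evaluation phase: exit 0 (compliant) unless the value is literally 0.
# Assumption: an absent key is treated as compliant, matching the page's
# "non-zero is compliant" rule; macOS enables App Store updates by default.
evaluate() {
    [ "$(read_autoupdate)" != "0" ]
}

# Remediation phase: re-read the key and flip it to true only when it is 0.
# Prints the same "already enabled" / "newly enabled" status the page describes.
remediate() {
    if evaluate; then
        echo "App Store automatic updates already enabled"
        return 0
    fi
    if defaults write "$DOMAIN" "$KEY" -bool TRUE; then
        echo "App Store automatic updates newly enabled"
        return 0
    fi
    echo "Failed to write $KEY in $DOMAIN (not running as root?)" >&2
    return 1
}

# Dispatch so the same file can serve as either Worklet script.
case "${1:-}" in
    evaluate)  evaluate ;;
    remediate) remediate ;;
esac
```

With no argument the script only defines the functions, so the two Worklet scripts can also source it and call evaluate or remediate directly.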

App Store auto-update requirements

  • Mac endpoint running a supported macOS release with the defaults command available in the default path

  • Root privileges for the Automox agent (the default agent context already meets this) to write to /Library/Preferences/com.apple.commerce.plist

  • No conflicting configuration profile pushing com.apple.commerce AutoUpdate to false; if your MDM delivers a profile that disables App Store auto-updates, update the profile rather than running this Worklet against managed endpoints

  • Network access from the endpoint to swcdn.apple.com and the App Store update servers so background downloads can complete

  • End user awareness that App Store apps may update in the background; communicate the policy so a user does not interpret an unexpected version change as a vendor bug

Expected App Store update state after enforcement

After successful remediation, defaults read /Library/Preferences/com.apple.commerce AutoUpdate returns 1 on the Mac endpoint, and the Automatically keep my Mac up to date and App Store update toggles in System Settings reflect the enforced state. The App Store resumes its automatic check cadence and pending App Store updates start landing within their next scheduled check window.

Validate by capturing the defaults read value before and after a policy run, then waiting through one App Store check cycle and confirming that a previously pending app update has installed. For audit evidence, store the before-and-after defaults output with the policy run identifier. If the toggle regresses to 0 between runs, the most common cause is a configuration profile delivered by an MDM other than Automox; identify and update that profile rather than fighting the symptom on each evaluation.



What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
