
macOS - Configuration - Disable Auto-Updates

Disable automatic macOS and App Store updates so administrators control when patches land on the fleet

Worklet Details

What the macOS automatic update disabler does

This Automox Worklet™ disables every automatic update path that macOS exposes to the user: the system update checker, the background downloader, and the App Store auto-install hook. The Worklet writes to the two preference domains that drive Software Update behavior, /Library/Preferences/com.apple.SoftwareUpdate and /Library/Preferences/com.apple.commerce, so the change persists across reboots and is not undone simply by a user opening System Settings.

The remediation also calls softwareupdate --schedule off to disable the on-device scheduler and unloads the com.apple.softwareupdate_notify_agent LaunchAgent so the macOS update banner stops surfacing to end users. End users keep manual access to Software Update; they simply no longer receive automatic downloads or installs on Apple's schedule.

The evaluation phase is non-destructive and idempotent. The Worklet can run on a recurring policy to catch endpoints that drift back to default after a major macOS upgrade, a profile removal, or a user who reopens System Settings and re-enables a checkbox.

Why hold macOS endpoints on an administrator-controlled patch baseline

Apple ships macOS point releases on its own cadence and pushes Safari, XProtect, and Rapid Security Response updates through the same Software Update pipeline. A laptop left at Apple's defaults will pull a new minor version overnight, restart during business hours, and break a kernel extension, a VPN client, or a security agent that your team has not yet certified against the new build. Allowing AutomaticDownload on a regulated fleet also means an unreviewed payload lands on the endpoint before change management sees it.

The macOS auto-update keys reset in three predictable ways: a major OS upgrade re-enables AutomaticCheckEnabled, a user with admin rights flips a checkbox in System Settings, and an MDM profile push can rewrite the same preference plist. This Worklet asserts the configured values continuously, so the next evaluation catches a re-enabled key before it becomes an audit finding under CIS Benchmark 1.x or a SOC 2 change-control gap. Idempotent defaults writes keep repeat runs cheap on Macs already aligned with the standard.

How macOS update disablement works

  1. Evaluation phase: The script reads three preference keys with sudo defaults read: AutomaticCheckEnabled and AutomaticDownload from /Library/Preferences/com.apple.SoftwareUpdate, and AutoUpdate from /Library/Preferences/com.apple.commerce. If any of the three returns 1, the endpoint exits 1 and is flagged for remediation. If all three return 0 or the keys are absent, the endpoint exits 0 and is reported compliant.

  2. Remediation phase: The script runs launchctl unload -w /System/Library/LaunchAgents/com.apple.softwareupdate_notify_agent.plist, executes sudo softwareupdate --schedule off, and writes -bool false to AutomaticCheckEnabled, AutomaticDownload, and AutoUpdate with sudo defaults write. The Worklet emits "Automatic updates are now disabled." on success, and the next evaluation pass confirms compliance.
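The two phases above, written out as a Bash sketch. This is an added example, not the Automox Worklet's own script. It uses only the preference domains, keys, LaunchAgent path, commands, and success message named on this page; the function names (read_key, classify_value, evaluate_values, evaluate, remediate, verify, managed_profile_present) are choices made here, and the managed_profile_present check against /Library/Managed Preferences is an added pre-flight for the profile conflict noted under Requirements. The compliance rule lives in evaluate_values, which takes the three key values as arguments, so it can be exercised without a Mac; an absent key reads as an empty string and counts as compliant, as the evaluation rule states.

```shell
#!/bin/bash
# Added example of the evaluation/remediation logic described above (not Automox's code).

SU_DOMAIN="/Library/Preferences/com.apple.SoftwareUpdate"
COMMERCE_DOMAIN="/Library/Preferences/com.apple.commerce"
NOTIFY_AGENT="/System/Library/LaunchAgents/com.apple.softwareupdate_notify_agent.plist"
# Assumption: a configuration profile pinning Software Update keys materializes here.
MANAGED_SU_PLIST="/Library/Managed Preferences/com.apple.SoftwareUpdate.plist"

# read_key DOMAIN KEY: print the stored value, or an empty string if the key is absent.
read_key() {
  defaults read "$1" "$2" 2>/dev/null || printf ''
}

# classify_value VALUE: "on" if the value means enabled (1/true/YES), otherwise "off".
# An absent key (empty string) is "off", matching the rule in the evaluation phase.
classify_value() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    1|true|yes) printf 'on' ;;
    *) printf 'off' ;;
  esac
}

# evaluate_values CHECK DOWNLOAD AUTOUPDATE: exit 0 (compliant) only when all three are off.
evaluate_values() {
  for v in "$1" "$2" "$3"; do
    [ "$(classify_value "$v")" = "off" ] || return 1
  done
  return 0
}

# evaluate: read the three live keys and apply the rule (exit 1 flags the endpoint).
evaluate() {
  evaluate_values "$(read_key "$SU_DOMAIN" AutomaticCheckEnabled)" \
                  "$(read_key "$SU_DOMAIN" AutomaticDownload)" \
                  "$(read_key "$COMMERCE_DOMAIN" AutoUpdate)"
}

# managed_profile_present: exit 0 if an MDM profile manages Software Update keys, in which
# case defaults write will be overridden and remediation should not be trusted.
managed_profile_present() {
  [ -f "$MANAGED_SU_PLIST" ]
}

# remediate: the steps from the remediation phase, run as root by the agent.
remediate() {
  if managed_profile_present; then
    echo "Software Update keys are profile-managed; remove the profile first." >&2
    return 2
  fi
  launchctl unload -w "$NOTIFY_AGENT" 2>/dev/null
  softwareupdate --schedule off
  defaults write "$SU_DOMAIN" AutomaticCheckEnabled -bool false
  defaults write "$SU_DOMAIN" AutomaticDownload -bool false
  defaults write "$COMMERCE_DOMAIN" AutoUpdate -bool false
  echo "Automatic updates are now disabled."
}

# verify: the post-remediation checks listed under "Expected macOS state after remediation".
verify() {
  evaluate || return 1
  softwareupdate --schedule | grep -q 'Automatic check is off' || return 1
  ! launchctl list | grep -q softwareupdate_notify_agent
}

# Dispatch only when a phase is named, e.g. "sudo ./disable-autoupdate.sh evaluate".
case "${1:-}" in
  evaluate)  evaluate ;;
  remediate) remediate ;;
  verify)    verify ;;
esac
```

Running the evaluation and remediation as separate invocations mirrors how the two phases are wired in a policy; the verify target is a convenience for checking an endpoint by hand after a FixNow run.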

Requirements for disabling macOS auto-updates

  • macOS endpoint running a current supported release (macOS 12 Monterey or later recommended; tested on 12, 13, 14, and 15)

  • Automox agent installed with the default root execution context (required to write to /Library/Preferences and unload a system LaunchAgent)

  • No conflicting MDM configuration profile pinning the same Software Update keys; a profile-managed key overrides defaults write and the Worklet will appear to succeed while the system reverts on reload

  • A separate Automox patch policy or scheduled deployment Worklet to deliver macOS updates on your timetable once automatic updates are off

Expected macOS state after remediation

After the Worklet runs, sudo defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled returns 0, AutomaticDownload returns 0, and sudo defaults read /Library/Preferences/com.apple.commerce AutoUpdate returns 0. softwareupdate --schedule returns Automatic check is off, and launchctl list | grep softwareupdate_notify_agent returns no row. macOS will not check for, download, or install system updates or App Store updates on its own.

End users keep manual access. They can still open System Settings > Software Update (or System Preferences on older releases) and press Update Now to apply a release you have approved, and the App Store still allows manual application updates. The next time the Worklet evaluates the endpoint, it exits 0 and the policy reports compliant; if a user toggles a checkbox back on, the following evaluation catches the drift and remediation resets the keys. The Worklet is FixNow-compatible, so you can trigger it ad hoc from the Automox console to lock the fleet down before a planned release window.



What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
