
Enable Auto Update

Enforce com.apple.SoftwareUpdate automatic update preferences on macOS endpoints to keep the CIS update baseline in place

Worklet Details

What the macOS automatic update enforcer does

This Automox Worklet™ enforces five automatic update preferences in the system-wide com.apple.SoftwareUpdate domain on macOS endpoints. The evaluation script reads each key with defaults read /Library/Preferences/com.apple.SoftwareUpdate and flags the endpoint non-compliant if any value is not equal to 1. The remediation script writes the missing keys back to true using defaults write, so the next scheduled evaluation finds the endpoint aligned to the baseline.

The five enforced keys are AutomaticCheckEnabled (check for updates), AutomaticDownload (download in the background), ConfigDataInstall (install XProtect, Gatekeeper, and MRT signature payloads), CriticalUpdateInstall (apply security-only updates without prompting), and AutomaticallyInstallMacOSUpdates (install full macOS releases). The Worklet writes to /Library/Preferences/com.apple.SoftwareUpdate, the system-level domain, so the policy survives user account changes and applies to every console session on the endpoint.

Bind the policy to a weekly Mac evaluation. An endpoint that reads all five preference keys equal to 1 exits 0 and burns no remediation cycles; an endpoint where a user flipped Software Update off, an MDM profile cleared a key, or a fresh image landed with the Apple defaults gets the missing keys written on the next remediation. The defaults-read return code surfaces in the Automox activity log, so a locked preference domain shows up as a real failure rather than disappearing into a silent skip.

Why enforce the macOS automatic update baseline

Apple ships two streams of updates to every Mac: full macOS releases (Sequoia, Sonoma, Ventura point releases) and background security payloads delivered through XProtect, Gatekeeper, and the Malware Removal Tool. The five com.apple.SoftwareUpdate keys gate both streams. When AutomaticCheckEnabled is off, the endpoint stops asking; when ConfigDataInstall is off, XProtect signature updates pause; when CriticalUpdateInstall is off, security-only patches wait for a user click. These are the exact controls cited by CIS Benchmark 1.x for macOS (Software Updates section) and by NIST 800-53 SI-2 (Flaw Remediation), and they are the most common place a macOS fleet silently falls out of compliance.

Macs with end-user admin rights are one System Settings checkbox away from breaking the policy, and an MDM profile that misfires on enrollment can clear the same plist keys without anyone noticing. This Worklet rewrites AutomaticCheckEnabled, AutomaticDownload, ConfigDataInstall, CriticalUpdateInstall, and AutomaticallyInstallMacOSUpdates on every evaluation pass that finds them flipped, so a missed XProtect signature window or a CIS 1.1 finding never gets to age into a security incident.

How macOS update preference enforcement works

  1. Evaluation phase: The Worklet iterates over the five keys (AutomaticCheckEnabled, AutomaticDownload, ConfigDataInstall, CriticalUpdateInstall, AutomaticallyInstallMacOSUpdates) and runs defaults read /Library/Preferences/com.apple.SoftwareUpdate <key> against each one. If any return value is not equal to 1, the script prints the key name, exits 1, and the endpoint is queued for remediation. If all five return 1, the script exits 0 and the endpoint is reported compliant.

  2. Remediation phase: The remediation script iterates over the same five keys and runs defaults write /Library/Preferences/com.apple.SoftwareUpdate <key> -bool true for any value not already set to 1. The -bool true flag stores the value as a CFBoolean in the system preferences plist, which is the form softwareupdated and the System Settings UI read on next launch. The script exits 0 once every disabled key has been written.
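The two phases described above, written out as an added shell example. This is not the Automox Worklet's own evaluation or remediation script; the function names (su_read, su_write, evaluate_keys, remediate_keys), the output format, and the script file name in the usage line are this example's own choices. It follows the behaviour the page describes: every key not equal to 1 is reported and the evaluation returns 1, remediation writes -bool true only for keys that are not already 1, and a failed write (for instance a key held by an MDM profile) is reported with a non-zero return instead of being skipped.

```shell
#!/bin/sh
# Added example, not the Automox Worklet's own scripts: evaluation and
# remediation logic for the five com.apple.SoftwareUpdate keys described above.
# Function names (su_read, su_write, evaluate_keys, remediate_keys) are this
# example's own choices.

SU_PLIST="/Library/Preferences/com.apple.SoftwareUpdate"
SU_KEYS="AutomaticCheckEnabled AutomaticDownload ConfigDataInstall CriticalUpdateInstall AutomaticallyInstallMacOSUpdates"

# Read one key from the system-level plist. Prints the stored value
# (defaults prints booleans as 0/1) or nothing if the key is absent.
su_read() {
    defaults read "$SU_PLIST" "$1" 2>/dev/null
}

# Store one key as a CFBoolean true; requires root for the system-level plist.
su_write() {
    defaults write "$SU_PLIST" "$1" -bool true
}

# Evaluation phase: report every key whose value is not 1.
# Returns 1 (queue for remediation) if any key is off or missing, else 0.
evaluate_keys() {
    rc=0
    for key in $SU_KEYS; do
        val="$(su_read "$key")" || val=""
        if [ "$val" != "1" ]; then
            printf 'NON-COMPLIANT %s=%s\n' "$key" "${val:-missing}"
            rc=1
        fi
    done
    return "$rc"
}

# Remediation phase: write -bool true for each key not already 1.
# A failed write (for example a key locked by an MDM profile) is reported
# and makes the function return 1 so the failure lands in the activity log
# instead of being silently skipped.
remediate_keys() {
    rc=0
    for key in $SU_KEYS; do
        val="$(su_read "$key")" || val=""
        if [ "$val" = "1" ]; then
            continue
        fi
        if su_write "$key"; then
            printf 'WROTE %s=1\n' "$key"
        else
            printf 'WRITE-FAILED %s\n' "$key"
            rc=1
        fi
    done
    return "$rc"
}

# Usage (hypothetical file name): sh enforce_softwareupdate.sh evaluate | remediate
case "${1:-}" in
    evaluate)  evaluate_keys ;;
    remediate) remediate_keys ;;
esac
```

Run it as root with `evaluate` to get the compliance verdict in the exit status (0 compliant, 1 queue for remediation) and the offending keys on stdout, and with `remediate` to write the missing keys. The read and write are isolated in su_read and su_write so the same evaluation logic can be exercised against a stand-in store where the defaults command is not available.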

macOS automatic update enforcement requirements

  • macOS endpoint running Big Sur (11) or later, validated on Monterey and newer; works on Intel and Apple silicon hardware

  • Workstation or server device type (the metadata declares both)

  • Root context for the Automox agent so defaults write can update /Library/Preferences/com.apple.SoftwareUpdate (the agent runs as root by default)

  • No MDM configuration profile already locking com.apple.SoftwareUpdate; a profile-managed key cannot be overridden by defaults write, and the evaluation will continue to flag the endpoint until the profile is loosened or the key is unlocked

  • FixNow compatible (feature_compatibility includes RunNow), so the Worklet can be triggered on-demand from the console against a single endpoint or a device group

Expected macOS update state after enforcement

After remediation, defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled returns 1, and the same is true for AutomaticDownload, ConfigDataInstall, CriticalUpdateInstall, and AutomaticallyInstallMacOSUpdates. In System Settings (Ventura and later) or System Preferences (Monterey and earlier), every box under Software Update advanced options reads as enabled: Check for updates, Download new updates when available, Install macOS updates, Install application updates from the App Store, Install Security Responses and system files. softwareupdated picks up the change without requiring a reboot; the next scheduled check fires against Apple's update CDN automatically.

For audit evidence, capture the output of defaults read /Library/Preferences/com.apple.SoftwareUpdate alongside the Automox policy run identifier; the plist values are the artifact CIS auditors and NIST 800-53 SI-2 evidence collectors will ask for. Subsequent policy runs report the endpoint as compliant and do not rewrite the keys, because the evaluation phase already finds each preference equal to 1. The baseline only breaks if an administrator, an end user with admin rights, or an MDM profile push clears one of the keys; when that happens, the very next defaults-read evaluation returns 0 instead of 1, and the Worklet rewrites the missing key during the next remediation window.

Screenshots (not reproduced here): evaluation script, remediation script


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration and remediation tasks, and install or remove applications and settings across Windows, macOS, and Linux.
