hoakley July 24, 2022 Macs, Technology

Last Week on My Mac: How can you tell whether your Mac is up to date?

One obvious answer to this question is to open About This Mac, where you can see the version of macOS that it’s running, but that’s just a part of the full answer. It doesn’t tell you whether its firmware is up to date, or anything about its essential security systems like XProtect, MRT, and the new addition XProtect Remediator. The assumption is that, if you follow Apple’s guidance with automatic updates enabled, when Software Update reports your Mac is up to date, then everything is hunky dory.

Until the beginning of June, that doesn’t seem to have been a dangerous assumption for the great majority of those using the current release of macOS. There have always been sporadic reports of Macs which are woefully out of date for certain components including those security systems, and El Capitan had a bug in its software update mechanism which could unintentionally block updates. But from Sierra onwards the great majority of Macs seem to have worked well in auto, until early June this year.

Over that period, there have been other changes. Many now have more than one Mac, together with iOS and iPadOS devices. Most have come to use iCloud a great deal, and a significant number rely even more heavily on it for multiple services. For Apple’s balance sheet these have all been healthy changes, as its revenues and profits have steadily risen.

Since Apple unbundled its Content Caching service from its moribund Server product in High Sierra, its use has steadily grown. Promoted by Apple as helping to “reduce internet data usage and speed up software installation on Mac computers, iOS and iPadOS devices, and Apple TV”, for most users it’s a cinch to set up and run. And, until early June this year, it has been thoroughly reliable for most of those who have enabled it.

I don’t know what changed in early June, as it could have been something in Monterey 12.4 or in Apple’s software update servers, but since then those security updates that used to install fine haven’t been working properly.

In my case, as with many, when any of my Macs tries to download and install security data updates from my Content Caching server, they fail to install. Disable that server, so those Macs are forced to connect direct to Apple’s servers, and the same updates install first time, without error.

I know all this because I’m crazy enough to study these software updates in detail, have written apps to take better control of them, and tell others when Apple releases updates. If I did none of these, I’d probably still assume that, whatever security updates Apple has pushed, they were all promptly installed on each of my Macs, thanks to my Content Caching server.

This is because, as a matter of policy, Apple doesn’t inform users when it pushes security data updates, nor does it reveal their current versions, nor is it easy to discover whether anything is wrong with the software update process. Unless you use third-party software and sites like this, your Mac(s) could have failed to install every one of the six security updates pushed by Apple since problems started in early June, and you’d be none the wiser.

I don’t believe that Apple really wants us to fall so badly out of date for security data updates. Its engineers have invested their effort into adding new malware detection signatures to XProtect’s Yara file, and even more to deliver its brand new tool XProtect Remediator, which alone has been the object of four of those six security updates. If they installed successfully.

Until a couple of days ago, I believed these problems installing updates were confined to those using a Content Caching server. Then I came across a Mac user who hasn’t used it, but whose XProtect Remediator had fallen two updates behind, and who had only learned of this through this site. If they had relied on the information unprovided by Apple and their Mac, they would presumably have remained in blissful ignorance.

Over the last few years, Apple has invested heavily to ensure that Mac users are provided with excellent security protection. This started with a campaign to ensure that the firmware in Macs was more uniformly up to date. Its engineers have recast the System into a mounted snapshot, every bit of it sealed by hashes and signed at the top. It has developed a new tool to improve the detection and remediation of malware. But the final link in delivery, ensuring that those updates are installed, is letting the whole system down.

26Comments

Add yours

1

Macintoshista on July 24, 2022 at 7:20 am

What on Earth are Apple playing at? It’s a major oversight. Thank goodness for SilentKnight et al! Thank you Howard for providing these now most essential tools

LikeLiked by 1 person
- 2
  
  hoakley on July 24, 2022 at 8:54 am
  
  Thank you. But SilentKnight should be completely unnecessary.
  Howard.
  
  LikeLiked by 1 person
3

Graham on July 24, 2022 at 7:30 am

I would not characterise macOS updates as working fine until June 2022. Inconsistencies between what is shown in Software Update between refreshes, and the output of the “softwareupdate -l” command, as well as the unreliability of software update deferrals using MDM, have plagued many of us for a couple of years now.

LikeLiked by 2 people
- 4
  
  hoakley on July 24, 2022 at 8:58 am
  
  Thank you.
  I’m afraid that my knowledge of MDM environments is scant, and this article isn’t about what happens in them. I suggest those are issues which need to be raised with Apple’s excellent enterprise support staff.
  Outside MDM, I stand by everything I have written. It’s based on over 6 years of experience across tens of thousands of users. Problems are unusual, but have suddenly become quite common since early June this year.
  You might also find that using
  softwareupdate -l –include-config-data
  brings better results. That’s what my apps have always used, except for El Capitan.
  Howard.
  
  LikeLike
  - 5
    
    Graham on July 24, 2022 at 12:21 pm
    
    The inconsistencies I have mentioned include some that do not relate to MDM, nor indeed to Caching Server.
    
    Myself and many others in the MacAdmins Slack see inconsistencies where an update may be detected bit later not detected. Also, it may be detected in the GUI, but not using the command (but each of those methods may or may not detect it at any one time).
    
    This makes it difficult to try to “nudge” users to do their updates when they disappear.
    
    I agree it has got worse of late, but it’s been somewhat of a problem at least for Monterey and I would say Big Sur too. There was a particular problem with the early versions of Monterey that prevents updates being shown at all on some devices, was only remedied by using the full installer for 12.3. I’m surprised you didn’t come across it but perhaps you were lucky.
    
    LikeLiked by 1 person
    - 6
      
      hoakley on July 24, 2022 at 3:20 pm
      
      I don’t think luck comes into it. I run SilentKnight several times each day, and it has never let me down. From its results I post announcements of software updates, usually with full details within an hour or two of Apple making them available. The only thing that can delay me is when the update arrives when I’m asleep!
      If you’d rather use a command tool, then silnite is very widely used now. Both, and LockRattler, are completely free, and ad-free too. You’re welcome to use them in a commercial setting without charge too. They don’t collect any data about their use or user – which is why I have no idea how many are using them.
      Howard.
      
      LikeLike
    - 7
      
      Graham Pugh on July 24, 2022 at 4:26 pm
      
      Your tools are excellent, but as you say, they also use the softwareupdate command underneath, so they’re not going to provide different results to using the command directly (note, I’m not talking about the security updates like XProtect that aren’t advertised properly in the GUI as you say; I’m talking about the point releases, 12.1, 12.2.1, etc.). I’ve spent a lot of time reading accounts from many high profile Mac administrators about this problem as well as tacit admissions from within Apple, which is largely why they try and steer enterprise admins away from the softwareupdate command in favour of using MDM commands to obtain the updates instead (but Apple’s MDM is inherently unreliable in terms of response time).
      
      I myself stopped relying on “softwareupdate -l” and instead use the data that’s inside “/Library/Preferences/com.apple.SoftwareUpdate.plist”, which is the same as what is displayed in the SoftwareUpdate preference pane. At least then my tools for nagging users to update are consistent with what is shown in the GUI. This has been working pretty well for our needs.
      
      LikeLiked by 1 person
    - 8
      
      hoakley on July 24, 2022 at 8:34 pm
      
      “I’m talking about the point releases”
      Well, although there are very occasional delays, I’ve never missed one yet using SilentKnight.
      What I do is run SilentKnight, which calls
      softwareupdate -l –include-config-data
      Note the last option, which is very important in all macOS after El Capitan, although I think still undocumented. That normally reveals the point update, which then appears in Software Update, ready for me to download and install immediately. Simply opening Software Update often doesn’t find the update, but opening SilentKnight first does.
      I have done that using SilentKnight since I first developed it, and did the same with LockRattler before that.
      Current problems with Content Caching servers seem only to apply to security data updates like XProtect and XProtect Remediator. I’ve not had a glitch with a minor macOS update in the last couple of months.
      Howard.
      
      LikeLike
9

EcleX on July 24, 2022 at 8:27 am

Thanks for the information. Apple security policies would be perfect if they allowed to manually install security updates when automatic updates are off. That is convenient to prevent surprises of them breaking something until a fix is released, and to know what caused such issue when manually installed. The problem with automatic updates is that if they break something (and they do from time to time), you may not know what caused it, complicating troubleshooting it.

LikeLiked by 2 people
- 10
  
  hoakley on July 24, 2022 at 8:59 am
  
  Thank you.
  They do, using the softwareupdate command. That’s all that my apps do in terms of listing and obtaining updates.
  Howard.
  
  LikeLike
  - 11
    
    EcleX on July 24, 2022 at 10:03 am
    
    Thanks. I meant with a GUI from the standard expected site at “Apple – About This Mac – Software Update”. Millions of Mac users may have automatic updates turned off and they may think that they are up to date, when they are not on security updates. Unfortunately, not all know the great SilentKinight.
    
    LikeLiked by 1 person
    - 12
      
      hoakley on July 24, 2022 at 10:58 am
      
      Thank you. You wrote: “they may think that they are up to date” and that’s exactly the point of this article. It’s not about providing a GUI tool to download individual updates. After all, if you don’t know that your Mac is out of date, why would you even consider doing that?
      Indeed, if you’re running a Content Caching server, the GUI tools mislead, as they show what’s downloaded from the server, and not whether the clients are successfully updated. So those client Macs could be two months out of date for security data updates, and you’d be none the wiser.
      Howard.
      
      LikeLike
    - 13
      
      EcleX on July 24, 2022 at 4:43 pm
      
      Thanks. What I meant is that it would be all much easier if Apple allowed to update all manually (including security updates) when automatic updates are turned off, as was previously possible, years ago.
      
      Now, when you do that from “Apple – About This Mac – Software Update”, you get the wrong “Your Mac is up to date” message when it is not, because security updates are not installed, as revealed by SilentKnight.
      
      LikeLiked by 1 person
    - 14
      
      hoakley on July 24, 2022 at 8:09 pm
      
      Thank you.
      You miss my point entirely, which is summarised in the title of this article. I don’t want to know whether Apple’s servers think they have an update for my Mac. I want to know whether my Mac is up to date. Those are quite different things, and Apple seems to think that telling me that there are no updates waiting is the same thing. It’s not. As you say, Software Update can get it wrong, although softwareupdate as used in SilentKnight seems more accurate.
      SilentKnight does this by actually checking the installed version against a list of current versions. That’s the way to do it.
      Howard.
      
      LikeLike
15

Valdo on July 24, 2022 at 10:47 am

Of topic question to “Is your Mac (hardware) up to date”?

Two days ago I ordered a M2 MacBook Air and suddenly reviewers started to criticize insufficient thermal control of M2 Air. Any comments from standard users, not influencers?

LikeLiked by 1 person
- 16
  
  hoakley on July 24, 2022 at 11:03 am
  
  I don’t know whether you discount my views as those of an “influencer”, but I’m not surprised at these reports.
  The M1 MacBook Air had the same design philosophy: it has no active cooling. Load any such Mac at full CPU and GPU long enough, in the right thermal environment, and I’m sure you can observe thermal throttling. Apple silicon Macs are harder, of course, as they generate less heat in the first place. But if they wouldn’t benefit from active cooling, why would the matching MacBook Pro have that?
  So, if you’re going to run your notebook at full load in the heat, you shouldn’t buy a MacBook Air, but a MacBook Pro.
  What’s different?
  Howard.
  
  LikeLike
  - 17
    
    Valdo on July 24, 2022 at 11:29 am
    
    Thank you Howard, no intention to do something like video editing, just a bit of pictures but without Adobe or other heavy weight apps.
    The rest is music, text, email and web.
    
    LikeLiked by 1 person
    - 18
      
      hoakley on July 24, 2022 at 3:15 pm
      
      In that case, I think you’ll be delighted with your M2 MBA, and be one of the many who finds that it never even gets warm.
      Enjoy!
      Howard.
      
      LikeLike
  - 19
    
    Valdo on July 24, 2022 at 11:34 am
    
    “I don’t know whether you discount my views as those of an “influencer””
    
    I replace the Influencer to Youtuber 🙂
    
    LikeLiked by 1 person
20

Dakotamoons on July 24, 2022 at 3:06 pm

Howard, when you say …..:But SilentKnight should be completely unnecessary” I’m not sure if you mean that Apple’s updating should be transparent and flawless, or something else?

LikeLiked by 1 person
21

Dakotamoons on July 24, 2022 at 3:08 pm

Just download the latest version of SilentKnight and ran it on my M1 running Monterey v12.5 with good results. Can you please elaborate on your statement about SilentKnight being “completely unnecessary?”

LikeLiked by 1 person
- 22
  
  hoakley on July 24, 2022 at 3:27 pm
  
  Ideally, Apple’s update service should be perfect, but we all know that such perfection isn’t realistic. What SilentKnight excels at is telling you whether your Mac is fully up to date for all those security data updates, firmware updates, and all its other important security settings like SIP.
  It really wouldn’t be hard for Apple to incorporate the same feature-set in About This Mac, for instance, allowing users to discover easily whether their Mac really is secure, or has fallen behind on some updates and needs to check for and install updates.
  Instead, Apple doesn’t even publish a list of current version numbers for security tools like MRT and XProtect, nor for firmware versions. So you can’t even discover whether your Mac is up to date without using third-party tools.
  Howard.
  
  LikeLiked by 2 people
  - 23
    
    Dakotamoons on July 24, 2022 at 4:44 pm
    
    Ah! Thank you Howard for elaborating. Now I understand what you meant.
    All the best, John
    
    LikeLiked by 1 person
24

Liam on July 24, 2022 at 8:39 pm

The updates that come out this week worked fine for all my Monterey Macs execept for one iMac which wouldn’t download the update from either the Preferences updater or softwareupdate command. My Content caching runs on a Mac Mini late 2012 which is on Catalina. I deleted the cache contents from it and then the iMac was able to retreive the update. Cache size is set to 40GB, and it was at 20+GB before I cleared it. Currently at 6.2 GB.

LikeLiked by 1 person
- 25
  
  hoakley on July 25, 2022 at 5:43 am
  
  Thank you.
  Howard.
  
  LikeLike
26

Michael Tsai - Blog - Missed Security Updates Due to Content Caching on July 25, 2022 at 7:03 pm

[…] Howard Oakley: […]

LikeLike