
Replace deprecated com.apple.SoftwareUpdate payload with supported configuration#653

Open
nancysangani wants to merge 1 commit into usnistgov:main from nancysangani:fix/deprecated-softwareupdate-payload

Conversation

@nancysangani

Add DDM support for software update rules (fixes #633)

Replaces deprecated com.apple.SoftwareUpdate payload usage by adding DDM (com.apple.configuration.softwareupdate.settings) equivalents where supported.

Added ddm_info blocks to:

  • system_settings_software_update_download_enforce
  • system_settings_install_macos_updates_enforce
  • system_settings_critical_update_install_enforce

Existing mobileconfig blocks are retained for backward compatibility.

Some rules are unchanged due to lack of DDM support or scope limitations.


Copilot AI left a comment


Pull request overview

Adds Declarative Device Management (DDM) equivalents for several macOS Software Update enforcement rules to replace reliance on the deprecated com.apple.SoftwareUpdate payload, while keeping existing mobileconfig blocks for backward compatibility.

Changes:

  • Added ddm_info blocks using com.apple.configuration.softwareupdate.settings for automatic download, OS update install, and critical/security update install enforcement.
  • Mapped legacy profile keys to DDM AutomaticActions values (Download, InstallOSUpdates, InstallSecurityUpdates).
  • Retained existing mobileconfig_info payloads to support older OS versions / non-DDM deployments.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File | Description
rules/system_settings/system_settings_software_update_download_enforce.yaml | Adds DDM declaration for enforcing automatic software update downloads.
rules/system_settings/system_settings_install_macos_updates_enforce.yaml | Adds DDM declaration for enforcing automatic macOS update installation.
rules/system_settings/system_settings_critical_update_install_enforce.yaml | Adds DDM declaration for enforcing automatic installation of critical/security updates.


Comment on lines +45 to +49
ddm_info:
declarationtype: com.apple.configuration.softwareupdate.settings
ddm_key: AutomaticActions
ddm_value:
Download: AlwaysOn

Copilot AI Apr 3, 2026


Now that this rule includes a DDM declaration, the check still reads com.apple.SoftwareUpdate user defaults via osascript. DDM software update settings are typically reflected in /var/db/softwareupdate/SoftwareUpdateDDMStatePersistence.plist (see system_settings_download_software_update_enforce.yaml), so this rule may report non-compliance even when DDM is correctly applied. Consider updating the check to detect/validate the DDM state (or support both mechanisms depending on OS/version).

Comment on lines +45 to +49
ddm_info:
declarationtype: com.apple.configuration.softwareupdate.settings
ddm_key: AutomaticActions
ddm_value:
InstallOSUpdates: AlwaysOn

Copilot AI Apr 3, 2026


This adds a DDM declaration, but the rule’s check still validates com.apple.SoftwareUpdate defaults (AutomaticallyInstallMacOSUpdates). If DDM enforcement doesn’t write these defaults, compliance results can be incorrect on DDM-capable OS versions. Consider adding a DDM-aware check (similar to the /var/db/softwareupdate/SoftwareUpdateDDMStatePersistence.plist approach used in other DDM software update rules) or branching between legacy profile vs DDM state based on OS support.

declarationtype: com.apple.configuration.softwareupdate.settings
ddm_key: AutomaticActions
ddm_value:
InstallSecurityUpdates: AlwaysOn

Copilot AI Apr 3, 2026


Potential key mismatch: this rule uses InstallSecurityUpdates under AutomaticActions, but an existing DDM software update rule (system_settings_security_update_install.yaml) uses InstallSecurityUpdate (singular). Since these keys must match Apple’s SoftwareUpdateSettings schema exactly, please verify the correct key name and align usage across rules to avoid generating a non-functional DDM declaration.

Suggested change
InstallSecurityUpdates: AlwaysOn
InstallSecurityUpdate: AlwaysOn

Comment on lines +57 to +61
ddm_info:
declarationtype: com.apple.configuration.softwareupdate.settings
ddm_key: AutomaticActions
ddm_value:
InstallSecurityUpdates: AlwaysOn

Copilot AI Apr 3, 2026


With the new ddm_info block, the rule’s check still inspects the legacy com.apple.SoftwareUpdate defaults (CriticalUpdateInstall). If DDM is the intended enforcement mechanism on supported macOS versions, this check may not reflect the effective policy. Consider validating DDM state from /var/db/softwareupdate/SoftwareUpdateDDMStatePersistence.plist (or otherwise detecting DDM vs profile-backed configuration) so compliance reporting stays accurate.

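A DDM-aware compliance check of the kind the review comments above ask for, added here as an illustration; it is not code from this PR or from the macos_security project. It assumes a SoftwareUpdateDDMStatePersistence.plist layout with a top-level AutomaticActions dictionary (the sample plist is constructed), an allowed key set in which the security-update key is the singular InstallSecurityUpdate as in the existing rule the review cites, and a legacy-key mapping that is the editor's own assumption.

```python
import plistlib

# Assumed (not from the PR): keys accepted under AutomaticActions in the
# com.apple.configuration.softwareupdate.settings declaration. The singular
# InstallSecurityUpdate follows the existing rule named in the review.
DDM_AUTOMATIC_ACTION_KEYS = {"Download", "InstallOSUpdates", "InstallSecurityUpdate"}

# Assumed mapping from each DDM action to the legacy com.apple.SoftwareUpdate
# default that the rules' current osascript checks read.
LEGACY_KEY_FOR_ACTION = {
    "Download": "AutomaticDownload",
    "InstallOSUpdates": "AutomaticallyInstallMacOSUpdates",
    "InstallSecurityUpdate": "CriticalUpdateInstall",
}

# Constructed sample of a DDM state plist: DDM has applied two actions,
# but nothing has been written to the legacy defaults domain.
SAMPLE_DDM_STATE = plistlib.dumps({
    "AutomaticActions": {"Download": "AlwaysOn", "InstallOSUpdates": "AlwaysOn"}
})


def validate_ddm_value(ddm_value):
    """Return ddm_value keys the DDM schema would reject (e.g. a pluralised name)."""
    return sorted(set(ddm_value) - DDM_AUTOMATIC_ACTION_KEYS)


def ddm_action_state(plist_bytes, action):
    """Read AutomaticActions.<action> from DDM state bytes; None if DDM never set it."""
    state = plistlib.loads(plist_bytes)
    return state.get("AutomaticActions", {}).get(action)


def rule_compliant(action, ddm_plist=None, legacy_defaults=None):
    """DDM state is authoritative when it carries the action; else use the legacy default.

    This is the branching the review suggests: a host enforced purely by DDM
    passes even though the legacy defaults are empty, and a host without a
    DDM entry for the action is still judged by its profile-backed default.
    """
    if ddm_plist is not None:
        ddm_state = ddm_action_state(ddm_plist, action)
        if ddm_state is not None:
            return ddm_state == "AlwaysOn"
    legacy_key = LEGACY_KEY_FOR_ACTION[action]
    return bool((legacy_defaults or {}).get(legacy_key, False))


if __name__ == "__main__":
    print(validate_ddm_value({"InstallSecurityUpdates": "AlwaysOn"}))
    print(rule_compliant("Download", ddm_plist=SAMPLE_DDM_STATE, legacy_defaults={}))
```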


Development

Successfully merging this pull request may close these issues.

Use of deprecated payload com.apple.SoftwareUpdate
