Skip to content

Replace deprecated com.apple.SoftwareUpdate payload with supported configuration#653

Open
nancysangani wants to merge 1 commit intousnistgov:mainfrom
nancysangani:fix/deprecated-softwareupdate-payload
Open

Replace deprecated com.apple.SoftwareUpdate payload with supported configuration#653
nancysangani wants to merge 1 commit intousnistgov:mainfrom
nancysangani:fix/deprecated-softwareupdate-payload

Conversation

@nancysangani
Copy link
Copy Markdown

@nancysangani nancysangani commented Apr 3, 2026

Add DDM support for software update rules (fixes #633)

Replaces deprecated com.apple.SoftwareUpdate payload usage by adding DDM (com.apple.configuration.softwareupdate.settings) equivalents where supported.

Added ddm_info blocks to:

  • system_settings_software_update_download_enforce
  • system_settings_install_macos_updates_enforce
  • system_settings_critical_update_install_enforce

Existing mobileconfig blocks are retained for backward compatibility.

Some rules are unchanged due to lack of DDM support or scope limitations.

Copilot AI review requested due to automatic review settings April 3, 2026 18:08
@nancysangani nancysangani mentioned this pull request Apr 3, 2026
Open
Copilot AI reviewed Apr 3, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds Declarative Device Management (DDM) equivalents for several macOS Software Update enforcement rules to replace reliance on the deprecated com.apple.SoftwareUpdate payload, while keeping existing mobileconfig blocks for backward compatibility.

Changes:

  • Added ddm_info blocks using com.apple.configuration.softwareupdate.settings for automatic download, OS update install, and critical/security update install enforcement.
  • Mapped legacy profile keys to DDM AutomaticActions values (Download, InstallOSUpdates, InstallSecurityUpdates).
  • Retained existing mobileconfig_info payloads to support older OS versions / non-DDM deployments.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File Description
rules/system_settings/system_settings_software_update_download_enforce.yaml Adds DDM declaration for enforcing automatic software update downloads.
rules/system_settings/system_settings_install_macos_updates_enforce.yaml Adds DDM declaration for enforcing automatic macOS update installation.
rules/system_settings/system_settings_critical_update_install_enforce.yaml Adds DDM declaration for enforcing automatic installation of critical/security updates.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

rules/system_settings/system_settings_software_update_download_enforce.yaml
Comment on lines +45 to +49
ddm_info:
declarationtype: com.apple.configuration.softwareupdate.settings
ddm_key: AutomaticActions
ddm_value:
Download: AlwaysOn
Copy link

Copilot AI Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that this rule includes a DDM declaration, the check still reads com.apple.SoftwareUpdate user defaults via osascript. DDM software update settings are typically reflected in /var/db/softwareupdate/SoftwareUpdateDDMStatePersistence.plist (see system_settings_download_software_update_enforce.yaml), so this rule may report non-compliance even when DDM is correctly applied. Consider updating the check to detect/validate the DDM state (or support both mechanisms depending on OS/version).

Copilot uses AI. Check for mistakes.
rules/system_settings/system_settings_install_macos_updates_enforce.yaml
Comment on lines +45 to +49
ddm_info:
declarationtype: com.apple.configuration.softwareupdate.settings
ddm_key: AutomaticActions
ddm_value:
InstallOSUpdates: AlwaysOn
Copy link

Copilot AI Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This adds a DDM declaration, but the rule’s check still validates com.apple.SoftwareUpdate defaults (AutomaticallyInstallMacOSUpdates). If DDM enforcement doesn’t write these defaults, compliance results can be incorrect on DDM-capable OS versions. Consider adding a DDM-aware check (similar to the /var/db/softwareupdate/SoftwareUpdateDDMStatePersistence.plist approach used in other DDM software update rules) or branching between legacy profile vs DDM state based on OS support.

Copilot uses AI. Check for mistakes.
rules/system_settings/system_settings_critical_update_install_enforce.yaml
declarationtype: com.apple.configuration.softwareupdate.settings
ddm_key: AutomaticActions
ddm_value:
InstallSecurityUpdates: AlwaysOn
Copy link

Copilot AI Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Potential key mismatch: this rule uses InstallSecurityUpdates under AutomaticActions, but an existing DDM software update rule (system_settings_security_update_install.yaml) uses InstallSecurityUpdate (singular). Since these keys must match Apple’s SoftwareUpdateSettings schema exactly, please verify the correct key name and align usage across rules to avoid generating a non-functional DDM declaration.

Suggested change
InstallSecurityUpdates: AlwaysOn
InstallSecurityUpdate: AlwaysOn

Copilot uses AI. Check for mistakes.
rules/system_settings/system_settings_critical_update_install_enforce.yaml
Comment on lines +57 to +61
ddm_info:
declarationtype: com.apple.configuration.softwareupdate.settings
ddm_key: AutomaticActions
ddm_value:
InstallSecurityUpdates: AlwaysOn
Copy link

Copilot AI Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With the new ddm_info block, the rule’s check still inspects the legacy com.apple.SoftwareUpdate defaults (CriticalUpdateInstall). If DDM is the intended enforcement mechanism on supported macOS versions, this check may not reflect the effective policy. Consider validating DDM state from /var/db/softwareupdate/SoftwareUpdateDDMStatePersistence.plist (or otherwise detecting DDM vs profile-backed configuration) so compliance reporting stays accurate.

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Use of deprecated payload com.apple.SoftwareUpdate

2 participants

@nancysangani