Issue with 2020-01 Catalina Security Update Fixlet

Fixlet 10150018 in the Patches for Mac OS X site appears to have incorrect relevance… It’s showing as relevant on all of my 10.15.7 Catalina Macs even though Apple software update shows nothing needing to be updated…

Relevance 2 in the fixlet:
(exists string "ProductVersion" whose (it as version >= "10.15.6" and it as version < "2020-001") of dictionary of it) of file "/System/Library/CoreServices/SystemVersion.plist"

This will match all systems with 10.15.6 or 10.15.7 installed since “10.15.7” and “10.15.6” will always evaluate as less than “2020-01” cast to a version…
Q: “10.15.7” as version < “2020-01” as version
A: True

@mattporter, can you please open a support case with BigFix support regarding this relevance issue?

I can and will. It’s just super annoying how we have to do it (Fed)…

Another question semi-related… When did the Mac Patching Content go to just using the softwareupdate command in the action of patching fixlets… This change means that Mac Patching no longer technically delivers content over the relay network, and requires that the systems have internet access.

@drothert and @RhondaSTK_HCL, can we provide an official response to @mattporter’s last question? Thank you.

And to clarify, when I say “deliver Mac Content”, I mean the fixlet payloads themselves, like Windows does currently, and the Mac Patch fixlets used to do. The fixlets themselves are of course still traveling over the relays.

I’ve also opened a case to the Content team and am awaiting a response.

1 Like

So it looks like the Catalina 2020-01 fixlet was updated today… I confirmed I’m on the same site version listed in the update notice. Unfortunately, it’s still wrong… The updated fixlet relevance line reads:

(exists string "ProductVersion" whose (it as version >= "10.15.7" and it as version < "19H114") of dictionary of it) of file "/System/Library/CoreServices/SystemVersion.plist"

Which again, isn’t going to work, since you’re pulling the version string in the form “xx.yy.z” and comparing to a build version… Also, why are you reading the systemversion.plist instead of using the operating system inspector in this case? Wouldn’t it be faster?

Q: lines of file "/System/Library/CoreServices/SystemVersion.plist"
A: <?xml version="1.0" encoding="UTF-8"?>
A: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
A: <plist version="1.0">
A: <dict>
A: %09<key>ProductBuildVersion</key>
A: %09<string>19H114</string>
A: %09<key>ProductCopyright</key>
A: %09<string>1983-2020 Apple Inc.</string>
A: %09<key>ProductName</key>
A: %09<string>Mac OS X</string>
A: %09<key>ProductUserVisibleVersion</key>
A: %09<string>10.15.7</string>
A: %09<key>ProductVersion</key>
A: %09<string>10.15.7</string>
A: %09<key>iOSSupportVersion</key>
A: %09<string>13.6</string>
A: </dict>
A: </plist>
T: 3818

Q: (exists string "ProductVersion" whose (it as version >= "10.15.7" and it as version < "19H114") of dictionary of it) of file "/System/Library/CoreServices/SystemVersion.plist"
A: True
T: 260

Q: release of operating system
A: 10.15.7
T: 45

Q: releaseid of operating system
A: 19H114
T: 40
2 Likes

Jason, is your ticket for my specific issue with this fixlet, or my more general question about the fixlet payloads?

I have one on each. What I’m hearing about software update isn’t great though. My impression is that Apple blocked offline updates well over a year ago.

1 Like

You can still go in and grab them from the website here… https://support.apple.com/downloads

At least prior to Big Sur. I don’t see any 11.x updates there… That’s disappointing.

And I did open a ticket on the Fed side. Email me separately, and I’ll send it to you if you want it.

1 Like

Apple is no longer providing standalone Big Sur update packages for macOS updates (11.x). The supported update method is to call the softwareupdate command via MDM/remote management tools OR deploy the full OS installer.

2 Likes

This should be fixed in Patches for Mac OS X, site version 484.
The updated relevance checks ProductBuildVersion and ProductVersion separately. Can you verify whether this detects correctly for you?

(((exists (string “ProductBuildVersion” of it) whose (it as version < “19H114”)) AND (exists (string “ProductVersion” of it) whose (it as string = “10.15.7” ))) of dictionary of it) of file “/System/Library/CoreServices/SystemVersion.plist”

1 Like

Once I fixed the quotes… It looks like it will work…

Q: (((exists (string "ProductBuildVersion" of it) whose (it as version < "19H114")) AND (exists (string "ProductVersion" of it) whose (it as string = "10.15.7" ))) of dictionary of it) of file "/System/Library/CoreServices/SystemVersion.plist"
A: False
T: 209

Q: version of operating system
A: 10.15.7
T: 45

Q: releaseid of operating system
A: 19H114
T: 40

And for the next Catalina patch, 2021-01, the build is “19H512” so just to check comparing as versions:

Q: "19H114" as version < "19H512" as version
A: True
T: 52
3 Likes

Well, technically not a “Like”, but I understand… :smile:
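
The detection logic the thread converges on, as an added Python example (not from any poster and not BigFix content): match ProductVersion exactly, and order only build strings against build strings. The function names and the embedded plist are constructed for illustration, and the tuple ordering assumes ordinary macOS build strings of the form number, letter, number.

```python
import plistlib
import re

# Constructed sample mirroring the SystemVersion.plist values quoted in the thread.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>ProductBuildVersion</key>
  <string>19H114</string>
  <key>ProductVersion</key>
  <string>10.15.7</string>
</dict>
</plist>
"""

# Assumed build format: major number, uppercase letter, build number, optional suffix.
_BUILD_RE = re.compile(r"^(\d+)([A-Z])(\d+)([a-z]?)$")


def parse_build(build):
    """Split a build string such as '19H114' into a tuple that sorts correctly."""
    m = _BUILD_RE.match(build)
    if m is None:
        # Refuse to order anything that is not a build string, e.g. '10.15.7'
        # or '2020-001', instead of silently comparing mismatched formats.
        raise ValueError(f"not a macOS build string: {build!r}")
    major, letter, minor, suffix = m.groups()
    return (int(major), letter, int(minor), suffix)


def needs_update(plist_bytes, product_version, fixed_build):
    """True when the host runs product_version with a build older than fixed_build."""
    info = plistlib.loads(plist_bytes)
    if info["ProductVersion"] != product_version:
        return False
    return parse_build(info["ProductBuildVersion"]) < parse_build(fixed_build)


if __name__ == "__main__":
    # Host already on 19H114: not relevant for the fixlet that delivers 19H114.
    print(needs_update(SAMPLE_PLIST, "10.15.7", "19H114"))
    # Same host checked against the next Catalina build named in the thread.
    print(needs_update(SAMPLE_PLIST, "10.15.7", "19H512"))
```
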