Suppressing the macOS Software Update Alert Icon via Configuration Profile in Jamf Pro

This builds on a previous post about suppressing the alert icon that appears on the System Preferences app when macOS sees available software updates.

If you are using Jamf Pro as your MDM, you are not likely to see the preference needed to suppress this alert added to it, as it’s not documented by Apple. And because the preference lives within com.apple.systempreferences.plist, which is an Apple-supported payload for restricting access to preference panes in System Preferences, managing this preference natively requires making the profile read-only by code-signing it outside of Jamf.

If you happen to have a locally mirrored Apple Software Update Server like we do, you can still benefit from managing this preference via profile. Even though you control which updates are available and when, per this post, if your Macs do not automatically check for updates, they are not getting security updates such as XProtect. As such, you’ve needed to remove the config-data type attribute so that these appear as regular updates and get installed.

At JNUC 2019, there was a good presentation on how to update and sign profiles outside of Jamf Pro. While you can certainly use a self-signed certificate as demonstrated in the video, you might consider creating an Apple Developer account instead so you can get a fully trusted certificate chain. If you’re an EDU institution like we are, you can actually get this for free after jumping through a few hoops. After paying an upfront $100 for the account, you can request to get reimbursed as an education institution and once approved, you will be refunded and all subsequent annual renewal costs will be waived. Once you have a Developer account, you can create and download your cert and install it in your Mac keychain.

With the certificate in your keychain, you can most efficiently create the necessary profile with ProfileCreator, as the preference key necessary to suppress this alert is readily available. With the app downloaded, click in the search field at the bottom left and search for ‘System’. From the list on the left, select the payload titled ‘System Preferences’.

In the main window, click the ‘Add’ button at the top right to add the payload to the profile. Next, select the ‘Other’ menu option to reveal the preference key we need. Click the plus button to the left of the preference to add it to the payload. Once added, it will look like the image below. If you have any difficulty with these steps, consult the ProfileCreator wiki.

While you can click the plus button to explicitly define a value of 0 for the com.apple.preferences.softwareupdate preference pane bundle ID (this will be supplied automatically if added), leaving the preference blank is enough.

Click the XML button at the top right to verify that the AttentionPrefBundleIDs dictionary key is both present and empty.

Lastly, click the ‘General’ payload from the top left to give your profile a title, description, and importantly to set the scope of the profile to System. While the AttentionPrefBundleIDs key is handled at the user-level com.apple.systempreferences.plist file, setting the profile to system will work and ensure any user on the Mac does not see this alert icon.

With all this done, you can export your profile. If this is your first time using ProfileCreator, you will also need to enable some settings to allow it to access and use your certificate to sign the profile. More information can be found in the ProfileCreator wiki.

After entering admin credentials to sign the profile, you should have a signed configuration profile which Jamf cannot alter.

Thankfully, the com.apple.systempreferences payload allows multiple profiles and/or payloads to manage preferences without creating a conflict, so any existing Restrictions payloads in profiles you’ve already created in Jamf won’t be affected. All that’s left is to upload your signed profile.
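Before uploading, the exported file can be checked against the points made above: that it is wrapped in a signature, scoped to System, and carries an AttentionPrefBundleIDs dictionary that is empty or holds only the Software Update pane set to 0. The script below is an added example, not part of the original post or of ProfileCreator. The sample profile it builds is constructed, its "signed" form is a fake wrapper rather than a real CMS signature, and the assumption that the XML sits contiguously inside a signed file is mine.

```python
import plistlib

PANE = "com.apple.preferences.softwareupdate"  # bundle ID named in the post

def load_profile(data: bytes):
    """Return (signed, profile_dict) for raw .mobileconfig bytes."""
    signed = not data.lstrip().startswith((b"<?xml", b"bplist"))
    if signed:
        # Assumption: the XML plist sits contiguously inside the CMS wrapper.
        # This only locates it; it does not validate the signature. On a Mac,
        # `security cms -D -i FILE` decodes the wrapper.
        start, end = data.find(b"<?xml"), data.rfind(b"</plist>")
        if start < 0 or end < start:
            raise ValueError("no embedded XML plist found")
        data = data[start:end + len(b"</plist>")]
    return signed, plistlib.loads(data)

def check_profile(data: bytes):
    """Return a list of problems; an empty list matches what the post describes."""
    signed, profile = load_profile(data)
    problems = []
    if not signed:
        problems.append("unsigned: the post signs the profile so Jamf cannot alter it")
    if profile.get("PayloadScope") != "System":
        problems.append("PayloadScope is not System")
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.systempreferences"]
    if not payloads:
        problems.append("no com.apple.systempreferences payload")
    for p in payloads:
        ids = p.get("AttentionPrefBundleIDs")
        if not isinstance(ids, dict):
            problems.append("AttentionPrefBundleIDs dictionary is missing")
        elif any(k != PANE or v != 0 for k, v in ids.items()):
            problems.append("AttentionPrefBundleIDs has entries other than " + PANE + " = 0")
    return problems

def sample_profile(scope="System", ids=None, signed=True):
    """Constructed sample profile; the 'signed' form is a fake wrapper, not real CMS."""
    payload = {"PayloadType": "com.apple.systempreferences", "PayloadVersion": 1,
               "PayloadIdentifier": "example.systempreferences",
               "AttentionPrefBundleIDs": {} if ids is None else ids}
    xml = plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                          "PayloadIdentifier": "example.profile",
                          "PayloadScope": scope, "PayloadContent": [payload]})
    return b"\x30\x80" + xml + b"\x00\x00" if signed else xml

if __name__ == "__main__":
    print(check_profile(sample_profile()))  # constructed input
```

To check a real export, pass the file's bytes to check_profile(), for example check_profile(open(path, "rb").read()).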

Once uploaded into Jamf Pro, you will notice that there are no payloads listed along the left side as you normally would see. This is normal. Add a computer scope for your profile, save it, and watch that pesky red alert icon disappear!

Note: In my experience, you either need to reboot the machine after the profile is installed or run a killall cfprefsd && killall Dock to no longer see the alert icon.
