softwareupdate command "freezes" when it is executed by launchd

Device Model & OS Version

  • MacBook Pro (16-inch, 2019) Intel
  • macOS Monterey 12.0.1 (21A559)

Issue Description

  • softwareupdate -d -a
  • softwareupdate -i -a --restart

Commands above "freeze" when they are executed as launchd tasks.

sudo launchctl load -w /Library/LaunchDaemons/com.jamfsoftware.task.runMacOSUpdatesInstalling.plist

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.jamfsoftware.task.runMacOSUpdatesInstalling</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/softwareupdate</string>
        <string>-i</string>
        <string>-a</string>
        <string>--restart</string>
        <string>--force</string>
    </array>
    <key>StartInterval</key>
    <integer>60</integer>
    <key>UserName</key>
    <string>root</string>
</dict>
</plist>

Issue Root Analysis

If softwareupdate commands are executed through the Terminal, they show notifications in the macOS Notification Center (as shown in the screenshot).

When softwareupdate commands are run as launchd tasks, they also try to show a notification, but a GUI cannot be launched by a daemon in macOS, and the commands freeze.

Impact on Users

The problems described make it difficult to automate operating system updates using MDM, such as Jamf. This has a negative impact on macOS security management.

Question

Perhaps someone has encountered a similar problem and knows how to execute the above commands as launchd tasks?


Replies

Disabling the Software Update notifications worked fine in testing on VMs, but for some reason I'm still having the same issue on laptops. See the below issue and workaround in the Super Script: https://github.com/Macjutsu/super/issues/11

Obligatory: "Did you file feedback with Apple?"

Seriously, though, can you share the FB # and have you received any response from Apple about this?

One of the default settings in Jamf is to simply run softwareupdate to check for available updates, not even to enforce them. This check triggers the User Notification. And the problems seem to have started with Big Sur.

In addition to my request about whether you filed feedback... you should know that the '--restart' option does not work on Macs with Apple Silicon. Apple doesn't let 'root' do this for some godforsaken reason, even though forcing a machine to install updates signed by Apple poses absolutely no security risk to the user.

And before someone says 'on Apple Silicon, it requires a volume owner to enter their password to approve the updates' — I'm well aware of the mechanics and how it is connected to iOS, where the user enters their passcode to allow updates to install when the device is idle. The question is... WHY was this security mechanism implemented on the Mac, and why can't root trigger the update cycle anymore. It added a lot of management headache for little tangible benefit to administrators.