Reading DDM-managed Apple Software Update settings from the command line on macOS Tahoe 26.2.0
2025-12-17 15:16:51 Author: derflounder.wordpress.com


One of the challenges with reporting on DDM settings is that, as of macOS Tahoe 26.2.0, there are no command line tools available which can report on settings managed via DDM declarations. You can see the settings which have been applied on the managed Mac via System Settings, but so far that’s about it. However, in some cases, Apple is writing information for some DDM declarations to files which are readable by command line tools. I recently discovered that one of those declarations was the com.apple.configuration.softwareupdate.settings Software Update Settings declaration.

I have an earlier post on the Software Update Settings declaration and how it is used by Jamf Pro’s Blueprints. Using that information, I built and deployed a Software Update Settings declaration which has the following settings:

  • Standard users can’t install Apple software updates
  • Logged-in users will see all software update notifications
  • OS updates will be automatically downloaded
  • OS updates will be automatically installed
  • Security updates will be automatically installed
  • Rapid Security Response updates will be installed
  • Rapid Security Response updates can be removed

Once deployed to managed Macs, you should be able to verify these settings by looking at the Software Update Settings declaration’s listing in System Settings.

You can also verify them by checking the following file:

/var/db/softwareupdate/SoftwareUpdateDDMStatePersistence.plist

On a managed Mac with those DDM settings running macOS Tahoe 26.2.0, the SoftwareUpdateDDMStatePersistence.plist file should show information similar to what’s shown below:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>SUCorePersistedStateContentsType</key>
    <string>SoftwareUpdateCorePersistedStateFile</string>
    <key>SUCorePersistedStateCoreFields</key>
    <dict/>
    <key>SUCorePersistedStateCoreSecureCodedObjectsFields</key>
    <dict/>
    <key>SUCorePersistedStateCoreVersion</key>
    <string>2.1.0</string>
    <key>SUCorePersistedStatePolicyFields</key>
    <dict>
        <key>SUCoreDDMDeclarationGlobalSettings</key>
        <dict>
            <key>adminInstallRequired</key>
            <integer>1</integer>
            <key>automaticallyDownload</key>
            <integer>1</integer>
            <key>automaticallyInstallOSUpdates</key>
            <integer>1</integer>
            <key>automaticallyInstallSystemAndSecurityUpdates</key>
            <integer>1</integer>
            <key>enableGlobalNotifications</key>
            <true/>
            <key>enableRapidSecurityResponse</key>
            <true/>
            <key>enableRapidSecurityResponseRollback</key>
            <true/>
            <key>serializedKeys</key>
            <array>
                <string>com.apple.RemoteManagement.SoftwareUpdateExtension.GlobalSettings/811362F1-10F1-4D2F-BFB7-F97393F3F44C:Qmx1ZXByaW50XzM3MTllZWRlLTI0MjUtNGE2ZC04YjljLTIyMGViMzMwYWQ2NF9zMV9jMV9zeXNfY2ZnMQ==.NDg5NTdiNjZkYmUwMWM3YzM2MzcwMTJjNTkxZTg4MWM1ZDk3YTNkMWUxZTI1MjI0NTYwMmJlNjQ0MTFmYjdkOA==</string>
            </array>
        </dict>
    </dict>
    <key>SUCorePersistedStatePolicySecureCodedObjectsFields</key>
    <dict/>
    <key>SUCorePersistedStatePolicyVersion</key>
    <string>1.0</string>
</dict>
</plist>

From there, you can use tools like PlistBuddy to read the values stored in the /var/db/softwareupdate/SoftwareUpdateDDMStatePersistence.plist file. For example, the following command should read the value for the enableRapidSecurityResponse key from the SoftwareUpdateDDMStatePersistence.plist file.


/usr/libexec/PlistBuddy -c "Print :SUCorePersistedStatePolicyFields:SUCoreDDMDeclarationGlobalSettings:enableRapidSecurityResponse" /var/db/softwareupdate/SoftwareUpdateDDMStatePersistence.plist

If Rapid Security Response updates are set to be installed, that should give you a value of true:


username@Z6WCW076MR ~ % /usr/libexec/PlistBuddy -c "Print :SUCorePersistedStatePolicyFields:SUCoreDDMDeclarationGlobalSettings:enableRapidSecurityResponse" /var/db/softwareupdate/SoftwareUpdateDDMStatePersistence.plist
true
username@Z6WCW076MR ~ %

To the best of my knowledge, this method of verification is undocumented by Apple and they could choose to change it at any time. That said, if you’re looking for a way to report on Software Update Settings declaration settings, this is a way to do it as of macOS Tahoe 26.2.0.
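
For reporting on every setting at once rather than one key per PlistBuddy call, the same file can be audited against an expected baseline. The following is an added example, not code from the original post: it assumes Python 3 is installed on the Mac (macOS does not ship it by default), the BASELINE values and function names are hypothetical, and the embedded sample is constructed from the plist shown above. Because the file layout is undocumented, a missing key or missing dictionary is reported rather than treated as an error.

```python
import plistlib

# Location and key path as given in the post; undocumented and subject to change.
STATE_PLIST = "/var/db/softwareupdate/SoftwareUpdateDDMStatePersistence.plist"
KEY_PATH = ("SUCorePersistedStatePolicyFields", "SUCoreDDMDeclarationGlobalSettings")

# Assumed baseline: every setting from the declaration in the post is enabled.
BASELINE = dict.fromkeys((
    "adminInstallRequired", "automaticallyDownload",
    "automaticallyInstallOSUpdates", "automaticallyInstallSystemAndSecurityUpdates",
    "enableGlobalNotifications", "enableRapidSecurityResponse",
    "enableRapidSecurityResponseRollback"), True)

# Constructed sample, trimmed from the plist in the post, with one setting
# flipped to 0 and most keys removed to exercise the failure paths.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>SUCorePersistedStatePolicyFields</key><dict>
<key>SUCoreDDMDeclarationGlobalSettings</key><dict>
<key>adminInstallRequired</key><integer>1</integer>
<key>automaticallyDownload</key><integer>0</integer>
<key>enableRapidSecurityResponse</key><true/>
</dict></dict></dict></plist>"""

def read_settings(data):
    """Return the DDM global settings dict, or {} if the layout is absent."""
    node = plistlib.loads(data)
    for key in KEY_PATH:
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, dict) else {}

def audit(settings, baseline=BASELINE):
    """Map each baseline key to 'ok', 'mismatch' or 'missing'."""
    report = {}
    for key, want in baseline.items():
        if key not in settings:
            report[key] = "missing"
        else:
            # The file mixes <integer>1</integer> and <true/>; compare as booleans.
            report[key] = "ok" if bool(settings[key]) == want else "mismatch"
    return report

if __name__ == "__main__":
    # On a managed Mac, use: data = open(STATE_PLIST, "rb").read()
    for key, status in audit(read_settings(SAMPLE)).items():
        print(f"{key}: {status}")
```

A "missing" result on a Mac that should have the declaration applied is worth treating as a reporting failure in its own right, since it may mean the file format changed in a later macOS release.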


Source: https://derflounder.wordpress.com/2025/12/17/reading-ddm-managed-apple-software-update-settings-from-the-command-line-on-macos-tahoe-26-2-0/