Ignore a specific macOS update using softwareupdate

There are a few different ways you can go about managing updates for macOS. They’ll all have their pros and cons. In this post, I’m just going to focus on one method that may come in handy for you.

The command softwareupdate has an ignore flag which lets you specify an update you want to ignore when the OS tries to check for software updates. The man page for softwareupdate tries to explain its usage:

NAME
softwareupdate -- system software update tool

SYNOPSIS
softwareupdate command [args ...]

DESCRIPTION
......

--ignore identifier ...
Manages the per-machine list of ignored updates. The identifier is the first part of the item name (before the dash and version number) that is shown by --list. See EXAMPLES.

--reset-ignored
Clears the per-machine list of ignored updates.
......

EXAMPLES
The following examples are shown as given to the shell:

softwareupdate --list

Software Update Tool

Finding available software
Software Update found the following new or updated software:
* MacBookAirEFIUpdate2.4-2.4
MacBook Air EFI Firmware Update (2.4), 3817K [recommended] [restart]
* ProAppsQTCodecs-1.0
ProApps QuickTime codecs (1.0), 968K [recommended]
* JavaForOSX-1.0
Java for OS X 2012-005 (1.0), 65288K [recommended]
......

sudo softwareupdate --ignore JavaForOSX

Ignored updates:
(JavaForOSX)

The problem I’ve run into is that the “identifier” is not always very clear. For example, if you look at the example they provide, the identifier to ignore is “JavaForOSX” but the update is listed as “JavaForOSX-1.0” or “Java for OS X 2012-005 (1.0)” when you pull a list of all available software updates. Which one are you supposed to use? And why are they all different?

Someone on the MacAdmins Slack was nice enough to share a little bit of knowledge which I wanted to share forward.

  1. Find a Mac with updates you want to block. You can either open up Software Update or the App Store > Update tab, or alternatively use sudo softwareupdate -l.
  2. Once you’ve got a list of updates, run the command defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist, which should list some of the available updates in a dictionary key.
    Below is an example. Pay attention to the Product Key value:

    {
    "Display Name" = Safari;
    "Display Version" = "12.0.2";
    Identifier = "Safari12.0.2HighSierraAuto";
    "Product Key" = "041-08765";
    }
  3. Technically, the Identifier is all you need there. The rest of the steps are not necessary. However, for the sake of documentation, you can gain the same information elsewhere.
  4. Open up Finder and go to: /Library/Updates/
  5. Assuming there are available updates, you will find a folder containing a Product Key number (e.g. 041-20511). Each of those folders represents an available update. You can reconcile the Product Key IDs with what you found earlier.
  6. Open that directory and you should see a .dist file (e.g. 041-20511.English.dist). Open that .dist in a text editor. You will see that this file is simply XML.
  7. Do a find on the .dist file for the property tag suDisabledGroupID. This key is what holds the value you want. To continue with the example, suDisabledGroupID="Security Update 2018-003"

You can now use softwareupdate to ignore this specific update: sudo softwareupdate --ignore "Security Update 2018-003"

You can also ignore multiple updates at once:

sudo softwareupdate --ignore "Security Update 2018-002" "Security Update 2018-003"

Note: This does NOT prevent someone from manually downloading the update and installing it. It only prevents macOS from listing the specific ignored update as an available update via the command line and user interface (App Store, System Preferences).
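
The folder-to-identifier lookup from steps 4 to 7, as an added shell example that is not part of the original post: it prints each Product Key folder next to the suDisabledGroupID values found in its .dist files. The function names and the sample XML are constructed for illustration, and the attribute is assumed to appear in the double-quoted form shown in step 7.

```shell
#!/bin/sh
# Added example (not from the original post): pair each Product Key folder
# under an updates directory with the suDisabledGroupID in its .dist files.

# list_ignore_ids [DIR] prints "ProductKey<TAB>suDisabledGroupID" lines.
# DIR defaults to /Library/Updates, the location named in the post.
list_ignore_ids() {
    updates_dir="${1:-/Library/Updates}"
    find "$updates_dir" -type f -name '*.dist' 2>/dev/null |
    while IFS= read -r dist; do
        key=$(basename "$(dirname "$dist")")
        # grep -o emits every match, so repeated attributes are all seen;
        # "|| true" keeps a .dist without the attribute from being an error.
        { grep -o 'suDisabledGroupID="[^"]*"' "$dist" 2>/dev/null || true; } |
        sed -e 's/^suDisabledGroupID="//' -e 's/"$//' |
        while IFS= read -r id; do
            # An empty value cannot be passed to --ignore, so skip it.
            if [ -n "$id" ]; then printf '%s\t%s\n' "$key" "$id"; fi
        done
    done | sort -u   # localized .dist files repeat the same value
}

# make_sample_updates DIR builds a constructed stand-in for /Library/Updates.
# The XML is a minimal illustration, not a real Apple .dist file.
make_sample_updates() {
    mkdir -p "$1/041-20511" "$1/041-08765"
    cat > "$1/041-20511/041-20511.English.dist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<installer-gui-script>
  <choice id="su" suDisabledGroupID="Security Update 2018-003"/>
</installer-gui-script>
EOF
    cp "$1/041-20511/041-20511.English.dist" \
       "$1/041-20511/041-20511.French.dist"
    # This folder's .dist has no suDisabledGroupID and yields no output line.
    printf '<installer-gui-script/>\n' > "$1/041-08765/041-08765.English.dist"
}

# Demo on the constructed tree; on a Mac, call list_ignore_ids with no argument.
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    make_sample_updates "$demo_dir"
    list_ignore_ids "$demo_dir"
    rm -rf "$demo_dir"
fi
```

Each value in the second column is the string the post passes, quoted, to sudo softwareupdate --ignore.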

If you want to reset the updates you’ve ignored, run the command sudo softwareupdate --reset-ignored

Or you can alternatively make use of a tool like SUS Inspector to give you this and more information.