Knowledgebase
Deep Freeze Mac 7 and Automatic Software Update
Posted by Adam Zilliax, Last modified by Adam Zilliax on 10 April 2019 12:02 PM
macOS offers automatic software update feature, where if enabled and configured, will download available updates and install them. If a computer has Deep Freeze Mac 7 (or higher) installed and enabled, it is strongly recommended that automatic software update feature is disabled.

Starting with macOS High Sierra some system files are stored on a special volume not protected by Deep Freeze Mac when the system is configured to use a APFS volume to boot from. When macOS applies macOS updates, some or all of these files on the special volume may be updated. As macOS expects all system files to be synchronized unexpected problem may occur if the startup volume is being restored by Deep Freeze Mac upon restart and those files are not in synch with each other.

Turning off automatic software update can be done from System Preferences, 
  • On macOS High Sierra, open System Preferences and select App Store to clear the check box titled “Automatically check for updates”.
  • On macOS Mohave, open System Preferences and select Software Update, then click on Advanced… button.
This setting can also be changed from the terminal using the command below;
  • sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -boolean FALSE
This command does require administrative rights on the client system.


Below is important information you should consider before enabling each of the options. For all the options, it is assumed that Deep Freeze Mac is enabled and the startup volume is Frozen.


"Check for updates" (MohaveMohave) or "Automatically check for updates" (High Sierra) will automatically check for available updates, and notify you that an update is available. This option is required for the Gatekeeper updates and Apple's malware definition updates (ie. the "Install system data files and security updates" option). Any user (Admin or Standard user) can then install the update by clicking the "Install" button. One way of preventing Standard users from installing updates is using Configuration Profile, however it only works on MohaveMohave or higher. A sample profile is included at the end of this document.

"Download new updates when available" (Mohave) or "Download newly available updates in the background" (High Sierra) will download updates to the computer. If this option is enabled and updates were downloaded, restarting the computer while in Frozen mode will remove the downloaded files. Although this option is harmless, it will consume bandwidth depending on how often the computer is restarted. This option will also notify (when enabled) the currently logged on user that updates are ready to install.

"Install macOS update" will automatically install downloaded macOS updates and restart the computer after the installation completes. It is critical that this option be disabled, because of the potential problems that can occur if the system files on the special volume are updated and become out of synchronization with the rest of the operating system. This can result in a number of problems including system corruption that can render the system unable to properly boot.

"Install app updates from the App Store" (MohaveMohave) or "Install app updates" (High Sierra) will download app updates from App Store when they are available. This option has the same impact as "Download new updates when available", all updated apps will be restored when the computer is restarted.

"Install system data files and security updates" will install system files and security updates automatically, including Gatekeeper configuration data. This option requires that "Check for updates" is enabled, but independent of

"Download new updates when available".
Assess this option based on your organization's setup and IT policy:
  • The system files downloaded as part of this option are quite likely stored on the startup volume, and therefore will not cause mismatch if the computer is restarted, however the update will be restored upon restart
  • Some security updates may require restart. If this is the case, the restart will immediately restore the update
  • Downloading Gatekeeper configuration data as available, as well as the XProtect configuration data to keep the local definition up to date
"Automatically download apps purchased on other Mac computers" (High Sierra) will download apps that were purchased on other Mac computers if the same Apple ID is used to sign in. This option is harmless, however all updates will be restored when the computer is restarted. On MohaveMohave, the option is available under the App Store.app's Preferences.


Sample Configuration Profile for MohaveMohave or higher (save this with extension name ".mobileconfig"):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>restrict-software-update-require-admin-to-install</key>
<true/>
<key>PayloadDescription</key>
<string>Restricts software updates to admin users.</string>
<key>PayloadDisplayName</key>
<string>Software Update Settings</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.apple.SoftwareUpdate.FC12D323-C42B-4699-A3E1-A37542C0E5FD</string>
<key>PayloadOrganization</key>
<string>Faronics</string>
<key>PayloadType</key>
<string>com.apple.SoftwareUpdate</string>
<key>PayloadUUID</key>
<string>E83C8F2A-8CE7-4076-BD7F-82A3BD8E4491</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>macOS Software Update Settings</string>
<key>PayloadDescription</key>
<string>Restricts software updates to admin users.</string>
<key>PayloadIdentifier</key>
<string>com.apple.SoftwareUpdate.E10386EF-1627-4C66-9021-04540EE9F869</string>
<key>PayloadOrganization</key>
<string>Faronics</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>A0E4D570-0833-43B6-B799-307CABE67E78</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
(0 vote(s))
Helpful
Not helpful

Comments (0)