As of Deep Freeze Mac 7.1, the software automatically performs the following steps to help manage software updates in macOS.
- The Deep Freeze product will explicitly turn off automatic macOS updates at startup (on both High Sierra and Mojave).
- Deep Freeze will install two configuration profiles: one for disabling software update notification (that may pop up on the top right corner of the monitor), and another to restrict software updates to admin users only.
A number of other options govern the behaviour of updates on High Sierra and Mojave based systems:
"Check for updates" (Mojave) or "Automatically check for updates" (High Sierra) will automatically check for available updates, and notify you that an update is available. This option is required for the Gatekeeper updates and Apple's malware definition updates (i.e. the "Install system data files and security updates" option). Any user (Admin or Standard user) can then install the update by clicking the "Install" button. One way of preventing Standard users from installing updates is to use a configuration profile; however, it only works on Mojave or higher. A sample profile is included at the end of this document.
"Download new updates when available" (Mojave) or "Download newly available updates in the background" (High Sierra) will download updates to the computer. If this option is enabled and updates were downloaded, restarting the computer while in Frozen mode will remove the downloaded files. Although this option is harmless, it will consume bandwidth depending on how often the computer is restarted. This option will also notify (when enabled) the currently logged on user that updates are ready to install.
"Install macOS update" will automatically install downloaded macOS updates and restart the computer after the installation completes. It is critical that this option be disabled, because of the potential problems that can occur if the system files on the special volume are updated and become out of synchronization with the rest of the operating system. This can result in a number of problems including system corruption that can render the system unable to properly boot.
"Install app updates from the App Store" (Mojave) or "Install app updates" (High Sierra) will download app updates from the App Store when they are available. This option has the same impact as "Download new updates when available": all updated apps will be restored when the computer is restarted.
"Install system data files and security updates" will install system files and security updates automatically, including Gatekeeper configuration data. This option requires that "Check for updates" is enabled, but is independent of "Download new updates when available".
Assess this option based on your organization's setup and IT policy:
- The system files downloaded as part of this option are quite likely stored on the startup volume, and therefore will not cause a mismatch if the computer is restarted. However, the update will be restored upon restart.
- Some security updates may require a restart. If this is the case, the restart will immediately restore the update.
- This option downloads Gatekeeper configuration data as it becomes available, as well as the XProtect configuration data, to keep the local definitions up to date.
"Automatically download apps purchased on other Mac computers" (High Sierra) will download apps that were purchased on other Mac computers if the same Apple ID is used to sign in. This option is harmless; however, all updates will be restored when the computer is restarted. On Mojave, the option is available under the App Store app's Preferences.
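
To check a machine's update settings against the guidance above, the following added example (not Faronics or Apple code) audits a `com.apple.SoftwareUpdate` preferences plist. The preference key names are not given on this page, and their mapping to the options described above is an assumption; the sample plist is constructed.

```python
import plistlib

# Constructed sample of com.apple.SoftwareUpdate preferences (not from a real machine).
# Key names are not on the page; their mapping to the UI labels is an assumption.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>AutomaticCheckEnabled</key><false/>
  <key>AutomaticDownload</key><true/>
  <key>AutomaticallyInstallMacOSUpdates</key><true/>
  <key>ConfigDataInstall</key><true/>
  <key>CriticalUpdateInstall</key><true/>
</dict></plist>"""

def audit(prefs):
    """Return (severity, key, message) findings for a preferences dict."""
    def on(key):
        # Only an explicit boolean true counts as enabled; absent keys are not guessed.
        return prefs.get(key) is True

    findings = []
    if on("AutomaticallyInstallMacOSUpdates"):
        findings.append(("critical", "AutomaticallyInstallMacOSUpdates",
                         "'Install macOS updates' is on; it must be disabled on a Frozen Mac"))
    for key in ("ConfigDataInstall", "CriticalUpdateInstall"):
        if on(key) and not on("AutomaticCheckEnabled"):
            findings.append(("warning", key,
                             "data/security updates need 'Check for updates' enabled"))
    if on("AutomaticDownload"):
        findings.append(("info", "AutomaticDownload",
                         "downloads are discarded on each Frozen restart and cost bandwidth"))
    return findings

def audit_plist(data):
    """Parse XML or binary plist bytes and audit the resulting dictionary."""
    return audit(plistlib.loads(data))

if __name__ == "__main__":
    for severity, key, message in audit_plist(SAMPLE_PLIST):
        print(f"{severity:8} {key}: {message}")
```

On a Mac, pass `audit_plist` the bytes of `/Library/Preferences/com.apple.SoftwareUpdate.plist` instead of the sample.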