fleet/it-and-security/lib/macos/scripts/update-safari.sh
Allen Houchins cc6b995e22
Add automated Safari policy update and remediation (#35890)
This pull request introduces automation for keeping the Fleet macOS
Safari update policy current, along with a new script for updating
Safari on endpoints. The main changes include a new GitHub Actions
workflow step to run an automated script that checks for the latest
Safari versions, updates the policy YAML if needed, and creates a pull
request with the changes. Additionally, a new endpoint script is added
to perform Safari updates via `softwareupdate`.

**Automation for Safari Policy Updates:**

* Added `.github/scripts/dogfood-policy-updater-latest-safari.sh`, a
script that fetches the latest Safari versions from the SOFA feed,
compares them to the versions in `update-safari.yml`, updates the YAML
if necessary, and automatically creates a pull request with reviewers
assigned.
* Updated `.github/workflows/dogfood-automated-policy-updates.yml` to
add a step that runs the new Safari version update script as part of the
workflow, using the required automation secrets.

**Policy and Endpoint Script Enhancements:**

* Added a new policy to
`it-and-security/lib/macos/policies/update-safari.yml` that checks if
the installed Safari version matches the latest for macOS 15 (Safari
18.6) and macOS 26 (Safari 26.1).
* Introduced `it-and-security/lib/macos/scripts/update-safari.sh`, a
script for endpoints that runs `softwareupdate` with the `--safari-only`
flag, logging the outcome and requiring root privileges.
2026-01-08 11:00:31 -06:00
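The policy described above checks whether the installed Safari build matches the latest for the host's macOS major. The following is an added example (not code from the Fleet PR or repository) that mirrors that compliance logic as a testable shell function; the expected versions are the ones the description names, and the function names, the Safari Info.plist path and the sample values are assumptions.

```bash
#!/bin/bash
# Added example: compliance check mirroring the update-safari.yml policy
# described in the PR. Not part of the Fleet repository.

# Latest expected Safari version per macOS major, as stated in the PR.
expected_safari_version() {
  case "$1" in
    15) echo "18.6" ;;
    26) echo "26.1" ;;
    *)  return 1 ;;   # no expectation defined for this macOS major
  esac
}

# Exit status: 0 compliant, 1 installed version lags the expected one,
# 2 the macOS major is not covered by the policy (so it cannot pass).
safari_policy_status() {
  local macos_major="$1" installed="$2" expected
  expected=$(expected_safari_version "$macos_major") || return 2
  [ "$installed" = "$expected" ] && return 0
  return 1
}

# On a macOS host read both inputs from the system (Info.plist path is an
# assumption); elsewhere run against constructed sample values.
main() {
  local major installed rc
  local plist="/Applications/Safari.app/Contents/Info.plist"
  if [ "$(uname)" = "Darwin" ] && [ -r "$plist" ]; then
    major=$(sw_vers -productVersion | cut -d. -f1)
    installed=$(defaults read "$plist" CFBundleShortVersionString)
  else
    major=15; installed="18.5"   # constructed sample: macOS 15 with a lagging Safari
  fi
  rc=0; safari_policy_status "$major" "$installed" || rc=$?
  case "$rc" in
    0) echo "Safari $installed on macOS $major: compliant" ;;
    1) echo "Safari $installed on macOS $major: expected $(expected_safari_version "$major")" ;;
    *) echo "macOS $major: no expected Safari version defined in policy" ;;
  esac
}

main "$@"
```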
#!/bin/bash
# Safari Update Script
# This script runs softwareupdate to install Safari updates only
set -e

# Log file location
LOG_FILE="/var/log/safari_update.log"

# Function to log messages (to stdout and the log file)
log() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
}

# Check if running as root
if [ "$EUID" -ne 0 ]; then
    log "Error: This script must be run as root (use sudo)"
    exit 1
fi

log "Starting Safari update process..."

# Run softwareupdate to install Safari updates only
# The --safari-only flag ensures only Safari updates are installed
if /usr/sbin/softwareupdate -i --safari-only; then
    log "Safari update completed successfully"
    exit 0
else
    log "Error: Safari update failed or no Safari updates available"
    exit 1
fi