Automox Worklet: Deferred Reboot on macOS Devices

This worklet detects whether a macOS device has a reboot pending and, if so, notifies the logged-in user to reboot. If the user does not reboot within the timeframe you configure, the script forces a reboot. If the device is sitting at the login window (no user logged in), it reboots immediately with no notification.

Example notifications:

Reboot now or defer notification

The Reboot Now button does just that: it reboots the device immediately.

The Later button closes the notification; it is shown again after the interval you configure (below), until the forced-reboot deadline is reached.

Deferred Reboot on macOS: Evaluation and Remediation Code

To create this Worklet, use the evaluation and remediation code scripts below. You can set the following options in the Remediation script:

  • title - The title of the notification
  • message - The message content (use %TIME% in your message to display the time left in minutes)
  • forceRebootIn - The number of minutes until the macOS device is force rebooted
  • notifyInterval - Show the above notification every X minutes until a reboot occurs
  • notifyTimeout - How long (in seconds) the above notification stays on the screen before closing; closing is treated as a deferral
  • iconFile - Upload a .icns file to the worklet and specify its name here

Evaluation:

#!/bin/bash

# If either of these volumes exists, a macOS update or a macOS security update is staged
# and will install on the next reboot. Report non-compliant (exit 1) so that the
# remediation script runs; exit 0 means nothing is pending.
if [[ -d "/Volumes/macOS Base System" || -d "/Volumes/OS X Base System" ]]; then
     exit 1
fi

exit 0

Remediation:

#!/bin/bash

# SET YOUR OPTIONS HERE
title="Security Updates"
message="Security updates will install on next reboot. Your computer will automatically reboot in %TIME% minutes"
forceRebootIn=90         # number of minutes until a reboot is forced
notifyInterval=15        # send the notification every X minutes
notifyTimeout=30         # number of seconds to show the notification (required to force the reboot)
iconFile="automox.icns"  # optional: this name must match the .icns file attached to your worklet

# CONSTANTS
# The worklet runs from the directory its attachments are unpacked into; convert that POSIX path
# to the colon-separated HFS form that the AppleScript "with icon alias" clause expects
iconFilePath="$(pwd | sed -E 's/^\///g;s/\//:/g'):${iconFile}"
# Short name of the user who owns the GUI session; empty when the device sits at the login window
console_user=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')
# Numeric UID of that user, needed by "launchctl asuser" to show dialogs in their session
# (only looked up when someone is logged in, so dscl is never called with an empty user name)
console_user_gui=""
if [[ -n "${console_user}" ]]; then
     console_user_gui=$(dscl . read "/Users/${console_user}" UniqueID | awk '{print $2}')
fi

function notificationResponse() {
     local osaResult

     # Show the dialog in the console user's GUI session. osascript prints a record such as
     # "button returned:Later, gave up:false"; the button name is empty when the dialog times out
     osaResult=$(launchctl asuser "${console_user_gui}" osascript << EOT
display dialog "${message//%TIME%/${time}}" with title "${title}" buttons {"Reboot Now", "Later"} default button {"Later"} giving up after ${notifyTimeout} ${addIcon}
EOT
)
     # Print just the name of the button that was clicked ("Reboot Now" or "Later")
     awk -F "[:|,]" '{print $2}' <<< "${osaResult}"
}

function rebootNow() {
     local notify=$1

     # Warn the logged-in user first when asked to; at the login window there is nobody to warn
     if [[ -n "${console_user}" && ${notify} -eq 1 ]]; then
          launchctl asuser "${console_user_gui}" osascript -e \
          "display dialog \"Your system will reboot now\" with title \"${title}\" buttons {\"Ok\"} giving up after ${notifyTimeout} ${addIcon}"
     fi
     # For a dry run on a test device, uncomment the echo and comment out the reboot
     # echo "reboot NOW"; exit 0
     launchctl reboot system
}

function notifyUser() {
     # minutes left before the forced reboot; also read by notificationResponse for %TIME%
     time=${forceRebootIn}

     while [[ ${time} -gt 0 ]]; do
          # send notification and act on the answer
          if [[ "$(notificationResponse)" == "Reboot Now" ]]; then
               rebootNow 0
          else
               # deferred (Later clicked or dialog timed out): wait one interval and ask again
               time=$(( time - notifyInterval ))
               echo "reboot deferred"
               sleep $(( notifyInterval * 60 ))
          fi
     done
}

# Add the icon clause to the dialogs if an icon file was configured
if [[ -n "${iconFile}" ]]; then
     addIcon="with icon alias \"${iconFilePath}\""
fi

# Main
if [[ -z "${console_user}" ]]; then
     echo "No console user detected, rebooting now"
     rebootNow 0
else
     notifyUser      # returns only once the deferral window has been used up
     rebootNow 1
fi

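Before rolling the Worklet out, it helps to exercise its decision logic somewhere that cannot reboot. The harness below is an added example, not code from the Automox Worklet or the original post: it mirrors the evaluation check and the deferral loop from both scripts above, with the volume paths and the user's dialog answers injected as arguments (a testing convention assumed here, not anything Automox provides), so it runs on any host without osascript, sleep or launchctl. The dialog output samples are constructed from the record syntax osascript prints for "display dialog".

```shell
#!/bin/sh
# Added offline test harness for the Worklet's decision logic (not part of the
# Automox Worklet). Volume paths and dialog responses are passed in as
# arguments, a hypothetical convention used only for testing.

# Mirror of the Evaluation script with the volume list as a parameter.
# Returns 1 (reboot pending, non-compliant) if any listed directory exists,
# 0 (compliant) otherwise. Automox runs remediation on a non-zero evaluation.
pendingRebootCheck() {
    for vol in "$@"; do
        if [ -d "$vol" ]; then
            return 1
        fi
    done
    return 0
}

# Parse the raw output of the Worklet's "display dialog" osascript call.
# Constructed sample outputs, in AppleScript's record syntax:
#   button returned:Reboot Now, gave up:false   -> user clicked Reboot Now
#   button returned:Later, gave up:false        -> user clicked Later
#   button returned:, gave up:true              -> notifyTimeout elapsed
# Only an explicit "Reboot Now" yields "reboot"; a timeout, an AppleScript
# error (empty output) or anything unexpected counts as a deferral, which is
# the fail-safe direction because the forceRebootIn deadline still applies.
parseDialogResponse() {
    button=$(printf '%s\n' "$1" | awk -F '[:,]' '/button returned/ {print $2}')
    if [ "$button" = "Reboot Now" ]; then
        echo "reboot"
    else
        echo "defer"
    fi
}

# Simulate notifyUser's countdown without sleeping.
# Usage: simulateCountdown forceRebootIn notifyInterval [response ...]
# Each response ("reboot" or "defer") is the user's answer at successive
# prompts; missing responses count as deferrals (the dialog timed out).
# Prints "<prompts shown> <outcome>": "user" when Reboot Now was clicked,
# "forced" when the deferral budget ran out and a reboot would be forced.
simulateCountdown() {
    remaining=$1
    interval=$2
    shift 2
    prompts=0
    while [ "$remaining" -gt 0 ]; do
        prompts=$((prompts + 1))
        if [ $# -gt 0 ]; then
            answer=$1
            shift
        else
            answer=defer
        fi
        if [ "$answer" = "reboot" ]; then
            echo "$prompts user"
            return 0
        fi
        # The Worklet subtracts notifyInterval per prompt; when forceRebootIn is
        # not a multiple of it, the final interval is simply shorter.
        remaining=$((remaining - interval))
    done
    echo "$prompts forced"
}
```

With the defaults (forceRebootIn=90, notifyInterval=15) the simulation shows six prompts before the reboot is forced, and with forceRebootIn=100, notifyInterval=30 it shows four. One caveat the simulation makes visible: in the real script each prompt waits up to notifyTimeout seconds before the interval sleep starts, so the wall-clock time until a forced reboot is forceRebootIn minutes plus up to notifyTimeout seconds per prompt.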

Step-by-Step: Create an Automox Worklet

To deploy this endpoint hardening Worklet, do the following:

  1. Log in to your Automox Console.
  2. Navigate to the System Management page and click Create Policy in the upper right-hand section of the screen.
  3. Choose Mac under Worklet.
  4. Copy and paste the Evaluation and Remediation code scripts shown above.
  5. Define a schedule for when you want this policy to run.
  6. Click Create Worklet.
  7. Assign the Worklet to one or more groups and click Save Changes.
  8. [Optional] To execute the Worklet manually, click the Execute Policy Now button.

You can assign this Worklet to any number of your macOS groups and execute the policy. You can also set the Worklet to run on a schedule like any other Worklet. View the original posting of this Worklet in the Automox community here.

As always, we suggest testing this on a few devices before deploying to a production environment. If you have any questions, please contact our support team for technical assistance at support@automox.com.

About Automox Automated Patch Management

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure. 

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.
