As a follow-up to my previous post for managing Background Security Improvements (BSIs) using Jamf Pro’s Blueprints, it looks like I misunderstood what one of the management options was actually doing. As part of my prior post, I had said that in order to set this:

• Background Security Improvements will be automatically installed

You needed to do the following in the Blueprint’s Software Update Settings component:

1. Go to the Background Security Improvements section
2. Select the following options to apply the desired settings:

• Background Security Improvements updates will be installed:
• Select Allow for Background Security Improvements installation

That enables an installation option, but not the automatic installation option. For more details, please see below the jump.

What installation option is being enabled? As it turns out, what’s enabled is the logged-in user’s ability to manually select installing the BSI. You can see this by setting the Background Security Improvements installation setting to Allow.

Once that’s been set and deployed to devices, look at System Settings: Privacy & Security: Background Security Improvements on a device that the setting has been deployed to. If there’s a BSI available to install, you’ll see it listed there along with an Install button.

Next, let’s set Background Security Improvements installation to Restrict and deploy the settings to devices.

Now when we look at System Settings: Privacy & Security: Background Security Improvements on a managed device, that section and its Install button have disappeared.

That means that the only install option available now is the automatic install option. Where’s that managed from? That is also managed in the Software Update Settings component, but in a different section. To set management for automatic installation of BSI updates:

1. Go to the Install Actions section
2. Select the following options to apply the desired settings:

• Automatic installs of available security updates:
• Select Always

When those settings are deployed to devices, you can go to System Settings: Privacy & Security: Background Security Improvements on a managed device and see that the Automatically Install setting is enabled and grayed out. There should also be a message that the setting is managed by your organization.

You can also disable automatic installation of BSIs, but a very important thing to be aware of is that the Automatic installs of available security updates setting is managing all background security updates for macOS, not only BSIs. This includes updates for Gatekeeper, XProtect and verifying the firmware that your Mac uses. Please keep that in mind if you want to disable automatic installs of BSIs.

If you’ve considered this information and still want to disable automatic installs of BSI updates, you can do so by using the following process:

1. Go to the Install Actions section
2. Select the following options to apply the desired settings:

• Automatic installs of available security updates:
• Select Never

When those settings are deployed to devices, you can go to System Settings: Privacy & Security: Background Security Improvements on a managed device and see that the Automatically Install setting is disabled and grayed out. There should also be a message that the setting is managed by your organization.