Well, it happened. Apple has used the macOS Rapid Security Response feature for the first time since announcing it at WWDC.
It’s designed to enable quicker and more frequent security patching for the latest Apple operating systems, especially for WebKit-related flaws that affect Safari and other apps that use Apple’s built-in browser engine. If you’re looking for additional reading on what RSR is and how it works, the articles below are a good starting point:
- Apple: About Rapid Security Responses for iOS, iPadOS, and macOS
- The Eclectic Light Company: What is a Rapid Security Response (RSR)?
- Mykola’s blog: macOS’ Rapid Security Response: Designed into a Corner
It’s worth noting that this specific update is only available to the latest version of macOS 13.3.1, and that Apple has stated that security updates and patches may only be available to the latest versions of macOS moving forward.
If that doesn’t drive some urgency to update your Mac fleet, I don’t know what will. But how do you determine which computers have been successfully patched?
If you look up the macOS version on a patched Mac with sw_vers -productVersion, it still reports 13.3.1. Same with inspecting /System/Library/CoreServices/SystemVersion.plist. If you click on About This Mac, the window does properly list 13.3.1 (a), with the (a) indicating that the Rapid Security Response update has been applied.
How do we determine if the Rapid Security Response update was installed programmatically?
Here are four different options:
1. Use sw_vers ProductVersionExtra
sw_vers now includes a new key titled ProductVersionExtra after a Rapid Security Response update is installed. If you run /usr/bin/sw_vers on a machine that has been updated, you’ll see the following output:
    % /usr/bin/sw_vers
    ProductName: macOS
    ProductVersion: 13.3.1
    ProductVersionExtra: (a)
    BuildVersion: 22E772610a
So with /usr/bin/sw_vers -ProductVersionExtra, you can determine if the Rapid Security Update has been applied to 13.3.1.
2. Use system_profiler SPSoftwareDataType
You can also use system_profiler, which does display the fully patched version number with the (a) identifier.

    % system_profiler SPSoftwareDataType
    Software:

        System Software Overview:

          System Version: macOS 13.3.1 (a) (22E772610a)
          Kernel Version: Darwin 22.4.0
          Boot Volume: Macintosh HD
          Boot Mode: Normal
          Computer Name: Brian's Computer
          User Name: Brian
          Secure Virtual Memory: Enabled
          System Integrity Protection: Enabled
          Time since boot: 13 minutes, 51 seconds
If you wanted to extract the System Version number, you could awk it out using system_profiler SPSoftwareDataType | awk -F ': ' '/System Version/ {print $2}'
    % /usr/sbin/system_profiler SPSoftwareDataType | awk -F ': ' '/System Version/ {print $2}'
    macOS 13.3.1 (a) (22E772610a)
3. Use system_profiler SPInstallHistoryDataType
Alternatively, you can use the system_profiler SPInstallHistoryDataType command we discussed a few weeks ago to determine if the update was installed and recorded in the machine’s update history.

    % /usr/sbin/system_profiler SPInstallHistoryDataType | grep "13.3.1 (a)"
    macOS Rapid Security Response 13.3.1 (a):
    Version: 13.3.1 (a)
4. Use softwareupdate --history
The softwareupdate command contains a --history flag that can show a history of everything installed via Apple’s software update mechanism.

    % /usr/sbin/softwareupdate --history | grep "13.3.1 (a)"
    macOS Security Response 13.3.1 (a) 13.3.1 (a) 05/02/2023, 23:26:10
Or if you’d just like to grab the version number without the title of the update, you can use awk.

    % /usr/sbin/softwareupdate --history | awk '/13.3.1 \(a\)/ {print $4, $5}'
    13.3.1 (a)
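Building on option 1, the check can be made version-aware instead of grepping for one hard-coded string. This is an added example, not code from the original post: the function name rsr_state, its state names, and the assumption that a later macOS release already contains the fix are all assumptions, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. rsr_state and its state names
# are hypothetical. It classifies a Mac from the text that sw_vers prints.
#
# usage: /usr/bin/sw_vers | rsr_state 13.3.1 a
#   patched          newer macOS (assumed to contain the fix), or the
#                    required macOS with an RSR letter >= the required one
#   needs-rsr        required macOS, RSR missing or older
#   needs-os-update  older macOS, which the RSR is not offered to
rsr_state() {
    awk -F ':[ \t]*' -v base="$1" -v need="$2" '
        $1 == "ProductVersion"      { ver = $2 }
        $1 == "ProductVersionExtra" { extra = $2 }
        END {
            if (ver == "") { print "unknown"; exit 1 }
            gsub(/[() \t]/, "", extra)   # "(a)" -> "a"; stays empty if key absent
            n = split(ver, v, "."); m = split(base, b, ".")
            for (i = 1; i <= (n > m ? n : m); i++) {
                if (v[i] + 0 > b[i] + 0) { print "patched"; exit }
                if (v[i] + 0 < b[i] + 0) { print "needs-os-update"; exit }
            }
            print (extra >= need ? "patched" : "needs-rsr")
        }'
}

# Constructed samples: the first mirrors the sw_vers output shown in option 1,
# the second is the same Mac without the ProductVersionExtra key.
SAMPLE_PATCHED='ProductName: macOS
ProductVersion: 13.3.1
ProductVersionExtra: (a)
BuildVersion: 22E772610a'
SAMPLE_UNPATCHED='ProductName: macOS
ProductVersion: 13.3.1'

printf '%s\n' "$SAMPLE_PATCHED"   | rsr_state 13.3.1 a
printf '%s\n' "$SAMPLE_UNPATCHED" | rsr_state 13.3.1 a
```

The printed state can be returned as an MDM inventory attribute, so the fleet can be grouped by what each Mac still needs.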
How critical is this update?
The words “Rapid,” “Security,” and “Response” sure make it seem critical, but the truth is that as of this writing, Apple has not revealed what the update is patching. This is also the first time we’ve seen a Rapid Security Response update from Apple, so I imagine as time progresses, we’ll get a better sense of what these updates contain and how much importance and attention you should give them.
How do I get users to update?
Use whatever methods you’re using now to encourage users to upgrade macOS. That might include a company-wide email, an @here mention in Slack, a built-in feature of your MDM, a third-party tool like Nudge or Superman (they are currently working on RSR support), or a simple script like the one below.
    #!/bin/zsh
    # RSR Checker | macosadventures.com
    #
    # Check if macOS Rapid Security Response is installed.
    # If not, prompt the end-user and open the Software Update pane.

    dialogTitle="CRITICAL SECURITY UPDATE"
    dialogMessage="Apple has issued a critical security update. Please run Software Update ASAP!"
    appIcon="/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/Resources/AppleID.icns"

    rsrUpdate=$(/usr/sbin/system_profiler SPInstallHistoryDataType | grep -m1 "13.3.1 (a)")

    if [[ -z $rsrUpdate ]]; then
        echo "macOS Rapid Security response not detected. Encouraging user to update..."
        open x-apple.systempreferences:com.apple.Software-Update-Settings.extension
        /usr/bin/osascript -e 'display dialog "'"$dialogMessage"'" with title "'"$dialogTitle"'" with icon POSIX file "'"$appIcon"'" buttons {"Okay"} default button 1 giving up after 15'
    else
        echo "$rsrUpdate is already installed."
        exit 0
    fi
Want a fancier version of the script above? Let me know, and I’ll build it out a bit and publish it to GitHub.
All of this is a great reminder of the emphasis Apple has put on making sure your Mac computers are on the latest version of macOS, as those are the only machines that will be able to receive these Rapid Security Response Updates.
Happy patching, and happy adminning!
Looking for more RSR discussion? Check out Trevor Sysock’s blog post, expanding on some of the topics written here.