But partially no more! If you edit the sudoers file, you can allow the CLI version of Software Update (i.e. softwareupdate) to be executed by your users.
- Edit the sudoers file /etc/sudoers. Use the command sudo visudo; this will drop you into the default visual editor (usually vim).
- Add ALL ALL= NOPASSWD: /usr/sbin/softwareupdate to the file. Placing it at the bottom is OK. Be sure to add comments on your change by using # as the first character. Do not comment out the actual sudoers directive you just added, however. Save and exit the editor.
- Run softwareupdate -ia from Terminal in a non-admin user (any) account and watch the show.
I don't think this action will prompt for a restart, so the system will be running in an indeterminate state. Be sure to restart right away if you are trying this on a reboot-needed update. You have been warned.
Real world uses
With this hurdle covered, you can now add a cron/launchd job to download updates for sure (softwareupdate -d). I have been thinking about seeing if I can work this into the logouthook function. If so, then shutdown -r now will also need to be in sudoers. It has also been suggested to use an osascript command to issue a Finder restart to allow users the normal warnings.

