Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

See Software Update notifications as a non-admin user System
I use Mac OS X while logged in as a non-admin user. The problem with this is that the Software Update notification only appears if I am logged in as a user with administrative rights. In a real multi-user environment this makes sense, because the ordinary user should not be confused with things he's not responsible for.

But what about the situation with the typical single user machine, where the owner uses a non-admin account for normal work? (And everybody should do so!) In this case, the user is the administrator, although he or she is using a non-admin account. In this very common case, the user should get the software update notifications so he/she can react to them. However, even if the Check for Updates option is selected in the Software Update panel of System Preferences, there will be no notifications. You can argue if this is a bug or not, but it's how it works.

To solve this problem, I wrote a little AppleScript (in fact, it's embedded into a launchd plist file, so you only have to care about one file) that checks once per day if there are any software updates available. If there are any, they are displayed in a nice looking Growl notification, if Growl is installed (highly recommended!). Otherwise, they show up in a standard system dialog. Here's the code (note that the latest version can be found in this post on my blog):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<!--
    updateCheck - Copyright 2008 Sven Anderson sven_at_anderson.de

    This is an applescript based launch agent, that checks once per day
    for available software updates. If there are any, it announces them
    as a Growl notification or - if it is not installed - as a system
    dialog. This agent also works for users without administrative rights.

    To install it, move this file to ~/Library/LaunchAgents/ and
    re-login.

    Installing Growl is highly recommended: http://growl.info/

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

For a copy of the GNU General Public License see
   http://www.gnu.org/licenses/

-->
<dict>
    <key>Label</key>
    <string>de.anderson.sven.updateCheck</string>
    <key>LowPriorityIO</key>
    <true/>
    <key>Nice</key>
    <integer>1</integer>
    <key>ProgramArguments</key>
    <array>
        <string>osascript</string>
        <string>-e</string>
        <string>
set theList to every paragraph of (do shell script "softwareupdate -l")
set updates to ""
repeat with anItem in theList
    if anItem starts with "   * " then
        if updates is not "" then
            set updates to updates &amp; return
        end if
        set updates to updates &amp; (characters 6 thru -1 of anItem)
    end if
end repeat
if updates is not "" then
    tell application "System Events"
        set isRunning to (count of (every process whose name is "GrowlHelperApp")) &gt; 0
    end tell
    if isRunning then
        tell application "GrowlHelperApp"
            register as application "UpdateCheck" all notifications {"Update Available"} default notifications {"Update Available"} icon of application "Software Update"
            notify with name "Update Available" title "Software Update available" description updates application name "UpdateCheck" sticky yes
        end tell
    else
        tell application "Finder"
            ignoring application responses
                display dialog "Software Update available:" &amp; return &amp; updates with title "Software Update available" buttons "OK" default button 1 with icon file "System:Library:CoreServices:Software Update.app:Contents:Resources:Software Update.icns"
            end ignoring
        end tell
    end if
end if
</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>86400</integer>
</dict>
</plist>
Save the above code as de.anderson.sven.updateCheck.plist into your user's Library/LaunchAgents folder (create this folder if necessary). Then logout and login, or enter the following command in the Terminal, to activate the code:
$ launchctl load ~/Library/LaunchAgents/de.anderson.sven.updateCheck.plist
I've been using this code for over a year now without any problems, so I decided to make it available to everybody.
    •    
  • Currently 1.88 / 5
  • 1
  • 2
  • 3
  • 4
  • 5
  (8 votes cast)
 
[12,516 views]  

See Software Update notifications as a non-admin user | 20 comments | Create New Account
Click here to return to the 'See Software Update notifications as a non-admin user' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
See Software Update notifications as a non-admin user
Authored by: marriott on Mar 03, '09 09:38:13AM

I do something similar-- I have a Twitter account that is subscribed to the "softwareupdate" account on Twitter. Then I use a perl script to listen on Twitter, and post a "sticky" growl notification when it sees something new posted on the Twitter.

This can be extended to other sorts of alerts by finding more "notification" type feeds on Twitter.

Of course the solution in this hint is less crufty and better aimed at solving the problem at hand. Just thought I'd mention my set-up for the sake of discussion.



[ Reply to This | # ]
Admin User
Authored by: PDubNYC on Mar 03, '09 10:24:18AM

Although I have all of my users in my office using non-admin accounts, I certainly disagree that EVERYONE should be using a standard account. I would go insane with permissions issues if I weren't running as an Admin user everyday.

That's my 2 cents, but thanks anyways for your forced advice.

and how about just running softwareupdate -l in Terminal

You are making things so much more difficult than they have to be.



[ Reply to This | # ]
Admin User
Authored by: neill on Mar 03, '09 11:41:03AM

>>I would go insane with permissions issues if I weren't
>>running as an Admin user everyday.

How hard is it to just type in an admin account name and password when requested. Granted . . . it's harder than just being an admin user all the time . . .and it pops up when you (for instance) try to copy something to the Applications folder; but it really doesn't happen all that often. Given the much greater access that an admin user has and the possibility (admittedly relatively low) of a worm/trojan/what-have-you coming in that tries to do bad things . . .I gave up long ago and moved all of my home machine accounts to non admin (except my file server which stays logged in all the time as admin so that Time Machine will properly handle parts of my backup routines). Everything else runs day to day as normal user; authenticating as necessary.



[ Reply to This | # ]
Admin User
Authored by: frgough on Mar 03, '09 11:52:36AM

How much more secure is it to have to type in admin name and password instead of just password?

Even with a non-admin privileges, my trojan can play merry hob with your personal data.



[ Reply to This | # ]
Admin User
Authored by: Anonymous on Mar 04, '09 10:50:13AM
No, the issue is that some actions do not require a password when using an administrative user account.

[ Reply to This | # ]
Admin User
Authored by: frgough on Mar 05, '09 07:21:55AM

Like what?



[ Reply to This | # ]
Admin User
Authored by: ansiwen on Mar 06, '09 10:57:39AM

Exactly, ONLY with your personal data, and it cannot modify system wide executables in /Applications or /Library



[ Reply to This | # ]
Admin User
Authored by: leamanc on Mar 03, '09 06:45:50PM

I have to agree with this sentiment, as far as OS X is concerned. And, to a lesser extent, even with Windows in the Vista/UAC era. You are going to be prompted to death for anything that could be potentially harmful ("yes, OS X, I really want to open up that HTML file I downloaded!").

And running as a non-admin user, you will still be prompted for admin credentials when running as a standard user; it's just that your username won't be filled in. Since most people are going to reflexively put in their credentials (just like in Vista, where they will reflexively confirm all UAC prompts), you might as well run as admin anyway.

Since trojans are the biggest security threat to OS X, and they don't necessarily require admin privileges, I see no point to restricting yourself to a standard user if you are competent enough to run a computer.

Running as a non-admin user is fine for your kids, but if you are the owner of the computer, go ahead and run as admin. It's YOUR computer, you should administrate it. There are just too many things you are deprived of as a non-admin user that owners of a computer need to do.

Standard users are also OK for a work/lab environment, as long as it is a desktop, but anybody with a portable will invariably need to do something as an admin when out on the road--create a new network Location, change the time zone, install your corporate VPN client. Either you make these people admins or you end up giving up your admin password over the phone.

Which leads me to one thing Windows has that I wish OS X had: the "power user," which sits in between the standard user and the admin. Or at least, I wish Apple would allow standard users to have arbitrary permissions assigned...and no, parental controls doesn't count, and managed clients via OS X Server and Workgroup Manager doesn't do me much good for those travelers with laptops.



[ Reply to This | # ]
Admin User
Authored by: Anonymous on Mar 04, '09 10:53:53AM
As I pointed out to frgough above, administrative user accounts are not necessarily prompted for a password when performing potentially harmful actions.

I'm not advocating that everyone run as a non-admin user -- just setting you straight on a misconception.

[ Reply to This | # ]

Admin User
Authored by: ansiwen on Mar 06, '09 11:44:38AM

You are mixing two things up here. Just to administrate your computer you don't have to use an admin account all the time. It is a general and wise security rule that you take privileges only when you need them and drop them as soon as possible.

Coming from the Unix side I was using a non-admin account as a matter of course from the very beginning. There is absolutely no problem in doing so.



[ Reply to This | # ]
Admin User
Authored by: ansiwen on Mar 06, '09 10:48:13AM

If you agree, that there are "permission issues" with using an admin account, you will also agree that there is a difference in permissions of an admin- and a non-admin account. (In fact, the difference is just being in the "admin" group or not.) It does not matter at all, what threat scenario you're looking at (viruses, trojans, the user itself...), the attack surface is always significantly lower if you are not working with an admin account. And there is no difference in security demands for normal or admin users, although there are some "administrators" who think they don't need the same security as their users.



[ Reply to This | # ]
See Software Update notifications as a non-admin user
Authored by: macdsl on Mar 03, '09 10:31:52AM

Just curious.....
This is better than just going Apple Menu---Software Update......
once a day? Or am I being lame and missing something......?



[ Reply to This | # ]
See Software Update notifications as a non-admin user
Authored by: leamanc on Mar 03, '09 02:04:13PM

Not lame, but this just automates the process for you, and only notifies you when there is an update available.



[ Reply to This | # ]
See Software Update notifications as a non-admin user
Authored by: Anonymous on Mar 04, '09 10:56:08AM

Can automated tasks can be automated with Automator? Jus' wondrin' :-P



[ Reply to This | # ]
See Software Update notifications as a non-admin user
Authored by: ansiwen on Mar 06, '09 10:50:14AM

No, but I'm just lazy to do that (and think of it) every day.



[ Reply to This | # ]
I must be missing something
Authored by: lincd0 on Mar 03, '09 02:40:41PM

I run as a non-admin user too, but when I open the Software Update preference pane in Leopard, I see a "Check Now" button, which works, and a "Check for Updates" checkbox with a pulldown menu for Daily, Weekly, or Monthly, which also works. I don't have to enter an admin password to use these features. I'd have to enter one to actually install the updates, but not to be notified of them.



[ Reply to This | # ]
I must be missing something
Authored by: j-beda on Mar 03, '09 02:56:59PM

The checkboxes exist, but notifications are not given unless you have an administrator account logged in, at least in my experience. I gave up running as a non-admin partially for this reason.



[ Reply to This | # ]
I must be missing something
Authored by: lincd0 on Mar 04, '09 08:32:29AM

I have an admin account and a work account, both of which are always logged in with fast user switching enabled. The notifications work for me.



[ Reply to This | # ]
See Software Update notifications as a non-admin user
Authored by: anthonym on Aug 26, '09 08:21:50AM

Thanks for the script. No new updates yet to verify that it works, but will certainly be grateful if it does.

When you're in a home shared with family, leaving the admin logged in is not necessarily a good thing!

I hated having to add "Check for updates" to the long list of other tasks I need to do every day. Computers are supposed to do the tedious & repetitive actions, so I'm glad someone was able to put that to good use. :-)

I also used to have time to read the man pages and discover what every command did in UNIX. But now I have a job and other responsibilities... Being new to Mac, I did not know there was a 'softwareupdate' command. Thanks!
I need to quit my job and go back to college when I had plenty of time during the day to do the things I liked to do.

Anyway, thanks again.



[ Reply to This | # ]
See Software Update notifications as a non-admin user
Authored by: papertigers on Dec 31, '09 12:47:18PM

Hey guys, I actually wrote a package for this. It can be found on my site, all you have to do is download the dmg and run the installer.

http://lightsandshapes.com/tutorials/mac/mac-software-updater/

I was faced with the same problem over the summer working for a local College as a SysAdmin, so I wrote this program that does the updates. Find out more about by following my link.



[ Reply to This | # ]