The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

MacOS - List Install history from InstallHistory.plist

Description: Pulls all install history from MacOS - tested on Catalina and Big Sur. 

What The Data Shows: The following query will pull the raw data from InstallHistory.plist, which includes installed applications and the time they were installed. (The system report on installed applications appears to be derived from the InstallHistory.plist file).

It's also useful when looking for specific security updates as os_version does not record MacOS security updates. The package_install_history table does not appear to be supported on all versions of MacOS in 4.5.0 (when tested, it returned "Not Supported" for a Big Sur host, I believe this issue was fixed in version 4.6.0 - PackageIdentifiers are optional in InstallHistory.plist (#6767)), otherwise I would recommend using package_install_history instead to pull this information. 

Sample plist entry:

<dict>
<key>date</key>
<date>2019-11-20T15:41:33Z</date>
<key>displayName</key>
<string>Security Update 2019-001</string>
<key>displayVersion</key>
<string>10.14.6</string>
<key>packageIdentifiers</key>
<array>
<string>com.apple.pkg.macOSBrain</string>
</array>
<key>processName</key>
<string>softwareupdated</string>
</dict>

subkey will hold the 'key' - ex: "displayName"

value will hold the 'string' - ex: "Security Update 2019-001"

SQL:

SELECT key, subkey, value FROM plist WHERE path = '/Library/Receipts/InstallHistory.plist'

> Requirement: MacOS

2 Comments
jnelson
Carbon Black Employee
Status changed to: Approved
 
jnelson
Carbon Black Employee

@cearl you can also get this information in an easier to read format from this table: 

package_install_history