macOS Setup - Update-Watcher on macOS

Update-Watcher runs on macOS for monitoring Homebrew packages and native macOS software updates. The macOS setup is simpler than Linux since most checkers do not require elevated permissions or a dedicated system user.

Configuration Location

On macOS, the configuration file is stored in the user config directory:

~/.config/update-watcher/config.yaml

Create the directory if it does not exist:

mkdir -p ~/.config/update-watcher

The setup wizard (update-watcher setup) creates this directory and file automatically.

Available Checkers on macOS

Two checkers are specific to macOS:

macOS Software Updates

The macos checker uses the native softwareupdate command to detect available system updates, including macOS version upgrades, security patches, and Safari updates.

update-watcher watch macos

For security-only filtering:

update-watcher watch macos --security-only

No sudo is required. The softwareupdate --list command runs without elevated permissions.

Homebrew

The homebrew checker detects outdated Homebrew formulae and casks:

update-watcher watch homebrew

To skip cask (GUI application) updates and only report formulae:

update-watcher watch homebrew --no-casks

No sudo is required. Homebrew runs entirely under the current user.

When to Use Which

Other Checkers

The following checkers also work on macOS without modification:

• docker – If Docker Desktop is installed.
• wordpress – If WordPress sites are accessible on the local filesystem.
• webproject – If web projects with npm, yarn, pnpm, or Composer are present.
• distro – Not applicable on macOS (only checks Linux distributions).
• openclaw – Works on macOS.

Example Configuration

A typical macOS configuration:

hostname: "macbook-pro"

watchers:
  - type: macos
  - type: homebrew
  - type: docker

notifiers:
  - type: slack
    options:
      webhook_url: "${SLACK_WEBHOOK_URL}"

settings:
  send_policy: "only-on-updates"

Scheduling

update-watcher install-cron --time 09:00

crontab -l

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.update-watcher.daily</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/update-watcher</string>
        <string>run</string>
        <string>--quiet</string>
    </array>
    <key>StartCalendarInterval</key>
    <dict>
        <key>Hour</key>
        <integer>9</integer>
        <key>Minute</key>
        <integer>0</integer>
    </dict>
    <key>StandardOutPath</key>
    <string>/tmp/update-watcher.log</string>
    <key>StandardErrorPath</key>
    <string>/tmp/update-watcher.err</string>
</dict>
</plist>

launchctl load ~/Library/LaunchAgents/com.update-watcher.daily.plist

launchctl list | grep update-watcher

launchctl unload ~/Library/LaunchAgents/com.update-watcher.daily.plist

Cron vs launchd

Permissions

Most macOS checkers require no special permissions:

• softwareupdate --list runs as the current user.
• brew outdated runs as the current user.
• Docker Desktop manages its own socket permissions.

No sudoers configuration is needed for a standard macOS setup.

Related

• Linux Server Setup – Production-ready Linux server setup.
• Cron Scheduling – Detailed cron scheduling guide.
• Homebrew Checker – Full documentation for the Homebrew checker.
• macOS Checker – Full documentation for the macOS software update checker.