Skip to main content

I currently leverage a smart group, softwareupdate -aiR, custom notifications and the deferral option for an automated OS patching workflow both myself and user base are really happy with.

In testing the m1 chipset I am finding softwareupdate -aiR isn't functional in the workflow. Looks like there is an additional prompt for a password prior to downloading??? Anyone seen this or have any ideas as to why?

The next time you run this command, look up the computer you ran it on and navigate to the management tab. Post a screenshot of what you see. 


Here you go, is this what I'm looking for?


Here you go, is this what I'm looking for?


Ok it finally actually ran. Here's the history of the commands:

It took a while for the machine to actually restart, and when it did restart there was no warning, so right away my users will be pissed. Then it went through a few blank screens and some fits and starts, and the login screen popped up, then it actually installs the update after logging in.

I need a way to show my users what is happening during the time that our JAMF server is running various commands and the update is downloading and then warn them before the machine actually restarts, so they can save their work.  Most of our users are artists, so they expect the system to just work and never lose data. There's alot of hand holding involved in even the smallest task. I really hope apple or JAMF can clean this mess up.


Ok it finally actually ran. Here's the history of the commands:

It took a while for the machine to actually restart, and when it did restart there was no warning, so right away my users will be pissed. Then it went through a few blank screens and some fits and starts, and the login screen popped up, then it actually installs the update after logging in.

I need a way to show my users what is happening during the time that our JAMF server is running various commands and the update is downloading and then warn them before the machine actually restarts, so they can save their work.  Most of our users are artists, so they expect the system to just work and never lose data. There's alot of hand holding involved in even the smallest task. I really hope apple or JAMF can clean this mess up.


I hate to revive this dead horse, but I was wondering if anyone had a way to warn users before their machine restarts after the MDM command runs?  Otherwise the user gets like 45mins of nothing then BAM their machine just reboots. I've had complaints. My users need alot of hand holding.


I hate to revive this dead horse, but I was wondering if anyone had a way to warn users before their machine restarts after the MDM command runs?  Otherwise the user gets like 45mins of nothing then BAM their machine just reboots. I've had complaints. My users need alot of hand holding.


Late response, but I just let them know that information with a jamf helper window. "Your machine will reboot anywhere between 15-60 minunutes." 

 


Late response, but I just let them know that information with a jamf helper window. "Your machine will reboot anywhere between 15-60 minunutes." 

 


@bwoods, can you send messages thru MDM commands? If so where is the input?


I hate to revive this dead horse, but I was wondering if anyone had a way to warn users before their machine restarts after the MDM command runs?  Otherwise the user gets like 45mins of nothing then BAM their machine just reboots. I've had complaints. My users need alot of hand holding.


For hand holding, I run the API script using a 30 day deferral policy. The 'User Interaction' tab will give you all the necessary messaging.


Moving away from the classic API to utilize the new features in the json version. Will use something similar to the function below to run the update. This does take bearer tokens into account. Still waiting for 10.38 to release to use the new force update feature. Updated progress can be found here

 

 

 

 

 

 

 

#!/bin/bash # server connection information URL="https://your.jamfcloud.com" username="username" password="password" # created base64-encoded credentials encodedCredentials=$( printf "${username}:${password}" | /usr/bin/iconv -t ISO-8859-1 | /usr/bin/base64 -i - ) # Generate new auth token authToken=$( curl -X POST "${URL}/api/v1/auth/token" -H "accept: application/json" -H "Authorization: Basic ${encodedCredentials}" ) # parse authToken for token, omit expiration token=$(/usr/bin/awk -F \\" 'NR==2{print $4}' <<< "$authToken" | /usr/bin/xargs) echo ${token} # Execute software update curl -X POST "${URL}/api/v1/macos-managed-software-updates/send-updates" -H "accept: application/json" -H "Authorization: Bearer ${token}" -H "Content-Type: application/json" -d "{\\"deviceIds\\":[\\"1444\\"],\\"maxDeferrals\\":0,\\"version\\":\\"12.3.1\\",\\"updateAction\\":\\"DOWNLOAD_AND_INSTALL\\"}" # Invalidate existing token and generate new token curl -X POST "${URL}/api/v1/auth/keep-alive" -H "accept: application/json" -H "Authorization: Bearer ${token}"

 

 

 

 

 

 


Moving away from the classic API to utilize the new features in the json version. Will use something similar to the function below to run the update. This does take bearer tokens into account. Still waiting for 10.38 to release to use the new force update feature. Updated progress can be found here

 

 

 

 

 

 

 

#!/bin/bash # server connection information URL="https://your.jamfcloud.com" username="username" password="password" # created base64-encoded credentials encodedCredentials=$( printf "${username}:${password}" | /usr/bin/iconv -t ISO-8859-1 | /usr/bin/base64 -i - ) # Generate new auth token authToken=$( curl -X POST "${URL}/api/v1/auth/token" -H "accept: application/json" -H "Authorization: Basic ${encodedCredentials}" ) # parse authToken for token, omit expiration token=$(/usr/bin/awk -F \\" 'NR==2{print $4}' <<< "$authToken" | /usr/bin/xargs) echo ${token} # Execute software update curl -X POST "${URL}/api/v1/macos-managed-software-updates/send-updates" -H "accept: application/json" -H "Authorization: Bearer ${token}" -H "Content-Type: application/json" -d "{\\"deviceIds\\":[\\"1444\\"],\\"maxDeferrals\\":0,\\"version\\":\\"12.3.1\\",\\"updateAction\\":\\"DOWNLOAD_AND_INSTALL\\"}" # Invalidate existing token and generate new token curl -X POST "${URL}/api/v1/auth/keep-alive" -H "accept: application/json" -H "Authorization: Bearer ${token}"

 

 

 

 

 

 


Do you have a Gist or Github like that you keep updated @bwoods ? I'd like to follow this and see what comes of it.


@nwagner I do not have Gist or Github. But you can help me work on this here


I tried to get this working, but it prints the password before it actually prompts for it. My script:

 

userpassword=$(osascript -e 'display dialog "Please enter your login password." default answer "" with icon stop buttons {"Cancel", "Continue"} default button "Continue" with hidden answer' | awk -F ':' '{print $3}') expect -c " spawn softwareupdate -i \\"$4\\" -R expect "Password*" send "{${userpassword}}" expect "Password*" send "{${userpassword}}" expect eof "

 

 From Terminal (1234 is the password I'm trying with):

 

spawn softwareupdate -i macOS Monterey 12.6-21G115 -R Software Update Tool Finding available software 1234Downloading macOS Monterey 12.6 Password:

 

When I add the "set timeout -1" part in the expect section, it doesn't print the password early, but it doesn't seem to print it at all either since it just sits on the Password: prompt.


@PhillyPhoto I recommend you abandon ship and use Nudge: https://github.com/macadmins/nudge/wiki/Jamf-Pro-Guide

I needed to migrate users from BigSur to Monterey on Intels and M1s using a deferral. Nudge checked all the boxes for me, and it's highly customizable. Make sure you set it up to ping your Self Service policy rather than the installer from the applications folder.  I used this for the policy execute command:

echo "password" | /Applications/Install\\ macOS\\ Monterey.app/Contents/Resources/startosinstall --user admin --stdinpass --agreetolicense --nointeraction --forcequitapps --pidtosignal

 


@PhillyPhoto I recommend you abandon ship and use Nudge: https://github.com/macadmins/nudge/wiki/Jamf-Pro-Guide

I needed to migrate users from BigSur to Monterey on Intels and M1s using a deferral. Nudge checked all the boxes for me, and it's highly customizable. Make sure you set it up to ping your Self Service policy rather than the installer from the applications folder.  I used this for the policy execute command:

echo "password" | /Applications/Install\\ macOS\\ Monterey.app/Contents/Resources/startosinstall --user admin --stdinpass --agreetolicense --nointeraction --forcequitapps --pidtosignal

 


@PhillyPhoto I completely agree with @cucaracha. Use Nudge or S.U.P.E.R.M.A.N to get your updates out reliably.


I run this shell script in terminal, and seems working, no more password prompt.

"set timeout -1" is important, otherwise it will timeout and the third "Password:" won't show up.

#!/bin/zsh adminUser="test" adminPWD="test123" echo "Running updates for Apple Silicon Mac" /usr/bin/expect<<EOF set timeout -1 spawn /usr/bin/su "$adminUser" -c "sudo softwareupdate -iaR" expect "Password:" send {${adminPWD}} send \\r expect "Password:" send {${adminPWD}} send \\r expect "Password:" send {${adminPWD}} send \\r expect eof EOF

 

and the output

stevenxu@MBP-SX% sh autoUpgrade-TEST.sh Running updates for Apple Silicon Mac spawn /usr/bin/su test -c sudo softwareupdate -iaR Password: Password: Software Update Tool Finding available software Downloading macOS Ventura 13.1 Password: Downloading: 3.90%