Auto-Update Magic! Keep Mac Apps Current with the Casper Suite and AutoPkgr

For those of you who weren't at JNUC this year, here are the notes and slides for my presentation, Auto-Update Magic:
https://github.com/homebysix/auto-update-magic

Here's the link to the latest version of AutoPkgr, which now supports direct JSS integration:
https://github.com/lindegroup/autopkgr/releases/latest

If you find a reproducible bug with AutoPkgr, please open or update an issue on GitHub:
https://github.com/lindegroup/autopkgr/issues

If you have feedback or questions, I'd love to hear from you here!

Page 4 / 4

@elliotjordan Yes, that's close to what we do currently. We've modified the NAME in the INPUT fields in the jss recipe's override to be what we want. It works for many, but not all, recipes. I tried your above method on the packages that our current method doesn't work on. For those pkgs, they already exist and the recipe is just downloading them. Nothing gets built, so no name from the recipe is entered. So the OracleJava8-1.8.45.14.pkg already existed and will not have its name changed by AutoPKG. Neither of our approaches fix that issue.

The NAME variable(as JAMF sees it) would just be useful for these admittedly niche situations. I guess it joins things like PRIORITY, BOOT_VOLUME_REQUIRED, INFO, and NOTES on the list of fields that aren't yet available or essential but would make handy additions in future builds.

I have an issue where the upload to the JSS fails. I do not have a smb/afp share so I need to upload directly to the JSS. Autopkg creates scripts, attributes etc but it fails to upload the package file. I'm testing with the Chrome pkg but others have failed as well.
The package is reported as "Missing" in Casper admin.
I've added this to my settings but no luck. (according to https://github.com/sheagcraig/JSSImporter#jds-jamf-distribution-servers)

<key>JSS_REPOS</key>
    <array>
        <dict>
            <key>type</key>
            <string>JDS</string>
        </dict>
    </array>

Do you suggest trying to get this to work or is it easier set up a smb share for this purpose only?

@karlmikaeloskar I ran into the same issue. Basically, even if you're running auto-pkg on the same machine as the JSS, you need to configure distribution points or it won't actually work. It's a weird quirk but at least it is an easy one to resolve.

If you are using AutoPkgr, they have a really handy interface that will prompt you for the needed information. Also having a GUI is always helpful.

(Edit) I believe the reasoning is that it send the info(policy, group, etc) on it over the API, but needs to mount the share to actually move the file.

@elliotjordan I am getting a weird error when trying to just run AutoPKG:

[ERROR] socket.gaierror: [Errno 8] nodename nor servname provided, or not known

I have already configured the Distribution Points, setup the API user in the JSS and checked permissions there. Any suggestions would be appreciated as I am getting really excited to use this.

Thanks!

@monosodium, I'd like to help you, but I need more details. Also, I'm not sure this thread is the proper place to do in-depth troubleshooting.

Could you join our autopkgr-discuss Google Group and provide some more details there? (e.g. What were you doing when you saw that error? If you clicked the "Run AutoPkg Now" button, which recipes were you running? Are there any AutoPkgr-related errors shown in Console.app?)

Thanks!

@elliotjordan Posted a different issue I ran into here: https://groups.google.com/forum/#!topic/autopkgr-discuss/3dMmKZfzMzI

I've been working on getting AutoPkgr up and running today and have run into a snag near the end.

Whenever I "Run AutoPKG Now" I get the following error, regardless of the recipe I have selected.

The following errors occurred: /Library/Python/2.7/site-packages/python_jss-1.0.2-py2.7.egg/jss/contrib/requests/packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html InsecureRequestWarning) A Python exception occurred during the execution of autopkg, see the system log for more details. [ERROR] : [Errno 13] Permission denied: u'/Volumes/CasperShare/Packages/TextWrangler-4.5.12.pkg'

Which leads me to the mentioned documentation:

https://urllib3.readthedocs.org/en/latest/security.html#certifi-with-urllib3

And I'm now stuck because I can't get past step one of the "Using Certifi with urllib3" instructions.

Any guidance available out there in JAMF land?

Edit: I am running AutoPkgr on a Yosemite 10.10.3 Mac.

I had this issue and was able to address it by adding my Casper server's root CA to the VM I use to run AutoPkgr. I have a post on what I did available from here:

https://derflounder.wordpress.com/2014/12/24/adding-a-self-signed-casper-root-ca-as-a-trusted-root/

@scraig also added some options to JSSImporter to stop these warnings from appearing. Information on the JSS_VERIFY_SSL and JSS_SUPPRESS_WARNINGS options is available via the link below:

https://github.com/sheagcraig/JSSImporter

@rtrouton If I could kiss you on the mouth I would! That totally worked.

Interestingly, after doing this I decided to move AutoPkgr off of a test box and into a VM, and none of the issues I had came up at all.

Thank you.

I've been playing with AutoPkgr over the last couple of days. Installation seems to have gone fairly smoothly. And I only intend to work on a Self Service level.

I notice that the policies are set up to install updates only. EG Firefox needs to be installed on the client computer before it sees an AutoPkgr update in Self Service. Many of these frequent updates (Firefox, Chrome, Flash Player) come as a full stand alone installer. SO... how do I enable an AutoPkgr app update to be used as a first time installer with that same autoupdating policy?

@gibbo1 The simplest way to get what you want is probably to just maintain a separate policy manually. When AutoPkgr feeds a new package to your JSS, you would log into the JSS and add that package to your separate policy so that the people without the app already installed can see it.

The reason I recommend doing it that way is that JSSImporter's default behavior (offering the newest version only to Macs in the Testing group that have an old version) is specifically tuned to be part of an app staging process, not part of an automatic deployment process.

That being said, if you want to push the boundaries and offer the app in Self Service to a different set of Macs, the SmartGroupTemplate.xml file contains the criteria you'd need to adjust or remove.

@elliotjordan Thanks. I will have a play. Thank you to your awesome contribution. AutoPkgr is a beautiful thing!

Did anyone successfully implemented an update all button for the autopkg packages?

Read 5B - 5C
https://github.com/homebysix/auto-update-magic#exercise-5b-automatically-create-auto-update-policies

Yes i read that section, but we are a Self Service organization. So i would like to provide the updates trough the Self Service app

Then add the Script to your JSS and create a Policy (ongoing/Selfservice) which executes the script? :-)

Ah yeah off course, thanks!

Hi all, we have autopkgr setup and have several application recipes. We have them set initially to a testing group as self service which then after testing we promote to auto install policies. When the laptop is connected via a cable the startup trigger works however most MAC's dont have a cable connected and just work off wireless. We use 802.1x wireless authenticating via a radius and the wireless doesn't connect until the user logs in. So we modified the auto-update-magic.sh to include a loop which tests network connection before proceeding with the rest of the script.

However we are stuck with one aspect. Does anyone one else have issues where when the computer restarts if the reopen windows check box is ticked the apps reopen really quickly not giving enough time for the app updates to actually happen or with apps which are big in size (i.e MS office updates) not installing because as soon as a user logs in they open the app? How do others handle autoupdates in cases like this? Note if you login and do nothing for a significant period after login (ensuring all apps are closed they do update)

Many thanks

@vdhanji Great question. Did you ever get a resolution on this?

I so wish I came across this sooner! This is gold... I just got the Firefox auto update set up, and aspire to set up more apps. I know the JAMF has a patch management portion now, but from my understanding, you still have to manually upload the patches and assign it to deploy with any new release. Is there a way to integrate the beauty of your automation with their built in tool? Has that been done, or is it a waste to consider?

Has anyone managed to get this working with SSO?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded