Hello everybody !
I’ve been looking around, but without finding any real solution. Add to this changes from Apple / Jamf so what worked before may not work anymore, and of course what didn’t worked before may now be fine.
I would like what’s the best practice to install minor or major updates of macOS on Apple silicon computers. Actually, I’m working on 2 scripts: one that will download the updates and another one that will install them later. The problem is: users have standard user account and of course, admin credentiales are needed.
I’ve read that mdm commands aren’t very reliable, but as the posts are now from months ago, maybe that it’s working as expected now. And about those mdm commands, I don’t know if it downloads / installs only minor updates, or if it will install major ones if available.
I was thinking of having the credentials as parameters for the scripts, but is is secure enough ?
A last thing to ask: is there a way to install updates at the computer’s boot ? My main goal is to avoid users to loose data because they didn’t paid attention to the notification telling them to save their work as the computer will reboot to install updates. There is the option of the use of the Self Service app, but not sure that they will update computers.
Any advice is welcome !
Best practice to update / upgrade macs ?
+5
+13For Laptops I use Blueprints and DDM OS Reminder. It pops up an nice warning box so they shouldnt loose work.
https://snelson.us/2026/05/ddm-os-reminder-3-3-0/
For my labs of Macs I just use Blueprints. It doesnt work perfectly, but it does work.
When it comes to the Summer and I wipe the Labs, I do that by sending the OSX installer, and then I use Terminal to run the command line tool built in to the Installer. This requires the credentials of an administrator, I normally send these as a parameter to the script in the policy. Anyone who can access the policy in Jamf can then see the credentials, for me this is not a problem as they all know them anyway.
+5Thank you for your reply. As for the admin passwords, I don’t really like it but yes, those who have access to Jamf already know the credentials so it’s not really a problem.
For blueprints, one of my colleagues tried those but the updates started right after he finished them. Is there a way to set a specific day / hour for the blueprint to apply ? How does it exactly work ?
+7Thank you for your reply. As for the admin passwords, I don’t really like it but yes, those who have access to Jamf already know the credentials so it’s not really a problem.
For blueprints, one of my colleagues tried those but the updates started right after he finished them. Is there a way to set a specific day / hour for the blueprint to apply ? How does it exactly work ?
you can specify date and time when the policy will run. I am currently using Blueprints to update iMacs. I did notice one thing. version 14 works fine however version 15 + needs you to log in as admin for the update to start. I think they will sort this issue out soon.
+26DDU via blueprints is your best bet. We solely rely on Apples notifications with this and have been highly successful with updates. Our environment went from ~70% compliant within 90 days to ~90% complaint within 5 days.
+16I’m just getting Blueprints started but historically what I've relied on is some scripting logic and Jamf helper. Any 3rd party app we install must go through a review board so if I can rely on “native” or pre-approved tools (aka Jamf) to deploy it makes my life easier.
#!/bin/bash
# Update Notification.sh
#
# Created by Ed C. on 11/22/22.
# Edited to correct the date variable (line 11).
# Edited to add new OS names - 6.18.2024
# Edited to correct path for Software Updates prefs pane - 12.10.2024
# Edited to add new OS names - 8.5.2025
#
# Get Version of macOS
date=$4
version=$(sw_vers -productVersion)
case "$version" in
26.*) getversion="macOS Tahoe" ;;
15.*) getversion="macOS Sequoia" ;;
14.*) getversion="macOS Sonoma" ;;
13.*) getversion="macOS Ventura" ;;
12.*) getversion="macOS Monterey" ;;
11.*) getversion="macOS Big Sur" ;;
10.*) getversion="macOS Catalina" ;;
*) getversion="macOS (Unknown Version)" ;;
esac
updates=$(/usr/libexec/PlistBuddy -c "Print :RecommendedUpdates" /Library/Preferences/com.apple.SoftwareUpdate.plist | grep "Display Name" | sed 's/Display Name = //' | awk '{$1=$1};1')
/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType hud -lockHUD -title "Company Workstation Software Update Needed" -alignDescription justified -description "Your computer requires an update to the Operating System - $getversion.
Please update your workstation at your earliest convenience to prevent an unplanned forced restart.
The following updates are available: $updates
Forced Updates Are Scheduled to Begin $date.
Thank you for your prompt attention and cooperation in keeping Company workstations safe and functioning efficiently!" -icon "/Applications/Utilities/IO_Support/Icons/NW_Icon_No_Whitespace.png" -button1 "Update" -timeout 900 -countdown
/usr/bin/open "x-apple.systempreferences:com.apple.preferences.softwareupdate?client=softwareupdateapp"
exit 0
and Parameter for in my script load I label as “date” or some other option. when I run the script I put the date I ask users to be updated by. It gets 95+% acceptance quickly.
+27Agreed with
+6Agreed with
I’m working on getting to do DDM and Blueprints, but for now I’m using SUPERMAN.
https://github.com/Macjutsu/super
5.1.0 RC5 came out a few weeks ago.
-Pat
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.