If you're going to run a softwareupdate -l command daily on your Macs, then you might as well combine policy 1 and 2 into one policy. Check for updates, if any are found, prompt the user to install them. If none are found, exit silently. There's no real reason to split those up, but you can do it that way as well if you'd like.

Or you can look at one of the tools out there designed for nagging users to install available updates, like Nudge for example.

@stevenjklein In theory that's a good approach, but there's a failure mode in sofwtareupdate where it may never return from a request to list updates, and on Apple Silicon machines installing updates requires providing the name and password for an account with volume owner permissions and that can be a problem.

MDM commands to drive macOS updates are currently best described as unreliable, and it remains to be seen if macOS Ventura improves that. Even if that's the case there remains the issue that Jamf doesn't seem to recognize the ability to schedule those MDM commands as if they were a Policy would be a Very Good Thing, and suggests using the Jamf API to trigger MDM update commands. That unfortunately doesn't help those of us where security policies prevent the use of the Jamf API from individual endpoints.

Here's a Q&D script I use to look for the availability of a specific update that tries to work around the case of a "stuck" sofwtareupdate process:

@sdagley Your script would require manual updates every time Apple releases an update.

After I posted my question yesterday, I came up with a better method, but I'm still not where I want to be.

We allow users to run the current and previous major releases of macOS.  So I've created a Smart Group called Macs needing macOS updates with these criteria:

Then I scoped my "force update" policy to that smart group.  Now only Macs needing updates nag users to update.

Of course, like your script, this Smart Group would require frequent manual maintenance.

My real goal is to avoid having to manually do anything: Users who are out of date would get prompted  (read: Forced) to update, but nobody else will.  Given the bugs in sofwtareupdate that you describe, my goal may be unobtainable.

With @sdagley 's script, the 

UpdateLookingFor

variable can be a script parameter instead of hardcoded, which would make it a little easier to manage going forward, but would still require some hand holding as new updates appear. But at least the script itself would not need to be modified.

@stevenjklein Every time Apple releases a macOS update it has to be qualified for my environment so the amount of time required to manually modify the script for the new version is insignificant. I think the game Jenga must have been invented by an IT engineer to represent the process of qualifying an OS upgrade with all of the various 3rd party tools Enterprise orgs are likely to require.

FWIW we've been advised by Apple to use the MDM method of enabling users to run Software Updates through the prefs pane. Seems to be more reliable than the old school method of building policies to do it.

I have been looking for this in my MDM...not JAMF fyi.  what specific payload did Apple say would allow them to install updates as standard users?

@stevenjklein I run this script at login to check for updates and if any are found a message is displayed to users, then the software update System Preferences pane is opened. If no updates are found, the script will exit with no user interaction.

This works best for minor updates, in my environment major updates are delayed until full testing is completed.

#!/bin/sh

if softwareupdate -l | grep -q "Software Update found the following" ;
then

# Get the logged in username
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name && ! /loginwindow/ { print $3 }' )
uid=$(id -u "$loggedInUser")

## Description passed in from parameter set in the policy
Title="$4"
Header="$5"
Desc="$6"

## The new message variable passed to jamfHelper
titleMSG=$( printf "$Title" )
headerMSG=$( printf "$Header" )
descMSG=$( printf "$Desc" )

JAMFHELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

RESULT=`"$JAMFHELPER" -windowType utility -icon "/Users/$loggedInUser/Library/Application Support/com.jamfsoftware.selfservice.mac/Documents/Images/brandingimage.png" -title "$titleMSG" -heading "$headerMSG" -description "$descMSG" -button1 "Install"`


if [ $RESULT == 0 ]; then
open /System/Library/PreferencePanes/SoftwareUpdate.prefPane
fi

else exit 0;
fi

Pretty sure Apple advises to not use this command anymore...

@stevenjklein I run this script at login to check for updates and if any are found a message is displayed to users, then the software update System Preferences pane is opened. If no updates are found, the script will exit with no user interaction.

This works best for minor updates, in my environment major updates are delayed until full testing is completed.

 

#!/bin/sh

if softwareupdate -l | grep -q "Software Update found the following" ;
then

# Get the logged in username
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name && ! /loginwindow/ { print $3 }' )
uid=$(id -u "$loggedInUser")

## Description passed in from parameter set in the policy
Title="$4"
Header="$5"
Desc="$6"

## The new message variable passed to jamfHelper
titleMSG=$( printf "$Title" )
headerMSG=$( printf "$Header" )
descMSG=$( printf "$Desc" )

JAMFHELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

RESULT=`"$JAMFHELPER" -windowType utility -icon "/Users/$loggedInUser/Library/Application Support/com.jamfsoftware.selfservice.mac/Documents/Images/brandingimage.png" -title "$titleMSG" -heading "$headerMSG" -description "$descMSG" -button1 "Install"`


if [ $RESULT == 0 ]; then
open /System/Library/PreferencePanes/SoftwareUpdate.prefPane
fi

else exit 0;
fi

 

  

Hello,

Say you run this on Monterey, it will only check for updates on Monterey, right?

Or will it try upgrade previous releases to Ventura?

Cheers
Emlyn