As I mentioned before, the best advice I have is to get with the JAMF Success rep. Your Apple CA may also be able to provide some information.
- For security updates, subscribe to the Apple email list https://lists.apple.com/mailman/listinfo/security-announce/
- If you have OS patch management set up, JAMF will notify you when a new build of macOS is released, if you have patch management notifications enabled.
- Always start with a manual install; do that however you wish, but the GUI is best. Then use the update management command in the inventory record within JAMF.
- To automate, if it's an Intel Mac you can use softwareupdate -aiR, scripted however you like.
- If it's Apple Silicon, the management command is your only option.
- https://docs.jamf.com/best-practice-workflows/jamf-pro/managing-macos-updates/Introduction.html
- If it's an Intel Mac you can use a script and policy with softwareupdate -aiR.
- Deferrals and notifications can be done by policy, just like with any other policy.
- Deferrals can also be done by script with flags and nags, but it's very complicated. https://github.com/ryangball/nice-updater covers it fairly well.
- Again, Apple is retiring the softwareupdate workflow. DO NOT USE THIS IF YOU DO NOT ALREADY HAVE A WORKFLOW IN PLACE; YOU ARE WASTING YOUR TIME.
- (3 again, I suppose) If it's an Apple Silicon Mac, the Schedule an OS Update management command is your only option to automate updates.
- JAMF has not added the keys to allow deferrals or user notification beyond the Mac telling the user an administrator is attempting to run updates.
- JAMF has not added the force key, so if something prevents the Mac from rebooting the update won't run.
- Get with JAMF. They have not added the force install flag to their OS update management command workflow yet.
All roads with your questions point you directly to JAMF. Apple is in the middle of changing how they allow users to manage macOS updates. The old way is no longer viable, so how any of us are doing it is irrelevant. The new way, JAMF is dragging their feet at supporting.
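As an added example (mine, not this poster's script and not Jamf's code), here is the branching from the post above folded into one Jamf policy script: it parses `softwareupdate -l`, runs `-iaR` only on an Intel Mac with someone at the GUI, downloads only when the Mac is sitting at the login window, and on Apple Silicon stops and points at the management command. The sample listing is constructed to match the Big Sur/Monterey `softwareupdate -l` layout; `sysctl` and `scutil` are the standard macOS tools, and running as root from a policy is assumed.

```python
#!/usr/bin/env python3
"""Jamf policy script (added example): choose the update path per the thread's
advice instead of running `softwareupdate -aiR` everywhere.
Assumptions: runs as root on macOS 11+; the parser matches the Big Sur/Monterey
`softwareupdate -l` layout shown in the constructed sample below."""
import platform
import re
import subprocess
import sys

# Constructed sample of `softwareupdate -l` output so the parser runs off a Mac.
SAMPLE_LIST_OUTPUT = """Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: macOS Big Sur 11.6.1-20G224
\tTitle: macOS Big Sur, Version: 11.6.1, Size: 2535052K, Recommended: YES, Action: restart,
* Label: Safari15.1BigSur-15.1
\tTitle: Safari, Version: 15.1, Size: 67813K, Recommended: YES,
"""


def parse_softwareupdate_list(text):
    """Return one dict per listed update: label, title, version, restart (bool)."""
    updates = []
    current = None
    for line in text.splitlines():
        label = re.match(r"\s*\*\s+Label:\s*(.+?)\s*$", line)
        if label:
            current = {"label": label.group(1), "title": "", "version": "", "restart": False}
            updates.append(current)
            continue
        if current is not None and "Title:" in line:
            # "Key: Value" pairs separated by ", "; the trailing comma is harmless.
            fields = dict(re.findall(r"(\w+):\s*([^,]+)", line))
            current["title"] = fields.get("Title", "").strip()
            current["version"] = fields.get("Version", "").strip()
            current["restart"] = fields.get("Action", "").strip().lower() == "restart"
    return updates


def is_apple_silicon(machine=None):
    """platform.machine() says x86_64 under Rosetta; main() uses sysctl instead."""
    machine = platform.machine() if machine is None else machine
    return machine == "arm64"


def apple_silicon_via_sysctl():
    out = subprocess.run(["/usr/sbin/sysctl", "-n", "hw.optional.arm64"],
                         capture_output=True, text=True).stdout
    return out.strip() == "1"          # key is absent on Intel, so this is False there


def console_user():
    """GUI user name, or "" when the Mac is at the login window."""
    out = subprocess.run(["/usr/sbin/scutil"], input="show State:/Users/ConsoleUser\n",
                         capture_output=True, text=True).stdout
    m = re.search(r"^\s*Name\s*:\s*(\S+)", out, re.M)
    name = m.group(1) if m else ""
    return "" if name in ("", "loginwindow") else name


def plan_update(updates, apple_silicon, console_user):
    """Pure decision function (testable): what this policy run should do."""
    if not updates:
        return "nothing"
    if not any(u["restart"] for u in updates):
        return "install-no-restart"      # Safari, codecs etc. install fine unattended
    if apple_silicon:
        return "mdm"                     # softwareupdate needs a volume-owner credential here;
                                         # use the Schedule an OS Update management command
    if not console_user:
        return "download-only"           # Big Sur only downloads OS updates with nobody at the GUI
    return "install-restart"


def main():
    listing = subprocess.run(["/usr/sbin/softwareupdate", "-l"], capture_output=True, text=True)
    updates = parse_softwareupdate_list(listing.stdout + listing.stderr)
    action = plan_update(updates, apple_silicon_via_sysctl(), console_user())
    print(f"{len(updates)} update(s) found; action = {action}")
    if action == "nothing":
        return 0
    if action == "mdm":
        print("Apple Silicon: send the Schedule an OS Update command from Jamf", file=sys.stderr)
        return 1                         # fail the policy so the log says why nothing ran
    flags = {"install-no-restart": ["-i", "-a"],
             "download-only": ["-d", "-a"],
             "install-restart": ["-i", "-a", "-R"]}[action]
    return subprocess.run(["/usr/sbin/softwareupdate", *flags]).returncode


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a script in a policy. `softwareupdate` does have `--user`/`--stdinpass` for a volume-owner credential on Apple Silicon, but that means shipping an admin password inside a policy, which is the account/password problem this thread keeps running into, so the script deliberately exits 1 there instead.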
@AJPinto I'm not going to discourage anyone from following your advice, because it's sound, and I agree this is the direction Apple is going... however, I've been surprised to notice in testing that in macOS Monterey, including the latest release candidates (and in the public betas before it), softwareupdate --install --all --restart is now working to fully install OS updates without a user being logged in at the GUI.
I still need to test using a script or as a command run from Jamf (which in turn means it runs as root instead of as a logged-in user over SSH, like how I've been testing), but it seems to have at least restored some functionality to the softwareupdate tool in Monterey. I don't have my hopes up yet though!
@taugust_ric Is your testing on Intel Macs or Apple Silicon? The softwareupdate command works as it did before on Intel Macs regardless of the version of macOS. However, considering the only new Intel Macs you can get are the 2020 27-inch iMac, the 2020 Mac mini, and the Mac Pro, the options are limited on devices that will function with that going forward. I have not tested managing OS updates on Monterey yet, as JAMF is notoriously slow to accommodate any OS update management.
If Apple did revert their behavior and is allowing bootstrap tokens to run updates again, I would be as thankful as everyone else on this thread.
@AJPinto Testing is on an Intel 2019 iMac. The majority of the fleet I manage at the moment is Intel, so I do my testing there first. It wouldn't surprise me if things are still "broken" on the Apple Silicon side of things.
The softwareupdate command was not working for me on Intel Macs in Big Sur. Unless a user was logged into the GUI, the command would not complete the install; it would download only. Only once an account had logged into the system did the softwareupdate command install the macOS updates successfully. However, non-OS updates (Safari, video codecs, etc.) would install fine. I believe there are some other threads on Jamf Nation about that issue. I had experimented with some policies that enabled an account to automatically log in, run the softwareupdate command, then disable automatic login, but it was very unreliable and sometimes left the systems in a logged-in state. I work in higher ed and a third of the installed systems are in labs where systems are not assigned to end users.
The concept of @dmichels' script may work, but you could not use root. It would have to be a local admin account, and you would probably need to use AppleScript to handle the 2 required password entries.
Apple's direction is to use management commands to handle software updates. JAMF is really behind in supporting these. I recommend reaching out to your JAMF CA and raising hell to get JAMF to properly support this new workflow. We are upgrading to JAMF 10.26 tomorrow to add more features, but from what I am reading it is still way behind where it should be with software updates.
There are more granular deferral options starting in Jamf Pro 10.32. Many require macOS 11 Big Sur or higher (e.g., macOS 10.15 Catalina still requires the deprecated softwareupdate --ignore XXX command via script/policy to block major macOS updates such as macOS Monterey 12.0).

I'm in higher education and we have the same situation with Big Sur and Intel; softwareupdate stopped working for system updates from about 11.4 onwards, I think.
Sometimes when people say they aren't having issues, I think it's because they're referring to staff who maybe have admin privileges running policies. In education, the requirement for managing updates is always going to be full automation of large numbers of machines, with no users logged in and no admin users logging in, that can be done on a non-disruptive schedule.
I had to get 11.6 onto everything to fix an issue with scanners not working (we're an arts university, so we have hundreds of them). The only way I could do it was to push out the whole Big Sur installer to every machine and use that to patch, which worked OK, but it's an awful lot of network traffic, so not really the sort of thing you can just push all at once.
I'm hoping as well that in Monterey the binary works again; the M1 machines are a separate headache, but we still have 600+ Intel ones at the moment to consider.
Ian
Hi dstranathan,
If we enable defer updates, does that mean the latest software updates will be installed after 30 days, or that we will get a notification after 30 days?
If you enable defer updates, then Macs will not see updates for xyz days after they become publicly available. Keep in mind that if you use an MDM command to install updates, it does not respect this deferral, so plan accordingly.
In practice: if Apple releases 11.7 today and you have a 7-day deferral, end users will not see any notifications about it until 11/1. If you tell a Mac to run any updates between now and the 1st, it will pull down 11.6, unless you use an MDM command, which for some reason bypasses this and will install 11.7 (working as intended; it's just stupid).
Please pardon me today, as I'm in a crappy mood, but look at this thread (not to mention many others) and tell me we don't have a problem. This is insane! We're using paid-for products on an OS that is made by the most valuable company in the world, and here we all are trying to figure out how to update said OS? This is nuts, and it's driving me nuts as well.
I just don't get why it takes so much wrangling to do a basic task in managing computers. Again, apologies; it just seems like a circle jerk at this point... praying Monterey brings some sanity to this topic (and others).
Thanks to all who have contributed to this - lots of good stuff here to ponder and try.
Wait, are we forming a choir? Sounds like you are preaching to the choir here lol.
I am actually going back and forth with JAMF over this right now in email. They keep saying installASAP is a great way to manage updates, and an engineer admits it cannot force updates if something prevents a reboot. So, not a great way to manage updates. Also, if you only use installASAP in Monterey, users get a dialog box they can use to abort. YAY.
It is beyond me why JAMF refuses to add InstallForceRestart; the engineer just kept stressing how this key can cause data loss. Like, dude, we don't care, we need to force updates. If you use MaxUserDeferrals, it looks like Apple automatically enables InstallForceRestart when deferrals are exceeded. However, lord only knows when JAMF will add MaxUserDeferrals to their framework.
So in short, no, you don't manage OS updates in 2021. At least there is no forcing compliance on Apple Silicon devices (not going into the issues others are having with Intel devices after 11.4 not wanting to update). Apple makes the tools; JAMF is just not supporting them. Not to free Apple from blame, this has been a horrible transition, managed by them, from the terminal command to MDM commands.
This issue may become worse for us shortly. The workaround for many of us was to deploy the full macOS Big Sur installer via Jamf policy and install the latest macOS updates that way. With Monterey's release imminent, I'm curious whether the "Install macOS Big Sur" app/InstallAssistant gets updated going forward. If you download the latest Catalina installer, it has none of the latest security updates applied. I'm curious to see how Apple numbers security updates (11.6.1, 11.6.2) going forward with their new numbering scheme, and/or if 11.6 remains the final OS version and just the build number changes. The strategies for numbering may affect the strategies for keeping their OS installer current...
Ha! Already have one answer - macOS Big Sur 11.6.1 was also released today...
Monterey, and others, are out...have fun!
Nudge will nag your end users to update, but it is up to them to click Install. I'm doing a similar thing using OSUpdateNotifier.sh.
We love it personally. Our security team signed off on it after the last few zero-days. I think the biggest key is communicating to your users what it is. Also, have documented policies for how long a patch can go without being applied. We have a set number of days before we enforce it.
As someone who has just recently begun looking into updating hundreds of Macs using Jamf, I'm shocked that this is such a complex issue! On the Windows side, our SCCM software makes handling this very easy. As a college, we really need some way to perform the updates overnight when the machines are not in use. We currently have many OS versions in use, partially because of hardware that will not support upgraded OSes, plus some specialty classes/hardware/software keeping us at certain OS versions. Does anyone have any thoughts on a method of controlling when updates occur?
Watched the JNUC session about Nudge; that thing seems like a full-time job to handle! That's what I took away from that session. Anyone else find a better tool to help this process out with M1 devices? I suppose I can just schedule times to push out the commands; seems silly though.
Throwing my ring into the hat here, more or less just to say the pain is real and I'm getting pretty agitated. We are currently a fragmented mix of 10.14 10.15 and 11.x machines. (All Intel and all macbooks). Our patching workflow had been to update Pilot machine groups, wait a week then update the rest of the fleet, all the while giving users 3 days of deferral until the patch is enforced. Utilizing either the softwareupdate commands or the SoftwareUpdate payload in policy. Big Sur seems to have changed all of that as others have mentioned. I basically need to "beg" macOS 11 users now to install the latest update, which is ridiculous. I will be reaching out to JAMF support on this also, as this is not an acceptable solution in an Enterprise Environment. My SCCM coworker basically laughs at how absurd this is.
Similar situation here. We are Catalina and Big Sur mostly, but starting to roll out Monterey now that 12.1 is out. We are a mix of Intel and a few ARM CPUs too.
The days of NetSUS seem so far behind in the rearview mirror.
Another item to consider with M1 hardware. We are currently getting older-model M1s shipped with Big Sur, but want them on Monterey for various reasons, as some of our stuff just works better in Monterey. Current process (since there is no keyboard command to press to get to Internet Recovery for the latest OS): enroll the device, let startup scripts run, log in, upgrade the OS manually, use Erase All Content and Settings, and then hand it to the end user. No fun at all.
@Geissbuhler Have you tried using Apple Configurator 2 for your M1 macs? We've been successful in using it to update and wipe around 5 M1 machines connected to a single host at a time in 15 minutes or so.
@twall Apple configurator 2? Buzz your girlfriend, WOOF! THATS DISGUSTING! I’ll give it a try thanks 🙂
Just got the email JNUC 2021 recap, saw the nudge video being suggested again, made me sad. Here is to hoping for better solutions in the new year!
I did more testing after I posted and it seems to be working as I hoped. I'll post more details when I get a chance. The basic requirements:
- A script, executed by a policy, that writes the proper values to allow an account to automatically log in at the next restart. The policy also executes a restart at the end of the policy run.
- A script, executed by a policy that runs at startup, once per day, to execute the softwareupdate command when the system is logged in. This script also removes the auto-login values so that after software updates run, the system is back to booting to a login window. The policy also has a reboot built in, in the event no updates are found, so the softwareupdate tool doesn't force the restart first.
So far this has worked with two of my labs pretty well. These are Intel iMacs. I don't believe this scheme will work for M1 Macs, but I don't have any of those in a managed lab setting yet.
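As an added example (mine, not the poster's script), here are the two halves of the auto-login workaround described above, with the file paths parameterised so the functions can be exercised in a scratch directory. The security point worth seeing in code: macOS stores the auto-login password in /etc/kcpassword XORed with a fixed, public 11-byte key, so anyone who can read that file can recover the lab account's password, which is why the disarm step matters and why the account should be a dedicated, low-privilege lab user. Assumptions: runs as root; the kcpassword layout (NUL-terminated, NUL-padded to a multiple of 12 bytes) follows the commonly published implementations, and the padding rule in particular is an assumption (decoding stops at the first NUL either way); the autoLoginUser key lives in /Library/Preferences/com.apple.loginwindow.plist.

```python
#!/usr/bin/env python3
"""Added example: arm and disarm macOS auto-login for an unattended update run.
Assumptions: root; published kcpassword layout (padding rule assumed)."""
import os
import plistlib

LOGINWINDOW_PLIST = "/Library/Preferences/com.apple.loginwindow.plist"
KCPASSWORD = "/etc/kcpassword"
# Fixed, public XOR key: kcpassword is obfuscation, not encryption.
KCPASSWORD_KEY = bytes([0x7D, 0x89, 0x52, 0x23, 0xD2, 0xBC, 0xDD, 0xEA, 0xA3, 0xB9, 0x1F])


def kcpassword_encode(password: str) -> bytes:
    plain = password.encode("utf-8") + b"\x00"       # NUL terminator
    plain += b"\x00" * (-len(plain) % 12)            # assumption: pad to a 12-byte multiple
    return bytes(b ^ KCPASSWORD_KEY[i % len(KCPASSWORD_KEY)] for i, b in enumerate(plain))


def kcpassword_decode(blob: bytes) -> str:
    """What anyone who can read /etc/kcpassword can do: recover the password."""
    out = bytearray()
    for i, b in enumerate(blob):
        p = b ^ KCPASSWORD_KEY[i % len(KCPASSWORD_KEY)]
        if p == 0:
            break
        out.append(p)
    return out.decode("utf-8")


def _load(prefs):
    if not os.path.exists(prefs):
        return {}
    with open(prefs, "rb") as f:
        return plistlib.load(f)


def enable_autologin(user, password, prefs=LOGINWINDOW_PLIST, kc=KCPASSWORD):
    """First half (run by the policy that then restarts): arm auto-login for `user`.
    Caveats: with FileVault on, macOS ignores auto-login (pre-boot unlock is
    required); on a live system `defaults write`, which goes through cfprefsd,
    is the safer way to touch this plist than rewriting the file directly."""
    data = _load(prefs)
    data["autoLoginUser"] = user
    with open(prefs, "wb") as f:
        plistlib.dump(data, f)
    fd = os.open(kc, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)   # root-only from creation
    with os.fdopen(fd, "wb") as f:
        f.write(kcpassword_encode(password))
    os.chmod(kc, 0o600)                                                 # in case the file pre-existed


def disable_autologin(prefs=LOGINWINDOW_PLIST, kc=KCPASSWORD):
    """Second half (startup policy): remove the values and the password file."""
    data = _load(prefs)
    if "autoLoginUser" in data:
        del data["autoLoginUser"]
        with open(prefs, "wb") as f:
            plistlib.dump(data, f)
    if os.path.exists(kc):
        os.remove(kc)


def autologin_user(prefs=LOGINWINDOW_PLIST):
    """Which account, if any, is currently armed for auto-login."""
    return _load(prefs).get("autoLoginUser")
```

In the startup policy I would call `disable_autologin()` before invoking `softwareupdate`, not after as the post orders it: if the update reboots the Mac mid-run or the script dies, the machine then comes back to a login window instead of staying armed, which is the "left in a logged-in state" failure mentioned earlier in the thread.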
This is exactly what I was looking for! Thank you. My only issue is, how are you waking up the sleeping machines? I have a few conference room and classroom machines that I would like to update automatically (at least minor software updates), and the biggest issue I am running into is waking them up remotely. Any suggestions? Also, do you have your script shared on GitHub?
Sorry accidentally posted 2 times
The only issue is that this kills my network during the day and you can not schedule it.