
While this is, arguably, a feature that Jamf should be able to handle at its core, what is the best method in 2021, across the gamut of supported OSes and architectures, to enforce Apple software updates?



I understand that there's resistance to using any terminal commands for software updates. As stated in the Nudge channel, since 2018 this has been a problem because Apple doesn't test softwareupdate commands that are triggered by a script. In addition to that, this requires a password if the computer is Apple Silicon.



I recently rolled out the UEX-Tool-For-Jamf, and two of the components in it are no longer developed and throw Gatekeeper issues in Big Sur.



I would like to use Nudge, but my confidence in my users is low enough that I don't expect Nudge to work fine on its own. Nudge cannot force the update to happen.



What is the best way to handle software updates? Is there MDM magic I am missing? What is the downside to having the checkbox "Keep my Mac up to date" checked via a config profile?

It seems to me like this should be something so easy to accomplish through the basic GUI and not have a million hoops to jump through to make it all work lol.  Thanks for the info!


It's definitely a lot of work, but totally worth it.

In my case we developed an MDM-based patch schedule using a jump host on the same subnet as my Jamf Pro server, rather than a script within Jamf Pro which runs locally on an endpoint, potentially exposing credentials. It did allow me to support headless Macs on Big Sur and above (including M1) where the softwareupdate binary is either broken or doesn't work at all.

The account I'm using also only has the ability to issue SWU commands to computers and mobile devices, so if the credentials were ever compromised they couldn't be used for any other purpose.




Not going to lie, I really like the new Mass action command with deferment:

 On Machine:

A way to schedule this would be amazing; however, this is a really great start!


Question. If you hit Try tonight, do you know what time it'll run?




It should try to run the updates between 12a-4a. They mentioned this somewhere in WWDC2021 if I remember correctly. "Uses machine learning to determine the best time to install update between 12a and 4a blah blah blah"




Do you know, if you select either try tonight or remind me tomorrow, is it possible to bring this back up on a machine without waiting until the option you selected?  For example, if a user tells it to remind me tomorrow, but then decided that afternoon that they would like to install the upgrade because they decide it is a good time, is there a way to accommodate that?  Perhaps something that could be made available in self service that would force it to re-display?




Your questions are getting rather detailed. I suggest making a new Jamf Nation post rather than commenting on a post that is over a year old. You will get more replies. JAMF and software updates have sucked for a very long time, and changes Apple has made only exacerbate the issue with how poorly JAMF manages OS updates.

 

Your question is more of a user agency question than a management action question.

 

My suggestion: if a user changes their mind and wants to run updates before their deferral, just tell them to open System Preferences > Software Update. If the user wants to run updates, empower them to run updates themselves.

 

As far as using self-service, your experiences will vary between Apple Silicon and Intel Macs.

  • Apple Silicon – MDM can only push updates using MDM commands. JAMF teased about letting us use MDM commands in a policy last fall for OS updates. However, as many things they failed to deliver. Unfortunately, the only way to issue a software update command is from the JAMF console by an admin. You can get crafty with API, but I would not recommend it.
  • Intel – You can create a policy using the softwareupdate binary and shove that in Self Service. The command would be “sudo softwareupdate -aiR” (i = install / a = all / R = reboot). You “can” do this with Apple Silicon, but it will prompt the user to enter their password.




 




Was there anything you had to do to get the "Required Managed Update" prompt? I tested it on an Intel Mac yesterday while I was remoted in, but I didn't get any prompts. The user locked his Mac and the update did run successfully, but I never saw the initial prompt.


On a related note...

I'm not a fan of the Software Update deferments living in the Restrictions profile, alongside other settings (that are static and never change). I wish these settings were located in the (duh!) Jamf Software Update profile.

I'm considering breaking our Software Update settings into their own discrete profile(s) so that I can edit them without worrying about other Restrictions payloads being affected. Since Software Update deferments live in the com.apple.applicationaccess preference domain, I don't think this should be a problem.

Is anyone else doing this (or similar)?



Update: In July 2022, I broke out my deferment restrictions from the other Restrictions. So now my scopes look like this:

Restrictions: All Computers (does NOT contain any SU deferment payloads - I disabled them all)
Deferments SU Restriction - Production: All non-IT Macs (30-day minor updates and 90-day major updates)
Deferments SU Restriction - IT: All IT Macs (7-day minor updates and 30-day major updates)

For me and (1) other Mac admin at my org, we are in a scope that excludes us both from any SU deferments so we see Apple updates (Major and minor) at zero-day and thus we can start testing ASAP.
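As an added illustration of the discrete-profile approach described above (example code, not from the original post or from Jamf), the function below generates a standalone Restrictions profile in the com.apple.applicationaccess domain that carries only the Software Update deferral keys, so the Production (30/90-day) and IT (7/30-day) variants can be scoped independently of the org-wide Restrictions profile. The `com.example` identifiers are placeholders; the deferral key names are Apple's Restrictions payload keys, and the 1..90-day bound is the range Apple accepts for them.

```python
import plistlib
import uuid

# Apple accepts deferral windows of 1..90 days for the Software Update restriction keys.
MAX_DEFERRAL_DAYS = 90


def build_deferral_profile(display_name, minor_days, major_days,
                           identifier_prefix="com.example.su-deferral"):
    """Return a .mobileconfig (XML plist bytes) whose only payload is a
    com.apple.applicationaccess Restrictions payload holding the OS update
    deferral keys. 'com.example.su-deferral' is a placeholder identifier."""
    for label, days in (("minor", minor_days), ("major", major_days)):
        if not 1 <= days <= MAX_DEFERRAL_DAYS:
            raise ValueError(f"{label} deferral must be 1..{MAX_DEFERRAL_DAYS} days, got {days}")
    payload_uuid = str(uuid.uuid4()).upper()
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": f"{identifier_prefix}.{payload_uuid}",
        "PayloadUUID": payload_uuid,
        "PayloadVersion": 1,
        "PayloadDisplayName": "Software Update deferrals",
        # Minor OS updates (point releases) are hidden from users for minor_days.
        "forceDelayedSoftwareUpdates": True,
        "enforcedSoftwareUpdateMinorOSDeferredInstallDelay": minor_days,
        # Major OS upgrades are deferred separately (macOS 11.3 and later).
        "forceDelayedMajorSoftwareUpdates": True,
        "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": major_days,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadIdentifier": identifier_prefix,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def deferral_days(profile_bytes):
    """Read (minor_days, major_days) back out of a generated profile; handy for
    checking that the profile scoped to a group carries the window you expect."""
    content = plistlib.loads(profile_bytes)["PayloadContent"][0]
    return (content["enforcedSoftwareUpdateMinorOSDeferredInstallDelay"],
            content["enforcedSoftwareUpdateMajorOSDeferredInstallDelay"])


if __name__ == "__main__":
    with open("Deferments-SU-Restriction-Production.mobileconfig", "wb") as fh:
        fh.write(build_deferral_profile("Deferments SU Restriction - Production", 30, 90))
    with open("Deferments-SU-Restriction-IT.mobileconfig", "wb") as fh:
        fh.write(build_deferral_profile("Deferments SU Restriction - IT", 7, 30))
```

Upload the resulting files to Jamf Pro as custom profiles (or recreate the same keys in the Restrictions payload) and keep every deferral key disabled in the all-computers Restrictions profile so the two do not overlap.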


For those following this thread: read this blog post for the sorry state of managing software updates in 2021... :-(
https://travellingtechguy.blog/demystifying-macos-big-sur-updates-and-jamf-pro-10-29/






Thanks for sharing.