
In light of the new "Force a Computer Restart to Install macOS Updates" feature in Jamf Pro 10.38.0, I've decided to create a bash function that should make life easier for admins that want to force updates on M1 machines.

Please refer to the screenshot below for more information on this feature.

New to bearer tokens? Don't worry about it, I've already done the work for you. Simply fill in your api account data and let the function take care of the rest. 

 

#!/bin/bash

# Server connection information
# (the API account credentials are stored in this script in plain text)
URL="https://url.jamfcloud.com"
username="apiusername"
password="apipassword"

# Determine Serial Number
serialNumber=$(system_profiler SPHardwareDataType | awk '/Serial Number/{print $4}')

initializeSoftwareUpdate(){
    # create base64-encoded credentials ('%s' keeps a "%" in the password literal)
    encodedCredentials=$( printf '%s:%s' "${username}" "${password}" | /usr/bin/iconv -t ISO-8859-1 | /usr/bin/base64 -i - )

    # Generate new auth token
    authToken=$( curl -s -X POST "${URL}/api/v1/auth/token" -H "accept: application/json" -H "Authorization: Basic ${encodedCredentials}" )

    # parse authToken for token, omit expiration
    token=$(/usr/bin/awk -F \" 'NR==2{print $4}' <<< "$authToken" | /usr/bin/xargs)

    # Confirm a token came back without echoing it (script output ends up in the policy log)
    [ -n "${token}" ] || { echo "No bearer token returned" >&2; exit 1; }

    # Determine Jamf Pro device id
    deviceID=$(curl -s -H "Accept: text/xml" -H "Authorization: Bearer ${token}" "${URL}/JSSResource/computers/serialnumber/${serialNumber}" | xmllint --xpath '/computer/general/id/text()' -)

    echo "${deviceID}"

    # Execute software update
    curl -s -X POST "${URL}/api/v1/macos-managed-software-updates/send-updates" -H "accept: application/json" -H "Authorization: Bearer ${token}" -H "Content-Type: application/json" -d "{\"deviceIds\":[\"${deviceID}\"],\"maxDeferrals\":0,\"version\":\"12.3.1\",\"skipVersionVerification\":true,\"applyMajorUpdate\":true,\"updateAction\":\"DOWNLOAD_AND_INSTALL\",\"forceRestart\":true}"

    # Invalidate existing token and generate new token
    # (response discarded so the replacement token is not written to the log)
    curl -s -o /dev/null -X POST "${URL}/api/v1/auth/keep-alive" -H "accept: application/json" -H "Authorization: Bearer ${token}"
}

initializeSoftwareUpdate

 

Upload this script in combination with a user interaction / jamfhelper dialog policy to start forcing updates again!!!

 

Lessons Learned 06/01/2022: 

1. The update can take an extremely long time to kick off. I'm talking 1-2 hours +

2. While the Jamf Pro GUI can do full OS upgrades, it doesn't seem to be supported in the API.

 

Lessons Learned 06/23/2022:

1. I cannot recommend putting this into production. While my jamf helper script does guide the user through the update, the targeted device does not restart in a reasonable time.

2. At this time, the best options for Monterey updates and upgrades seem to be using Nudge or the startosinstall executable that comes packaged with macOS installers: Solved: Re: macOS installer script not working for Apple S... - Jamf Nation Community - 249859
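
Added example (not part of the original post, and not Jamf's code): the function above takes the token from line 2 of the auth response and interpolates the looked-up device ID straight into the JSON body, so this shows a layout-independent token parse and input validation before the send-updates call. The function names `extract_token`, `build_update_payload` and `demo`, and the sample responses, are constructed for illustration.

```bash
#!/bin/bash
# Added example: checks around the token and payload steps. Function names
# and sample data are constructed for illustration; no network calls are made.

# Extract the "token" value whatever the response's line layout is
# (the NR==2 awk parse depends on pretty-printed JSON with the token on line 2).
extract_token() {
    printf '%s' "$1" | tr -d '\n' |
        sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Build the send-updates body from validated values only, so an empty or
# malformed device id (for example after a failed lookup) never reaches the API.
build_update_payload() {
    local device_id="$1" version="$2"
    case "$device_id" in
        ''|*[!0-9]*) echo "invalid device id" >&2; return 1 ;;
    esac
    case "$version" in
        ''|*[!0-9.]*) echo "invalid version" >&2; return 1 ;;
    esac
    # Shape check only (N.N or N.N.N); it does not assert what Jamf Pro accepts.
    printf '%s' "$version" | grep -Eq '^[0-9]+(\.[0-9]+){1,2}$' ||
        { echo "invalid version" >&2; return 1; }
    printf '{"deviceIds":["%s"],"maxDeferrals":0,"version":"%s",' "$device_id" "$version"
    printf '"skipVersionVerification":true,"applyMajorUpdate":true,'
    printf '"updateAction":"DOWNLOAD_AND_INSTALL","forceRestart":true}'
}

# Constructed sample responses: pretty-printed and single-line.
sample_pretty='{
  "token" : "CONSTRUCTED.SAMPLE.TOKEN",
  "expires" : "2022-06-01T12:00:00Z"
}'
sample_compact='{"token":"CONSTRUCTED.SAMPLE.TOKEN","expires":"2022-06-01T12:00:00Z"}'

demo() {
    local t
    t=$(extract_token "$sample_compact")
    [ -n "$t" ] || { echo "no token in response" >&2; return 1; }
    echo "token received (${#t} chars)"   # log the length, never the token
    build_update_payload 42 12.3.1; echo
}
demo
```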

 

That's very strange because my script is basically an MDM Command in API form. If you don't want any interaction you can copy my original function above and just throw it in a policy.


Hi @bwoods - I've noticed on my test Mac when rebooting the machine the osupdate.plist file disappears from tmp folder. The file is still in the tmp folder when testing with logging the user off which is great.

Would you know a solution on how we can make the file not disappear after a reboot? Thank you


When running either the Part B or your original function, does the user have to be logged on for the update to complete?


Yes sir.



You need to change the path in the Launch Daemon to:

/Library/LaunchDaemons

 



All of the highlighted paths below will need to be changed.

 


I'm still having such a hard time for updates to deploy. We have a user that we deployed the script to a couple of weeks ago and under software updates, it's waiting to install, but it's prompting for a username and password and his logon info doesn't work. Is this something related to maybe the securetoken?


I've got good results with this, better than Mass MDM Commands.


@bwoods Really nice work, does this work for Ventura?

Is the syntax where you specify the version, as below, for 13.1: 13.1.0 or 13.1?

"version\":\"12.4\"


 



@MatG I haven't tested this in quite a while. I switched to using Nudge. Some people are telling me that it's not working for Ventura.


 Hey  

Did you try with an Updates Script with the new Priority MDM Key for forcing Updates?

priority (string)

Priority can only be configured on macOS 12.3 and above, for minor updates only. Any version below 12.3 is always Low and cannot be changed until prerequisites are met. When qualified, if not explicitly set, priority will default to High.

Allowed values: HIGH, LOW

 


Warning: Deprecated

Well made. But unfortunately the function is no longer usable. :(



@bwoods do you have an alternate to above?

Thanks @kcadm, I was able to still use for macOS13. Not sure if this doesn't work within macOS14.


look to do Declarative Software updates via jamf


We have that enabled in Sandbox and have seen issues since the Software Update is in Beta



yeah there is an Apple bug. make sure devices are on 14.2 or later

