
I am frequently tasked with updating the many agents we run on our Macs. Often, the update process does not involve simply running a package that would register a failure if the policy failed to run the install for some reason. If the update process is driven entirely by a script, and the update is not a success, Jamf Pro will show that the policy completed. It did actually complete but the update was a failure. When I noticed that this was happening with one of my recent updates, I added a conditional statement to check if the version of the app was the newer version. 


# $Version is set earlier in the script; quoting it keeps an empty value from breaking the test
if [ "$Version" = "7.13" ]; then
    echo "Upgrade to version 7.13 was successful"
    exit 0
else
    echo "Upgrade to version 7.13 failed"
    exit 1
fi

Since I have noticed that some Macs did not get the latest version of the app and the policy shows as completed, I'm obviously not doing this right. What else do I need to do to get Jamf Pro to show the policy as failed instead of completed?

@howie_isaacks Do the policy logs for the Macs that didn't actually update show that the script went through the code path which ended with an exit 1?




Yes. It does, which is why I think I may be doing something wrong. Here's a sample of what I see in the policy log for a Mac that failed to get the update package downloaded. Since the package did not download, the specified path to the install package was invalid. For the 7.13 version rollout, I have included a step to check if the install package is there. Since the new version of CrowdStrike was not present at the end of the process, the exit code was 1.


installer: Error - the package path specified was invalid: '/private/tmp/CrowdStrike/FalconSensorMacOS.MaverickGyr 7.12.pkg'.
Removing the staged installer package
Checking if the upgrade was successful
CrowdStrike upgrade to version 7.12 failed

Error running script: return code was 1.
Running Recon...

 




So the package and the script both failed. I would definitely expect the policy to report as failed in that case. Time to open a support case with Jamf asking why that's not happening.




I will do that since I will likely want to do something like this again. I should add that we will be doing auto-updates for CrowdStrike soon so I won't need to do anything but manage the new install policy. Until then, I have to use a script to stop the CrowdStrike agent, and install the staged install package for the new version. And while I was writing this response, it occurred to me that I should include a check for the staged installer before the script tries to run the installer. Just being able to talk about this stuff helps me improve my processes!




I would definitely recommend having CrowdStrike auto update rather than trying to push updates via Jamf Pro.


And speaking of improving process, if you're not already using @franton 's scripted install approach for your initial CrowdStrike install, do yourself a favor and take a look at https://richard-purves.com/2022/05/03/downloading-crowdstrike-via-api-for-fun-and-profit/




The plan is to move to auto-updates. Thanks for the link. I will look at it.

