Skip to main content

I want to say first and foremost that Jamf as a whole is a great product, however, patch management is terrible. It's missing some really basic features such as scheduling. There are some glaring issues as well. Notifications are basically non existent for the end user. If the user is not in front of their machine, they won't know what's happening when/if apps start shutting down due to updates. Finer control needs to be had over notifications and updates.

There are no controls over OS updates/upgrades. Nothing. Every inquiry into this to Jamf results in either no real response, a different answer depending on who I talk to, a deferred response (will get back to you, never do) or just a flat out, it's not supported. However prior to us choosing Jamf, it was marketed as a big selling point - especially patch management when we asked about it.

As much as I despise our current patch management solution, it does some really nice things that I can only dream of Jamf doing. It sucks for reporting and a few other things but I can schedule, notify users, give the option to users of deferring the update/install for certain periods of time, etc.

Another instance for patch management that's bad is there is no way to disable a certain macOS version from showing up. For example, I have disable the install of Mojave 10.14 on all Jamf machines. No machine has 10.14 installed. Yet, Jamf shows my machines are not up to date because none have 10.14 installed. Exactly, I don't want it installed yet as it's not tested with our apps for compatibility. Therefore, it throws off the reporting. Were up to date for 10.13 but the graphs will always show 0% because there is not way to limit what to include/not include.

Flash updates - There are two versions NPAPI and PPAPI - however Jamf only has Flash Player that shows NPAPI.. nothing for PPAPI. Why? In order for me to properly update Flash for all users, I have to install it as a Policy, negating the patch definition feature. It becomes useless because of that.

Same with Office updates. There are several versions now. 2016 and 2019. Yet they are all bunched together.

It's a mess.

There is no clarification or support on what is supported and no unified answer as to how things are suppose to work. I would love to know what the real answer is. A lot is riding on this for us and if we can't manage patches and os level updates/upgrades with Jamf, it might be an issue.

Until vendor-based integrated third-party patch management gets (a lot) better, one way to deal with the issue is to spin up your own collection of third-party patches. In other words you simply use the generic 'packages' storage area (that all the major vendors provide) to define a collection of all the latest third-party patches and use a naming convention of your own to organize things. Mine starts by vendor name, then the app name, any specifics, and version:

Adobe-FlashPlayer-NPAPI-32.0.0.101

You can power this via apps like AutoPKG or (even better) just generate them manually with cmd lines like this:

pkgbuild --install-location /Applications --component /Volumes/Firefox/Firefox.app ~/Desktop/Mozilla-Firefox-64.pkg

I'm a fan of making them manually so that I control the source of the software. Yes, vendors should be doing this for us, but their existing solutions obviously haven't lived up to our hopes up to now, so if you want to take over this task I can tell you that once you get going with it, third-party patching becomes fairly effortless. I have little trouble keeping up with pushing out the latest of at least 50 third-party apps that get sent to all my labs. The JAMF Nation site is the single greatest source on the web for what newly-released software is available --and that's where I get mine. Many vendors download pre-packaged updates so all you have to do is upload them, like Microsoft Office 2016/2019. I get those from https://macadmins.software.

@Kristopher Welcome to the club!

You might want to mosey on over to these threads, just as a few examples, of where some of us have been voicing some dissatisfaction on the current patch offerings from Jamf.

https://www.jamf.com/jamf-nation/discussions/30394/software-patching-what-s-the-future
https://www.jamf.com/jamf-nation/feature-requests/1418/deferral-limit-as-net-days-or-n-times
https://www.jamf.com/jamf-nation/feature-requests/5704/allow-for-selecting-approved-software-version-s-in-patch-management

The 2nd one is a Feature Request, not a discussion thread, but it discusses one of the main problems with policy notifications, which spills over into Patch Management. Same problem in both.
The last one is a Feature Request that specifically spells out what you mention regarding 10.14 and Patch showing you are "out of date" when you are in fact not. Go vote that up if you haven't already.

There are undoubtedly other similar threads, but there have been some good discussions and opinions expressed so far on those. I'm not saying you should not have posted your own thread. You make valid points. But if we can strive to keep some of these on the same thread, or upvote existing Feature Requests that ask for these changes so Jamf can monitor them and see them, it might help push them to respond to the issues faster.

@Kristopher

Great post! You touched on all the annoyances we are currently working through ourselves. We ended up scrapping the patch management feature for installing patches and simply are using it for reporting right now. To address some of the reporting shortcomings such as Microsoft Office getting all jumbled together and macOS Versions, we are utilizing a JAMF Patch Server to create our own patch definitions. There is also a Community Patch Server that is currently in Beta if you can't host your own.

We used to create Smart Groups based off the patch reporting data to make it easy to scope our own patch policies/process but as of JAMF 10.7.1 there is a bug that breaks the Patch Reporting Smart Group Criteria. We didn't catch this in our testing and after updating to 10.8.1, we discovered that the Smart Groups were no longer updating correctly and would include computers that didn't match the search criteria and would push out our patches to systems that already had the patch, or weren't even in scope. Luckily we caught it almost immediately after the upgrade, but not without some headaches. JAMF has told us that a fix is in the works but I am not sure if that will be in the 10.9 release or not. For now we had to drastically change our smart groups criteria to explicitly identify all versions of an application we don't want to include in our criteria.

Patch management is more for reporting, i agree - propably wrong naming.
But why not use the several scripts that exist for various applications for Update of software ?
It is then not inside Jamf as such - but still Works

@Captainamerica Well, it WAS called Patch Reporting before Patch Policies came into existence. I think people's point is that Patch Management / Patch Policies are lackluster (compared, say, to Munki), and that development to refine and improve the Patch Management capabilities seems to have stagnated. This is a shame, as Jamf touts this as a key feature in Jamf 10.

@mm2270 Thanks!

I understand the need to keep things together and make sure voices are heard so Jamf can notice it but really? Does Jamf really need posts on a board to realize their system (patch management, notifications) are broken AF? No. I'm sure they are well aware of it. The problem is whether or not they will fix it by how loudly people complain/how much.

What really aggravates me about all this was when I was in training (our jump start), they specifically billed this as the best patch management system out there for Mac. It is not from my experience thus far. Not even close. My boss doesn't understand why I can't push out macOS updates. I told him I can't because testing has shown it either A: breaks the system or B: results in the system randomly restarting without notifying the end user at all. Nothing. No notice. At least, nothing that makes any sense.

This is not something advanced. This is basic. BASIC device management. I can push out all this software - YAY! Yet I can't send out patches with any normal means. Self service IS NOT AN OPTION. We don't want users using self service for patches!!!! Defeats the whole purpose! We want to provide the patches, with notifications that it's happening within this time frame, give the user time to save work, restart if necessary, etc. Not a quick 3 second popup and then nothing ever again.

It's a major part of Jamf that's not up to part - at all. Having to rely on scripting and posts on this forum to fill in the void (while I am thankful it exists and it's helped somewhat), should NOT be the solution.

Terms & ConditionsCookie settingsAccessibility statement