Leveraging Microsoft AutoUpdate 3.18 "msupdate" binary with Jamf Pro 10 Patch Policies

While we're waiting for Patch Management to support scripts, here's one method to leverage Microsoft AutoUpdate (MAU) version 3.18 msupdate command-line tool to update Office apps via Jamf Pro 10's built-in patch features, inspired by @pbowden.

Also available on GitHub.

Background

After testing @pbowden's MSUpdateHelper4JamfPro.sh script in our environment, my first thought was to use a payload-free package's post-install script to simply call a policy which ran Paul's script:

Microsoft Office 2016 Update 1.0.0.pkg

Post-install Script

#!/bin/sh

## postinstall



pathToScript=$0

pathToPackage=$1

targetLocation=$2

targetVolume=$3



echo " "

echo "###"

echo "# Microsoft Office 2016 Update"

echo "###"

echo " "



/usr/local/bin/jamf policy -trigger microsoftUpdate -verbose



exit 0

After counseling with @ted.johnsen, he convinced me that a Patch Policy calling a standard policy was too much of a hack.

Payload-free Post-install Script

Using Composer, create a payload-free package which contains the following post-install script. (In Composer, I named the package Microsoft Office 2016 msupdate.)

The post-install script will use the word after "Microsoft" in the pathToPackage variable as the application name to be updated (i.e., "Excel") and the word after "msupdate" in the pathToPackage variable as the target version number (i.e., "16.12.18041000").

In Composer, build the .PKG and in the Finder, manually duplicate and rename it based on the application to update and the desired version.

For example:
• Microsoft Word 2016 msupdate 16.12.18041000.pkg
• Microsoft Excel 2016 msupdate 16.12.18041000.pkg
• Microsoft PowerPoint 2016 msupdate 16.12.18041000.pkg
• Microsoft Outlook 2016 msupdate 16.12.18041000.pkg
• Microsoft OneNote 2016 msupdate 16.12.18041000.pkg

Add the packages to the definitions of the Microsoft Office Patch Management Software Titles.

When the patch policies run, the post-install script will leverage the "msupdate" binary to apply the updates.

Updated patch definitions are available on GitHub.

Script

#!/bin/sh

## postinstall



pathToScript=$0

pathToPackage=$1

targetLocation=$2

targetVolume=$3



####################################################################################################

#

# ABOUT

#

#   Microsoft Office 2016 msupdate Post-install

#   Inspired by: https://github.com/pbowden-msft/msupdatehelper

#

#   Microsoft AutoUpdate (MAU) version 3.18 and later includes the "msupdate" binary which can be

#   used to start the Office for Mac update process.

#   See: https://docs.microsoft.com/en-us/DeployOffice/mac/update-office-for-mac-using-msupdate

#

#   Jamf Pro 10 Patch Management Software Titles currently require a .PKG to apply updates

#   (as opposed to a scripted solution.)

#

#   This script is intended to be used as a post-install script for a payload-free package.

#

#   Required naming convention: "Microsoft Excel 2016 msupdate 16.12.18041000.pkg"

#   • The word after "Microsoft" in the pathToPackage is the application name to be updated (i.e., "Excel").

#   • The word after "msupdate" in the pathToPackage is the target version number (i.e., "16.12.18041000").

#

####################################################################################################

#

# HISTORY

#

#     Version 1.0.0, 26-Apr-2018, Dan K. Snelson

#     Version 1.0.1, 21-Jun-2018, Dan K. Snelson

#         Updated PerformUpdate function; thanks qharouff

#         Recorded the version of msupdate installed

#

####################################################################################################



echo " "

echo "###"

echo "# Microsoft Office 2016 msupdate Post-install"

echo "###"

echo " "







###

# Variables

###





# IT Admin constants for application path

PATH_WORD="/Applications/Microsoft Word.app"

PATH_EXCEL="/Applications/Microsoft Excel.app"

PATH_POWERPOINT="/Applications/Microsoft PowerPoint.app"

PATH_OUTLOOK="/Applications/Microsoft Outlook.app"

PATH_ONENOTE="/Applications/Microsoft OneNote.app"



# Path to package

echo "• pathToPackage: ${1}"



# Target app (i.e., the word after "Microsoft" in the pathToPackage)

targetApp=$( /bin/echo ${1} | /usr/bin/awk '{for (i=1; i<=NF; i++) if ($i~/Microsoft/) print $(i+1)}' )



# Target version (i.e., the word after "msupdate" in the pathToPackage)

targetVersion=$( /bin/echo ${1} | /usr/bin/awk '{for (i=1; i<=NF; i++) if ($i~/msupdate/) print $(i+1)}' | /usr/bin/sed 's/.pkg//' )



echo " "











###

# Define functions

###





# Function to check whether MAU 3.18 or later command-line updates are available

function CheckMAUInstall() {

    if   ! -e "/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate" ]; then

        echo "*** Error: MAU 3.18 or later is required! ***"

        exit 1

  else

    mauVersion=$( /usr/bin/defaults read "/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/Info.plist" CFBundleVersion )

    echo "• MAU ${mauVersion} installed; proceeding ..."

  fi

}







# Function to check whether Office apps are installed

function CheckAppInstall() {

    if ( ! -e "/Applications/Microsoft ${1}.app" ]; then

        echo "*** Error: Microsoft ${1} is not installed; exiting ***"

        exit 1

    else

            echo "• Microsoft ${1} installed; proceeding ..."

    fi

}







# Function to determine the logged-in state of the Mac

function DetermineLoginState() {

    CONSOLE=$( stat -f%Su /dev/console )

    if so "${CONSOLE}" == "root" ]] ; then

    echo "• No user logged in"

        CMD_PREFIX=""

    else

    echo "• User ${CONSOLE} is logged in"

    CMD_PREFIX="sudo -u ${CONSOLE} "

    fi

}







# Function to register an application with MAU

function RegisterApp() {

    echo "• Register App: Params - $1 $2"

    $(${CMD_PREFIX}defaults write com.microsoft.autoupdate2 Applications -dict-add "$1" "{ 'Application ID' = '$2'; LCID = 1033 ; }")

}







# Function to call 'msupdate' and update the target application

function PerformUpdate() {

    echo "• Perform Update: ${CMD_PREFIX}./msupdate --install --apps $1 --version $2 --wait 600 2>/dev/null"

    result=$( ${CMD_PREFIX}/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate --install --apps $1 $2 --wait 600 2>/dev/null )

    echo "• ${result}"

}







###

# Command

###



CheckMAUInstall

CheckAppInstall ${targetApp}

DetermineLoginState



echo " "

echo "• Updating Microsoft ${targetApp} to version ${targetVersion} ..."



case "${targetApp}" in



 "Word" )



         RegisterApp "${PATH_WORD}" "MSWD15"

         PerformUpdate "MSWD15" "${targetVersion}"

         ;;



 "Excel" )



         RegisterApp "${PATH_EXCEL}" "XCEL15"

         PerformUpdate "XCEL15" "${targetVersion}"

         ;;





  "PowerPoint" )



         RegisterApp "${PATH_POWERPOINT}" "PPT315"

         PerformUpdate "PPT315" "${targetVersion}"

         ;;



  "Outlook" )



         RegisterApp "${PATH_OUTLOOK}" "OPIM15"

         PerformUpdate "OPIM15" "${targetVersion}"

         ;;



   "OneNote" )



         RegisterApp "${PATH_ONENOTE}" "ONMC15"

         PerformUpdate "ONMC15" "${targetVersion}"

         ;;



 *)



         echo "*** Error: Did not recognize the target appliction of ${targetApp}; exiting. ***"

         exit 1



         ;;



esac



echo "• Update inventory ..."

/usr/local/bin/jamf recon



echo " "

echo "Microsoft Office 2016 msupdate Post-install Completed"

echo "#####################################################"

echo " "







exit 0      ## Success

exit 1      ## Failure

Page 3 / 3

@sdagley and @pbowden Thanks for responding. I will definitely follow the Microsoft AutoUpdate channel to get more info. I have 8 Jamf Pro servers that I have been uploading about 5.5GB of Office updates to once a month. When I do that the process takes nearly my whole day. My download speed in my home office is 1Gb/s but my upload is only around 40Mb/s. If I could get this process working, I could stop doing that.

@howie_isaacks I think you're probably running into the same problem I am which is the script is being run from a post-install on a package which is holding up the installer process. As soon as the script exits installer gets freed up and installs the update. I'm not sure how @dan-snelson has gotten around this issue.

@howie_isaacks: I, too, am impacted by the issue described immediately above by @lmatthews.

At @pbowden's suggestion, I'm now calling ./msupdate --install once to update all Office apps, using Outlook as a reference.

(You'll need to use something similar to "MicrosoftOffice2019-msupdate" from dan-snelson (024201f66e32b719aad0ce2372d5a1e8) Community Patch as the Patch Definition.)

#!/bin/sh

## postinstall



pathToScript=$0

pathToPackage=$1

targetLocation=$2

targetVolume=$3



####################################################################################################

#

#   ABOUT

#

#   Microsoft Office 2019 msupdate Post-install

#   Inspired by: https://github.com/pbowden-msft/msupdatehelper

#

#   Microsoft AutoUpdate (MAU) version 3.18 and later includes the "msupdate" binary which can be

#   used to start the Office for Mac update process.

#   See: https://docs.microsoft.com/en-us/DeployOffice/mac/update-office-for-mac-using-msupdate

#

#   Jamf Pro 10 Patch Management Software Titles currently require a .PKG to apply updates

#   (as opposed to a scripted solution.)

#

#   This script is intended to be used as a post-install script for a payload-free package.

#

#   No required naming convention; all Office apps are updated to their latest version.

#

####################################################################################################

#

# HISTORY

#

#   Version 2.0.1, 10-Mar-2020, Dan K. Snelson

#       Based on "Microsoft Office 2019 msupdate 1.0.5"

#

####################################################################################################







###

# Variables

###



msUpdatePause="300"       # Number of seconds for msupdate processes to wait (recommended value: 600)

numberOfChecks="2"        # Number of times to check if the target app has been updated

delayBetweenChecks="10"   # Number of seconds to wait between tests



# IT Admin constants for application path

PATH_WORD="/Applications/Microsoft Word.app"

PATH_EXCEL="/Applications/Microsoft Excel.app"

PATH_POWERPOINT="/Applications/Microsoft PowerPoint.app"

PATH_OUTLOOK="/Applications/Microsoft Outlook.app"

PATH_ONENOTE="/Applications/Microsoft OneNote.app"

PATH_SKYPEBUSINESS="/Applications/Skype for Business.app"

PATH_REMOTEDESKTOP="/Applications/Microsoft Remote Desktop.app"

PATH_COMPANYPORTAL="/Applications/Company Portal.app"

PATH_DEFENDER="/Applications/Microsoft Defender ATP.app"



APPID_WORD="MSWD2019"

APPID_EXCEL="XCEL2019"

APPID_POWERPOINT="PPT32019"

APPID_OUTLOOK="OPIM2019"

APPID_ONENOTE="ONMC2019"

APPID_SKYPEBUSINESS="MSFB16"

APPID_REMOTEDESKTOP="MSRD10"

APPID_COMPANYPORTAL="IMCP01"

APPID_DEFENDER="WDAV00"



# Target app (i.e., the word after "Microsoft" in the pathToPackage)

#targetApp=$( /bin/echo ${1} | /usr/bin/awk '{for (i=1; i<=NF; i++) if ($i~/Microsoft/) print $(i+1)}' )

targetApp="Outlook" # Hard-code a check for Outlook



# Target version (i.e., the word after "msupdate" in the pathToPackage)

#targetVersion=$( /bin/echo ${1} | /usr/bin/awk '{for (i=1; i<=NF; i++) if ($i~/msupdate/) print $(i+1)}' | /usr/bin/sed 's/.pkg//' )







###

# Define functions

###





# Function to check whether MAU 3.18 or later command-line updates are available

function CheckMAUInstall() {

    if [[ ! -e "/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate" ]]; then

        jssLog "*** Error: MAU 3.18 or later is required! ***"

        exit 1

    else

        mauVersion=$( /usr/bin/defaults read "/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/Info.plist" CFBundleVersion )

        echo "• MAU ${mauVersion} installed; proceeding ..."

    fi

}



# Function to check whether we are allowed to send Apple Events to MAU

function CheckAppleEvents() {

    MAURESULT=$(${CMD_PREFIX}/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate --config | grep 'No result returned from Update Assistant')

    if f  "$MAURESULT" = *"No result returned from Update Assistant"* ]]; then

        echo "ERROR: Cannot send Apple Events to MAU. Check privacy settings."

        exit 1

    fi

}



# Function to check whether MAU is up-to-date

function CheckMAUUpdate() {

    MAUUPDATE=$(${CMD_PREFIX}/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate --list | grep 'MSau04')

    if f  "$MAUUPDATE" = *"MSau04"* ]]; then

        echo "Updating MAU to latest version... $MAUUPDATE"

        echo "$(date)"

        RESULT=$(${CMD_PREFIX}/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate --install --apps MSau04)

        sleep 120

    fi

}



# Function to check whether its safe to close Excel because it has no open unsaved documents

function OppCloseExcel() {

    APPSTATE=$(${CMD_PREFIX}pgrep "Microsoft Excel")

    if f ! "$APPSTATE" == "" ]; then

        DIRTYDOCS=$(${CMD_PREFIX}defaults read com.microsoft.Excel NumTotalBookDirty)

        if f "$DIRTYDOCS" == "0" ]; then

            echo "$(date)"

            echo "Closing Excel as no unsaved documents are open"

            $(${CMD_PREFIX}pkill -HUP "Microsoft Excel")

        fi

    fi

}



# Function to check whether Office apps are installed

function CheckAppInstall() {

    if f  ! -e "/Applications/Microsoft ${1}.app" ]]; then

        echo "*** Error: Microsoft ${1} is not installed; exiting ***"

        exit 1

    else

        echo "• Microsoft ${1} installed; proceeding ..."

    fi

}







# Function to determine the logged-in state of the Mac

function DetermineLoginState() {

    # The following line is courtesy of @macmule - https://macmule.com/2014/11/19/how-to-get-the-currently-logged-in-user-in-a-more-apple-approved-way/

    CONSOLE=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or  None])n0]; username = eusername,""]3username in  u"loginwindow", None, u""]]; sys.stdout.write(username + "

");')

    if   "$CONSOLE" == "" ]; then

        echo "No user currently logged in to console - using fall-back account"

        CONSOLE=$(/usr/bin/last -1 -t ttys000 | /usr/bin/awk '{print $1}')

        echo "Using account $CONSOLE for update"

        CMD_PREFIX="sudo -u $CONSOLE "

    else

        echo "User $CONSOLE is logged in"

        CMD_PREFIX="sudo -u $CONSOLE "

    fi

}



# Function to register an application with MAU

function RegisterApp() {

    echo "• Register App: $1 $2"

  $(${CMD_PREFIX}defaults write com.microsoft.autoupdate2 Applications -dict-add "$1" "{ 'Application ID' = '$2'; LCID = 1033 ; }")

}



# Function to flush any existing MAU sessions

function FlushDaemon() {

    $(${CMD_PREFIX}defaults write com.microsoft.autoupdate.fba ForceDisableMerp -bool TRUE)

    $(${CMD_PREFIX}pkill -HUP "Microsoft Update Assistant")

}



# Function to call 'msupdate' and update the target application

function PerformUpdate() {

    echo "• Perform Update: ${CMD_PREFIX}./msupdate --install" # Update ALL Office apps

    result=$( ${CMD_PREFIX}/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate --install  2>/dev/null ) # Update ALL Office apps

    echo "• ${result}"

}



# Function to check the currently installed version

function CheckInstalledVersion() {

    installedVersion=$( /usr/bin/defaults read "${1}"/Contents/Info.plist CFBundleVersion )

    echo "• Installed Version: ${installedVersion}"

}



# Function to confirm the update, then perform recon

function ConfirmUpdate() {

    echo "• Target Application: ${1}"

    CheckInstalledVersion "${1}"

    counter=0

    until  / ${installedVersion} == ${targetVersion} ]] || er ${counter} -gt ${numberOfChecks} ]]; do

        ((counter++))

        echo "• Check ${counter}; pausing for ${delayBetweenChecks} seconds ..."

        /bin/sleep ${delayBetweenChecks}

        CheckInstalledVersion "${1}"

    done



    if >
 ${installedVersion} == ${targetVersion} ]]; then

        echo "• Target Version:    ${targetVersion}"

        echo "• Installed Version: ${installedVersion}"

        echo "• Update inventory ..."

        /usr/local/bin/jamf recon

    else

        echo "WARNING: Update not completed within the specified duration; recon NOT performed"

        echo "•       Target Version: ${targetVersion}"

        echo "•    Installed Version: ${installedVersion}"

        echo "• Delay Between Checks: ${delayBetweenChecks}"

        echo "•     Number of Checks: ${numberOfChecks}"

    fi



}







###

# Command

###







echo " "

echo "#########################################"

echo "# Microsoft Office 2019 msupdate v2.0.1 #"

echo "#########################################"

echo " "

echo "• Path to Package: ${1}"

echo "• Target App: ${targetApp}"

#echo "• Target Version: ${targetVersion}"

echo " "



CheckMAUInstall

CheckAppInstall ${targetApp}

DetermineLoginState

FlushDaemon

CheckAppleEvents

CheckMAUUpdate

FlushDaemon

RegisterApp "$PATH_WORD" "$APPID_WORD"

RegisterApp "$PATH_EXCEL" "$APPID_EXCEL"

RegisterApp "$PATH_POWERPOINT" "$APPID_POWERPOINT"

RegisterApp "$PATH_OUTLOOK" "$APPID_OUTLOOK"

RegisterApp "$PATH_ONENOTE" "$APPID_ONENOTE"

#RegisterApp "$PATH_SKYPEBUSINESS" "$APPID_SKYPEBUSINESS"

#RegisterApp "$PATH_REMOTEDESKTOP" "$APPID_REMOTEDESKTOP"

#RegisterApp "$PATH_COMPANYPORTAL" "$APPID_COMPANYPORTAL"

#RegisterApp "$PATH_DEFENDER" "$APPID_DEFENDER"

OppCloseExcel



echo " "

#echo "• Updating Microsoft ${targetApp} to version ${targetVersion} ..."

echo "• Updating Microsoft Office to the latest version ..."



case "${targetApp}" in



    "Word" )



        RegisterApp "${PATH_WORD}" "MSWD2019"

        PerformUpdate "MSWD2019" "${targetVersion}"

        #ConfirmUpdate "${PATH_WORD}"

        ;;



    "Excel" )



        RegisterApp "${PATH_EXCEL}" "XCEL2019"

        PerformUpdate "XCEL2019" "${targetVersion}"

        #ConfirmUpdate "${PATH_EXCEL}"

        ;;



    "PowerPoint" )



        RegisterApp "${PATH_POWERPOINT}" "PPT32019"

        PerformUpdate "PPT32019" "${targetVersion}"

        #ConfirmUpdate "${PATH_POWERPOINT}"

        ;;



    "Outlook" )



        RegisterApp "${PATH_OUTLOOK}" "OPIM2019"

        PerformUpdate "OPIM2019" "${targetVersion}"

        #ConfirmUpdate "${PATH_OUTLOOK}"

        ;;



    "Office" )



        RegisterApp "${PATH_OUTLOOK}" "OPIM2019"

        PerformUpdate "OPIM2019" "${targetVersion}"

        #ConfirmUpdate "${PATH_OUTLOOK}"

        ;;



    "OneNote" )



        RegisterApp "${PATH_ONENOTE}" "ONMC2019"

        PerformUpdate "ONMC2019" "${targetVersion}"

        #ConfirmUpdate "${PATH_ONENOTE}"

        ;;



    *)



        echo "*** Error: Did not recognize the target application of ${targetApp}; exiting. ***"

        exit 1

        ;;



esac







echo " "

echo "Microsoft Office 2019 msupdate completed"

echo "# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #"

echo " "







exit 0      ## Success

exit 1      ## Failure

I lost focus on this due to other more pressing issues, but next week, I will start working on it again.

NOTE: The helper scripts are now deprecated. Use the new deffered and version pinning capability in Microsoft AutoUpdate for scenarios where you need more control over the timing of updates. See https://www.kevinmcox.com/2021/10/microsoft-now-provides-curated-deferral-channels-for-autoupdate/ for more details.

Background

Microsoft Office 2016 Update 1.0.0.pkg

Post-install Script

Payload-free Post-install Script

Script

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded