Question

MacOS updates management with Nudge

  • November 26, 2025
  • 5 replies
  • 86 views


Hi all,

I’m looking for some advice on improving our macOS update workflow.
 

Current setup

Right now we’re using a mix of:

Restrictions payload with no deferral for our tester group, 1-week deferral for everyone else.

Nudge - separate config profiles depending on whether we want to push a required update or just remind users.

This works, but managing multiple profiles every time there’s a new macOS version isn’t ideal.

What I’d like to achieve is:
 

A cleaner process for forced updates for everyone when needed.

A standard workflow where users get UI prompts to update (Nudge-style), based on our deferral policy.

Ideally: define the update version and handle the user prompts from one place, without juggling several profiles.

 

Does Jamf Pro offer any built-in way to handle both the update logic and user prompts together?
Or is Nudge still the best option?
If you have a setup that avoids maintaining multiple profiles per update, I’d love to hear how you do it.

Thanks!

5 replies

Ke_ReM
  • Contributor
  • November 26, 2025

Since moving to the SUPER method, our macOS Major update workflow has been much more streamlined, simply requiring a small adjustment/upgrade of the script for each new version and an update of the blocking mechanism for when we want to restrict deployment to end users to allow for internal testing (a restriction config blocking only major software updates for X period and excluding the IT Test devices group from the scope).

https://github.com/Macjutsu/super

Our Updates Config Plist looks like this (not updated for Tahoe yet).

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AuthJamfComputerID</key>
    <string>$JSSID</string>
    <key>InstallMacOSMajorUpgrades</key>
    <true/>
    <key>InstallMacOSMajorVersionTarget</key>
    <string>15</string>
    <key>InstallRapidSecurityResponses</key>
    <true/>
    <key>DeferralTimerDefault</key>
    <string>480</string>
    <key>DeadlineCountSoft</key>
    <string>3</string>
    <key>DisplayUnmovable</key>
    <string>ALWAYS</string>
    <key>DisplayHelpButtonString</key>
    <string>Your IT - For assistance please contact us at support@your.org</string>
</dict>
</plist>
  • allows minor/security updates,
  • allowed deferral amount (3 in this case)
  • time between deferrals (480 minutes / 8 hours)

We then obviously scope this to devices that

  • are compatible/eligible with the latest update (via smart groups and extension attributes).
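
A pre-deployment check for a profile like the one in the post above, as an added example that is not the poster's code or part of the super project. It assumes the meaning of the keys as the post describes them (deferral count and minutes between deferrals); the `audit` function, its `newest_major` parameter and the inline sample are constructed for illustration.

```python
import plistlib

# Constructed sample: the same policy keys and values as the plist in the post.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>AuthJamfComputerID</key><string>$JSSID</string>
<key>InstallMacOSMajorUpgrades</key><true/>
<key>InstallMacOSMajorVersionTarget</key><string>15</string>
<key>InstallRapidSecurityResponses</key><true/>
<key>DeferralTimerDefault</key><string>480</string>
<key>DeadlineCountSoft</key><string>3</string>
</dict></plist>"""

NUMERIC = ("InstallMacOSMajorVersionTarget", "DeferralTimerDefault", "DeadlineCountSoft")

def audit(raw, newest_major):
    """Return (policy, findings). newest_major is supplied by the caller (assumption)."""
    cfg = plistlib.loads(raw)
    nums, findings = {}, []
    for key in NUMERIC:
        value = cfg.get(key)
        # The profile stores numbers as strings, so confirm each one parses.
        if isinstance(value, str) and value.isascii() and value.isdigit():
            nums[key] = int(value)
        else:
            findings.append(f"{key}: expected a numeric string, got {value!r}")
    policy = {}
    if "DeferralTimerDefault" in nums and "DeadlineCountSoft" in nums:
        # Reading taken from the post: count = allowed deferrals,
        # timer = minutes between them. Product = time a user can defer.
        minutes = nums["DeferralTimerDefault"] * nums["DeadlineCountSoft"]
        policy["deferral_hours"] = minutes / 60
    target = nums.get("InstallMacOSMajorVersionTarget")
    if target is not None:
        policy["major_target"] = target
        # A stale target leaves major upgrades pinned to an older release.
        if cfg.get("InstallMacOSMajorUpgrades") is True and target < newest_major:
            findings.append(f"major target {target} is behind macOS {newest_major}")
    if cfg.get("InstallRapidSecurityResponses") is not True:
        findings.append("InstallRapidSecurityResponses is not enabled")
    return policy, findings

if __name__ == "__main__":
    print(audit(SAMPLE, newest_major=26))
```
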

AJPinto
  • Legendary Contributor
  • November 26, 2025

I gave up on Nudge years ago. It's okay, but considering you can't trigger updates from CLI anymore, it's literally just a notification tool, and for that I use Jamf Helper. As @Ke_ReM said, look into using SUPERMAN, or look into blueprints.


Chubs
  • Jamf Heroes
  • November 26, 2025

Don’t get stuck in the past with some third party patching tooling (which was great when MDM protocols were the only way updates could really be had). Declarative updates is the future and will be the best bet here - considering it’s all native to the OS.  I’d recommend using Software Updates or Blueprints to apply updates.  


Ke_ReM
  • Contributor
  • November 26, 2025

I agree that it's good to stay up to date with developments, but it's not broken, so no fix required.
Also, we are primarily a Windows org, so I have minimal time to invest in new methods when the existing one just works. Any pointers to the new methods appreciated though, I will put some time aside to read up on it.

Also, not impressed by Apple's “in-house” methods from the past, which might have been fine for non-enterprise-level end users but were not suitable for our standards. Hence the need for things like SUPER and previously Nudge.

The world of Open Source is all giving, as someone mentioned in a blog post somewhere...
I would hate to have to rely on Apple for (working) solutions when you need them.


Chubs
  • Jamf Heroes
  • November 26, 2025

> I agree that it's good to stay up to date with developments, but it's not broken, so no fix required.
> Also, we are primarily a Windows org, so I have minimal time to invest in new methods when the existing one just works. Any pointers to the new methods appreciated though, I will put some time aside to read up on it.

Pointers to the new method? Just create a blueprint and test. It has been an awesome resource for us. We leveraged the old MDM push method for years and it was pretty reliable. DDU has been flawless minus some of the older devices that are ornery… but that's like .02% of our fleet. We turned on Jamf SSO less than a month ago and are currently leveraging blueprints for updates. Just did the 26.1 update to our mobile devices last night and it got over 95% of them up to date.