
Hello, fellow Mac Systems Administrators,

I imagine a lot of you are here to maybe see if this solution will work with possible issues you've been having on your AutoUpdating for Mac 2019. We've spent quite some time on it on and off, and I think we've come up with a solution that works well (at least in our environment).

First off I'd like to start by giving credit to the people who've contributed to this project:

  • @pbowden for creating resources and utilities and providing the tools and scripts to make this work - And the countless hours of endless support given to the community.

  • Duper51 a fellow co-worker of mine who helped immensely with the debugging and solution of this.

  • Carl Ashley for providing some useful documentation on viewing the macOS TCC log to solve the PPPC violations that no one really knew were happening.

GitHub repo to our modified @pbowden script and MobileConfigs: https://github.com/GN/Microsoft-AutoUpdate-for-Mac-Jamf-Deployment

The problems:

  • With the release of macOS 10.14 (Mojave), there were a lot of security changes, namely PPPC restrictions, that caused the command-line MSUpdate tool to not be able to communicate with the Microsoft AutoUpdate Daemon, and JAMF not having the correct PPPC permissions to run and interact with everything that it needed to. @pbowden's MobileConfig seems to not be updated to the latest security settings that we've determined JAMF and the AutoUpdate tools need. This is where we think most of the issues are occurring with people's deployments.

  • The old script MSUpdateHelper4JamfPro.sh provided by @pbowden (which is what we're currently using - we haven't tried the new one. We didn't realize there was a new one released but what we have now works) calls to update the Microsoft AutoUpdater. For whatever reason this function was not working as intended/expected for us, so we shimmed a function in called "downloadMAU()". This downloads and installs the latest release of MAU into its standard location. This mitigates the issue(s) of not having the latest version of MAU and applications not updating because of it.

Please note: Every time the script runs it will download and install the package. With a little bit of work it's definitely possible to check the currently installed version and compare it to the one that will be downloaded.

Update: We've updated it with some logic that will check the current version installed vs. the latest release from Microsoft and if they don't match it'll download and install the latest release (We got un-lazy and made it work)!

We've created an updated script and a new PPPC MobileConfig which provides JAMF and the Microsoft AutoUpdate tools the permissions they need to run the AutoUpdate cycle. Everything we've made has been published in the provided GitHub repository. It should be a relatively simple plug-n-play solution. We've also added Microsoft ATP as a supported application for this script.

Installation Instructions:

  1. At a minimum, you will need the "PPPCPermissions.mobileconfig" imported to JAMF and scoped to your environment.

  2. To prevent users from updating and/or changing update settings the "MSUpdateFullyManaged.mobileconfig" disables and frontend users from interacting directly with the Microsoft AutoUpdater Application.

  3. The "MSUpdateHelper4JamfPro.sh" must be placed in a policy and scoped to the machines you wish to push automatic updates to.

  4. (Optional) - Change the "UPDATE_*" variables using "true" or "false" to determine which software(s) you'd like to update.

Note(s):

  • We've tested this on an outdated version of Microsoft Office back to 16.29
  • We've tested this on High Sierra, Mojave, and Catalina.

Lastly, I would like to say: Your mileage may vary, this is just a solution that we've come up with that works in our environment. Be sure to test any and everything in a non-production area to be sure nothing breaks.

I hope this helped someone or everyone!

A Configuration Profile to provide the access @greatkemo describes can be found in @pbowden's GitHub repo: https://github.com/pbowden-msft/MobileConfigs/blob/master/Jamf-MSUpdate/Jamf%20Controller%20for%20Microsoft%20AutoUpdate.mobileconfig


Teams does show up as an option in the MAU GUI but it is not yet actually being updated by MAU. It still uses Microsoft's CDN for independent updates. Hopefully this changes soon.


@greatkemo can you elaborate a bit more? @sdagley I can't seem to get the linked file to work. Keeps returning the error about sending MAU updates to Apple Events


@jwojda If you don't have one already, you need to create a PPPC profile for path

/usr/local/jamf/bin/jamf

and Allow it AppleEvents access to the msupdate binary found here

/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate

The trigger script tests to see if you have allowed this access or not in this function...

function CheckAppleEvents() {
    # Spaces in the msupdate path must be escaped so the shell treats it as one word.
    MAURESULT=$(${CMD_PREFIX}/Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app/Contents/MacOS/msupdate --config | /usr/bin/grep 'No result returned from Update Assistant')
    if [[ "$MAURESULT" = *"No result returned from Update Assistant"* ]]; then
        echo "ERROR: Cannot send Apple Events to MAU. Check privacy settings"
        exit 1
    fi
}

which can be found between lines 52 and 58 of the script.

source: MSUpdateTrigger.sh

Hope this was helpful.


Can anyone please help me determine why Outlook is not being updated?

I quit Outlook then run the policy with the script found here: script

and this is the result:

Going for Outlook update
Mon 15 Feb 2021 11:48:49 AEDT
RegisterApp: Params - /Applications/Microsoft Outlook.app OPIM2019
Mon 15 Feb 2021 11:48:49 AEDT
Final TARGET_VERSION: 
Mon 15 Feb 2021 11:48:49 AEDT
PerformUpdate: sudo -u rory.powell /Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate --install --apps OPIM2019  --wait 600
Detecting and downloading updates...
No updates applied
Mon 15 Feb 2021 11:48:55 AEDT

I have all appropriate PPPC mobile configs etc, other apps are updating correctly.

Outlook is version 16.38 but the latest is 16.45... why is it not updating?


@djrory Are you downloading from your public CDN? Or do you have your own MAUCache?


@djrory also, if that Outlook is from MAS, MAU won't update it. You can fix this by deleting the _MASReceipt folder within the .app bundle (which, btw, best and easiest way to switch from MAS version to CDN version).


@greatkemo public CDN. @rstasel I wasn't aware of this, I'll try that out. What does MAS stand for and how did I end up with a MAS Outlook and everything else under MAU?


MAS is Mac App Store. The Office Apps are available through the MAS via VPP, and many of us tried to transition to the MAS version, but saw issues with updates never getting applied (either the MAS process would crash, or users would never quit Word/Outlook and they wouldn't update). So we switched everything to CDN by just deleting that directory, and MAU would pick them up and update them.


Ah Mac App Store, got it. Not sure how that happened but will ensure I deploy all apps via package rather than the App store moving forward.


Glad that was it. MAU ignores the MAS version since it would likely result in a corrupted app if it tried to update rather than MAS doing it.

As for how... guessing CDN Outlook was installed, and someone clicked "install" for the MAS version. That would have likely just "adopted" the existing version, or best case, deleted the existing CDN version and installed the MAS version. Either way, hats off to @pbowden for pointing out that you can just delete the _MASReceipt folder. So much easier than having to notify users you're gonna quit the apps, delete them, then reinstall. I was able to silently convert 100's of machines from MAS to CDN in the time it took for them to check in, run a quick script, and inventory (20-30 minutes). =)


@rstasel great to hear!!


Hmmm...so is there an easy way to pull a report in Jamf of which Microsoft applications are MAS and which aren't? Has anyone written an EA for that?


@jhuls Yup. I use this. Swap out the program name as appropriate.

#!/bin/bash

app="/Applications/Microsoft Excel.app"

if [ -e "$app/Contents/_MASReceipt" ]; then
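    # A _MASReceipt folder means the app came from the Mac App Store; ask Spotlight whether it is VPP licensed.
    VPPCheck=$(mdls "$app" | awk '/kMDItemAppStoreReceiptIsVPPLicensed/ {print $3}')
    # Quoted string comparison so an empty mdls result does not break the test.
    if [ "$VPPCheck" = "1" ]; then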
        echo "<result>MAS_VPP</result>"
    else
        echo "<result>MAS_Personal</result>"
    fi
else
    if [ -e "$app" ]; then
        echo "<result>CDN</result>"
    else
        echo "<result>None</result>"
    fi
fi
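
The single-app check above, generalized to every Microsoft app in /Applications so that one extension attribute answers the MAS-versus-CDN report question asked earlier in the thread. This is an added example, not code from any poster in the thread; the function names and the MAS_Unknown label (used when mdls gives no answer) are assumptions.

```shell
#!/bin/bash
# Added example: classify every Microsoft app in a directory as MAS or CDN.
# Function names and the MAS_Unknown label are assumptions of this example.

# Print the install source of one .app bundle.
classify_app() {
    local app="$1" vpp=""
    if [ ! -d "$app" ]; then
        echo "None"
        return
    fi
    if [ ! -e "$app/Contents/_MASReceipt" ]; then
        echo "CDN"      # no App Store receipt, so MAU manages this copy
        return
    fi
    # mdls exists only on macOS; an empty value means Spotlight has no answer.
    if command -v mdls >/dev/null 2>&1; then
        vpp=$(mdls "$app" 2>/dev/null | awk '/kMDItemAppStoreReceiptIsVPPLicensed/ {print $3}')
    fi
    case "$vpp" in
        1) echo "MAS_VPP" ;;
        0) echo "MAS_Personal" ;;
        *) echo "MAS_Unknown" ;;
    esac
}

# Print "Name: source" for each Microsoft*.app under the given directory.
report_microsoft_apps() {
    local dir="${1:-/Applications}" app name found=0
    for app in "$dir"/Microsoft*.app; do
        [ -d "$app" ] || continue      # glob matched nothing
        name=$(basename "$app" .app)
        echo "$name: $(classify_app "$app")"
        found=1
    done
    [ "$found" -eq 1 ] || echo "None"
}

# Jamf reads the extension attribute value from a single <result> element.
echo "<result>$(report_microsoft_apps /Applications)</result>"
```

Any app reported as MAS_VPP or MAS_Personal is one that MAU will skip, per the replies above.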