I was in the process of performing some patch management for the Zoom client and found there are two different versions offered, one for Intel and one for Apple silicone. How do I create separate patch management policies for the two separate architectures? I can only select 1 package in patch management for the Zoom client.
Page 1 / 2
You can't. I asked this of Jamf Support yesterday. I asked them to clarify how we can do it then but I've yet to receive an answer.
Maybe setup a whole new Site within your instance for just new machines?
A workaround I can think of is to roll your own patch management server then set up a separate Zoom patch feed so that you can set up a new patch management profile specific for M1 apps. I have yet to test if this works.
You can also create your own custom package that has both of them included and some code to detect M1 use this package, non M1 use this one.
way too difficult for me. Seems Jamf have no plan to fix this either which is a shame.
Really, all we'd need is two Definition lines for each release.
e.g. for Zoom:
5.5.1 (12484.0202) x86_64
5.5.1 (12484.0202) arm
Indeed but they won't do it and I can't see all apps suddenly working any time soon.
The Zoom 5.5.1 IT installer looks to be a universal binary. Perhaps they received some feedback that distributing separate binaries for each architecture wasn't enterprise friendly...
Make it easy on yourself, use the Zoom for IT installer which has a Universal binary.
Now when it comes to something like VLC, that's a different type of problem. 3.0.12 is x86_64 and 3.0.12.1 is arm64 - Jamf only updated the definition to 3.0.12.
Who knows what other crazy things developers will do when they update their apps, and how often will they change their mind. Until Patch is improved, we'll need to use a good external patch definition source (or make one), and make some smart groups to scope to the right architecture.
OK thanks I'll see if the universal binary takes on my M1 macbook
Not all apps will have universal binaries, upvote this one:
https://www.jamf.com/jamf-nation/feature-requests/10107/patch-management-for-apple-silicone-mac-s
Cisco Webex another one that comes in x86 or ARM only.
If y'all would like to have a separate Apple Silicon patch title for any applications in particular make sure you submit an individual feature request for each one. That helps the teams see what's in highest demand to best prioritize building out that patch title in the Patch Management service.
As if Patch Management wasn't hard enough, multiple architectures now complicates it even further. Those interested in an intelligent Patch Management solution that easily accommodates both x86_64 and arm64 architectures might want to check out Alectrona Patch in the Jamf Marketplace. Feel free to chat with us for more details.
You can also just add Jamf again as an external path source with https://jamf-patch.jamfcloud.com/v1
Use the secondary one for arm64 titles. That doesn't help for titles like VLC where the version is slightly different but it's a quick fix for those where the version is the same across architecture.
Hey @darth_undesirable ,
This is not exactly what you asked for, but it helps a lot to keep the environment up to date, and from my knowledge, it's for both Intel and M1 chips.
just run it once a week and all your zoom clients will be upgraded to the latest version.
#!/bin/bash
#https://www.jamf.com/jamf-nation/third-party-products/files/1051/install-latest-zoom-client
# this is the full URL
url="https://zoom.us/client/latest/ZoomInstallerIT.pkg"
# change directory to /private/tmp to make this the working directory
cd /private/tmp/
# download the installer package and name it for the linkID
/usr/bin/curl -JL "$url" -o "ZoomInstallerIT.pkg"
# install the package
/usr/sbin/installer -pkg "ZoomInstallerIT.pkg" -target /
# remove the installer package when done
/bin/rm -f "ZoomInstallerIT.pkg"
exit 0Hope that helps something.
I must be missing something, why are companies pushing out non universal binaries? Isn't the fact that you can compile the app to work natively across either architecture the selling point of it?
Having to start putting multiple versions of packages into JAMF to deal with both sounds horrible :(
@ianatkinson, horrible is a good word for it. I do not know why they are, but they are. In particular Adobe is the biggest offender right now. I'm sure that there are others. With Adobe, you cannot even install an intel application using a package from the Adobe Admin Console unless you choose Apple Silicon when creating that package. To clarify, even if the Adobe application doesn't have an Apple Silicon version yet, you still have to create the installer package for Apple Silicon.
The gist of what I am saying here is that as administrators, we do not directly control what packages are available. In an ideal world everything would be universal, but we don't live in that world. It makes sense then for the tools we use for Mac administration to support the situation where multiple packages are being offered by vendors, as that is the world that we currently live in.
100% not surprised that we're upset about Adobe installers again, but hey, at least flash is finally and actually dead.
Ah Adobe. I can feel my hair getting a bit greyer already.
@timdambrosio It seems that Jamf will not allow external patch source set to the URL of the "internal" one https://jamf-patch.jamfcloud.com/v1/. The error is "invalid hostname". If specifying just jamf-patch.jamfcloud.com you get connection error when trying to use it. I'm on 10.29 Jamf cloud
Worked like a charm @timdambrosio
You can also just add Jamf again as an external path source with https://jamf-patch.jamfcloud.com/v1
Use the secondary one for arm64 titles. That doesn't help for titles like VLC where the version is slightly different but it's a quick fix for those where the version is the same across architecture.
Hi Tim, I loved your suggestion for the problem, but I just can't seem to add that again. I get "invalid source" when I try. How did you manage to do this?
Hi Tim, I loved your suggestion for the problem, but I just can't seem to add that again. I get "invalid source" when I try. How did you manage to do this?
Probably need to drop the https:// from the url, see below he responded to someone with that suggestion and a screenshot.
@timdambrosio - I would like to give this a try. I've setup the secondary patch source for Apple Silicon software.
I selected Adobe Creative Cloud in both.
It has ingested data from our fleet from both, looks identical as it should.
So now I would attach the Intel package to one, and the Apple Silicone package to the other.
I guess I'm just worried about things colliding? Our Creative Cloud desktop app policies are setup with smart group targets/exclusions so that intel will only show up if you have intel, apple silicone will only show up if you have apple silicone.
How will patch management know to install the silicone version on ARM computers and the intel version only on intel? Or will both run on all machines and the version is isn't compatible will just fail.
I might be overthinking this, but I was just worried about things colliding somehow.
Seems like a good suggestion, I just wanted to hear more before I actually try it.
Thanks.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.