Nudge used for General Software Updates?

NPU-Casper
New Contributor III

Correct me if I am wrong but Jamf does not have any way of enforcing software updates anymore correct? For example on my specific Test mac I have a couple available updates. An update to 11.6.7 and then a Safari update.

NPUCasper_0-1656608727070.png

From what I heard Jamf cannot enforce a user to install these, I was recommended to use Nudge but from my understanding Nudge is designed to take care of the security updates and macOS minor and major updates but does not tackle other updates like in my case, safari? I know nudge doesn't really auto enforce these besides gently nudging all the way to annoyingly nudge the user but will it also look and nudge based off other software updates like Safari?

Thanks!

 

6 REPLIES 6

mm2270
Legendary Contributor III

I've only played with it a little, but my understanding of Nudge was that it would prompt to install any updates from Apple that show up in the Software Update preference pane. So, yes, unless I'm mistaken, it should "nudge" to install a Safari update as well.

AJPinto
Valued Contributor

Its a bit more complex than that. JAMF has consistently been horrible at managing macOS Updates. Nothing is new there, but a lot of this is Apple is just miserable with OS update management options. Can JAMF force OS updates? In short yes, it can force OS updates. However the long answer is JAMF has no way of telling you if OS updates fail, or if updates succeed for that matter. 

  • For intel devices JAMF never added any internal support for managing OS updates. You could wrap a script in a policy and tell macs to run updates from CLI. It was fairly reliable. Not the best but it did the job.
  • For Apple Silicon Macs. You cannot install OS updates from CLI without user involvement. This is where MDM commands come in. JAMF supports all the necessary MDM commands to force OS updates. However in typical JAMF fashion lacks the MDM commands that allow JAMF to monitor OS updates. Basically you send the command out and have no idea what they do.

 

 

I have looked at nudge a few times. It always comes out to be more of a pain than its worth. Lots of high maintenance and configuration. Sure its all done with a config profile, but you have to keep modifying that config profile and potentially keeping several config profiles for groups you want on different OS versions. If we are just harassing users we could do that with JAMF Helper and policies to trigger it.

 

Last comment. Nudge does not install OS updates. It "nudges" the user to install updates with persistently more annoying notifications to install updates. Nudge cannot force updates to install, the user must do that. Again JAMF can force updates to install, reporting is horrible and the success rate is about 70% because of Apple not JAMF. Apple tossed the MDM commands to run OS updates out there without thinking things through and it shows.

sujal1208
New Contributor III

Can you share how you handle updates via policy and Jamf helper?

AJPinto
Valued Contributor

Make a JAMF helper script to say whatever you want. In mine we basically detail the mac is out of date and you need to update before you lose access to things, and have two buttons. One button differs and drops a log the user differed, it acknowledged they will lose access to things. The other button opens JAMF SS to a policy with a script to run updates and tells the user to enter creds if on apple silicon. We cant go directly to software update in system preferences because our VPN client is stupid. 

 

The OS update policy is simple. We unload our VPN client and basically run sudo softwareupdate -aiR. You may be able to go directly to the software update pane which would be better.

 

To make the policy work, just set it on recurring checkin on whatever interval you want. Have various groups that you update for the OS version you want the policy to target. You can even put teeth behind it. For example if someone gets too far out of date start using software restrictions to start blocking things like Mail and Chat with messages they are out of complains and need to run OS updates.

 

I dont have the scripts handy, but they are not too hard to make. You can really get as nasty as you want if you need a heavy hand.

glennu
New Contributor II

I'm currently testing Nudge right now with a small group. I like how it can be more present than some other methods and how it displays a due date. I'm hoping if I kind of set the expectation visually in the moment that the update should be completed by a certain time that hopefully it will be.

 

I also use a different notification using a policy with only the user interaction section in use. I scope it to a smart group called software update available for anyone on a OS Version not with at least the value of my targeted OS. Then in the user interaction section of the policy I have it display a message that there's an update available, and I have it run daily at check in. Once they update they're out of that smart group and the message disappears. All you need to do is change the OS version specified in the smart group when a new one comes out.

 

It works but it's a little hidden in notification center. Nudge is more in your face. I could use JAMF helper as well, but Nudge was the answer from a bunch of people so I said lets give it a whirl.

mm2270
Legendary Contributor III

Spot on @AJPinto

In my response I intentionally decided not to wade into the quagmire that is macOS Software Update management these days. It's such a mess it sometimes makes me want to cry, or scream, or sometimes both. I sometimes can't believe that Apple is choosing to leave it in such a horrible state. For something they should be going out of their way to help us admins achieve - installing available updates, reliably - they sure have made it very complicated to get done. It's as if they don't want us doing it, but that just doesn't scan.

Or, maybe it does. I think Apple has a problem where a faction in the organization is hell bent on giving the "user" as much control as possible. And they keep winning the battles. For stuff like access to the user's personal data and privacy considerations, I totally get it. I'm on board with that. But for software updates?? Nope, that should be entirely within our control to manage as the admins of company owned devices. Apple has really messed this one up. I hope they see the light and fix this at some point, but I'm losing some hope that we'll ever see it.