Nudge vs. MDM Commands

colordean
New Contributor II

Hey there, we are looking to get more aggressive about installing OS updates.  I was curious to hear any feedback on what method might be better:  Nudge or Apple MDM commands.  Environment is around ~8000 Macs, most of which are DEP enrolled and should have bootstrap tokens.  

Historically MDM commands have been pretty hit or miss in terms of reliability.  Any thoughts?  Thanks!


brockwalters
Contributor II

Ismere
Contributor

Hi,

the Apple MDM commands are still hit or miss, with more miss than hit.
For Nudge you have to make sure that your computers are able to find the update for your target version, since it will use the System Preferences.
For computers that are not able to find any updates we are sending them a kickstart command, which is also the most recommended fix in the MacAdmins Slack:

launchctl kickstart -k system/com.apple.softwareupdated

To find out which computers are not able to find updates you can try different extension attribute ways.
At the moment we are using this:

#!/bin/bash

killNach=40 # kill after x seconds ...

function waechterImHintergrund()
{
	bewacht=$$          # PID of the main script; $$ keeps that value inside the background subshell
	sleep "$killNach"
	if kill -0 "$bewacht" 2>/dev/null   # silent liveness check (ps would print into the EA result)
	then
		# $bewacht still running: softwareupdate -l has not returned within killNach seconds
		echo "<result>affected</result>"
		pkill -9 -x -P "$bewacht" softwareupdate 2>/dev/null   # also kill the hung child, not just the script
		kill -9 "$bewacht"
		exit
	else
		echo "<result>not affected</result>"
		exit
	fi
}

waechterImHintergrund &

softwareupdate -l > /dev/null 2>&1   # only the <result> tags may reach stdout

exit

This will increase the duration of collecting the inventory by the given amount of seconds, since it will wait for the result of the extension attribute.
But to be honest any Mac having this problem will not submit any inventory as long as you have checked the "Collect available software updates" in the inventory collection.

These pre-checks are helpful because Nudge is not checking if a computer can download and find the given update. It just checks the installed OS version against the target version and starts to nudge the user to install it through System Preferences in an increasingly aggressive variant (depending on your configuration).
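As an added example (not Ismere's script, and not from Nudge, Jamf or any other project named in the thread), here is an extension attribute along the same lines that goes one step further: it keeps the hung-daemon timeout as a reusable function and parses the `softwareupdate -l` text, so the result says whether the version that Nudge targets is actually offered, not only whether softwareupdated answered. The names `TARGET_VERSION`, `TIMEOUT_SECONDS` and all function names are assumptions, and the sample catalog text is constructed in the layout that `softwareupdate -l` prints on macOS 12 and later, with made-up labels, build numbers and sizes.

```bash
#!/bin/bash
# Added example (not from the thread). TARGET_VERSION and TIMEOUT_SECONDS are
# assumed names; set them to the requiredMinimumOSVersion configured in Nudge
# and to the number of seconds you are willing to add to a recon.

TARGET_VERSION="${TARGET_VERSION:-13.6.1}"
TIMEOUT_SECONDS="${TIMEOUT_SECONDS:-40}"

# run_with_timeout SECONDS CMD [ARGS...]
# macOS ships no coreutils `timeout`, so a background watchdog does the job.
# Prints CMD's stdout; returns CMD's status, or 124 if the watchdog had to kill it.
run_with_timeout() {
    local secs="$1"; shift
    "$@" 2>/dev/null &
    local cmd_pid=$!
    # Watchdog: its stdout/stderr go to /dev/null so a lingering sleep cannot hold
    # open the pipe that a $(...) caller is reading.
    ( sleep "$secs"; kill -9 "$cmd_pid" 2>/dev/null ) >/dev/null 2>&1 &
    local watchdog_pid=$!
    wait "$cmd_pid"
    local rc=$?
    kill "$watchdog_pid" 2>/dev/null
    if [ "$rc" -eq 137 ]; then   # 128 + SIGKILL: the command was killed by the watchdog
        return 124
    fi
    return "$rc"
}

# classify_catalog TARGET   (softwareupdate -l text on stdin)
# Prints one of: "target available", "other updates only", "no updates", "unparsed".
# The trailing comma in "Version: X," is part of the match so that a target of
# 13.6 does not match an offered 13.6.1.
classify_catalog() {
    local target="$1" text
    text="$(cat)"
    if printf '%s\n' "$text" | grep -qF "Version: ${target},"; then
        echo "target available"
    elif printf '%s\n' "$text" | grep -qE '^\* Label: '; then
        echo "other updates only"
    elif printf '%s\n' "$text" | grep -qF 'No new software available'; then
        echo "no updates"
    else
        echo "unparsed"
    fi
}

# Constructed sample in the layout softwareupdate -l uses; the labels, build
# numbers and sizes are made up for this example.
sample_catalog() {
    cat <<'EOF'
Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: macOS Ventura 13.6.1-22G000
    Title: macOS Ventura, Version: 13.6.1, Size: 1200000KiB, Recommended: YES, Action: restart,
* Label: Safari17.1VenturaAuto-17.1
    Title: Safari, Version: 17.1, Size: 80000KiB, Recommended: YES,
EOF
}

# check_update_visibility TARGET SECONDS: the extension attribute body proper.
# "affected" keeps the meaning from the thread (softwareupdated hung, kickstart it);
# the other values tell you whether this Mac is worth scoping the Nudge profile to.
check_update_visibility() {
    local target="$1" secs="$2" output rc
    output="$(run_with_timeout "$secs" softwareupdate -l)"
    rc=$?
    if [ "$rc" -eq 124 ]; then
        echo "<result>affected</result>"
    else
        echo "<result>$(printf '%s\n' "$output" | classify_catalog "$target")</result>"
    fi
}

if command -v softwareupdate >/dev/null 2>&1; then
    check_update_visibility "$TARGET_VERSION" "$TIMEOUT_SECONDS"
else
    # Not on a Mac: show the parser on the constructed sample instead.
    echo "<result>$(sample_catalog | classify_catalog "$TARGET_VERSION")</result>"
fi
```

With four distinct result values a smart group can scope the Nudge profile to "target available" only, send the kickstart to "affected", and leave "other updates only" and "no updates" Macs for a look at deferral profiles or network reachability, which is the separation the thread arrives at by hand.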

AJPinto
Honored Contributor II

Nudge does not actually manage OS updates. It just "nudges" the users to be nice and handle their own updates, and gets more annoying with notifications along the way. At no point does Nudge ever actually install the updates for the user.


As far as managing updates, MDM commands are your only option. We see about a 70% success rate in OS updates. The problem is not on JAMF's side, though JAMF could do a lot better at supporting software updates. The software update process is broken as hell on macOS in general.

colordean
New Contributor II

Gotcha -- we do have the kickstart command running daily on all machines now due to the hung daemon issue.  That being said, my understanding is that has been more or less resolved in later versions of Jamf (recon will move on after some period of time).  

I am also familiar with the core differences between the two approaches, just curious as to which one might be more effective in practice.

Yes the recon will move on but then you will still not know if a computer is able to find the update since the jamf recon added a timeout continue if there is no feedback in the update request.
The question here is not what is more effective, but how do you want to interact with your users.
If your target is to have full control over updates then the MDM commands are the only option to safely trigger the update.
In the case of Nudge, well, if you have a rather resistant user, even the most aggressive configuration is not triggering the update, just "nudging" the user in a really aggressive way. Like minimising all the other windows or, in the newest version, blurring out everything else until the user clicks on the button which opens the System Preferences for the user to start the update.
But you can define the length of the phases before it gets to the next level of aggression and give your users the option to get the update done when it best suits their schedule.

AJPinto
Honored Contributor II

Exactly this. Nudge is just politely asking a user, and gets a bit less polite over time, but it totally lacks the ability to force anything. I gave up on using Nudge some time back. In a properly set up environment you can just force a user to comply and move on.

colordean
New Contributor II

How are people working around updates not being found (aside from the kickstart command)?  Are you only scoping the Nudge profile to devices which are actually reporting available updates to Jamf inventory or...?

AJPinto
Honored Contributor II

If you are not seeing OS updates, that is an MDM configuration profile or network configuration problem. Ensure you do not have OS update deferrals in place that are messing with you, AND that your Macs can reach Apple's OS update servers.


There are also tons of really complicated and clever solutions to attempt to work around forcing users to reboot. Don't bother with super complicated things when a Mac just needs to be rebooted. Make the user reboot and spend your time on something more important, like taking a nap :).

In our case we are using the extension attribute to see if a computer can find updates. If it told us with its last inventory that it is not able to see the updates, it will not get the profile; if a computer can find the updates, it gets the profile. And besides the configuration or network profile problems, sometimes it just seems to be utterly broken to find updates.... In the end there is no 100% sure way to always fix the updates-not-found problem.... and as AJPinto wrote, sometimes a reboot is all the Mac really needed to work properly again.