Posted on 02-11-2021 07:55 AM
Anyone having issues attempting to update Big Sur devices via Policy and using Apple's Software Update server? The policy is not working for Big Sur including intel machines. Attempting to get the latest update (20D74).
With the terminal open, it states it downloads. It shows as completed in Jamf within the policy. Also within client history. Yet reboot does not install the update.
Mojave and Catalina devices update fine.
Posted on 03-01-2021 12:35 PM
We're seeing the same issue, have you been able to find a solution?
Posted on 03-04-2021 03:51 PM
Same issue here. Would love to know when you have been able to find a solution.
Posted on 03-05-2021 03:45 AM
I ran an update via policy yesterday, and it downloaded and prompted me to reboot. After entering my non-admin user account password, machine rebooted and installed 11.2.2.
Posted on 08-13-2021 07:17 AM
Hi Sir
I'm new to jamf could you please share your workflow how you done it
Posted on 08-13-2021 07:25 AM
The issue is that there used to be a great work flow in Jamf Pro for running Apple Security updates
Policies
Payload: Software Updates
Install from Apple Software Update Server
This worked great up until about 6 months ago! The issue is with Intel based iMacs running mac OS 11 Big Sur. Now this Policy no longer works. Apple's response is that they are not an enterprise solution and that is why you pay for an MDM like Jamf Pro. It is there issue.
Apple is requiring a manual reboot on M1 Apple Silicon Macs and that we know, but I am still just trying to update Intel based iMacs which are requiring a manual reboot like the M1s so obviously there's a disconnect between Intel and M1s in Jamf Pro.
Tried a dozen scenarios and this is the latest, the issue is it will download the Apple update, but I have to log in to each iMac and click Restart which is a bit challenging when you have hundreds.
Latest Policy:
Just Files & Processes: softwareupdate -iaR --force
I got this to work on one Intel iMac and that gave me hope, but it is not working. Same issue will not Restart automatically.
Posted on 03-05-2021 06:03 AM
I ran an update via policy today. The download was bit to fast. After download the terminal says "no reboot required". But this is wrong.
AUtomaticly no reboot will be forced on our side and forcing it manually nothing happens.
So on our side this not work like expected.
Mac which I test is on 11.1 and should be updated to 11.2.2(20D80)
Posted on 03-05-2021 06:51 AM
As a workaround we are just executing this command to update "/usr/sbin/softwareupdate --install --all --restart"
Posted on 03-05-2021 07:02 AM
I have seen install issues on Catalina and Big Sur for months now. Some updates work on some machines, others downloaded and install, but when the OS comes back up the install didn't take. No idea what the hell is going on. Only thing I can find is a bad BridgeOS update.
Posted on 03-08-2021 06:00 AM
Same issue doesn’t to Restart after Apple Security Update is downloaded but JAMF Pro gives a false Completed.
Posted on 03-15-2021 11:46 AM
Same here. I also created a test policy with "Restart Options" set to "Restart Immediately" and while it rebooted the update was still not installed.
Posted on 03-18-2021 08:49 AM
Same issue, Apple updates through Jamf show "No Reboot Required".
I have been working with Jamf support on this issue and we have created a policy to execute a command "softwareupdate -i -a -R". This does work and installs updates, however, we don't like to reboot user machines with out warning. We tried to modify the command a little bit and do "softwareupdate -i -a; shutdown -r +30" which does schedule a reboot in 30 minutes and warn the user but in initial testing it downloads all updates, reboots in 30 minutes, but OS versions still shows updates pending in sys pref. It seems either the OS or Jamf takes the scheduled shutdown as a separate command and does not install updates when powering back up.
I am still testing with but if anyone have any ideas on how to force install updates and schedule a reboot in 30 minutes while prompting the user or if I am just doing something wrong, let me know.
Posted on 03-19-2021 06:39 AM
It's a bit annoying that we moved away from patching using a Files & Processes payload for Big Sur, only to find that what we were told to move to (Software Update payload) is completely broken. In my case all of the Big Sur clients I need to patch in an automated fashion are headless, so I can reboot them without warning. I'll give the old method a try and report back.
Posted on 03-29-2021 08:29 AM
Just reporting back on this. The "Files & Processes" payload method is working for me, the downside being that they restart even if there are no updates pending. This is a good stopgap method until, presumably, Jamf update the "Software Update" payload to support whatever changed in Big Sur.
Posted on 04-07-2021 06:40 PM
@jtrant Can you elaborate on the "Files & Process" payload method?
Posted on 04-08-2021 09:43 AM
@jtrant - Please let us know in detail what is the exact command which goes in "Files & Processes" payload. Additionally have anyone noticed the password authorisation while installing macOS Big Sur security updates.
Posted on 04-30-2021 06:12 AM
Sorry for the delay. My Files & Processes payload is simply:
softwareupdate -i -a -R
However, it doesn't seem to work after 11.2.3 (attempting to install 11.3) so I'm back to square one.
Posted on 08-25-2021 06:34 AM
Does this notify the user that they're machine is restarting or does it run silently in the background?
Posted on 08-25-2021 08:11 AM
We use the same process and notify the user via the policy. It's simple but we've had a lot of issues with Macs consistently updating. I cannot get it to work on M1's either
Posted on 05-03-2021 06:30 AM
for me it works with softwareupdate -i -a -R +"Time you want give until restart" and the policy shows the restart in through user interaction. The restart is configured as well in the restart payload.
So when I am giving 60 Minutes to restart in the processes payload, I add the restart payload with 60 minutes to the same policy
Posted on 05-04-2021 10:33 AM
@user-faWBxyKMJD How are you getting that to work in Files and Processes within a Policy? When it runs on a client device it hangs. Like it is waiting for authentication.
Security Updates for Big Sur through Jamf seems impossible
Posted on 05-05-2021 05:14 AM
So the fix is to add a Policy using Payload Files and Processes - Execute Command softwareupdate -i -a -R and now that does not work in Big Sur? So what can we do it install an update considering how important it is right now with real security vulnerabilities being reported for Apple products not running 11.3.1?
Posted on 05-05-2021 06:29 AM
@dmichels after further testing it does seem to work on intel devices with Big Sur but it takes a very long time to download then about 40 minutes to install.
I cannot get it to work on M1 devices. I would think that is due to the new authentication.
Still not the best process for managed devices
Posted on 05-05-2021 10:28 AM
'softwareupdate -i -a; shutdown -r' and 'softwareupdate -i -a; shutdown -r +30' on Big Sur Intel Macs seem to work, but only if they are run by the user. A Jamf Files & Processes payload in a policy seems to download and reboot, but not actually install the update.
Posted on 05-05-2021 11:01 AM
I couldn't get it to work via JAMF policy so I had it manually install via terminal - sudo softwareupdate -aiR
this is regarding the 11.3.1. update
Posted on 05-05-2021 12:23 PM
I have been beating on an M1 MacBook Air in an attempt to issue an unattended macOS software update from 11.3 to 11.3.1 and I believe I have it working.
I crafted a very rough API script that issues the ScheduleOSupdate command and once I ran it on the M1, it showed in Jamf that the MDM command was in fact pending and eventually reported successful, but I saw no indication on the Mac itself that anything occurred or that the update was even downloading. I left it alone for toughly 7 minutes when all of the sudden it just restarted and did perform the update. I was never prompted to enter a password, it simply restarted and forced closed all apps open.
The only issue is that I was logged in at the time so I cannot confirm if this will work at the login screen. I have pasted the script I ran in here so if someone else wants to give it a try please do. Maybe it was a fluke.
#!/bin/sh
#API login info
temp_nu="Temp Username"
apiuser=$(echo $temp_nu | openssl base64 -d)
temp_np="Temp Password"
apipass=$(echo $temp_np | openssl base64 -d)
jamfProURL="https://ORG.jamfcloud.com"
#Grab serial number and OS Version of computer
SerialNumber=$(system_profiler SPHardwareDataType | grep 'Serial Number (system)' | awk '{print $NF}')
macOSVersion=$(sw_vers -productVersion)
#Check macOS Major
CheckIt=$(echo $macOSVersion | cut -d . -f 1)
#Set xpath option based on macOS major version
if [[ "$CheckIt" == "11" ]]
then
xpath="xpath -e"
else
xpath="xpath"
fi
jamfProCompID=$( /usr/bin/curl -s -u ${apiuser}:${apipass} ${jamfProURL}/JSSResource/computers/serialnumber/${SerialNumber}/subset/general | $xpath "/computer/general/id/text()" )
echo $jamfProCompID
#/usr/bin/curl -s -X POST -H "Content-Type: text/xml" -u ${apiuser}:${apipass} ${jamfProURL}/JSSResource/computercommands/command/ScheduleOSUpdate/action/InstallForceRestart/id/${jamfProCompID}
#/usr/bin/curl -s -X POST -H "Content-Type: text/xml" -u ${apiuser}:${apipass} ${jamfProURL}/JSSResource/computercommands/command/ScheduleOSUpdate/action/Default/id/${jamfProCompID}
/usr/bin/curl -s -X POST -H "Content-Type: text/xml" -u ${apiuser}:${apipass} ${jamfProURL}/JSSResource/computercommands/command/ScheduleOSUpdate/action/install/id/${jamfProCompID}
exit 0
Posted on 05-06-2021 08:08 AM
I have 100+ headless Intel Mac minis to update from 11.23/11.3 to 11.3.... Running 'softwareupdate -iaR' via ARD command or Jamf policy isn't working so well. Logs show the update downloads and says restarting but nothing happens.
Posted on 05-10-2021 08:33 AM
I'm trying to update via mass action to a Smart Group, and getting this error:
Unsupported InstallAction for this ProductKey
Anyone else have similar? Both machines running 11.2.3, one M1, the other Intel chip
Posted on 10-13-2022 05:02 PM
I get this as well through the GUI trying to do a mass action MDM command OS update push. Did you ever figure it out?
Computer is on 10.15.7 and just went with the latest major update it could go, and set to reboot without warning.
Posted on 05-10-2021 08:42 AM
jason33, I was getting the same error when I would run an API script using the flag "InstallForceRestart". Once I changed it to just "install" it would work without issue.
Posted on 05-10-2021 10:03 AM
@nelsoni I'm not even forcing an install or reboot - I chose just to download the update for user to install.
Posted on 05-11-2021 01:50 AM
Hi @nelsoni
I kept getting this error.
Script result:
mismatched tag at line 10, column 2, byte 404:
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>
Please continue your visit at our <a href="/">home page</a>.
</p>
=^
</body>
</html>
at /System/Library/Perl/Extras/5.30/darwin-thread-multi-2level/XML/Parser.pm line 187.
<html>
<head>
<title>Status page</title>
</head>
<body style="font-family: sans-serif;">
<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Unauthorized</p>
<p>The request requires user authentication</p>
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>
Please continue your visit at our <a href="/">home page</a>.
</p>
</body>
</html>
Any clues?
Posted on 05-11-2021 05:04 AM
Pretty sure I was getting that when I forgot to add my API credentials.
Posted on 05-11-2021 05:13 AM
Strange, i did add them. I can try again.
Posted on 05-11-2021 05:20 AM
@nelsoni What permissions have you given your API user?
Posted on 05-11-2021 05:36 AM
My API user is full admin for the purposes of testing, so as to eliminate any potential errors I would run into. Did you add the URL of your Jamf instance? that may also what causes the error. Also make sure you remove the salted passphrase portions of the script and just use a plain text username and password for testing purposes.
Posted on 05-11-2021 06:09 AM
ill try and see what i can find ^^Thanks for the tips!
Posted on 05-11-2021 11:32 AM
I'd be interested to see if the success rate improves now that Jamf have added the "InstallASAP" key in Jamf Pro 10.29.0.
Posted on 06-02-2021 10:59 AM
@jtrant , No improvement.. The InstallASAP
key doesn't immediately restart the device.. And of course shutdown -r
is only restarting but the update isn't being applied....
This is my attempt to update from 11.3.1 to 11.4
Edit.. As I'm sitting here typing.. It just rebooted out of nowhere using the Install
key, and installed the update.. Lovely
08-26-2021 09:42 AM - edited 08-26-2021 09:42 AM
what command was this?
the softwareupdate one?
lastly, was this for minor or major? IIRC minor works without creds along with safari or what not, but its the majors that cause problems, but i could be mistaken