Apple Software Updates - Is this possible with Jamf?

scottlep
Contributor II

I am a fairly new Jamf guy, recently coming from a full Munki environment for over 7 years. With Munki you could configure (on 10.9.x and above) to automatically install without user interaction any pending Apple Software Updates that did not require a restart, similar to how the OS could do ASUs if configured accordingly. This was known as UnattendedAppleUpdates in Munki. If ASUs required a restart then the user would be notified via Managed Software Center (Munki's equivalent of Self Service). In this scenario Apple Software Update would be totally disabled in System Preferences and Munki would handle all ASU responsibilities.

Is it possible to do the same with Jamf and Self Service? I am a big fan of automating as much as possible and having the least user interaction... especially when it comes to getting updates installed on a timely basis.

Thanks!
Scott

8 REPLIES

Sandy
Valued Contributor II

This is pretty simple! In Computers, create a new policy.
In the General tab, decide how you want this policy triggered. (I must use Self Service, but you can automate it too.)
In the left column there's also a tab for Software Updates.
You should also look at the restart options, and if you want to update the device record, that's in the Maintenance tab.

You can also scope the policy only to devices that have pending updates, which you can gather by clicking the box in Computer Inventory Collection.
Create a smart group with available updates that are more than 0

In your scenario you could use the smart group to trigger a policy to alert the user to restart

scottlep
Contributor II

I tried that. I don't think that method is really doing the same thing. With Munki the updates that could be installed without a restart would just be automatically installed in the background when Munki ran at its normal interval, similar to the way ASU would do it if configured accordingly in System Prefs. Then if there was an update that required a restart it would only show that pending update in Munki's Managed Software Center. Via a metadata plist we could then put a deadline on that pending update if necessary.

With your method above isn't it just running software update then warning the user of a restart with no options to delay, or if using Self Service just running the policy when the users runs it in Self Service which then does the software update check and just installs any pending updates whether they could be automatically installed or not? So at that point if there isn't a deferral deadline configured then none of the updates will be installed if the user ignores it?

Nix4Life
Valued Contributor

@scottlep Welcome!!! I live in both worlds, JAMF/Munki. If you know of Munki then you must have heard of Reposado. JAMF has their own VM version, but you could roll your own on bare metal, Docker or a VM. Then update the settings in the JSS as mentioned. Might also want to look at Repotoddy to automate rolling out your updates. Also do a quick search, as there are ways to let users delay or postpone updates a number of times before they must install them.

Cheers

gachowski
Valued Contributor II

You can sort of do it... you can add the option to defer, but it's only a date in the future (it's under the User Interaction tab). This limit forces you to change the defer date and flush the policy every time Apple releases an update that requires a reboot.

There are a few FRs for a time delay like this that we will get in the future.

https://www.jamf.com/jamf-nation/feature-requests/1418/deferral-limit-as-net-days-or-n-times

Most security groups require that security updates are installed in X days, and most Apple updates that require a reboot are security updates, so you can kinda fake it by setting the "execution frequency" and "client side limitations" to match what your security rules are.

C

scottlep
Contributor II

Thanks for everyone's input.

Coming from 7+ years in the Munki world, I am just finding Jamf's patch management and Apple Software Update capabilities kind of weak. But on the other side, there are many things that Jamf does way better than Munki, including MDM, which is nonexistent in Munki. I am taking the CCT course in a few weeks, so maybe that class will address some of my questions and misunderstandings. Working for an MSP provides its own challenges since we are limited as far as forcing updates and creating the policies to force updates, etc. We can make all the recommendations in the world, but the final say comes from the clients. I also inherited a mess with my new job, with 20+ neglected client JSSs and MSP clients that are very far behind with critical updates. Being able to do the updates that do not require a reboot in the background without user interaction would be a huge help, but it seems like the way Jamf is handling the ASUs is more of an all-or-nothing approach, since when ASU is triggered nothing can happen until the computer is forcefully restarted or the user allows it to happen via Self Service. I recently watched some good videos about jamJAR... I am thinking this is the direction we might have to go so we have the best of both worlds by combining Jamf and Munki and letting them each deal with what they are strong at.

~Scott

donmontalvo
Esteemed Contributor III

We find a Self Service policy running softwareupdate -ir for users to run at their convenience, and a second policy to PUSH the same to them on day N of the month with daily countdown Notification Center prompts starting 7 days out to warn of the impending PUSH, does wonders in getting recommended macOS security patches installed. ;)

--
https://donmontalvo.com

mm2270
Legendary Contributor III

@scottlep It sounds like what would serve you is to use a scripted SWU process, rather than relying on built-in functionality. For example, there are existing scripts out there, at least a couple here on JamfNation in fact, that will pull a list of available updates on a machine and parse out just the ones that don't require a reboot, which can be placed into an array or string to pass to a softwareupdate -i command. All reboot-required updates are clearly labeled as such when pulling an update list with the softwareupdate binary.

Similarly, you could script a notification to the user about pending reboot-required updates. Policies also have the ability to set deferral options and a drop-dead date of when the policy must run. Look at the User Interaction tab when setting up a Jamf Pro policy and you will see the options there.

So, while what you're after is not a straight built-in checkbox or policy payload, it can definitely be done with Jamf Pro. It will just take a little work in developing the process.
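The scripted approach described in the reply above, written out as an added example (this is not code from the thread, from mm2270, or from Jamf): parse the list that `softwareupdate -l` prints, split it into updates that can go in silently and updates flagged as needing a restart, and hand only the silent set to `softwareupdate -i`. It goes slightly beyond the reply in that it recognises both the older `* <label>` / `[restart]` list layout and the later `* Label:` / `Action: restart` layout; the two sample lists (`SAMPLE_OLD`, `SAMPLE_NEW`) are constructed to imitate those formats and the exact field layout is an assumption, so check it against the output on your own fleet before wiring it into a policy.

```shell
#!/bin/bash
# Added example, not code from the thread or from Jamf: split `softwareupdate -l`
# output into silently installable updates and restart-required updates, then
# build the `softwareupdate -i` call for the silent set only.
#
# SAMPLE_OLD and SAMPLE_NEW are constructed inputs imitating the two list
# formats the binary has used; the field layout is an assumption.

SAMPLE_OLD='Software Update Tool

Finding available software
Software Update found the following new or updated software:
   * Safari13.0.5HighSierraAuto-13.0.5
        Safari (13.0.5), 70132K [recommended]
   * Security Update 2020-001-10.13.6
        Security Update 2020-001 (10.13.6), 1807890K [recommended] [restart]
   * iTunesX-12.8.2
        iTunes (12.8.2), 273566K [recommended]'

SAMPLE_NEW='Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: Safari14.0.3MojaveAuto-14.0.3
        Title: Safari, Version: 14.0.3, Size: 67289K, Recommended: YES,
* Label: Security Update 2021-002 Mojave-10.14.6
        Title: Security Update 2021-002 Mojave, Version: 10.14.6, Size: 1655178K, Recommended: YES, Action: restart,'

# filter_updates MODE   (MODE is "restart" or "norestart")
# Reads a list on stdin and prints matching labels, one per line. A label line
# is "* <label>" or "* Label: <label>"; the description line that follows it
# carries "[restart]" or "Action: restart" when a reboot is needed.
filter_updates() {
  awk -v mode="$1" '
    /^[[:space:]]*\* / {
      label = $0
      sub(/^[[:space:]]*\* /, "", label)   # strip the bullet
      sub(/^Label: /, "", label)            # strip the newer "Label:" prefix
      sub(/[[:space:]]+$/, "", label)
      next
    }
    label != "" {
      needs = ($0 ~ /\[restart\]/ || $0 ~ /Action: restart/) ? "restart" : "norestart"
      if (needs == mode) print label
      label = ""
    }
  '
}

silent_updates()  { filter_updates norestart; }
restart_updates() { filter_updates restart; }

# Wrappers over the constructed samples, used by the checks below.
silent_old()  { printf '%s\n' "$SAMPLE_OLD" | silent_updates; }
restart_old() { printf '%s\n' "$SAMPLE_OLD" | restart_updates; }
silent_new()  { printf '%s\n' "$SAMPLE_NEW" | silent_updates; }
restart_new() { printf '%s\n' "$SAMPLE_NEW" | restart_updates; }

# install_silent LISTFILE
# Installs only the non-restart labels from a saved list. Labels may contain
# spaces, so each is passed as its own argument. SU_BIN defaults to the real
# binary; when it is missing (e.g. run off a Mac) the command is only printed.
install_silent() {
  labels=$(mktemp)
  silent_updates < "$1" > "$labels"
  set --
  while IFS= read -r label; do
    [ -n "$label" ] && set -- "$@" "$label"
  done < "$labels"
  rm -f "$labels"
  [ "$#" -gt 0 ] || { echo "No silent updates pending"; return 0; }
  su_bin="${SU_BIN:-/usr/sbin/softwareupdate}"
  if [ -x "$su_bin" ]; then
    "$su_bin" -i "$@"
  else
    printf 'would run: softwareupdate -i'; printf ' "%s"' "$@"; echo
  fi
}

# Stand-alone run: capture the live list when available, else use the sample.
tmp=$(mktemp)
if [ -x /usr/sbin/softwareupdate ]; then /usr/sbin/softwareupdate -l > "$tmp" 2>&1
else printf '%s\n' "$SAMPLE_OLD" > "$tmp"; fi
echo "Restart required (notify the user instead of installing):"; restart_updates < "$tmp"
install_silent "$tmp"
rm -f "$tmp"
```

Run as root from a policy, the script installs the silent set and leaves the restart-required labels for a separate notification or deferral policy; the `restart_updates` output is what you would feed to that user prompt.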

UESCDurandal
Contributor II

@donmontalvo Hey Don. Your strategy for Apple updates sounds interesting. I'd be curious to know more about how you're deploying your daily countdown Notification Center prompts. For example, do you have one policy dedicated for these notifications? Are you using cocoadialog?