Automatic MacOS Updates

amorse
New Contributor II

I'm not sure why I'm struggling with this one as I'm sure it's easy but

With Jamf Pro does anyone know how to enforce automatic OS updates? Mostly just want to make sure all my Macs are getting security updates but I'm not seeing it anywhere.

1 ACCEPTED SOLUTION

rtrouton
Release Candidate Programs Tester

I have a script that can enable the OS's automatic macOS updates option. It's available via the blog post linked below:

https://derflounder.wordpress.com/2018/12/28/enabling-automatic-macos-software-updates-for-os-x-yose...


amorse
New Contributor II

This is great thanks so much!

amorse
New Contributor II

@rtrouton Finally getting around to trying to deploy this script. Am I missing something? I'm trying to just run the script locally and I just get hit with a ton of errors. Is there something special you need to do before executing the script?

eDooku
New Contributor III

You can also accomplish the same using a Configuration Profile with a custom Plist-file containing:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AutomaticCheckEnabled</key>
    <true/>
    <key>AutomaticallyInstallMacOSUpdates</key>
    <true/>
    <key>AutomaticDownload</key>
    <true/>
    <key>CriticalUpdateInstall</key>
    <true/>
    <key>ConfigDataInstall</key>
    <true/>
</dict>
</plist>

...and use the domain "com.apple.SoftwareUpdate"

chrisB
Contributor II

@eirikw

Why not just use a Configuration Profile which is already prepared in Jamf Pro?


jpuebs
New Contributor III

Nice @eirikw! Does this automatically pull from Apple or is an update server actually required?

ian_sterling
New Contributor II

Does either the script or the configuration policy allow for deferrals so that the installs won't just be run when a user isn't expecting them? Especially if the updates require a reboot?

agrant
New Contributor III

@jpuebs If left blank it will use Apple's servers to pull the updates.
@ian.sterling JAMF recommend using the Restart Options payload alongside the Software Update payload to define restart prefs & the user interaction tab to manage deferrals.

https://docs.jamf.com/10.25.0/jamf-pro/administrator-guide/Running_Software_Update.html

The config profile basically just hard codes the settings in System Preferences > Software Update.

SureExclamation
New Contributor III

With the config profile for software updates, does it allow users to update organically? They get pop ups to install updates and have options to defer, and they don't apply until they manually reboot or does it happen while idle?

Still not clear how the software update policy works in comparison, with or without the restart options and how is it better?


I'm coming around to this and have further questions.

Does "Automatically install macOS updates" include major updates? For instance, when macOS Monterey is released, will my clients automatically upgrade to that? Because I want my clients to be on the latest version of their currently installed OS but not to jump major versions like Big Sur to Monterey.

Are there any controls to avoid that scenario? And from what I understand, we can no longer ignore updates via the command line, correct? So that's out as well.

eDooku
New Contributor III

@chrisB The main reason to avoid the built-in settings in some cases is that they tend to add empty fields in the configuration when you don't need them. In this instance, Jamf Pro adds "<key>CatalogURL</key><string/>" to the plist. Granted, macOS probably ignores that and uses the default server setting, but in other cases it actually breaks functionality.
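
Added example, not code from any poster in this thread or from Jamf: a small Python audit that checks a com.apple.SoftwareUpdate payload for the five keys in the custom plist above and flags empty string values such as the `<key>CatalogURL</key><string/>` entry mentioned in the last reply. The function name and the sample payload are constructed for illustration.

```python
import plistlib

# Keys taken from the custom plist posted in this thread (domain com.apple.SoftwareUpdate).
REQUIRED_TRUE = (
    "AutomaticCheckEnabled",
    "AutomaticallyInstallMacOSUpdates",
    "AutomaticDownload",
    "CriticalUpdateInstall",
    "ConfigDataInstall",
)

# Constructed sample: one key set to false, one key missing, one empty string field.
SAMPLE_BAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>AutomaticCheckEnabled</key><true/>
  <key>AutomaticallyInstallMacOSUpdates</key><true/>
  <key>AutomaticDownload</key><false/>
  <key>CriticalUpdateInstall</key><true/>
  <key>CatalogURL</key><string/>
</dict></plist>"""

def audit_softwareupdate_plist(data: bytes) -> list[str]:
    """Return findings; an empty list means the payload matches the thread's plist."""
    try:
        prefs = plistlib.loads(data)  # accepts XML and binary plists
    except Exception as exc:  # malformed or unrecognised plist data
        return [f"unparseable plist: {exc}"]
    if not isinstance(prefs, dict):
        return ["top-level object is not a dict"]
    findings = []
    for key in REQUIRED_TRUE:
        if key not in prefs:
            findings.append(f"{key}: missing")
        elif prefs[key] is not True:
            findings.append(f"{key}: expected <true/>, found {prefs[key]!r}")
    # Empty strings are the "empty fields" described in the last reply,
    # e.g. <key>CatalogURL</key><string/> added by a built-in payload.
    for key, value in prefs.items():
        if value == "":
            findings.append(f"{key}: empty string value")
    return findings

if __name__ == "__main__":
    for finding in audit_softwareupdate_plist(SAMPLE_BAD):
        print(finding)
```

The same function can be pointed at the bytes of an exported profile payload or of the deployed preferences file on a managed Mac; where that file lives is for you to confirm on your own fleet.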