Best practices for automating Office 2016 updates?

ABigRock
New Contributor III

I am just wondering how everyone is managing automating Office 2016 updates with Jamf? I know that MAU 4.0 is supposed to have system level settings available but as of right now it is still user level. I have a very large number of dispersed lab computers that do not normally have admins login so I am wondering what would be the best way to go about forcing automatic download and installation of updates. I am sorry if this question has been asked and answered in the past. Thank you in advance for the advice.

1 ACCEPTED SOLUTION

stevewood
Honored Contributor II
Honored Contributor II

@ABigRock at the bottom of Rich's article you will find a .mobileconfig link that you can upload into Casper and use as a Configuration Profile. Set it to Install Automatically and at Computer Level.

Enabling Automatic Download

View solution in original post

64 REPLIES 64

Chuey
Contributor III

@rtrav I know the documentation states every 12 hours

MAU detects application updates every 12 hours...

but I left a test machine on and intentionally did not run updates but it did not install anything over night and it's been more than 12 hours.

Does anyone know a way to manipulate the time it takes to check in?

cbruce
New Contributor III

neil.martin83 can you share - the profile that you used to auto download and install and lock out the MAU prefs?

May
Contributor III

I've created a Configuration profile to push out that enables auto downloads in MAU and also registers each application as @neil.martin83 pointed out but it's not automatically updating the closed applications, only the open ones.

Should the configuration profile be user level ? at the moment i have it set to computer level.
(i did test at user level but it still didn't update the applications)

if i look at /Library/Managed Preferences/com.microsoft.autoupdate2.plist i can see the key entries,
when i look in ~/Library/Preferences/com.microsoft.autoupdate2.plist i do not (it's set to Auto Check and has no applications registered)

any pointers ?
here's the custom plist i'm sending in the configuration profile

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Applications</key>
    <dict>
        <key>/Applications/Microsoft Excel.app</key>
        <dict>
            <key>Application ID</key>
            <string>XCEL15</string>
            <key>LCID</key>
            <integer>1033</integer>
        </dict>
        <key>/Applications/Microsoft Lync.app</key>
        <dict>
            <key>Application ID</key>
            <string>UCCP14</string>
            <key>LCID</key>
            <integer>1033</integer>
        </dict>
        <key>/Applications/Microsoft OneNote.app</key>
        <dict>
            <key>Application ID</key>
            <string>ONMC15</string>
            <key>LCID</key>
            <integer>1033</integer>
        </dict>
        <key>/Applications/Microsoft Outlook.app</key>
        <dict>
            <key>Application ID</key>
            <string>OPIM15</string>
            <key>LCID</key>
            <integer>1033</integer>
        </dict>
        <key>/Applications/Microsoft PowerPoint.app</key>
        <dict>
            <key>Application ID</key>
            <string>PPT315</string>
            <key>LCID</key>
            <integer>1033</integer>
        </dict>
        <key>/Applications/Microsoft Word.app</key>
        <dict>
            <key>Application ID</key>
            <string>MSWD15</string>
            <key>LCID</key>
            <integer>1033</integer>
        </dict>
        <key>/Applications/Skype for Business.app</key>
        <dict>
            <key>Application ID</key>
            <string>MSFB16</string>
            <key>LCID</key>
            <integer>1033</integer>
        </dict>
        <key>/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app</key>
        <dict>
            <key>Application ID</key>
            <string>MSau03</string>
            <key>LCID</key>
            <integer>1033</integer>
        </dict>
        <key>/Library/Internet Plug-Ins/Silverlight.plugin</key>
        <dict>
            <key>Application ID</key>
            <string>SLVT</string>
            <key>LCID</key>
            <integer>1033</integer>
        </dict>
    </dict>
    <key>HowToCheck</key>
    <string>AutomaticDownload</string>
    <key>LastUpdate</key>
    <string>2001-01-01T00:00:00Z</string>
</dict>
</plist>

Also, can someone point me to which folder the downloaded updates are stored in before they're installed ? maybe i can monitor that to see if it's working or not.

thanks!

May
Contributor III

i've tested the configuration at user and computer level and looking at the /Library/Logs/Microsoft/autoupdate.log nothing updates when set to Download and Instal Automatically, i created a LaunchAgent and script to register the MAU app and Daemon once per user, is there anyway to confirm that it is registering them correctly ?

#!/bin/sh
LoggedInUser=$( stat -f%Su /dev/console )

if [[ $LoggedInUser = "root" ]]; then
exit 0

fi

#create directory if it doesn't exist
if [ ! -d /Users/$LoggedInUser/Documents/.MAU_check ] ; then
mkdir /Users/$LoggedInUser/Documents/.MAU_check


fi

done=$( cat /Users/$LoggedInUser/Documents/.MAU_check/MAU_register.txt )

if [[ "$done" == *"$LoggedInUser"* ]]; then 

exit 0

fi



if [ -e "/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app" ]
    then 
        /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -R -f -trusted "/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app"
        echo "Autoupdate.app registered for $LoggedInUser" > /Users/$LoggedInUser/Documents/.MAU_check/MAU_register.txt

fi

if [ -e "/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AU Daemon.app" ]
    then 
        /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -R -f -trusted "/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AU Daemon.app"
        echo "AU Daemon.app registered for $LoggedInUser" > /Users/$LoggedInUser/Documents/.MAU_check/MAU_register.txt

neil_martin83
Contributor II

Apologies for the late reply, life took over a bit...

@rtrav It checks at least every 12 hours and is invoked when you launch one of the apps. I need to double check the docs but I believe it'll run again after 12 hours if there's a registered app running (e.g. user leaves Word open for that long). It will only check for updates against apps that are registered with it (those <Applications> keys in its preference domain). If you're not managing those keys in a profile or by defaults writing them, registering the apps happens when each app is launched on a per app basis at the user level. If you have a user who never launches OneNote, for example, it won't ever update, unless you manage its <Application> keys.

@cbruce My profile is here, for reference: https://gist.github.com/neilmartin83/cb7ebe5f9afb3aa40e6d97d5bc917ded

Note that I am also managing preferences for our own caching server which holds both the collateral and packages. I also disable the Insider checkbox. I install this profile at system level and the closed apps also update just fine across my fleet.

As a side note, I have another profile which is the same as above, but points to a different set of URLs (subdirectories on my caching server) where I host the current set of updates - this lets me roll those out to a pilot group of machines for testing.

@May Here's the script I use to register MAU with LaunchServices so you don't get the nag dialog. I run it at every login via the JSS - it's not resource intensive and this method means it catches everyone. I noticed that after a MAU update, it needed re-registering, so that's why I did this, otherwise I'd have done it once per user. This method also means the JSS collects the output and logs it. You can get verbose output by adding the -v flag to the lsregister commands: https://gist.github.com/neilmartin83/4e704a0c627453ca216d413c2ae43182

This script runs as root (as it's being run by the jamf binary) so essentially works out who the logged in user is, then runs the commands to register MAU as them, plus deleting the <LastUpdate> preference key so that when they launch one of the Office apps, it'll check for updates right away. I'm lazy and didn't bother with the awesome amount of sanity checking you've put in yours because Office is deployed to our entire fleet. :)

Check /Library/Logs/Microsoft/autoupdate.log to see if it's doing what it should, it's pretty good at telling you that it's checking, downloading, then installing the packages. You can also enable even more verbose logging by managing the <ExtendedLogging> key (true/false).

All the reference material is here: https://macadmins.software/docs/MAU_38.pdf

May
Contributor III

Thanks @neil.martin83, you've been very helpful in laying out the hidden pieces of this puzzle!

Good to know that MAU needs re-registering each update, i'll test out your login policy/script approach so i can set it and forget it rather than messing with LaunchAgents each update.

May
Contributor III

@neil.martin83

Are there any particular tricks to getting login policies to run ?

I just created a policy with the Trigger = login, Frequency = ongoing, Make available offline is checked.

Double checked that Management Settings > Check - In > Login/Logout Hooks has Create login/logout hooks checked.

36fb84b7cb6848bc8287397d2a3a711a

I've logged the user out and in a few times and also ran recon incase that's needed to pull down the script initially but if i check the policy logs it's still shown as pending.

Should i see something from the Policy within /Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh ?
(i can see that com.apple.loginwindow has this set as the LoginHook),
and will login hooks only run if the Mac is on the network ? (i was assuming that the Make available offline option would mean network wasn't required)

JSS 9.96
OS X 10.11.6

May
Contributor III

I'm glad to say i couldn't get a login policy to run as it sent me down a different route, ideally i didn't want to wait for a user to login for MAU to get registered, i was looking at using /bin/launchctl asuser but couldn't get it to work then stumbled across this post which has a wonderfully simple approach to running commands under the user context, thank you @mm2270 !!

Now i can run this to register MAU once per user and each time there's an MAU update, hoorah.

```

!/bin/bash

LoggedInUser=$(stat -f%Su /dev/console)
LoggedInUID=$(id -u "$LoggedInUser")

if [[ "$LoggedInUser" != "root" ]] || [[ "$LoggedInUID" -ne 0 ]]; then

cat << EOF > /private/tmp/MAU_register_script.sh

!/bin/bash

LoggedInUser=$(stat -f%Su /dev/console)

/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -R -f -trusted -v "/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app"
/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -R -f -trusted -v "/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AU Daemon.app"

mkdir /Users/$LoggedInUser/Documents/.MAU_check/
echo "Autoupdate.app registered for $LoggedInUser" > /Users/$LoggedInUser/Documents/.MAU_check/MAU_register.txt
EOF

else echo "No user logged in. Can't run as user, so exiting" exit 0
fi

if [ -e /private/tmp/MAU_register_script.sh ]; then /bin/chmod +x /private/tmp/MAU_register_script.sh /bin/launchctl asuser "$LoggedInUID" sudo -iu "$LoggedInUser" "/private/tmp/MAU_register_script.sh" sleep 2 echo "Cleaning up..." /bin/rm -f "/private/tmp/MAU_register_script.sh"
else echo "Oops! Couldn't find the script to run. Something went wrong!" exit 1
fi```

monaronyc
Contributor

All we'd like to do is just shoot a simple bash script using a policy in the JSS to our logged in users with the following:

defaults write com.microsoft.autoupdate2 HowToCheck AutomaticDownload

but for some reason, it's not working. If i copy and paste this into Terminal directly under the logged in user, it works.

Any ideas why?

StoneMagnet
Contributor III

@monaronyc You have to write to the logged in user's prefs:

# Set Microsoft updater to automatically install updates from a local cache - requires changing the user's prefs rather than the global prefs in /Library/Preferences
loggedInUser=$(stat -f%Su /dev/console)

/usr/bin/defaults write /Users/$loggedInUser/Library/Preferences/com.microsoft.autoupdate2 HowToCheck AutomaticDownload

monaronyc
Contributor

@StoneMagnet SWEET MARY JESUS! That worked! THANK YOU! THANK YOU! As you can see i'm still a bit of a novice with this stuff, but getting better thanks to folks like you and the JAMF community! One thing though, we're still not seeing that global prefs file in /Library/Preferences yet. Are we supposed to place that manually some way?

StoneMagnet
Contributor III

@monaronyc As near as I can tell any com.microsoft.autoupdate2 prefs file in /Library/Preferences is ignored, and only the one in ~/Library/Preferences matters

jvanderveen
New Contributor

MAU 4.0 was released.

https://www.jamf.com/jamf-nation/third-party-products/384/microsoft-autoupdate?view=info

rkovelman
New Contributor III

Has anyone disabled the automatic functions and set it to manual? If so, care to share?

sdagley
Honored Contributor III

@rkovelman Check out (https://github.com/pbowden-msft/msupdatehelper) for @pbowden's Jamf Pro helper script for controlling Office and Skype updates. There's a link on that page for a video tutorial on msupdate which shows how to disable the automatic updates by deploying a configuration profile.

jameson
Contributor II

Juser wondering - are all admins always downloaded the latest office version ?. For years we have always been running 1-2 versions behind and updating 3-4 times a year, but never to the newest, as there always is a risk that the newest tuff is buggy and not fully tested ?` - but maybe this is not the way to think?

KyleEricson
Valued Contributor

I update mine about once a month and I use the auto update script from mac.admins site.


Hire me as an independent contractor.

jameson
Contributor II

@kericson Thanks for input. So you are using the msupdate script to update ? -

KyleEricson
Valued Contributor

Yes the one from Mac.admins site.


Hire me as an independent contractor.

taugust04
Valued Contributor

@jameson , biggest issue with not updating monthly is that for the Mac version of Office, Microsoft doesn't have a separate channel for security/critical updates. So each month's updates on the Office 365/2019 are feature, security, and critical patches all in the same update. For Office 2016, they are now security only.

I wish Microsoft would bring their Mac development cycle in sync with Windows, where there are semi-annual channels that are supported for 18 months with security updates, in addition to the monthly update channel. In fact, on Windows the default channel for Office 365 Pro Plus is semi-annual.

Personally, I run about 1 month behind what is current. Usually a show-stopping bug will get publicized during that time-frame.

jameson
Contributor II

@taugust04 Thanks for the input. We are on office365 and did not know that that that microsoft did handle Mac this way. For windows I knew the way as been in contact with our Microsoft guys in Company, so actually did think more of a manual way of upgrading semi annual way. But if security updates also are part of it, it should be quite often. So think the way you do it with once a month and not right away push new out could be a way to go.

PCSysops
New Contributor II

If automatic download and install are checked in MAU. Will this eventually install? Or does the user have to click update?

tlarkin
Honored Contributor

@PCSysops the user will still have to click install but you will get NC notifications to do so. It will auto download in the background and prep the app for updates though. So, it should only appear when the download is completed. Been using this method via Config Profile for the past year at my current job. The most difficult part is convincing people to 1) click the update button or 2) quit their apps so they will auto update next launch

szultzie
Contributor II

Hi All, Has anybody figured out a way to update the apps automatically even if an end users doesn't use them?
i have the configuration profile set up to download and install.
-Peter

szultzie
Contributor II

I found this, has anybody tried setting this key as well?

https://github.com/pbowden-msft/Payloads/blob/master/MAU_AppArray.plist

Application Key for the Configuration Profile

Register applications that MAU should update. If this is not managed MAU might have issues finding updates for applications that a user has never opened.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Applications</key>
    <dict>
        <key>/Applications/Microsoft Excel.app</key>
        <dict>
            <key>Application ID</key>
            <string>XCEL15</string>
            <key>LCID</key>
            <integer>1033</integer>
        </dict>
        <key>/Applications/Microsoft OneNote.app</key>
        <dict>
            <key>Application ID</key>
            <string>ONMC15</string>
            <key>LCID</key>
            <string>1033</string>
        </dict>
        <key>/Applications/Microsoft Outlook.app</key>
        <dict>
            <key>Application ID</key>
            <string>OPIM15</string>
            <key>LCID</key>
            <integer>1033</integer>
        </dict>
        <key>/Applications/Microsoft PowerPoint.app</key>
        <dict>
            <key>Application ID</key>
            <string>PPT315</string>
            <key>LCID</key>
            <integer>1033</integer>
        </dict>
        <key>/Applications/Microsoft Word.app</key>
        <dict>
            <key>Application ID</key>
            <string>MSWD15</string>
            <key>LCID</key>
            <integer>1033</integer>
        </dict>
        <key>/Applications/Skype for Business.app</key>
        <dict>
            <key>Application ID</key>
            <string>MSFB16</string>
            <key>LCID</key>
            <integer>1033</integer>
        </dict>
        <key>/Applications/Microsoft Remote Desktop.app</key>
        <dict>
            <key>Application ID</key>
            <string>MSRD10</string>
            <key>LCID</key>
            <integer>1033</integer>
        </dict>
        <key>/Applications/Company Portal.app</key>
        <dict>
            <key>Application ID</key>
            <string>IMCP01</string>
            <key>LCID</key>
            <integer>1033</integer>
        </dict>
        <key>/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app</key>
        <dict>
            <key>Application ID</key>
            <string>MSau04</string>
            <key>LCID</key>
            <integer>1033</integer>
        </dict>
    </dict>
</dict>
</plist>

-Peter