Best practices for software updates in computer labs: updates must not involve any logged-in user

Contributor II

Requirements: OS X updates for "shared" machines in an educational environment will be deployed during a scheduled maintenance window when labs are closed.

At no point shall a student or teacher ever be prompted for any action re: updates. The SLA for shared/public workstations is that machines are patched by IT; this process must be fully automated so that IT staff doesn't have to run around logging into machines to patch them.

What is the current thinking on how best to accomplish this? The environment is full JAMF Pro with an established team to support it. Most of the Macs in the overall environment are 1-to-1 deployed, and assigned users are encouraged to respond to prompts to update; it's part of their responsibility. But there are still plenty of computer labs/teaching stations where asking end users to participate in keeping the machines updated is not practical.

Our current scripted solutions don't seem to work reliably in Big Sur and above, due to changes in the softwareupdate command.

Esteemed Contributor II

@teodle Once you get Big Sur 11.5 or later installed, you _should_ be able to initiate an update without requiring user approval via Jamf Pro, as long as it has a Bootstrap Token.

Thanks @sdagley

Would this explain why a computer I had manually updated to 11.5 got the 11.5.1 update whilst all the ones we haven't visited are stuck on 11.4?

BTW kudos for the quick reply!! Do you have any documentation for this? Was it supposed to "just work" in Big Sur but Apple kept breaking/patching things? We have our Bootstrap Token Escrow all working properly. I've verified that by sending the profiles command out to a group of lab computers and they show both support and escrow, so we just need all hands on deck to get out into the field and get everyone up to 11.5.

Also, does this support updates that require a reboot?
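A readiness check for the scenario discussed above, as an added example that is not code from the original posts or from Jamf: a Jamf Pro Extension Attribute script that reports whether a lab Mac can take an unattended update (nobody at the console, Bootstrap Token escrowed, and what `softwareupdate -l` has pending, including whether a restart is involved), so a smart group can scope the mass-action update command to machines that will take it silently. The sample command outputs embedded for off-Mac checking are constructed.

```shell
#!/bin/sh
# Readiness check for an unattended, Jamf-initiated macOS update on a shared lab
# Mac, shaped as a Jamf Pro Extension Attribute: one <result> line lets a smart
# group scope the mass-action update command to machines that will take it silently.

# Constructed samples of the real commands' Big Sur output, for off-Mac checking.
SAMPLE_TOKEN_OK='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
SAMPLE_TOKEN_MISSING='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'
SAMPLE_SU_LIST='Software Update Tool
Software Update found the following new or updated software:
* Label: macOS Big Sur 11.5.1-20G80
    Title: macOS Big Sur, Version: 11.5.1, Size: 2578455K, Recommended: YES, Action: restart,'

# "loginwindow" or empty from scutil means nobody is at the keyboard.
nobody_logged_in() {
  [ -z "$1" ] || [ "$1" = "loginwindow" ]
}
# Both lines of `profiles status -type bootstraptoken` must say YES; without the
# escrowed token an Apple silicon Mac still wants a volume owner to approve.
bootstrap_token_ready() {
  printf '%s\n' "$1" | grep -q 'supported on server: YES' &&
  printf '%s\n' "$1" | grep -q 'escrowed to server: YES'
}
# Number of "* Label:" entries in `softwareupdate -l` output (0 when none).
count_pending_updates() {
  printf '%s\n' "$1" | grep -c '^\* Label:' || true
}
# True when any pending update carries "Action: restart".
needs_restart() {
  printf '%s\n' "$1" | grep -q 'Action: restart'
}
# Fold the checks into the EA value, most blocking condition first.
readiness_result() {
  nobody_logged_in "$1"      || { echo "blocked: $1 logged in"; return 0; }
  bootstrap_token_ready "$2" || { echo "blocked: Bootstrap Token not escrowed"; return 0; }
  n=$(count_pending_updates "$3")
  [ "$n" -gt 0 ] || { echo "current: no pending updates"; return 0; }
  if needs_restart "$3"; then echo "ready: $n update(s), restart required"
  else echo "ready: $n update(s), no restart"; fi
}

if [ "$(uname -s)" = "Darwin" ]; then   # live run on the Mac itself
  user=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ {print $3}')
  echo "<result>$(readiness_result "$user" "$(profiles status -type bootstraptoken 2>&1)" \
    "$(softwareupdate -l 2>&1)")</result>"
fi
```

Machines reporting "ready: ... restart required" are the ones to target only inside the maintenance window; a "blocked:" value on a lab Mac is itself worth a look, since it means the unattended path would stall.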

Esteemed Contributor II

@teodle I _thought_ this was mentioned in one of the Big Sur 11.5 Beta release notes, but I can't find a reference to it right now. It _might_ have been a change attributed to macOS Monterey that happens to have been implemented in 11.5, if you've seen a non-user-approved scripted update work (I haven't tried it yet myself).

Valued Contributor

I have been trying to do this via a mass action command. It works. But I have found that some do update and reboot as you expect, and others were told to update a week ago and are still not done. Managing the timing of it is my biggest headache. Jamf simply reports the command as a fail.

There is another post here on a similar topic, and one of the posters has suggested pushing the full OS X installer out to the Macs and then running an install-in-place command, not an erase and install. Bit of a sledgehammer to crack a nut, but if that is the only way to ensure the timing of an update then so be it. I have only a Saturday morning of free time in the labs where I can update them, and also have the network available totally to myself for this purpose, so getting them done exactly when I want is very important.

Contributor II

For our area, we actually set up a maintenance window for our off hours, and our computers only run patch policies during this period. This way we can continue to use the built-in patch management system, but we have control over when those applications receive their updates.

It's a bit of a workaround to create a solution that does not yet exist in Jamf, but it works well enough for us. You can see our solution here: