Requirements: OS X updates for "shared" machines in an educational environment will be deployed during a scheduled maintenance window when labs are closed.
At no point shall a student or teacher ever be prompted for any action re: updates. The SLA for shared/public workstations is that machines are patched by IT--this process must be fully automated so that IT staff doesn't have to run around logging into machines to patch them.
What is the current thinking on how best to accomplish this? The environment is full JAMF Pro with an established team to support it. Most of the Macs in the overall environment are 1-to-1 deployed, and assigned users are encouraged to respond to prompts to update -- it's part of their responsibility. But there are still plenty of computer labs/teaching stations where asking end users to participate in keeping the machines updated is not practical.
Our current scripted solutions don't seem to work reliably in Big Sur and above, due to changes in the softwareupdate command.