Help

best practices for software updates in computer labs: updates must not involve any logged in user

teodle
Contributor

‎07-29-2021 07:46 AM - edited ‎07-29-2021 07:52 AM

requirements: OS X updates for "shared" machines in an Educational  environment will be deployed during a scheduled  maintenance window when labs are closed. 

At no point shall a student or teacher ever be prompted for any action re: updates. The  SLA for shared/public workstations  is that machines are patched by IT--this process must be fully automated so that IT staff doesn't have to run around logging into machines to patch them. 

What is the current thinking on how best to accomplish this? The environment is full JAMF Pro with an established team to support it. Most of the Macs in the overall environment are 1to1 deployed, and assigned users are encouraged to respond to prompts to update --it's part of their responsibility. But there are still plenty of computer labs/teaching stations where asking end users to participate in keeping the machines updated is not practical. 

Our current scripted solutions don't seem to work reliably in Big Sur and above, due to changes in softwareupdate command. 

 

 

4 REPLIES 4

sdagley
Honored Contributor II

Posted on ‎07-29-2021 10:18 AM

@teodle Once you get Big Sur 11.5 or later installed you _should_ be able to initiate an update without requiring user approval via Jamf Pro as long as it has a Bootstrap Token

teodle
Contributor
In response to sdagley

‎07-29-2021 10:40 AM - edited ‎07-29-2021 10:40 AM

Thanks @sdagley 

Would  explain why a computer I had manually updated to 11.5 got the 11.5.1 update whilst all the ones we haven't visited are stuck on 11.4?

BTW kudos for the quick reply!! Do you have any documentation for this? Was it supposed to "just work" in Big Sur but the Apple kept breaking/patching things? We have our Bootstrap Token Escrow all working properly. I've verified that by sending the profiles command out to a group of lab computers and they show both support and escrow, so just need all hands on deck to get out into the field and get everyone up to 11.5

 

Also--does this support updates that require reboot?

0 Kudos

sdagley
Honored Contributor II
In response to teodle

Posted on ‎07-29-2021 10:56 AM

@teodle I _thought_ this was mentioned in one of the Big Sur 11.5 Beta release notes, but I can't find a reference to it right now. It _might_ have been a change attributed to macOS Monterey and happens to have been implemented in 11.5 if you've seen a non-user approved scripted update work (I haven't tried it yet myself)

0 Kudos

PaulHazelden
Contributor III
In response to teodle

Posted on ‎07-30-2021 12:41 AM

I have been trying to do this via mass action command. It works. But, I have found that some do update and reboot as you expect, and others were told to update a week ago and are still not done. Managing the timing of it is my biggest headache. Jamf simply reports the command as a fail.

There is another post here on a similar topic, and one of the posters has suggested pushing the full OSX installer out to the Macs and then running an install in place command, not an erase and install. Bit of a sledgehammer to crack a nut, but if that is the only way to ensure the timing of an update then so be it. I have only a Saturday morning of free time in the labs where I can update them, and also have the network available totally to myself for this purpose, so getting them done exactly when I want is very important.

0 Kudos
Jamf helps organizations succeed with Apple. By enabling IT to empower end users, we bring the legendary Apple experience to businesses, education and government organizations. Learn about Jamf.