Posted on 11-02-2021 12:02 PM
My company is using Jamf Cloud and we were upgraded to 10.33 over the weekend. Since then, when using the MDM command to install updates, Macs keep reinstalling 11.6.1 even if it's already installed. The situation is as such:
I am using a modified version of this - https://github.com/kdrwygvh/Sunstein_macOSUpdates. The softwareupdate command runs and shows these two updates
* Label: Device Support Update-
Title: Device Support Update, Version: , Size: 191029K, Recommended: YES,
* Label: Safari15.1BigSurAuto-15.1
Title: Safari, Version: 15.1, Size: 118254K, Recommended: YES,
So the MDM command runs, but it finds that 11.6.1 is available, despite it already being installed, and reinstalls it.
This has happened once a day starting early on the 31st and my instance was updated on the 30th. The first entry is when the update was originally installed, via the same script (less a few tweaks).
I suspect the issue is that Jamf isn't properly evaluating what updates a Mac does and does not have installed. I don't really know of a way to test this, though, since Jamf has implemented only a handful of MDM commands around updating. I don't see a way to run a "naked" AvailableOSUpdates check to see what it returns. This is happening on all Macs as far as I can tell (have only released to my test group so far) and only started with Jamf Pro 10.33. Macs are reconning after installing the 11.6.1 update. I have only tested on Intel Macs so far.
Is anyone else having this issue, know of anything to try to confirm or deny my hypothesis, or opened a ticket with Jamf already?
Posted on 11-19-2021 01:41 PM
I called support and they suggested using softwareupdate with the -i option to install a specific update. This does work, and does not trigger a password prompt on Apple Silicon as I assumed it would. So, I was able to get this to work by
- restricting my policy that runs the MDM command to Macs that are on Big Sur and still need 11.6.1
- making a script that takes the argument of the update to install
- making two new policies, one for installing Safari 15.1 and one for installing the device support update, using the script from the point above.
I'm marking this as the resolution as it does work, but I still suspect a bug on Jamf's end. The good news is if that's the case, reverting to my original setup after it's fixed will be easy.
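One way to write the per-update script described above, as an added example that is not the poster's script: it installs a label only if `softwareupdate --list` currently offers that exact label. Reading the label from `$4` assumes a Jamf Pro policy script parameter, and the sample listing is constructed from the two labels quoted in the thread.

```shell
#!/bin/bash
# Added example, not the poster's script.
# Installs one update by label, but only when that exact label is offered.

# Read `softwareupdate --list` output on stdin and print one label per line.
# Listing lines look like "* Label: Safari15.1BigSurAuto-15.1".
list_labels() {
    sed -n 's/^[[:space:]]*\* Label: \(.*[^[:space:]]\)[[:space:]]*$/\1/p'
}

# Succeed only if label $1 exactly matches a label in listing text $2.
# -F: fixed string, -x: whole line, so "Safari" does not match "Safari15.1...".
label_available() {
    printf '%s\n' "$2" | list_labels | grep -Fxq -- "$1"
}

# Install label $1 if the Mac is currently offered it; otherwise do nothing.
install_by_label() {
    local label="$1" listing
    listing="$(softwareupdate --list 2>&1)" || return 1
    if ! label_available "$label" "$listing"; then
        echo "Label '$label' is not offered to this Mac; nothing to install."
        return 0
    fi
    softwareupdate -i "$label"
}

# Constructed sample listing, built from the two labels quoted in the thread.
SAMPLE_LISTING='Software Update found the following new or updated software:
* Label: Device Support Update-
    Title: Device Support Update, Version: , Size: 191029K, Recommended: YES,
* Label: Safari15.1BigSurAuto-15.1
    Title: Safari, Version: 15.1, Size: 118254K, Recommended: YES,'

# Assumption: Jamf Pro passes the first custom script parameter as $4.
if [ -n "${4:-}" ]; then
    install_by_label "$4"
fi
```

Because the label is matched against the live listing first, a policy that re-triggers after the update is installed exits without calling the installer.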
Posted on 11-02-2021 12:06 PM
I should also note that it does not install the two updates that it identifies as needed. I suspect this is because it prioritizes the OS update. That's not really an issue, as if I can get the reinstall issue fixed those updates will install, as that was all working prior to upgrading to 10.33.
Posted on 11-02-2021 12:16 PM
I'm going to assume that the machines actually installed the update? Do you have a Smart Group established to group these 11.6.1 machines into once they've done an inventory run?
Posted on 11-02-2021 12:23 PM
The 11.6.1 update is installing. I do have a smart group set up just to track Macs that have got the update; I'm not using it to exclude those Macs from running this policy. As the goal of doing the MDM update is to install all updates, not just the OS-level security updates, I do have a group that identifies if a Mac has any software updates available. As the other two updates are not getting installed, they never leave that group. I certainly can group those that are on 11.6.1.
Posted on 11-03-2021 07:32 AM
@imy How often do you run an inventory on your Macs? If your policy that runs this upgrade script is set to be ongoing, and triggered for a Mac that hasn't done a recon since the OS upgrade it'll run again. You can avoid that by deploying a LaunchDaemon that runs once on restart to see if the macOS Build version has changed since the last restart and does a 'jamf recon' if so, or the more brute force approach of having a Policy triggered on login that does an inventory.
Posted on 11-03-2021 07:37 AM
I don't have an explicit recon in there, but I know for a fact on my machine it has reconned and I have confirmed that the JSS shows it on 11.6.1. My standard recon schedule is once a day.
Posted on 11-03-2021 07:55 AM
It still repeats even after the recon shows 11.6.1 is installed?
Posted on 11-03-2021 08:00 AM
Yes, this is what happens:
- 11.6.1 installed via MDM command in the script
- now outside of the timeframe for policy to run, so Safari, Device Support Update not installed
- recon
- JSS shows that Mac is on 11.6.1
- script with MDM command to run updates runs
- 11.6.1 gets installed again
Posted on 11-03-2021 08:17 AM
Keep in mind that when the 11.6.1 update installs it's going to force an immediate restart and your policy that runs the update script never completes in that case, so you may be running into a race condition if the policy is re-triggered before the inventory updates. That's why I have a LaunchDaemon that checks at restart to see if the macOS Build has changed and forces a recon if it has (I'd post but it does a few other org specific things and I don't have time to sanitize at the moment)
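The restart check described in the post above, as an added example that is not the poster's own LaunchDaemon script: it compares the current macOS build with the one recorded at the previous boot and runs a recon only when they differ. The state file path and the `--run` switch are hypothetical, and `/usr/local/bin/jamf` is assumed to be where the jamf binary lives.

```shell
#!/bin/bash
# Added example, not the poster's script. Intended to be started once per
# boot, for instance by a LaunchDaemon with RunAtLoad set.

# Hypothetical location for the build recorded at the previous boot.
STATE_FILE="${STATE_FILE:-/Library/Application Support/ExampleOrg/last_build}"

# Succeed when build $1 differs from the one stored in state file $2.
# A missing state file counts as a change, so the first boot reports once.
build_changed() {
    local previous=""
    if [ -r "$2" ]; then previous="$(cat "$2")"; fi
    [ "$1" != "$previous" ]
}

# Store build $1 in state file $2, creating the directory if needed.
record_build() {
    mkdir -p "$(dirname "$2")" && printf '%s\n' "$1" > "$2"
}

# $1 = current build, $2 = state file, remaining arguments = recon command.
# The build is recorded only after the recon succeeds, so a recon that fails
# (no network yet at boot) is retried at the next restart.
recon_if_build_changed() {
    local build="$1" state="$2"
    shift 2
    if ! build_changed "$build" "$state"; then
        echo "unchanged"
        return 0
    fi
    if "$@"; then
        record_build "$build" "$state"
        echo "reconned"
    else
        echo "recon-failed"
        return 1
    fi
}

# Only act when called with --run, so the functions can be sourced safely.
if [ "${1:-}" = "--run" ]; then
    recon_if_build_changed "$(sw_vers -buildVersion)" "$STATE_FILE" \
        /usr/local/bin/jamf recon
fi
```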
Posted on 11-03-2021 08:27 AM
The policy is completing, as I'm backgrounding the curl command to run the MDM update and the script exits before that is done. Even if that weren't the case, the call to the MDM command should not be triggering the same update (11.6.1) repeatedly. As the order is:
- run MDM command
- recon
- run MDM command
even if the policy did not show as complete, as long as the MDM command actually got it up to 11.6.1 the first time, the second time it ran it should not reinstall 11.6.1
11-03-2021 11:24 AM - edited 11-05-2021 06:50 AM
So today I'm getting completely different behavior. Now, nothing is updating. It's like it's not seeing any updates as available. I'm going to be filing a ticket.
I am still having the original issue, I just wasn't waiting long enough for the update to kick in.
Posted on 12-03-2021 08:59 AM
@imy , can you provide more information on how you're curling your recon?
Posted on 12-03-2021 09:24 AM
Are you asking how I'm calling recon? As I said I'm not doing it explicitly for this policy, I am just relying on my existing recon policy that runs once a day against all Macs.
If you're wondering if the issue is that the recon doesn't get enough time to run before the next policy run, that's not the issue, as when I noticed the issue I verified it had reconned and ran a manual recon as well. Note that the Mac reports that it has the right OS version in the recon, it just keeps reinstalling that same version.
Posted on 12-06-2021 10:57 AM
I see, thank you. I usually have to use a launch daemon to complete policies that require a reboot.