Posted on 08-02-2016 07:34 PM
I've begun looking at the patch reporting included with Casper 9.9.3 and I've got some concerns because I'm seeing software update information that is either out of date or inaccurate:
Mozilla Firefox - listed as being 47.0.1
Mozilla Firefox 48.0 was released today on August 2nd.
Firefox ESR - listed as being 47.0.1
Mozilla Firefox 45.3.0 ESR was released today on August 2nd:
https://www.mozilla.org/en-US/firefox/45.3.0/releasenotes/
Firefox ESR description - listed as Mozilla Firefox: Excludes Extended Support Release (ESR)
If I hadn't checked the EA for this Patch Reporting Software Title, I would have thought this meant that it was a confusingly duplicate listing for Mozilla Firefox's regular release. When I checked the included EA though, the script comments in the EA indicated it was looking for the ESR version.
Java SE Development Kit 8 - listed as being 1.8.102
Java SE Runtime Environment JRE 8 - listed as being 1.8.102
Oracle has been releasing two separate versions of Java 8 simultaneously, one of which is the CPU release and the other is the PSU release. The difference between CPU and PSU releases is as follows:
Critical Patch Update (CPU): contains both fixes to security vulnerabilities and critical bug fixes.
Patch Set Update (PSU): contains all the fixes in the corresponding CPU, plus additional fixes to non-critical problems.
As of August 2nd, 2016, these are the two released versions:
CPU: 1.8.101
PSU: 1.8.102
Why this is important is that Oracle recommends most folks update to the CPU release and only install the PSU release if they are specifically impacted by one of the bugs in the PSU version's release notes.
For more details on the differences between CPU and PSU updates, please see the link below:
http://www.oracle.com/technetwork/java/javase/cpu-psu-explained-2331472.html
Posted on 08-02-2016 10:47 PM
That some of the EAs use mdfind is one of the reasons we (enterprise) really need to be able to manage our own EAs. ;)
Posted on 08-02-2016 10:55 PM
Thanks for the heads up Rich, think I will wait for 9.9.4 to come out before I start using this nice new feature.
Posted on 08-03-2016 12:52 AM
The fact that the EA for Adobe AIR looks at one of the apps instead of the actual framework in /Library/Extensions... <facepalm>
The fact that the EAs don't use explicit paths (i.e. defaults read instead of /usr/bin/defaults read)...
Yes, the version info needs to be updated more frequently...
Posted on 08-03-2016 03:04 AM
So it looks like the EA just flags up whether Firefox ESR is installed. Is that then used as a form of scoping?
Posted on 08-03-2016 07:07 AM
@rtrouton Thanks for comments about reporting. The Firefox version 48 was recognized yesterday and is in the testing phases before we release that update. The ESR one is a little bit confusing, it was designed to ONLY update Firefox, not Firefox and Firefox ESR. The use case for the Firefox Excludes ESR Software Definition would be an environment that has ESR installed and does not wish to switch/update them to Firefox, thus only reporting on Firefox.
As for the JAVA 8 CPU and PSU I will look into that this morning and see what we can do to match those reports with our reporting. I will post back once I have a solution. Also we will look into "adjusting" the Firefox and Firefox ESR definition to make more sense long term. Please keep the advice coming, so when Patch Management comes out we are ready for anything!
Posted on 08-03-2016 11:12 AM
Feature requests to expand patch reporting:
Posted on 08-04-2016 12:39 PM
@donmontalvo What is the problem with using mdfind?
Posted on 08-11-2016 09:16 AM
Posted on 09-07-2016 02:42 PM
@donmontalvo What is the problem with using mdfind?
Spotlight is unreliable/inconsistent, insofar as it provides version information on apps, but not using paths that we can/should manage.
So the app can be in /whatever/path/you/can/imagine/, which means, yea, it's there, but we can't do anything with that info.
Because...installers install to fixed paths. Installers don't look for the application. Installers expect the application to be where it was installed. ;)
And how do you accommodate software sold by clueless vendors who change the paths of their apps?
/Applications/Adobe Photoshop CC 2015/Adobe Photoshop CC 2015.app
vs /Applications/Adobe Photoshop CC 2015.5/Adobe Photoshop CC 2015.5.app
Or even...
/Applications/Adobe Illustrator CC 2015/Adobe Illustrator.app
vs /Applications/Adobe Illustrator CC 2015.3/Adobe Illustrator.app
¯_(ツ)_/¯
Don't even get me started on Adobe Reader DC versioning madness.
I love that JAMF Software are stepping up to the plate and working to give us patch management...it's a dream come true for all of us.
I just hope JAMF Software doesn't make too much progress, without stopping to talk to those of us who manage large numbers of Macs in enterprise and K12, to make sure we're not veering off on a tangent.
Using mdfind for Patch Reporting is great if you manage Macs at shops that want/need to have the latest and greatest.
Unfortunately that's not the reality at large enterprise shops, where every update is requested/vetted/tested/approved before being deployed...where stuff is always a version or three behind.
So Patch Reporting does what it promises to do (is the app at the latest version or not), we just can't call it Patch Management because that's not an accurate description of the feature.
Don
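
An added example (not part of any post above, and not Jamf's own EA code): an extension attribute script that follows two points raised in the thread, calling the tool by absolute path (/usr/bin/defaults) and reading the version only from fixed, managed install paths instead of searching with mdfind. The function names are hypothetical; the Photoshop paths are the ones quoted above.

```shell
#!/bin/bash
# Added example: report an app version from managed, fixed install paths only.
# read_version and managed_app_version are hypothetical helper names.

# Absolute path to the tool, so a root-run EA does not depend on $PATH.
DEFAULTS="/usr/bin/defaults"

# Read CFBundleShortVersionString from an app bundle.
# Prints nothing and returns non-zero if the key or plist is unreadable.
read_version() {
    "$DEFAULTS" read "$1/Contents/Info" CFBundleShortVersionString 2>/dev/null
}

# Print the version of the first bundle that exists among the given paths.
# Copies located anywhere else on disk are deliberately ignored.
#   "Not Installed" - none of the managed paths exists
#   "Unknown"       - a bundle exists but its version cannot be read
managed_app_version() {
    local app version
    for app in "$@"; do
        [ -d "$app" ] || continue
        version="$(read_version "$app")" || version=""
        if [ -n "$version" ]; then
            printf '%s\n' "$version"
        else
            printf 'Unknown\n'
        fi
        return 0
    done
    printf 'Not Installed\n'
}

# Jamf reads the EA value from between the <result> tags.
# List every path the vendor has used for this title, newest first.
echo "<result>$(managed_app_version \
    "/Applications/Adobe Photoshop CC 2015.5/Adobe Photoshop CC 2015.5.app" \
    "/Applications/Adobe Photoshop CC 2015/Adobe Photoshop CC 2015.app")</result>"
```
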