Posted on 12-17-2015 11:46 AM
Just saw the email that 9.82 is now out. I took a look at the Release notes and it seems like several good fixes made it into this version. A couple that I noted-
[D-009724] When upgrading to a Casper Suite version that uses the new jamf binary location, launch services no longer fail to automatically use the new binary location if the computer loses its connection to the JSS during the upgrade.
[D-009686] When upgrading the JSS to v9.8, the “Log out users after” option is no longer enabled by default in the Login Window payload of an OS X configuration profile.
There's also this one, under Deprecations:
• Policy status determined by checking script output for “error” and “fail”—The JSS no longer determines the status of a policy by checking script output for the words “error” and “fail”. As of v9.82, the JSS now only uses error codes to determine the status of a policy.
Thank you JAMF for finally removing this functionality! I no longer have to worry about policy scripts causing false failures to be logged (once we upgrade that is)
Anything else in the notes that are important fixes for some of you out there?
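An added illustration of the deprecation quoted in the post above (not part of the thread and not JAMF's code): it runs three constructed policy scripts and reports the verdict under the old keyword check and under the exit-code-only rule. The function names, the sample scripts and the case-insensitive matching are assumptions made for the example.

```shell
#!/bin/sh
# Added example: keyword-based vs exit-code-only policy status.
# All names and sample scripts are constructed; this is not JSS code.

# Deprecated heuristic from the release note, modelled (assumption) as a
# case-insensitive substring match on the script output.
status_by_keyword() {
    if printf '%s\n' "$1" | grep -Eiq 'error|fail'; then
        echo Failed
    else
        echo Completed
    fi
}

# 9.82 behaviour from the release note: only the exit code decides.
status_by_exit_code() {
    if [ "$1" -eq 0 ]; then echo Completed; else echo Failed; fi
}

# Run a script body in a child shell, as a policy would, and report both verdicts.
run_policy() {
    out=$(sh -c "$1" 2>&1) && rc=0 || rc=$?
    echo "keyword=$(status_by_keyword "$out") exitcode=$(status_by_exit_code "$rc")"
}

# Succeeds, but the output happens to contain "error": the old false failure.
BENIGN='echo "Scanned install.log: 0 errors found"; exit 0'

# "false" stands in for a failing install step. Its status is dropped, the
# script ends on a successful echo, and the policy is logged as Completed.
SWALLOWED='false; echo "Done"'

# Same step, but the failure is propagated as a non-zero exit code.
HARDENED='false || { echo "install step returned non-zero"; exit 1; }; echo "Done"'

for name in BENIGN SWALLOWED HARDENED; do
    eval "body=\$$name"
    printf '%-10s %s\n' "$name" "$(run_policy "$body")"
done
```

With exit codes as the only signal, the SWALLOWED pattern is the one to audit existing policy scripts for, since a script that ends on a successful command is logged as Completed whatever happened earlier.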
Posted on 12-17-2015 12:03 PM
[D-009726] Fixed an issue that caused QuickAdd package installations to be delayed when a computer with OS X v10.11 is enrolled using a PreStage enrollment.
WOOWOO!
Posted on 12-17-2015 12:46 PM
I think we are going to jump on it. Have been having some issues this sounds like it will fix. Will let you know
Posted on 12-17-2015 12:49 PM
bump
Posted on 12-17-2015 12:50 PM
I donno about you, but the announcement I got had this text:
Please note: we've added a feature to automatically update App Store apps for iOS and OS X, however we've seen reports of unexpected behavior from some customers. We recommend waiting to use this feature until we post an update in JAMF Nation.
Just make sure you're aware.
Posted on 12-17-2015 12:52 PM
The "Log Out Users" bug was the main thing keeping me from updating my JSS. Between this, 10.11.2 and the upcoming fixed Office 2016 volume license installer, January is going to be a good month.
Posted on 12-17-2015 12:52 PM
We got email telling us to turn that "feature" off until we get an email from the friendly folks at JAMF telling us to turn it back on (because they are working on it)
Posted on 12-17-2015 12:56 PM
Does this include an update to the JDS installer so it will work with Server 5 without jumping through hoops editing files?
Edit: JDS installer doesn't appear to have fixed this issue yet, at least in my quick test. This makes my documentation nearly twice as long and open to more potential errors. :-(
Posted on 12-17-2015 12:56 PM
Apparently I glossed over the entire What's New in This Release section, which, if you use VPP managed apps, both iOS and Mac App Store, has some nice feature enhancements you should check out. They don't add much for us since we don't use VPP or need to force MAS app updates, but still nice additions.
We're also going to upgrade to this, but next year. We were getting ready to go to 9.8 originally, but once I saw some of the issues of upgraded Macs losing their JSS connection and never coming back into the fold without manual intervention, we put the brakes on it. We've had enough issues of Macs going randomly MIA on us that that was the last thing we needed. It looks like that issue was resolved here.
Edit: OK, looks like maybe one of the new features isn't fully operational yet based on some of the comments above mine? Ah, oh well. No biggie for us though since we wouldn't be using it.
Posted on 12-17-2015 01:10 PM
I'll be happy when the iOS app update bug is fixed. That left me scratching my head for a couple weeks when an app would mysteriously stop working en masse every time an update came out and my users would have to re-install the app.
Posted on 12-17-2015 01:12 PM
Everyone is failing to freak out about how we can mass update iOS now.
Important bug fixes:
DEP Mandatory enrollment works now on OS X
DEP QuickAdd delay fixed
Spotlight bug fixed in Casper imaging
Posted on 12-17-2015 01:22 PM
Mass deploy of iOS updates is a great improvement, thank you!
Wonder when we will see that available in Bushel :)
Posted on 12-17-2015 01:23 PM
Trying to determine if it's a new MDM command from Apple or not?
Posted on 12-17-2015 03:34 PM
A lot of the new features and bug fixes in this update seem useful, but these two in particular will help with some recent headaches I've experienced:
[D-008182] Fixed an issue that caused the JSS to fail to distribute an updated user-level OS X configuration profile to users that have previously received the profile.
[D-009880] Fixed an issue that prevented the scope of an app from being respected if there are multiple apps with the same bundle identifier in the scope of multiple sites and one instance of the app is updated.
Of course, the launch services fix is huge but I have already crossed that bridge (and, of course, set it on fire).
Posted on 12-18-2015 07:33 AM
@thoule wrote:
Please note: we've added a feature to automatically update App Store apps for iOS and OS X, however we've seen reports of unexpected behavior from some customers. We recommend waiting to use this feature until we post an update in JAMF Nation.
Yep, this is where folks who did not properly package App Store apps are getting bitten in the bootie. ;)
Posted on 12-18-2015 07:57 AM
One bug I've already seen after updating is that our "update inventory" policy fails for every computer. Doing recon works fine though. Anyone else see this?
Posted on 12-18-2015 08:30 AM
Works fine for me. I just get this message during recon.
"2015-12-18 10:29:46.118 jamf[13968:1278352] CFNetwork SSLHandshake failed (-9807)"
Started happening with OS X 10.11.2. I haven't done much research though, but it's probably unrelated.
Posted on 12-18-2015 08:48 AM
Example of what happens when you strip out _MASReceipt folder. App Store doesn't know the app is installed. So it can't update it.
Keynote.app 6.6.1 is installed, but no _MASReceipt folder. So App Store offers to install it.
Guessing this is why the new feature isn't working for some 9.82 folks.
Posted on 12-18-2015 09:00 AM
@donmontalvo If this is the case, and it may in fact be, then this isn't a bug in 9.82, so anyone not using the method of stripping the _MASReceipt folder should be OK. I guess it will be interesting to see what JAMF has to say. The email did specifically mention to wait on a "posting" from JAMF on the issue, so I suspect you're correct on your guess. I don't think they need to issue any kind of fix for this, since it may not be possible to even do so.
Posted on 12-21-2015 11:40 AM
Great timing...this gets released while I'm sitting here at my school updating 60 iPads by hand haha....oye.
Posted on 12-22-2015 10:34 AM
@donmontalvo Have you tested using a "dummy receipt" in the _MASReceipt Folder? I know that was a popular method to use for iWork/iLife. We still haven't updated to 9.82 so I can't test.
Posted on 12-22-2015 01:35 PM
@TJ.Edgerly I don't normally implement hacks that might break down the road. We haven't seen the problem.
Posted on 12-23-2015 10:54 AM
@donmontalvo Same here. Not a fan of a band-aid if a problem can be solved. I was just wondering if anyone had tested and if there were any results. I don't know if people are still using dummy receipts or not...but I just remember that it used to be very popular. Luckily I'm at an educational institution...so VPP is much cheaper for us to implement than in corporate environments (also, I have convinced departments to always purchase "a few extra"). I am just curious to see what would happen if you had an app with a dummy receipt and then used the JSS to update.
Since school is out for the break...I may take a little time to set up a test environment and tinker. I need something else to do besides Fallout 4. ;)
Posted on 12-30-2015 09:05 AM
I could have sworn I read somewhere that this update also allowed you to PREVENT iOS upgrades ... but after some looking I can't find anything to confirm this. Can anyone confirm or deny this functionality?
Posted on 12-30-2015 09:33 AM
9.82 allows you to force an iOS update, but not restrict one.
Posted on 12-30-2015 09:45 AM
Damn. Thanks @cbrewer
Posted on 12-30-2015 12:33 PM
I have to jump in regarding the MAS blank receipt 'hack' as @donmontalvo calls it. First, Don, I agree with you. However, this is a method I still use, for the following reason, which I haven't yet thought of the best way around. We use the blank receipt method to capture, package and distribute iWork/iLife apps, primarily because it allows the app to function from first boot and offers to update/authenticate the app based on the user's own AppleID in the MAS. Once the user does this they are 100% golden. It also gets the user to enter their AppleID so I can skip the AppleID setup on first boot. (Our users' computers are NOT bound to AD and are offline until they are booted and authenticated to our wireless network.)
I get that this isn't a viable solution for most environments but we've got it working here. Mostly because we make a big deal of a campus-wide "tech refresh" every 1st of the month. This is a monthly reminder that each user is supposed to run any available 'featured' Self-Service policies, check for Apple updates and restart their computers. So, at the moment I feel generally ethical AND successful. Heck, we're an educational institution so teaching people to do things is kind of in the job description.
The big issue I have with VPP (for free apps), from a BYOD standpoint, has to do with the fact that our student users already own these apps. If I were to use VPP versions of the apps after our initial imaging, I would need to remove our VPP licenses so as to replace said apps with the users' properly authenticated versions of iLife/iWork when the students leave at the end of the year. This takes far more time than having the properly authenticated version there in the first place. That, or leave them to figure it out on their own, which isn't very nice. That said, I'm sure that I'll have to stop doing that shortly and rethink around this particular box when I no longer have the option.
Posted on 12-30-2015 10:21 PM
@Chris_Hafner sorry for using the word "hack", maybe "workaround" would have been better. The point I was making is when doing stuff like that, there is some risk. In this case not only does/did it break a new JSS feature (I guess we should wait for JAMF to confirm), it is also illegal in some countries to tamper with stuff like that. If it works and is legal and no kittens are hurt, go for it. :)
Posted on 01-04-2016 07:21 AM
Has anyone found any showstoppers for 9.82? I haven't heard much, which is usually a good sign.
Posted on 01-04-2016 07:31 AM
Yeah, we haven't heard of anything negative really so far, which is good. I'm not sure if the timing of the release being so close to EOY had something to do with that though. A lot of organizations have end of year moratorium on changes, like upgrading Casper (I know ours does) so we may wait another week just to see if any more reports start to come in.
So far so good though. Unless something major surfaces, this is probably the 9.8x release we'll make the jump to.
Posted on 01-04-2016 09:03 AM
No showstoppers, but I've noticed issues with enforced screenlocks on screensaver and screensaver after X minutes of inactivity. On some computers screenlock works, on some it doesn't. On some computers the screensaver after inactivity works, but then doesn't prompt for a password even though password lock is enabled. I only started noticing it after 9.82. So yeah, not really a showstopper, but definitely annoying.
Posted on 01-04-2016 11:23 AM
@emilykausalik - are those screen lock/saver issues based upon Profiles delivered in the JSS or another means? I assume the former?
Posted on 01-04-2016 12:29 PM
"Require password immediately" doesn't seem to be working for us on 9.82
Posted on 01-04-2016 12:36 PM
@Abdiaziz Yep, looks like that's it. I wonder if it's a known issue in this version?
Posted on 01-04-2016 12:42 PM
Bummer... We definitely manage those settings via config profile, and it's working well on 9.81...
Posted on 01-04-2016 12:43 PM
I just opened a case with my TAM. We'll see what happens.
Posted on 01-04-2016 01:02 PM
That is rather unfortunate, since we also manage that setting via Config Profile, and it's a requirement to make sure it's applying, per company security requirements. I'll have to poke around and see if we are using a locally created Config Profile uploaded into Casper or one created directly in the JSS UI. Can't seem to recall right now.
FWIW, I would consider not applying a security based setting properly to be a 'show stopper' for us, but I know not every environment has strict requirements around this stuff.
Posted on 01-04-2016 01:52 PM
Isn't this a known issue with prior versions as well?? I thought to "Require password immediately" you had to set a payload under the Passcode section.
Posted on 01-04-2016 02:11 PM
Isn't passcode an iOS setting? I didn't think OS X had passcode enforcement, but has password enforcement.