We have a policy that uses the Software Updates payload to force users to install macOS updates. By default it's set to run once a month, so users get prompted to install updates, but sometimes there aren't any updates to install. So it pesters users for no reason.
Ideally, I'd prefer that the policy check for available macOS updates, and only prompt the user if updates are available. Is anyone already doing this? If so, how?
If there isn't an existing solution, I'll try and create my own. I've been thinking about how to best accomplish this.
Perhaps using two policies, like so:
Policy #1 would run daily and check for updates using whatever method works (perhaps this):
If Policy #1 finds an update, it would use a custom trigger to run policy #2, which would force an update using the Software Updates payload. (I would allow users to defer it for x days, (where x is a number chosen by our security team).
Advice (and constructive criticism) welcome and appreciated.
If you're going to run a softwareupdate -l command daily on your Macs, then you might as well combine policy 1 and 2 into one policy. Check for updates, if any are found, prompt the user to install them. If none are found, exit silently. There's no real reason to split those up, but you can do it that way as well if you'd like.
Or you can look at one of the tools out there designed for nagging users to install available updates, like Nudge for example.
@stevenjklein In theory that's a good approach, but there's a failure mode in sofwtareupdate where it may never return from a request to list updates, and on Apple Silicon machines installing updates requires providing the name and password for an account with volume owner permissions and that can be a problem.
MDM commands to drive macOS updates are currently best described as unreliable, and it remains to be seen if macOS Ventura improves that. Even if that's the case there remains the issue that Jamf doesn't seem to recognize the ability to schedule those MDM commands as if they were a Policy would be a Very Good Thing™, and suggests using the Jamf API to trigger MDM update commands. That unfortunately doesn't help those of us where security policies prevent the use of the Jamf API from individual endpoints.
Here's a Q&D script I use to look for the availability of a specific update that tries to work around the case of a "stuck" sofwtareupdate process:
#!/bin/sh SoftwareUpdatePList="/Library/Preferences/com.apple.SoftwareUpdate.plist" UpdateLookingFor="macOS Monterey 12.6" UpdateIsAvailable=$(/usr/bin/defaults read "$SoftwareUpdatePList" RecommendedUpdates | grep "$UpdateLookingFor") if [ -n "$UpdateIsAvailable" ]; then echo "$UpdateLookingFor is available" else echo "Update was not found - resetting softwareupdate" /bin/rm "$SoftwareUpdatePList" /bin/launchctl kickstart -k system/com.apple.softwareupdated sleep 15 /usr/sbin/softwareupdate --list & sleep 120 UpdateIsAvailable=$(/usr/bin/defaults read "$SoftwareUpdatePList" RecommendedUpdates | grep "$UpdateLookingFor") if [ -n "$UpdateIsAvailable" ]; then echo "Reset successful - $UpdateLookingFor now is available" else echo "Reset unsuccessful - Update still not found" exit 1 fi fi exit 0
@sdagley Your script would require manual updates every time Apple releases an update.
After I posted my question yesterday, I came up with a better method, but I'm still not where I want to be.
We allow users to run the current and previous major releases of macOS. So I've created a Smart Group called Macs needing macOS updates with these criteria:
Operating System Version is Like 12. and Operating System Version is Not 12.6 OR Operating System Version is Like 11. and Operating System Version is Not 11.7
Then I scoped my "force update" policy to that smart group. Now only Macs needing updates nag users to update.
Of course, like your script, this Smart Group would require frequent manual maintenance.
My real goal is to avoid having to manually do anything: Users who are out of date would get prompted (read: Forced) to update, but nobody else will. Given the bugs in sofwtareupdate that you describe, my goal may be unobtainable.
With @sdagley 's script, the
variable can be a script parameter instead of hardcoded, which would make it a little easier to manage going forward, but would still require some hand holding as new updates appear. But at least the script itself would not need to be modified.
@stevenjklein Every time Apple releases a macOS update it has to be qualified for my environment so the amount of time required to manually modify the script for the new version is insignificant. I think the game Jenga must have been invented by an IT engineer to represent the process of qualifying an OS upgrade with all of the various 3rd party tools Enterprise orgs are likely to require.