Delay Apple updates for up to 90 days... coming soon

AVmcclint
Honored Contributor
1 ACCEPTED SOLUTION

Rhio
New Contributor III

Bottom line on Jamf Pro 10.3


19 REPLIES

Taylor_Armstron
Valued Contributor

Don't we already have the option in JAMF?

Discussion here: https://www.jamf.com/jamf-nation/feature-requests/6627/move-defer-software-updates-for-90-days-to-software-update-payload

gachowski
Valued Contributor II

Even more interesting, it looks like there are about 20 or so more new Profile Keys for 10.13.4... most with software update caching...

https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW4

C

donmontalvo
Esteemed Contributor III

Apple actually stated to us:

MacOS 10.13 provides support for deferred software updates.

Where did we see that deferring updates will only be 10.13.4 or later?

The article seems to show "defer" info for FileVault 2 and Content Caching Payload.

But yea, if we use Configuration Profile > Restrictions > Functionality > [x] Defer software updates for 90 days the other keys will be set or unset...so really should be a separate payload or key that we can set (digging around now).

--
https://donmontalvo.com

harsha
New Contributor III

Hi Rhio,

This means if Apple releases a software update today, then after 30 days the user will get the update? Or will it automatically update after 30 days?

donmontalvo
Esteemed Contributor III

@harsha wrote:

Hi Rhio,

This means if Apple releases a software update today, then after 30 days the user will get the update? Or will it automatically update after 30 days?

It's a deferral, meaning macOS won't be aware of the updates for N days.

--
https://donmontalvo.com

harsha
New Contributor III

Hi Rhio,

May I know what is the use of it?

FutureFacinLuke
Contributor II

The iOS settings are in roughly the same place.

rusty_adams
New Contributor III

First one I tested today sailed right on through to iOS 12 despite the config profile being set to defer for 90 days.

damienbarrett
Valued Contributor

I actually need more than 90 days, which I've told my Apple SE and others many, many times. I work at a school, where we update our iOS once per year, in the summer. Period, end of story. Zero flexibility on this as the staff members that maintain iOS devices (myself) don't have time to dick around with iOS upgrades at any time other than the summer. Nor do I want a kindergartner to accidentally upgrade an iPad from iOS 10 to 11, or 11 to 12, etc.

I don't give a flying f-bomb if this makes my iOS devices "less secure". They are all heavily managed, supervised, and monitored. They do not leave our campuses. Why can't I have the option to manage my iOS devices on my own schedule? Why must we be beholden to some arbitrary upgrade schedule determined by Apple? Everyone talks about Apple becoming more friendly to Enterprise. Nonsense. They need to start listening to those of us in the trenches and not giving us half or partial solutions that don't actually work with our schedule.

Currently, I block the mesu.apple.com URLs at our firewall, but I'm not confident this will be a working solution forever.

harsha
New Contributor III

Hi damienbarrett,

May I know how to forcibly push the software update to the user's system if the user is not installing the latest version? Is there any option like that in Jamf Pro? If yes, can you tell me how to deploy or configure it in Jamf Pro?

ferriterj1
New Contributor III

Rusty - are you scoped correctly with that config profile? Also, are the devices at least 11.3? If a device has an iOS version earlier than 11.3 then they will be able to update even if scoped correctly. Our 11.3+ devices are being deferred.

a_stonham
Contributor II

Seeing the same on macOS. Safari 12 just got deployed to 3000 Macs at my organization. Okta integration is broken.
Config profile is definitely installed and scoped.

Ash

FritzsCorner
Contributor III

@donmontalvo

But yea, if we use Configuration Profile > Restrictions > Functionality > [x] Defer software updates for 90 days the other keys will be set or unset...so really should be a separate payload or key that we can set (digging around now).

I have been looking into this as well and I haven't found a good way of independently managing the software update settings apart from our other Restrictions payload. Did you ever find anything from your digging?

donmontalvo
Esteemed Contributor III


--
https://donmontalvo.com

darthmaverick
New Contributor III

Wait, so this defers ALL updates, even say iTunes or what have you for 90 days? Even if you manually run a script or the Software Update payload?

talkingmoose
Moderator

The behavior should be that each update is "invisible" from the day it's released until the number of days you've specified has passed. I don't believe the softwareupdate command will see these until then.

jtrant
Valued Contributor

I've applied a custom PLIST as described by @donmontalvo above and can't seem to get it to work. Creating a new profile with the Restrictions payload does work but I'd rather not duplicate settings and run into a possible conflict down the line.

Has anyone been able to get the custom PLIST setting to work? I do see the entries show up in /Library/Managed Preferences/com.apple.applicationaccess, but they just don't seem to do anything.

Verified by scoping the PLIST config profile to one machine on 10.14.6, the restrictions payload on another. PLIST machine showed the new supplemental update, the restrictions payload machine did not.

Another option is to unsign the restrictions configuration profile, strip out the parts I don't need, sign it and upload to Jamf. However, the last time I did this the signing certificate downloaded from Jamf expired after a year, resulting in my profile showing 'Unverified' which is less than ideal.

Thanks in advance,
Justin.

FritzsCorner
Contributor III

Here is what we are doing that works just fine. One to scope the # of days to delay and the other to configure the behavior.

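Added example, not code from any poster in this thread: a Python check of a copy of the managed-preferences plist mentioned above (/Library/Managed Preferences/com.apple.applicationaccess), covering the split described in the last post where one profile sets the number of days and another sets the behaviour. The key names and the 30-day default come from Apple's Restrictions payload reference rather than from the thread, and the check assumes deferral is only active when the Boolean key is true; as reported earlier in the thread, keys being present in that file confirms configuration, not enforcement.

```python
import plistlib

# Key names are Apple's Restrictions (com.apple.applicationaccess) keys; they are
# not quoted in the thread and are stated here from Apple's profile reference.
FORCE_KEY = "forceDelayedSoftwareUpdates"   # Boolean: turns deferral on
DELAY_KEY = "enforcedSoftwareUpdateDelay"   # Integer: days each update stays hidden
DEFAULT_DAYS = 30   # documented default when only the Boolean is set
MAX_DAYS = 90       # maximum discussed in this thread


def audit_deferral(plist_bytes):
    """Inspect a managed-preferences plist and describe the configured deferral."""
    prefs = plistlib.loads(plist_bytes)
    forced = prefs.get(FORCE_KEY)
    delay = prefs.get(DELAY_KEY)
    result = {"deferred": False, "days": None, "findings": []}

    # Assumption: without the Boolean set to true, deferral is not active.
    if forced is not True:
        msg = f"{FORCE_KEY} is missing or false"
        if delay is not None:
            msg += f"; {DELAY_KEY}={delay!r} is set but deferral is not enabled"
        result["findings"].append(msg)
        return result

    result["deferred"] = True
    if delay is None:
        result["days"] = DEFAULT_DAYS
        result["findings"].append(f"{DELAY_KEY} not set; default of {DEFAULT_DAYS} days applies")
    elif isinstance(delay, bool) or not isinstance(delay, int):
        result["findings"].append(f"{DELAY_KEY} must be an integer, found {type(delay).__name__}")
    elif not 1 <= delay <= MAX_DAYS:
        result["findings"].append(f"{DELAY_KEY}={delay} is outside 1-{MAX_DAYS} days")
    else:
        result["days"] = delay
    return result


if __name__ == "__main__":
    # Constructed samples: both profiles scoped, only the "days" profile,
    # and only the "behaviour" profile.
    samples = {
        "both profiles": {FORCE_KEY: True, DELAY_KEY: 90},
        "days only": {DELAY_KEY: 90},
        "behaviour only": {FORCE_KEY: True},
    }
    for name, prefs in samples.items():
        print(name, audit_deferral(plistlib.dumps(prefs)))
```

To check a real machine, pass the bytes of a copy of the file, converted to XML or binary plist format, to `audit_deferral`.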