deploying 10.10.5 Combo update via JSS

jche
New Contributor

JSS: 9.8.1
Casper Admin: 9.8.1
Deploying: 10.10.5 combo update via JSS to 10.10.2

Problem: For security, my company needs everyone to be on 10.10.5 for the safari vulnerability patch.
El capitan doesnt work with trend for us yet so that isnt an option.

Steps: 1. imaged base 9.5.2, threw in a file on the desktop to confirm its being upgraded and not restore
2. enrolled to JSS with machine, cached and ran the Yosemite upgrade.
3. flawless upgrade to 10.10.2
4. but wait, theres more
5. need to be on 10.10.5 > no .app for it, only PKG. Save and index PKG to casper admin
6. run installer from SS
7. While running, it will always hang and destroy. 1/2 times i hard rebooted it and it automagically became 10.10.5. This time, its a black screen with the while scroll wheel but its frozen.

Question:
Who here has deployed via JSS 10.10.5 successfully and what were your steps?
is it that JSS doesnt like PKG because our office 2011 and 2016 is PKG and its also a flawless victory.

Thanks in advance all!

21 REPLIES 21

Aziz
Valued Contributor

Take a look at my post here:

https://jamfnation.jamfsoftware.com/discussion.html?id=15024

I might have confused this with a minor OS update, not a major update.

colincorbin
New Contributor II

Maybe you could use this to make a single step updater that goes straight to 10.10.5?

https://github.com/munki/createOSXinstallPkg

colincorbin
New Contributor II

Further info:

On a machine which already has 10.10.5.......

Sign in to the Apple App Store

Find the Yosemite installer in the Purchases tab and download it

Use the createOSXInstall.pkg app https://github.com/munki/createOSXinstallPkg and point it to the 10.10.5 installer which you just downloaded

The resulting pkg can be uploaded to the JSS and run from a self service policy on 10.8 or 10.9 machines

jche
New Contributor

o0o0o @colincorbin , so do i apply it to JSS the same way as the .app i get from the appstore?

rtrouton
Release Candidate Programs Tester

@jche,

Is this the method you're using for upgrading your Macs?

https://jamfnation.jamfsoftware.com/article.html?id=173

If you've already been deploying the 10.10.2 Install OS X.app for upgrades, you can download a 10.10.5 Install OS X.app from the App Store and deploy it using the same method that you have already been using.

Chris_Hafner
Valued Contributor II

Hrm... I'd like to see what you come back with. I haven't deployed the specific combo update (10.10.5) via self-service but I have done it with a number of combo updaters in the past (including 10.10.3, etc). The process sounds alright, except for the indexing of a .pkg. (Indexing is useful for .dmg's but not .pkg's even though there is a button that will offer to do so anyways.).

If you boot that unit into verbose mode (command + V on boot) where does it hang?

djwojo
Contributor

@jche When you say trend doesn't work with 10.11 yet, we have TMS running fine and reporting in to the server on 10.11.1. Version 2.0.3061 - Are you using a different product?

We use a cache method for upgrades to 10.10.5 (we have 802x issues with 10.11.) I used the full installer as @colincorbin said but did not modify it. I put it directly into Casper Admin and made 2 policies:
651ef9be36c843508cf7a80a9334d1a2

jche
New Contributor

@djwojo @rtrouton yes i am deploying it via this link: https://jamfnation.jamfsoftware.com/article.html?id=173
(the usual method)

how would i get the 10.10.5 app from the app store? when i get the .app its the .2 version whether i get it from my yosemite sus or my el cap admin machine.

the only way that i know how to get the .5 combo update or even a full .5 is from the combo update via the apple site: https://support.apple.com/kb/dl1832?locale=en_US

maybe im missing something?

@Chris_Hafner trend is currently on 2.0.3039 and while i can check for updates and it says its all good, i get the yellow exclamation mark on the icon.
when i try to scan i get the following error:
Unable to perform scanning

some services or files may be corrupted or are not compatible with the system. upgrade the agent or contact your support provider for more information.

clrlmiller
New Contributor III

Note quite sure I'm understanding the question but...
We've successfully deployed the 10.10.5 combo update by ->Caching<- the .pkg with Casper and using the option "Install Cached Packages" under policy's 'Maintenance' section. This makes sure the system has all it needs to complete the upgrade via a localized installer.

That said it's ONLY available to Yosemite client systems. If you've already gotten the systems running 10.10.2 this shouldn't be a problem.

jche
New Contributor

@clrlmiller unfortunately it is.

i havnet tried caching the pkg only installing it.
thatll be my next test.

so tried with both the DMG and the PKG in the DMG and i get errors.
currently testing with the latter option and i reboot to a "unapproved caller. security agent may only be invoked by apple software".

gah!

jhalvorson
Valued Contributor

@jche Trend Micro Security version 2.0.3061 is the first version to support El Capitan. Trend Micro Security 2 3061 release notes

Here's an oddity I discovered with the Office Scan Server. If you download and install the Single Endpoint installer, the client mac will have 2.0.3061.
If you download and install the mpg they offer for mass deploy using "ARD", the client mac will have 2.0.3037. With this version, it may or may not be able to update to the current version. I think both Yos and El Cap have problems with this version.

I've reported the issue to Trend. Hasn't been resolved in the last few updates.

For this reason, my install process via Casper Remote/Policy/Imaging consists of a script that uses curl to download the individual pkg and installs Trend Micro Security.

Chris_Hafner
Valued Contributor II

Ahh... OK. Sorry, I must have missed this yesterday and it's only after my mornings cup of coffee I am realizing that, it sounds like you're not using the combo updater but the full installer (via upgrade). i.e. you're downloading it from the MAS (Mac App Store), where you can't get the "combo" updater. If that really is the case go here:

https://support.apple.com/kb/dl1832?locale=en_US

download the .dmg from Apple and drag the .pkg within to Casper Admin. Simply deploy that .pkg as is and all should be well, Trend issues aside.

jche
New Contributor

@Chris_Hafner i tried using the whole DMG and the PKG in the DMG to moderate success.

the only problem is it freezes the entire system during the upgrade.

i have to force quit finder and hope it reloads, if not then i have to do a hard shutdown and hope its complete.
a few times it reboots successfully, but a few times it bricks the system and i have to netboot the image (cant even recover)

is there another way?
do i need to cache it first before i do the update?

i think my solution (granted this was a few days ago and im a little hazy on the details) was to use the .app 10.10.5 and push it out. so i treated the test users (10.8/10.9/10.10.4) as the same and cached and upgraded them.

so the 10.10.4 got the full 10.10.5.app upgrade and that seems to be okay so far.

htse
Contributor III

@jche what happens if you were to remove Casper from the equation? Install the OS X 10.10.5 Combo Update package interactively as a user, does it result in the same behaviour?

What was the occurring in the install log before it became unresponsive? You can watch install.log in Console as it's installing. You can also extract the and review logs after the OS X installation is no longer usable.

Also if you attempt to update OS X 10.10.4 to OS X 10.10.5 using the Mac App Store installer, if it even allows you, it would end up performing an Archive and Install, and you'll end up with a lot of broken applications installed after-the-fact.

jche
New Contributor

@htse

if i install 10.10.5 on any machine, it goes through the normal authentication process and works without a hitch.

ill have to check log, but i ran the policy only with JSS running. it starts to install via jss and eventually finder and the computer hangs

so 10.10.4 + 10.10.5.app (5.4gb) will break things?
interesting, ive only tried on test machines without lots of data/apps but it hasnt been the case so far.

maybe i just have to tell ppl to run and download manually, but then that defeats the purpose of JSS T_T

htse
Contributor III

@jche you may have noticed when you download a new update of the OS X Installer from the Mac App Store, from a current version, a dialogue pops up telling you to use Updates instead of continuing.

After thinking about it, I may have overstated the Archive and Install bit. It might probably let you, but it's not prescribed, and you'll extend a 15 minute task to a 45-90 minute task.

Have you also tried disabling the Trend Micro security software, before running the update? The OS X Update package would do a lot of things that would be considered malicious to security software, replace the kernel, system files, and processes.

A reinstall of OS X would perform steps similar to this
https://support.apple.com/en-ca/HT1710

jche
New Contributor

@htse is the OSX case because i have the latest OS and am downloading the latest OS as such its more of warning that i am wasting time/bandwidth?

i have not tried disabling trend, that is also something that ill try, but why would a combo update pose more of a threat than a full OS upgrade?

also, that test machine only MS office installed, nothing else, for testing purposes.

htse
Contributor III

I'm going to answer that question based on what the two different packages do. To be perfectly honest I've never used the "drag the OS X Installer.app " into Casper Admin approach before. Keep in mind this is fairly simplified.

An OS X Update pkg installer has a small collection of files to update and a small collection of scripts. Essentially what it does is, you already have these files, and these are the updated files, now replace those ones with these ones, and then clean yourself up.

An OS X Installer.app from the App Store on the other hand, is even more invasive. It will carve up a small "OS X Install" partition on the disk, then it'll make a small install partition for itself, put down the installer files. It will reboot into the installer partition (keep in mind this environment it has booted into is free of external influences like security software), and install the entire OS X.

jche
New Contributor

@htse so what is your proposed method of deployment? have them individually upgrade?

htse
Contributor III

While you certainly can just perform the update individually, It's not really a sustainable solution, at best, you're just putting a band-aid on it. You'll likely continue to have issues with future OS X updates, if you don't isolate the issue now.

Chris_Hafner
Valued Contributor II

Alright... it took me some time to finally come back around to this but I am deploying the .pkg downloaded from:

https://support.apple.com/kb/dl1832?locale=en_US

to some of my users machines (presently only verified that mid-2012 MBPro's and some pre 2015 iMacs function with this). The .pkg was simply dragged to Casper Admin and distributed via Self-Service policy. No funny configuration. I will finally make it around to testing on some newer retinas and MBAirs.

Just FYI.