Jamf Nation Community

Monterey, and others, are out...have fun!

@twall Apple configurator 2? Buzz your girlfriend, WOOF! THATS DISGUSTING! I’ll give it a try thanks 🙂

---

@dmichels wrote:

The only issue is that this kills my network during the day and you can not schedule it. 

---

Sounds like a good use case for a caching server?

I am absolutely with you on that one for sure, cause who wants to be there after hours to hit the button. We are all just trying to keep our weekends right!?!? Limiting the traffic from the app store and other apple servers might be a good route to explore.

Depending what your needs are (ios and macOS, like if one is more heavy than others) the answers are likely here, to get over to the network team, or if you are the network team, if you wanted to do things like limit how much total bandwidth macOS updates take etc:

https://support.apple.com/en-us/HT210060

Question. If you hit Try tonight, do you know what time it'll run?

It should try to run the updates between 12a-4a. They mentioned this somewhere in WWDC2021 if I remember correctly. "Uses machine learning to determine the best time to install update between 12a and 4a blah blah blah"

Was there anything you had to do to get the "Required Managed Update" prompt? I tested it on an intel Mac yesterday while I was remoted it, but I didn't get any prompts. The user locked his Mac and the update did run successfully, but never seen the initial prompt.

Do you know, if you select either try tonight or remind me tomorrow, is it possible to bring this back up on a machine without waiting until the option you selected?  For example, if a user tells it to remind me tomorrow, but then decided that afternoon that they would like to install the upgrade because they decide it is a good time, is there a way to accommodate that?  Perhaps something that could be made available in self service that would force it to re-display?

This looks very promising, but I was wondering what kind of rights do you need to give the API user account and is there any concern about it passing that username and password in plaintext?

https://docs.jamf.com/education-services/resources/20210729/Resources_300_Lesson11.html

This is a good looking script, I really hate how people are having to resort to API commands to shore up JAMFs inability or lack of desire to do anything with software update MDM commands in any reasonable amount of time.

This will still have problems if the Mac is having issues with OS updates via MDM commands. Which is unfortunately fairly common. As far as I can tell JAMF is still not using the StatusUpdate MDM command, so JAMF has no idea what is going on with updates once the MDM command goes out.

Agreed this script looks like a winner for us.  As we need something that works sometimes with Catalina, Big Sur, Monterey and then M1/Intel.

Has this been tested on all of the above in your environments?  We've looked at Nudge but it has some issues sometimes were not a fan of.

@daniel_ross This was mainly used for patching Catalina and Big sur as it basically just triggers the softwareupdate command. It was only when we got some M1 devices in that we noticed the issue that no reboots and installations were happening. So it should be all good for Catalina, big sur and monterey.

Feel free to reach out if you have trouble with it or find things to tweak I'm open to improvements. We all need to work together on this as patch management is a burden we all have to carry!😂🙈

@perryd84 Thanks for sharing this script! Can I ask what has your experience been running this on M1 Macs? I have just tested this on an M1 MacBook but keeps sticking at the prompt to 'Free up Disk Space' requiring 15gb of space but the MacBook has about 400GB free currently.

Hi @jamfjosh21 I've changed the logic for the disk space now so it should work ok. The logic I had in the script was reliant on the main OS disk being disk1s1 but I have seen a few instances where it isn't. I've updated the script on git hub so it should work around this now. Let me know how you get on.

My experience on M1 machines is that the only way to get the software updates to install is using the mass action or management commands in Jamf.  I had no luck at all trying to use policies, scripts, etc and it sounds like that is by design.  Jamf has improved the MDM mass action commands by allowing you to select a version of the OS that you want to patch to.  The problem currently is that there is no scheduling capability.  This is a big issue for us in an education setup where we cannot tell it to update the OS overnight when machines are not in use.  I'm hoping to see some scheduling options soon, but won't hold my breath so far!

@bbarciz you can schedule them with a combination of running the MDM mass action command via API and a user interaction or jamf helper policy. Take a look at @perryd84 's script above. Using the following API command will allow you to do this.

user=APIUSER
	passwd=APIPASSWORD
	serial=$(system_profiler SPHardwareDataType | awk '/Serial Number/{print $4}')
	ID=$(curl -u $user:$passwd -X GET "https://YOUR.JAMFSERVER.COM/JSSResource/computers/serialnumber/$serial" | tr '<' '\n' | grep -m 1 id | tr -d 'id>')
	curl -u $user:$passwd -X POST "https://YOUR.JAMFSERVER.COM/JSSResource/computercommands/command/ScheduleOSUpdate/action/InstallForceRestart/id/$ID"
}

Thanks for sharing.  Is the scheduling component done with the Jamf policy triggers than?

If you use user interaction or the jamf helper (in a policy), the user can defer the update until you want it to force install. @perryd84 's script has a max deferral limit of 4 days. 

FYI if @perryd84 's command doesn't work for you try using the one below.

apiUsername="apiaccount"
apiPassword="apipassword"
jamfProURL="https://yourorg.jamfcloud.com"
macSerial=$(system_profiler SPHardwareDataType | awk '/Serial Number/{print $4}')
jamfProCompID=$(curl -s -u $apiUsername:$apiPassword -H "Accept: text/xml" "$jamfProURL"/JSSResource/computers/serialnumber/"$macSerial" | xmllint --xpath '/computer/general/id/text()' -)


/usr/bin/curl -s -X POST -H "Content-Type: text/xml" -u ${apiUsername}:${apiPassword} ${jamfProURL}/JSSResource/computercommands/command/ScheduleOSUpdate/action/install/id/${jamfProCompID}

@bwoods and @perryd84 thank you for those commands/scripts. With a bit of work I've gotten them to pretty reliably trigger updates on Intel machines.
However I still can't get our M1 machines to actually install any system updates. While the MDM command is issued and received by the client, in the end the install fails to initiate.

What I keep seeing in /var/log/install.log are entries like this:

2022-02-09 14:40:47+01 TestMBA softwareupdated[575]: SoftwareUpdate: request for status for unknown product MSU_UPDATE_20G415_patch_11.6.3

2022-02-09 14:40:47+01 TestMBA SoftwareUpdateNotificationManager[983]: (null)：softwareupdated: Service connection invalidated!

@emilh That error looks like it's not finding the 11.6.3 patch for some reason. I've seen this error on intel macs in the past going from Catalina to Big Sur, the MDM command gave that error and we had to upgrade them a different way by pushing the pkg to upgrade them.

For some reason I was getting "Battery level is too low" when tested in a Mac Pro and iMac. It works fine if I click continue but I modified the battery level part to show the warning if a laptop is not connected to power source instead below 60% (No battery warning in the Mac Pro and iMac after)

# Check Battery level

if [[ "$(/usr/bin/pmset -g ps | /usr/bin/grep "Battery Power")" = "Now drawing from 'Battery Power'" ]]; then
echo "Computer is not currently connected to a power source."

"$Notify" \
-windowType hud \
-lockHUD \
-title "MacOS Updates" \
-heading "Plug in Power" \
-description "Computer is not currently connected to a power source.
Please connect to a power supply before continuing." \
-icon /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns \
-button1 "Continue"
fi