Enforcing macOS security updates

hwjhartmann
New Contributor

I've seen a couple of old threads regarding ways of enforcing macOS security updates, but not much for the recent version of Jamf Pro 10.x.

We are exploring the use of Patch Management currently. Does anyone have any best practice recommendations on enforcing devices to update to the latest critical or security updates on macOS when they are released?

6 REPLIES

Stubakka
Contributor II

I use a Profile to enforce Apple updates, with a deferral also to make it easier on the users in case it's a bad time.

You can also use a config profile to do this. But I like having the deferral because it will show a message on screen etc.

richardedmond
New Contributor

Hello,
I know this is old but I have the same question as the original poster... How do we only address and enforce only the security updates? Not all major OS updates.

This is such a great resource ... thank you everyone who helps others.

shalas
New Contributor III

I would also like to know this. Updates seem to be a bit of a mess lately. There are some threads mentioning new things coming (no timeline though) and the general rule seems to be MDM commands, but you can only update to specific OS versions (only very recent ones too) and nothing specific to security updates.

donjakubczak
New Contributor III

Instead of using the Software Update configure process couldn't you instead configure the Files & Processes to use:

softwareupdate -i -r

which should just look for security updates.   
Then also configure Restart Options to restart if needed for both when a user is logged in or not and give them a certain time to save files prior to restarting? 
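
As an added example (not part of the post above), a policy script could list what `softwareupdate` marks as recommended before installing with `-i -r`, and report whether a restart is needed so the policy's Restart Options can handle it. The list output carries a Recommended field and no separate security marker; the function names and sample output below are constructed.

```shell
#!/bin/bash
# Added example, not from the thread. Function names and sample data are constructed.

# Constructed sample of `softwareupdate --list` output (macOS 10.15+ layout).
sample_list() {
  cat <<'EOF'
Software Update found the following new or updated software:
* Label: ExampleOS 1.2.3-00A000
    Title: ExampleOS 1.2.3, Version: 1.2.3, Size: 2000000K, Recommended: YES, Action: restart,
* Label: ExampleTool-4.5
    Title: Example Tool, Version: 4.5, Size: 1000K, Recommended: NO,
* Label: ExampleBrowser-6.7
    Title: Example Browser, Version: 6.7, Size: 90000K, Recommended: YES,
EOF
}

# stdin: list output. stdout: "<label>|<restart|none>" per recommended update.
recommended_updates() {
  awk '
    /^\* Label: / { sub(/^\* Label: /, ""); label = $0; next }
    /Title: / && label != "" {
      if ($0 ~ /Recommended: YES/)
        print label "|" (($0 ~ /Action: restart/) ? "restart" : "none")
      label = ""
    }'
}

# stdin: list output. Exit 0 if any recommended update needs a restart.
restart_required() {
  recommended_updates | grep -q '|restart$'
}

# Only runs on a Mac; elsewhere the functions can be tried with sample_list.
if command -v softwareupdate >/dev/null 2>&1; then
  list=$(softwareupdate --list 2>&1)
  pending=$(printf '%s\n' "$list" | recommended_updates)
  if [ -z "$pending" ]; then
    echo "No recommended updates pending"
  else
    echo "Pending recommended updates:"; echo "$pending"
    printf '%s\n' "$list" | restart_required && echo "A restart will be required"
    softwareupdate --install --recommended
  fi
fi
```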

JoAnneB
New Contributor

For the Profile Software update policy, I know we can customize the user interaction message, but are we able to add any personal logo on that?

Cmolina001
New Contributor

This may be a dumb question, but how do I get Apple Software Update Server to be an option? It's not in our environment.