Firmware updating

Not applicable

Thought I'd throw it out there and see if I'm doing this right, or even on the right mindset.

So it's up to users to install the actual firmware patch to their machines, right? If I force their machines to download Apple patches every week, the updates are not considered complete until the firmware is installed.

So here's what I'm using to force users to install the firmware.

We'll use the SuperDrive Update that came out a while ago.

Smart group that has clients with the SuperDrive Update.app installed but do not have the package receipt com.apple.pkg.SuperDriveFWU present. I get a list of users who have yet to patch firmware and get a receipt in their system?

I then create a once a day policy that executes open -a "/Applications/Utilities/SuperDrive Update.app" on that smart group. The end result is users will get the dialog every day saying they need to install the firmware. Once they do, they get the receipt installed and they fall out of the smart group.

Is this what some of you are doing?

I'd be curious if there are easier ways to accomplish this.

Thanks.

8 REPLIES

Not applicable

How are you getting around the issue that you need admin credentials to
actually run the firmware update?

Not applicable

All users are admins.

David Marcantonio
--------

tlarkin
Honored Contributor

I wonder if you could have self service do it, since self service should use the ssh account that is on the machine to execute policies locally, which would need admin rights

Not applicable

I tested self service with software update before and it worked great, just can’t remember if I did firmware updates in that too. I think it should work. I am getting set to do a regular patch management here, and will be facing the same thing.

Sea

On 2/25/10 10:02 AM, "Thomas Larkin" <tlarki at kckps.org> wrote:

I wonder if you could have self service do it, since self service should use the ssh account that is on the machine to execute policies locally, which would need admin rights

Not applicable

We had originally tried pushing all software updates.

The software update install went ok, but when the users restarted they had
3-4 prompts on their screen...Bluetooth firmware, EFI firmware, keyboard
firmware, etc. All of them were prompting for administrator rights...

milesleacy
Valued Contributor

Hey all,

The major issue here is not necessarily admin rights, but having someone touch the Mac. When I'm asked what the Casper Suite does, my response is often "it does anything you'd want to do to a Mac short of physically touching it". Firmware updates are one of those things that require physically touching the Mac.

The way I've dealt with this in the past is to use dummy receipts, and this would transfer well to the upcoming extension attributes. The script I'd use to identify Macs with firmware updates available is:

## script
# identify if there are more than zero firmware updates available

# count the lines of the softwareupdate listing that mention a firmware-type update
fwupdcount=$(softwareupdate -l | grep -c -e Firmware -e EFI -e SMC)

if [ "$fwupdcount" -gt 0 ] ; then
    # INSERT COMMAND TO WRITE DUMMY RECEIPT OR EXTENSION ATTRIBUTE INDICATING FIRMWARE UPDATES ARE AVAILABLE HERE
    :
else
    # INSERT COMMAND TO WRITE DUMMY RECEIPT OR EXTENSION ATTRIBUTE INDICATING FIRMWARE UPDATES ARE NOT AVAILABLE HERE
    :
fi

With an extension attribute, my recommendation would be to have the value be either a "Y" or an "N".

With either a dummy receipt or an extension attribute, you could then create a smart group based on whether a Mac has firmware updates available or not. The membership list for this group can become a work list for a technician to go around applying the firmware updates.

I would have my automatic software updates policy scoped to a smart group with the following criteria...

OS Configuration Information
Number of Available Updates more than 0

AND

Receipts Information
Packages installed by Casper has "dummy receipt in question"

...or if extension attributes are used, I'd replace the dummy receipt criteria with the item below.

Extension Attributes Information
Firmware Updates Available is N

Doing this would have the following results:
If a Mac has software updates available but no firmware updates available, a policy will run the software updates.
We'll have a list of Macs that require firmware updates and therefore need to be physically touched.

I hope this is helpful, and be sure to test thoroughly if you decide to implement this method.

--
Miles Leacy
Technical Training Manager
Mobile (347) 277-7321

miles at jamfsoftware.com
....................................................................
JAMF Software
1011 Washington Ave. S
Suite 350
Minneapolis, MN 55415
....................................................................
Office: (612) 605-6625
Facsimile: (612) 332-9054
....................................................................
US Support: (612) 216-1296
UK Support +44.(0)20.3002.3907
AU Support +61.(0)2.8014.7469
....................................................................
http://www.jamfsoftware.com
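
Added example, not part of the post above or of any JAMF-supplied script: the detection step described in that post, extended to name each firmware-type update so the smart-group work list can say what is pending. The sample listing is constructed to resemble `softwareupdate -l` output, and the function names are hypothetical.

```shell
#!/bin/sh
# SAMPLE_OUTPUT is constructed for illustration; real "softwareupdate -l"
# output varies by OS version and should be checked before relying on this.
SAMPLE_OUTPUT='Software Update Tool
Copyright 2002-2009 Apple

Software Update found the following new or updated software:
   * MacBookProEFIUpdate1.8-1.8
     MacBook Pro EFI Firmware Update (1.8), 1862K [recommended] [restart]
   * Safari4.0.5-4.0.5
     Safari (4.0.5), 29000K [recommended] [restart]
   * MacBookProSMCUpdate1.3-1.3
     MacBook Pro SMC Firmware Update (1.3), 524K [recommended] [restart]'

# Read a softwareupdate listing on stdin and print one label per
# firmware-type update. An entry is a "* label" line plus the description
# line(s) after it; matching per entry means one update is reported once,
# whereas a line count (grep -c) counts every matching line.
firmware_update_labels() {
    awk '
        function emit() { if (label != "" && hit) print label }
        $1 == "*" && NF >= 2 { emit(); label = $2; hit = 0 }
        label != "" && /Firmware|EFI|SMC/ { hit = 1 }
        END { emit() }
    '
}

# Print the Y/N value recommended in the thread for an extension attribute:
# Y when at least one firmware-type update is listed, otherwise N.
firmware_ea_value() {
    if [ -n "$(firmware_update_labels)" ]; then
        echo Y
    else
        echo N
    fi
}

# Demo on the constructed sample. On a managed Mac the input would be:
#   softwareupdate -l | firmware_ea_value
printf '%s\n' "$SAMPLE_OUTPUT" | firmware_update_labels
printf '%s\n' "$SAMPLE_OUTPUT" | firmware_ea_value
```

On the sample, the keyword line count is 4 while the per-entry parse reports 2 pending firmware updates; both give the same Y/N answer.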

tlarkin
Honored Contributor

I am not yet quite an AppleScripting wizard, and am still just an apprentice. However, in my dealings with AppleScript you can fully control the GUI with it. You can tell the Finder to activate windows, click OK, you can tell System Events to do other tasks. So, what you may want to end up doing, and if I get some free time to dive into my AppleScript 123 book soon I will definitely try it out, is that you write a script that detects if any firmware updates are available, or pack it all up in self service. Then, if one is detected it can run a post boot (by flagging for run at next log in) an AppleScript that automates the process.

Heck, you can even use AppleScript to automate an admin account logging in, doing the task and then logging out. Shell scripts can invoke AppleScript and vice versa, so yes, Miles is right -- you can make Casper do whatever it is you want it to do, granted you know how to use the right tools alongside Casper.

-Tom

stevewood
Honored Contributor II

Yeah, but Miles is right, you have to be physically at the machine to do
firmware updates, at least most of them.

Take the recent MacPro update. You had to hold down the power button to get
the update to install. Same is true of some other FW updates.

Now, if Apple moves to finally only require the machine to shut down to
finish installation, we might be on to something.

  1. Scope a Smart Group to catch all machines that require FW update.

  2. Use Casper VNC or ARD to punch the buttons, or an AppleScript as Tom
    suggested, and shut down said machines.

  3. Reboot machines at a set time using PM scripts, or just wait for the
    user to power on in the morning.

Could work....

Steve Wood
Director of IT
swood at integer.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475