General Software Update Workflow

dennisnardi
Contributor

I'm just curious how folks around here are generally handling their third party software updating? I have a decent workflow, with what is mandated for me, but I'm wondering if there's anything that could be done to be more automated/easier, and just generally curious what other folks do.

In my environment there's a mandate that after updates of third party apps are released they become available via Self Service until a set day and time, at which they become required and install automatically.

So I have two policies for each app that accomplish this. One which makes the software available and I tweak the date/time of when it becomes active/inactive, and then another which is set to be active at a specific date/time which installs the update on next checkin.

This works pretty well. However, it requires me to manually update smart groups frequently and adjust active/inactive times in policies, along with uploading updated packages. If I don't notice an app gets updated, let's say Google Chrome, and it has an auto update feature, then it's very possible my Jamf will downgrade Chrome because I didn't adjust my policies/smart groups quickly enough.

Because of the timing requirements, I can't use Jamf's Patch Management, and it doesn't contain all the titles that would be required.

Anyone have any ideas, or want to share what they do in their environment?
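A version guard for the downgrade scenario described in the post above, added here as an example and not code from the thread: the install policy only proceeds when the client is actually behind the packaged version. The Chrome app path and Info.plist key are the standard ones; the version numbers in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: guard a Jamf install policy so it
# only installs the packaged version when the client is actually older.
# Apps with their own updater (e.g. Chrome) may already be ahead of the
# package, and installing anyway is the downgrade described in the post.

# Compare two dotted version strings field by field as integers.
# Prints -1 (a < b), 0 (equal) or 1 (a > b). Missing fields count as 0,
# so "1.2" equals "1.2.0". Assumes purely numeric fields.
compare_versions() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then echo -1; return 0; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then echo 1; return 0; fi
    done
    echo 0
}

# Succeed (exit 0) only when an install is warranted: the app is missing or
# the installed version is older than the packaged one. A client that has
# self-updated past the package is left alone.
should_install() {
    installed="$1"; packaged="$2"
    if [ -z "$installed" ]; then
        return 0
    fi
    [ "$(compare_versions "$installed" "$packaged")" -lt 0 ]
}

# Read the installed Chrome version on macOS; prints nothing if absent.
# Path and plist key are the standard ones for Google Chrome.
installed_chrome_version() {
    plist="/Applications/Google Chrome.app/Contents/Info.plist"
    if [ -f "$plist" ]; then
        /usr/bin/defaults read "$plist" CFBundleShortVersionString 2>/dev/null
    fi
}

# Demo with constructed values: the policy's package is 120.0.6099.109 but the
# client's updater already moved it to 121.0.6167.85, so the policy must skip.
if should_install "121.0.6167.85" "120.0.6099.109"; then
    echo "install packaged version"
else
    echo "skip: installed build is already newer"
fi
```

In a real policy, replace the constructed values with `installed_chrome_version` and the version your package carries, and exit non-zero before the install step when `should_install` fails.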


tlarkin
Honored Contributor

In a previous life I was using the Community Patch Server with jamf, where you could set your own definitions. To me, while this was fantastic and Bryson did an amazing job building it, I was more so trading problems; the amount of work/effort did not drastically change. Now, with how Patch is designed, the amount of resource overhead was way more distributed. This is due to how Patch does not calculate everything scope-wise up front; as devices submit inventory it calculates scope gradually as data is submitted, which is nice.

Fast forward to my current job: I am using AutoPKG and JSS Importer with AWS S3 + VirusTotal integration, feeding a set of ongoing policies where I just update the pkg in that policy and it will auto patch the client system when it can. At my new gig I am under an SLA to patch and update everything, including macOS patches as well as third party app patches. To me this was the most efficient way to do this with the proper amount of engineering cost.

Now, I have also created this feature request, where I am kindly asking jamf to please look at an application state model for deployment and application patching. You can check it out here and upvote if you like it.

In my environment there's a mandate that after updates of third party apps are released they become available via Self Service until a set day and time, at which they become required and install automatically.

This is very similar to my SLA. Security is taken pretty seriously, as it should be since we are a data company, and so we just auto deploy and auto update everything. The good news is that for things like browsers or MS Office, you can easily just deploy the current version you have and force auto updates on so they are always up to date.

Until Jamf makes a better way, for clean automation and a fast-moving process I think AutoPKG + JSS Importer are probably the best bet, and they seem to be the most flexible.