How are you monitoring 13.3.1 (a) Rapid Security Response?

obi-k
Valued Contributor II

Updated to 13.3.1 (a). Wanted to monitor via Smart Group but it doesn't look the fields populated after inventory check ins.

How are you monitoring?

The fields do populate for iOS.

 

Screenshot 2023-05-02 at 8.01.22 AM.png

 

Screenshot 2023-05-02 at 8.19.46 AM.png

 

Screenshot_2023-05-02_at_7_51_20_AM.png

   

30 REPLIES 30

dhausman
Contributor

What version of the Jamf server are you running?  I think they just added the collection of those for macOS via declarative management in version 10.46.0. 

obi-k
Valued Contributor II

Ah ok. I'm on 10.45 and it gets updated this weekend.

Yep, so when you are on 10.46 those should get populated.

Noonan
New Contributor III

Hijacking this thread to ask, how are you guys deploying this? Will it work with the existing mass action commands or software updates policy for intel devices? 

obi-k
Valued Contributor II

Curious too. Was reading this: https://support.apple.com/guide/deployment/manage-rapid-security-responses-dep93ff7ea78/web

We Turn on “Install Security Responses & System Files” with a config profile. So I guess if users are on 13.3.1 and we send another Mass action command, this will scoop up the 13.3.1 (a) update?

 

Will test but please share your experience @Noonan 

Noonan
New Contributor III

We had the config profile setting enabled for some time now. I sent out a mass action to a subset of devices, monitoring that right now, will keep you posted!

Noonan
New Contributor III
softwareupdate -l
Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: macOS Security Response 13.3.1 (a)-22E772610a
	Title: macOS Security Response 13.3.1 (a), Version: 13.3.1 (a), Size: 302500KiB, Recommended: YES, Action: restart, 

 

Does look like this one requires a restart? "Action: restart," 

pete_c
Contributor III

Yes, applying this RSR does require restarting the device, but the time is minimal.

Noonan
New Contributor III

So I sent a mass action command for 13.3.1 with a deferral of 1 day and it behaved like a regular macOS update:

- Gave the normal prompt to install, try tonight, try later. 
- Prompted for a password (Apple Silicon)
- Restarted the device (same speed as a normal restart)

Also noticed in jamf under the Operating System menu it stated it was downloading the RSR "Update in progress: MSU_UPDATE_22E772610a_patch_13.3.1_rsr" 

I've got a separate Software Updates policy in jamf running for something else and it is installing the updates as well on our Intel devices. 

Result of Software Update: 2023-05-02 20:49:59.608 softwareupdate[9666:70568] XType: Using static font registry.
Software Update Tool

Finding available software
Downloading macOS Security Response 13.3.1 (a)

Downloading: 0.10%
Downloading: 1.00%
Downloading: 1.90%
Downloading: 3.00%
Downloading: 3.90%
Downloading: 4.00%
Downloading: 6.90%
Downloading: 7.00%
Downloading: 8.90%
Downloading: 9.00%
Downloading: 9.90%
Downloading: 10.00%
Downloading: 16.00%
Downloading: 53.90%
Downloading: 54.90%
Downloading: 55.00%
Downloading: 60.00%
Downloading: 99.90%
Downloading: 100.00%
Downloaded: macOS Security Response 13.3.1 (a)

jamf-42
Valued Contributor II

until JAMF updates..  use a smart group checking build version:

22E772610a

 

 

mhasman
Valued Contributor

"Operating System Build" - like - "22E772610a" ?

Not working

sdagley
Esteemed Contributor II

@mhasman Use the EA I posted in this thread - it looks like Jamf Pro 10.45 isn't always reportin the new build version properly

mhasman
Valued Contributor

Thank you! I'll try your EA

sdagley
Esteemed Contributor II

@obi-k For anyone not yet updated to 10.46 here is the EA I use to query the BuildVersion on the Mac (10.45 doesn't seem to properly report the build version after the RSR):

 

#!/bin/sh

# EA - Get macOS Build Numeric Portion
#
# Returns the numeric part of a macOS Build
# e.g. For Build 19H1030 returns 1030

result=""

rawBuildVersion=$(/usr/bin/sw_vers -buildVersion)

if [ -n "$rawBuildVersion" ]; then
	# Return the value of rawBuildVersion starting at position 3
	result=$(/bin/echo "${rawBuildVersion:3}")
fi

echo "<result>$result</result>"

exit 0

Ignore the reference to the "numeric portion" since it's no longer correct with Apple adding alpha characters to distinguish RSR updates.

 

dhausman
Contributor

I enabled the rapid security response for devices yesterday, but was not able to get Jamf to send a command to update the iPad.  I was able to got into settings and install it.  Normally I could send a remote command to start the update, but it did not work for the RSR for me.

obi-k
Valued Contributor II

Apple had issues rolling this out yesterday. Seemed to start working at night and today. 

Did you try sending a MDM command today?

No I have to roll it back and try again. Working on that now.

I got rolled back. I send the upgrade command from Jamf, and nothing happened on the iPad.  A normal software update would prompt me for my password to install.  This did nothing.

obi-k
Valued Contributor II

Which route did you try? 

Latest version based on device eligibility or Specific version?

Screenshot 2023-05-02 at 11.33.23 AM.png

 

Karl941
New Contributor III

I did through latest and worked well. However, that'd be great if Jamf would include the (X) build to target it. Is it something possible under 10.46?

mhasman
Valued Contributor

Agree, cuz "sw_vers -buildVersion" does show "a" at the end

dhausman
Contributor

Latest version based on device eligibility

obi-k
Valued Contributor II

Can you try the Specific version 16.4.1 and see if the result is different?

I am getting this error: Connection to Apple Services is not available. Try again later.

Screenshot 2023-05-02 at 11.42.12 AM.png

mdore
New Contributor

I am seeing this error now as well.  Running 10.46.1.  Were you able to resolve and if so how?  Thanks

Karl941
New Contributor III

RSR is part of the new Declarative Management so it better work without EA

sdagley
Esteemed Contributor II

@Karl941 It should with JSS 10.46, but for those of us still running JSS 10.45 the EA seems to be necessary

tegus232
Contributor

My question s to make sure I am following correctly, once version 10.46 releases, we can also send mass builtin commands to update the machines and apply rapid response?

 

mhasman
Valued Contributor

I believe it only works for Macs with Apple silicon 

tegus232
Contributor

Thanks!

 

Question - is there plan for mass action to be made available where i can select specific version?

 

if not, how can I leverage the following script for 13.3.1a# Server connection information
URL=
username=
password=

# Determine Serial Number
serialNumber=$(system_profiler SPHardwareDataType | awk '/Serial Number/{print $4}')

initializeSoftwareUpdate(){
# create base64-encoded credentials
encodedCredentials=$( printf "${username}:${password}" | /usr/bin/iconv -t ISO-8859-1 | /usr/bin/base64 -i - )

# Generate new auth token
authToken=$( curl -X POST "${URL}/api/v1/auth/token" -H "accept: application/json" -H "Authorization: Basic ${encodedCredentials}" )

# parse authToken for token, omit expiration
token=$(/usr/bin/awk -F \" 'NR==2{print $4}' <<< "$authToken" | /usr/bin/xargs)

echo ${token}

# Determine Jamf Pro device id
deviceID=$(curl -s -H "Accept: text/xml" -H "Authorization: Bearer ${token}" ${URL}/JSSResource/computers/serialnumber/"$serialNumber" | xmllint --xpath '/computer/general/id/text()' -)

echo ${deviceID}

# Execute software update
curl -X POST "${URL}/api/v1/macos-managed-software-updates/send-updates" -H "accept: application/json" -H "Authorization: Bearer ${token}" -H "Content-Type: application/json" -d "{\"deviceIds\":[\"${deviceID}\"],\"maxDeferrals\":0,\"version\":\"12.6.1\",\"skipVersionVerification\":true,\"applyMajorUpdate\":true,\"updateAction\":\"DOWNLOAD_AND_INSTALL\",\"forceRestart\":true}"

# Invalidate existing token and generate new token
curl -X POST "${URL}/api/v1/auth/keep-alive" -H "accept: application/json" -H "Authorization: Bearer ${token}"
}

initializeSoftwareUpdate