How are you patching OS updates/patches?

Over9000
New Contributor III

I'm curious how the community patches their MacOS versions (such as going from 10.12.1 to 10.12.6). Do you cache the installer and deploy or use the software update command? Do you allow your users to defer, is it forced on a logout or another method?

I was thinking of using a policy, but without this feature I worry everyone would get hit on the same day if I didn't constantly update the policy deferral date: https://www.jamf.com/jamf-nation/feature-requests/1418/deferral-limit-as-net-days-or-n-times

Eager to see any responses!


seanhansell
Contributor

Personally I find it most effective to just trust Apple. We push a configuration file to enable automatic updates and let Apple's infrastructure handle it the way the operating system intended.

Wherever we have large numbers of client computers, we deploy a Caching Server to deploy these updates locally.

The keys for the configuration profiles are as follows

com.apple.commerce

{AutoUpdate=true, AutoUpdateRestartRequired=true}

com.apple.SoftwareUpdate

{ConfigDataInstall=true, CriticalUpdateInstall=true, AutomaticCheckEnabled=true, AutomaticDownload=true}
- Sean
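
One way to build the profile Sean describes as a file instead of clicking it together in the profile window; this is an added example, not code from Sean's post or from any Jamf Nation project. It emits a Custom Settings (managed preferences) profile forcing exactly the keys listed above; the organisation prefix, display name and all-zero UUIDs are assumed placeholders.

```sh
# Constructed example: emit a .mobileconfig that forces the update keys
# from the post above via managed preferences ("Forced" MCX settings).
# ORG, the display name and the all-zero UUIDs are placeholders (assumed);
# generate real UUIDs (uuidgen) before uploading to an MDM.
ORG="com.example.mdm"
# forced_domain DOMAIN KEY... : one domain, every KEY forced to <true/>
forced_domain() {
  domain="$1"; shift
  printf '        <key>%s</key>\n        <dict>\n          <key>Forced</key>\n' "$domain"
  printf '          <array>\n            <dict>\n              <key>mcx_preference_settings</key>\n              <dict>\n'
  for k in "$@"; do printf '                <key>%s</key><true/>\n' "$k"; done
  printf '              </dict>\n            </dict>\n          </array>\n        </dict>\n'
}
# make_profile: the complete profile, one payload carrying both domains
make_profile() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.ManagedClient.preferences</string>
      <key>PayloadIdentifier</key><string>$ORG.autoupdate.prefs</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadContent</key>
      <dict>
$(forced_domain com.apple.commerce AutoUpdate AutoUpdateRestartRequired)
$(forced_domain com.apple.SoftwareUpdate ConfigDataInstall CriticalUpdateInstall AutomaticCheckEnabled AutomaticDownload)
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key><string>Automatic Software Updates</string>
  <key>PayloadIdentifier</key><string>$ORG.autoupdate</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadScope</key><string>System</string>
</dict>
</plist>
EOF
}
# count_forced_keys: number of forced keys in the output (expect 6)
count_forced_keys() { make_profile | grep -c '</key><true/>'; }
```

Run `make_profile > autoupdate.mobileconfig` and upload the file; the keys land in the same two domains the post lists.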

easyedc
Valued Contributor II

So I'm in a sinking ship, I know, but I still leverage an Apple Software Update Server. Apple has told me several times that I should not rely on it, and that it'd been deprecated, but for now it still works. My Mac mini running OS X 10.11.6 handles everything I need with SUS turned on.

Over9000
New Contributor III

@seanhansell That does honestly seem like the best way. I am concerned that it would automatically update and reboot without the user having control, especially if they are in the middle of working. Does that method allow them to defer at all?

seanhansell
Contributor

That's the fun of it. The user has as much control as a user in a home environment. By default, the OS will try to install updates, especially updates that require a reboot, overnight. When it can't the system sends a notification, and asks the user when they would next like to run. Options are usually in an hour, tonight, or remind me tomorrow.

If you're connected to a display via AirPlay, DND kicks in and the user won't get prompted for updates, say, while they're presenting in a meeting or something.

It's all pretty streamlined and I try not to overthink it much, because it means more work for me.

The goal, as always, is to automate myself out of a job ;)

- Sean

sparky627
New Contributor II

Has anyone tried using the Patch Management system for this? I'm in an environment where we have to get approval for each major AND minor version of software before we can deploy, so we are very strict about not letting users just do updates when they come out/when they want.

In the past, I've created policies that cache the installer, then some days later ran the cached policy, but I would love to use Patch Management instead. (Lots of reasons for this)

Thoughts?

josh_burleson
New Contributor

I like the idea, but how do you force them to update if they keep ignoring the Apple notifications? I think the only way to force it is with a patch policy defined, which requires a package definition.

ryan_ball
Valued Contributor

If you need more control over OS updates, you might consider a script/toolset to automate them and/or allow delaying installation.

There are several posted around here you can use as examples, or you can check out nice-updater.

Dylan_YYC
Contributor III

@seanhansell Stupid question, but how are you doing that in the config profile window?

CorpIT_eB
Contributor II

@ryan.ball That's a nice tool, man. Do you happen to have a workflow if I wanted to rely solely on JAMF's configurations and pushes?

Queen
New Contributor

Anyone here know how I can bypass the Activation Lock of a second-hand iPhone with an iCloud account? Please help.

beeboo
Contributor

I'm wondering the same thing too.

Since High Sierra, and the caching server has been removed from serverOS, we are at the mercy of Apple to update software.

Even critical ones that we need to have patched are at the mercy of the user.

Ideally we would have a solution like MSFT and push the patches on, say, the 2nd Tuesday of the month (save security or critical patches).

What's everyone else using?

acaveny
New Contributor III

I would prefer to use the built-in Patch Management as well, but the nice-updater is one of the cleaner-looking utilities that I've seen. We've been doing the "let Apple manage the updates" method, but users will not update unless they are forced to. It's amazing how many people will continue to click "remind me tomorrow" ad nauseam....

seraphina
Contributor II

@Queen

If the device is institutionally owned, you can call Apple and provide your PO or proof of purchase and they will remove the activation lock.
If the device is personally owned, well you'll need to contact the person/reseller you bought it from, which may or may not be helpful.

ryan_ball
Valued Contributor

@CorpIT_eB I don't find that something based on Jamf Pro policies is as reliable, consistent, and configurable as a LaunchDaemon/script for macOS Updates. Like @acaveny said, either there is not enough logic, not enough warning for users, or users can indefinitely delay updates. But every organization's requirements are different and forced updates may not work for everyone.

CorpIT_eB
Contributor II

@ryan.ball I 100% agree with you, my man. In my case we just got JAMF less than six months ago; 15+ years here as a Windows System Administrator and I was given JAMF to rule over Macs. So whatever I decide to do would ultimately set the path for the future admins.

Updates are one of those things you always want control over. In this case I don't want users installing any OS updates without testing them first, and after testing, rolling them out as a forced install to keep any employee from delaying them.

But I am noticing that JAMF does not make patching very intuitive whatsoever for the macOS side of things.

ryan_ball
Valued Contributor

@CorpIT_eB You might look into NetSUS and enable the SUS module. You could then point your clients to that SUS (defaults write /Library/Preferences com.apple.SoftwareUpdate CatalogURL <Branch URL>), and then either enable automatic updates on your clients or a different update workflow, but then your clients would update from that SUS and only the updates that you've enabled. This is more like what WSUS used to be.

sdagley
Esteemed Contributor II

@CorpIT_eB I'll 2nd @ryan.ball's NetSUS recommendation with a few additional comments:

1) If you're planning on caching the actual Apple updates (by default NetSUS only caches the definitions and the updates themselves will still be pulled from Apple's servers), you'll want to allocate about 1TB of disk space, as the 500GB in the docs won't hold the complete catalog contents these days.
2) Keep in mind that if you redirect the softwareupdate tool to your NetSUS, none of the "critical" Apple updates will install if you don't enable them.
3) Unless your Macs are always connected to your corporate network, you might consider hosting your NetSUS in AWS so it's accessible to machines on or off your corporate network (you would definitely not want to cache the update packages in this scenario).

CorpIT_eB
Contributor II

@ryan.ball && @sdagley I will look into this as an option for sure. I have a question for you though: let's say I wanted to rely on JAMF for the updates, what is the intended usage of the Management console? I am having a real problem understanding how to control application pushes and macOS pushes in relation to updates.

I have read the Administrative Guide, but it does not go into detail on how to manage what updates get pushed out; it just seems to push out all of them, and even if I select the option "Download and install the update, and restart computers after installation", after testing this with the 10.14.5 patch on a machine it never worked.

beeboo
Contributor

@sdagley We have Jamf Cloud, so everything should be accessible barring any issues.

Putting the NetSUS into AWS sounds interesting; do you have any documentation?

However, the more pressing issue is that even if the SUS is in the cloud, adding the caching server doesn't necessarily make the deployment of updates any easier.

e.g.: Is it possible to deploy test patches to particular users only before deploying to the rest of the company?
How do we NOT allow users to go to Software Update and install the update at their leisure?
Assuming we can do the former, how do we stop the user from deferring the reboot until god knows when?

I guess ultimately, do institutions just say whatever and go by Apple's SUS distro plan?

sdagley
Esteemed Contributor II

@CorpIT_eB & @jcheLC A NetSUS will allow you to control what updates are visible to your Macs. The softwareupdate tool doesn't have a fallback mode, so if you set the CatalogURL for it to point to your NetSUS those are the only OS updates the Mac will see. You can have multiple branches created on the NetSUS, so you would likely have a test branch for a select group of users to verify updates before you made them available to the general population.

While this doesn't directly make installing the updates easier/prettier, it does give you better control. There are several projects for the former task that have been posted on Jamf Nation.

@jcheLC I don't have any docs specific to NetSUS in AWS, but the installer runs on both Ubuntu and RHEL flavors of Linux which are among the OS options for an EC2 instance.
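
The CatalogURL switch that ryan.ball and sdagley describe, with the guard the no-fallback behaviour calls for; this is an added example, not code from either post or from the NetSUS project. The NetSUS hostname and branch catalog path are constructed placeholders, and it only touches the preference when actually run as root on a Mac.

```sh
# Constructed example: point softwareupdate at a NetSUS branch catalog
# with a sanity check first. softwareupdate has no fallback, so a typo in
# CatalogURL leaves the Mac seeing no OS updates at all (and, per the
# thread, "critical" updates only appear if enabled on that branch).
PLIST=/Library/Preferences/com.apple.SoftwareUpdate   # real preference domain

# validate_catalog_url URL: 0 only for http(s)://host/....sucatalog with
# a non-empty host and no whitespace; anything else is refused.
validate_catalog_url() {
  case "$1" in
    *[[:space:]]*) return 1 ;;
    http://[!/]*/*.sucatalog|https://[!/]*/*.sucatalog) return 0 ;;
    *) return 1 ;;
  esac
}

# set_catalog URL: validate, then write the key (run as root on macOS);
# on any other OS just print what would run, so it can be tested anywhere.
set_catalog() {
  if ! validate_catalog_url "$1"; then
    echo "refusing to set CatalogURL to '$1'" >&2
    return 1
  fi
  if [ "$(uname)" = Darwin ]; then
    defaults write "$PLIST" CatalogURL -string "$1"
  else
    echo "dry run: defaults write $PLIST CatalogURL -string '$1'"
  fi
}

# reset_catalog: return to Apple's own catalog. --clear-catalog is the
# documented softwareupdate option; deleting the key is the older route.
reset_catalog() {
  if [ "$(uname)" = Darwin ]; then
    softwareupdate --clear-catalog || defaults delete "$PLIST" CatalogURL
  else
    echo "dry run: softwareupdate --clear-catalog"
  fi
}

# Constructed branch URL in the NetSUS naming style; replace with your own.
TEST_BRANCH="https://netsus.example.com/content/catalogs/others/index-10.14-10.13-10.12.merged-1_testing.sucatalog"
```

Call `set_catalog "$TEST_BRANCH"` from a Jamf policy or LaunchDaemon script to pin a test group to the branch, and `reset_catalog` to put a machine back on Apple's catalog.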

beeboo
Contributor

@sdagley

Thank you!

For the sake of continuity, would you mind sharing those projects so that those in the thread can check them out too?

Please and thanks!

sdagley
Esteemed Contributor II

@jcheLC I'll list a couple, but I don't have personal experience with either, so don't consider this an endorsement. You should do your own search here on Jamf Nation for threads discussing these, as well as other similar tools, to see what people think of them.

macPatch-It

A Kinder macOS Update

acaveny
New Contributor III

I still don't like the fact that neither Apple nor JAMF has given a good way to manage updates without heavily scripting the process. There are some ugly ways to do it, but often the result is untimely reboots and bad UIs, resulting in a very bad experience.