How to do OS patches in 2018

mrben
New Contributor III

Hi,

Not to beat a dead horse here but I'm curious what the best practice is for handling OS and security updates in 2018. In the past I've used the following:

  1. Munki
  2. JAMF policy w/ software update
  3. Fancy scripts which parse the output of the softwareupdate command and allow users to defer X number of times before a mandatory install + reboot
  4. Custom configuration profiles to enforce automatic checking & installation of App Store updates
  5. JAMF 10 patch management

All approaches have pros and cons. I'm curious how other organizations are approaching this problem.
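An added sketch of approach 3 from the list above (not code from the original poster): a deferral gate that lets a user postpone restart-requiring updates a fixed number of times before installation becomes mandatory. The function names, `MAX_DEFERRALS`, the state-file path and the sample `softwareupdate -l` output are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: deferral gate for restart-requiring macOS updates.
# MAX_DEFERRALS and STATE_FILE are hypothetical; keep the state file in a
# root-owned location so a standard user cannot reset the counter.
MAX_DEFERRALS="${MAX_DEFERRALS:-3}"
STATE_FILE="${STATE_FILE:-/var/db/example.patch_deferrals}"

# Constructed sample, modelled on `softwareupdate -l` output of the 10.13 era.
SAMPLE_OUTPUT='Software Update Tool

Finding available software
Software Update found the following new or updated software:
   * Example Security Update 2018-000
     Example Security Update 2018-000 ( ), 1000000K [recommended] [restart]
   * Example App Update 1.0
     Example App Update 1.0 (1.0), 50000K [recommended]'

# Succeeds if any listed update needs a restart. Matches the older
# "[restart]" tag and the newer "Action: restart" field.
restart_required() {
    printf '%s\n' "$1" | grep -Eq '\[restart\]|Action: restart'
}

# Print the stored deferral count; missing or non-numeric state counts as 0.
deferrals_used() {
    n=$(cat "$STATE_FILE" 2>/dev/null) || n=0
    case "$n" in ''|*[!0-9]*) n=0 ;; esac
    echo "$n"
}

# patch_decision <softwareupdate-output> <user_choice: defer|install>
# Prints one of: none | deferred | install
patch_decision() {
    if ! restart_required "$1"; then
        echo none; return 0
    fi
    used=$(deferrals_used)
    if [ "$2" = defer ] && [ "$used" -lt "$MAX_DEFERRALS" ]; then
        echo $((used + 1)) > "$STATE_FILE"
        echo deferred; return 0
    fi
    rm -f "$STATE_FILE"   # reset the counter once installation is enforced
    echo install
}

# On a managed Mac the caller would pass "$(softwareupdate -l 2>&1)" and, on
# "install", run `softwareupdate -i -a` followed by a scheduled restart.
```

Tampered or corrupt state is treated as zero deferrals used, so where the file lives and who can write to it decides whether the limit is actually enforced.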

2 REPLIES

CasperSally
Valued Contributor II

When Apple gets the install times down on patches, we'll be happy to push them out. It doesn't work in a K12 environment with laptops in carts to take machines offline a few times a year for 15-40 minutes while updates install (even cached). Our scale doesn't warrant techs or teachers intervening a few times a year, either.

For now we're doing annual wipes and reimages. This summer we'll switch from reimages to reprovisioning, which takes more than twice as long as imaging (because of startosinstall).

Jamf really should be supporting some sort of startosinstall workflow à la Imagr, IMO.

Taylor_Armstron
Valued Contributor

Considering we actually have regulatory requirements for security patches...

We test, then we push via policy. We have a weekly scheduled reboot window, so normally we just set a client-side window of a few hours before<>after that reboot and catch most machines. Users with laptops know that if they take their laptops offline, they potentially face a reboot the next morning.