Install macOS security updates only - avoid Ventura upgrade

duff2481-1
Contributor

Hello, since Ventura is now beyond its 90-day deferral, is there any way we can have those users still on Monterey upgrade to the latest security patch 12.6.3 within Monterey? We have used the OSUpdateNotifier script in the past and used minor/major flags; however, the default update showing within System Preferences is now Ventura, not the Monterey update.

Curious how other orgs are proceeding with security only updates at this point. 


sdagley
Esteemed Contributor II

@duff2481-1 Because the initial release of macOS Ventura is now more than 90 days old it is no longer possible to prevent it from being offered in Software Update so your users still needing to update will need to drill into the "Other updates" (or whatever it's called) blue link in the Software Update panel to find the Monterey and Safari updates.

Your other option would be to set up a Self Service policy to run the erase-install tool (ignore the name, it'll do updates too) to install the latest version of macOS Monterey using the full installer.

SMR1
Contributor III

We had the same issue. Our restriction policy is set to defer as well, but some devices can see the update. Since we can’t just uncheck that without going through a change process, I just created a clone of the profile, unchecked the defer, and moved devices in there, and the update will show up after a few minutes. Once it’s updated, just move them back. I’ve used erase-install and it works, but it’s a 12 GB download, and it doesn’t always work. It downloads the update, but it fails to run it.

Thanks, I'm working to deploy erase-install in our QA environment and also saw the comment from @AJPinto about using mass updates. The only thing there that I struggle with is the notification to end users.

AJPinto
Honored Contributor III

Mass action does notify users, and will let users defer updates if you tell it to. 


Under install action

  • Download the update for users to install - just downloads the update and does nothing more
  • Download and allow macOS to install later - the update downloads, and the user will get a prompt that there are updates required by the administrator. The user can click install now, later tonight, or remind me tomorrow. If they click remind me tomorrow or dismiss the message, the deferral is decremented. Once the deferral hits 0 the MDM command changes to InstallForceRestart, which will force the restart to install updates.
  • Download and install the update, and restart computer after installation - does just that, as soon as the Mac is ready it reboots (in theory as this loves to fail a lot).


[screenshot attached: AJPinto_0-1676468999849.png]


See this link for more information on software update MDM Commands and behavior.

ScheduleOSUpdateCommand.Command.UpdatesItem | Apple Developer Documentation

Though for a 0-day I would say it's more important to install the update than to make sure users are happy about it. We are here to manage an environment and secure devices, not keep users happy. I tend to use JAMF Helper to notify people, and issue the MaxUserDeferrals command with 3 days to defer. If users ignore it and don't install the updates, they can deal with the InstallForceRestart command that comes after the deferrals have been used up.

AJPinto
Honored Contributor III

You can issue OS updates from JAMF and not update to Ventura, but you cannot prevent users from updating to Ventura if they so choose.


[screenshot attached: AJPinto_0-1676467354561.png]

- or -

[screenshot attached: AJPinto_1-1676467397615.png]

PS: Don't forget to deploy Safari, as that may not install with this command for Big Sur and Monterey. Safari can be deployed with a package.


I no longer attempt to issue updates with CLI. Though you can push the OS package, and use --startosinstall to install whatever version you want on Intel Macs as well as being able to use the softwareupdate binary.

Is this reliable? I'm currently reviewing the erase-install option; however, I would prefer a more 'native' (simplified) tactic, especially if security comes back and says to push as quickly as possible. Also, how does the notification to users look? I'll go do testing in QA also.

It is not reliable. It really should be, all indications are that it should be, but it will fail with no explanation at any time.

AJPinto
Honored Contributor III

As @piotrr pointed out, no, it's not what I would call reliable. At best, it will do exactly what you tell it to do. At worst, macOS updates will fail, and JAMF does not use the MDM commands to check OS update status for some stupid reason.


It won't hurt to push, and it has about a 70% success rate. However, things as simple as a user having a document open that needs to be saved will break the force install and reboot command (it's more or less politely asking and not forcing anything).
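The posts above mention falling back to the softwareupdate binary on the command line. The snag in the original question is that `softwareupdate -l` now lists the Ventura major upgrade alongside the Monterey security update and Safari, so a script that blindly installs "everything recommended" would perform the major upgrade. The following is an added example, not code from the thread or from any of the tools named in it. It parses the `* Label:` / `Title: ..., Version: ...` layout that `softwareupdate -l` prints on macOS 11 and later (an assumption about that format) and keeps only labels whose version matches the Mac's current major version, plus Safari, so that the labels can be passed to `softwareupdate --install` without leaving Monterey. The sample listing is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): filter `softwareupdate -l` output down
# to updates that keep the Mac on its current macOS major version, plus Safari.
# Assumption: the "* Label: <label>" / "\tTitle: <title>, Version: <ver>, ..."
# layout that softwareupdate prints on macOS 11 and later.

# Constructed sample, standing in for `softwareupdate -l` run on a Monterey Mac.
SAMPLE_LIST='Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: macOS Ventura 13.2.1-22D68
	Title: macOS Ventura, Version: 13.2.1, Size: 11896155KiB, Recommended: YES, Action: restart,
* Label: macOS Monterey 12.6.3-21G419
	Title: macOS Monterey, Version: 12.6.3, Size: 1557183KiB, Recommended: YES, Action: restart,
* Label: Safari16.3MontereyAuto-16.3
	Title: Safari, Version: 16.3, Size: 152227KiB, Recommended: YES,'

# security_update_labels MAJOR LIST_TEXT
# Prints one label per line for every update whose Version starts with
# MAJOR (e.g. 12 for Monterey) or whose Title is Safari. Anything else,
# in particular a newer major release, is dropped.
security_update_labels() {
  major="$1"
  printf '%s\n' "$2" | awk -v major="$major" '
    # A "* Label: " line names the update; remember it until its Title line.
    /^\* Label: / { label = substr($0, 10); next }
    /^[ \t]*Title: / && label != "" {
      title = $0; sub(/^[ \t]*Title: /, "", title); sub(/,.*/, "", title)
      ver = $0;   sub(/.*Version: /, "", ver);      sub(/,.*/, "", ver)
      split(ver, v, ".")
      if (title == "Safari" || v[1] == major) print label
      label = ""
    }'
}

# Demo against the constructed sample (a Monterey Mac, major version 12).
# On a real Mac the same call would be:
#   security_update_labels "$(sw_vers -productVersion | cut -d. -f1)" "$(softwareupdate -l 2>&1)"
# and each printed label can then be given to: softwareupdate --install "<label>"
security_update_labels 12 "$SAMPLE_LIST"
```

Running it against the sample prints the Monterey 12.6.3 label and the Safari label and omits Ventura. Deriving the major version from `sw_vers` rather than hard-coding 12 means the same script keeps Big Sur Macs on 11.x as well. It selects labels only; whether the install itself succeeds is still subject to the reliability caveats raised in this thread.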

daniel_behan
Contributor III

You can use this tool for Major Upgrades and Minor Updates. It's been working well for me.  https://github.com/Macjutsu/super

I've briefly looked at this tool. The real puzzle is why Apple makes this more difficult than it should be, and how to choose the right tool/method for your deployment. Rabbit-trailing a bit, but OSUpdateNotifier, Nudge, erase-install, super, etc. all aim to accomplish the same goal: upgrade your machines and notify your users of said update/upgrade.

AJPinto
Honored Contributor III

To be honest, because Apple does not care. Apple's core philosophy is to empower the user. As years have gone by, Apple has steadily removed more and more options to be able to manage the devices. Apple's vision is for us to manage devices only with their tools. The problem is Apple's tools are usually very poorly designed, like with the MDM workflow for software updates.


On a side note, Apple's ideal is also for every device to be on the most current release of macOS, unless a USER wants to not upgrade for one reason or another. This would be great if Apple actually worked with vendors and business partners to make sure stuff was tested and the new features actually worked. Where is Platform SSO? A major selling point for Ventura, 5 months later and still not in use. Rapid Security Response? And so on. The major features of the new macOS releases usually take 6 months to ship after the OS that would contain them. Then another 6-18 months for vendors to support them. JAMF just added support for background services 2 weeks ago.


Apple wants very rapid adoption, but wants to put no effort into making rapid adoption attractive for anyone.

virtasupport
New Contributor II

If I can chime in here. Mass Action commands are what Apple will always defer to despite them not being at all reliable and impossible to manage in any fashion, even with JAMF. Mass Actions are a complete failure by Apple. They ignore what is important to the Enterprise users and Administrators.