Jamf AppInstaller vs Patch Management

Flaurian
Contributor

Hello everyone, 

I'm starting this thread because I'm not happy with the app patch management situation for my company. 
I would love to read any recommendations or other input to learn how to do it. (I don't know if I'm the only person who has this problem, but many users avoid updates, upgrades, or restarts - macOS is running all the time.)

Just my thoughts about this topic:
In case you handle it via Jamf AppInstaller... if I add, for example, Google Chrome, the application will be updated after the user has manually closed the application. So, in the worst case, the user will not close Google Chrome or other applications for some reason. To sum up, the application is not updated, and if the application has high-risk backdoors, what can I do? ->

  1. notification to employees via Slack to re-open the app 
  2. kill the process via Jamf (I never would like to do it)
  3. handle it via Jamf Patch Management to use notifications and deadlines?

If I do it via Jamf Patch Management, I don't know when the force trigger will pop up for the user. Currently, I'm trying to do it and counting the days to do the force update at the weekend, but of course the user could log in to his machine on Monday and, actually, the update prompt will not appear ASAP. In this situation, it could happen, for example, if the user has a meeting.

A solution for it would be to also set up a time when Jamf Pro can force it (general lunchtime, before 8 am, after 7 pm).
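The notify-then-deadline-then-window flow described in this post, written out as a small decision wrapper; this is an added example, not code from the thread or from the Installomator project. It assumes Installomator is installed at /usr/local/Installomator/Installomator.sh and that the NOTIFY and BLOCKING_PROCESS_ACTION option names (silent_fail, prompt_user, prompt_user_then_kill) are as described in Installomator's README; verify them against the README of the version you deploy. The decision logic itself (which window counts as a maintenance window, what happens before and after the deadline) is the example's own and is kept in small functions so it can be tested without a Mac.

```shell
#!/bin/sh
# Added example (not from the thread): decide WHEN a patch policy may
# interrupt the user. Order of escalation: update silently if nothing blocks,
# prompt the user before the deadline, and only after the deadline run inside
# a maintenance window (before 08:00, 12:00-12:59, 19:00 onwards).
# Assumption: Installomator's default install path and option names.
INSTALLOMATOR="/usr/local/Installomator/Installomator.sh"

# to_num "HH:MM" | "YYYY-MM-DD" -> plain decimal (leading zeros stripped so the
# shell never reads "0800" as octal).
to_num() {
    n=$(printf '%s' "$1" | tr -d ':' | tr -d '-' | sed 's/^0*//')
    printf '%s' "${n:-0}"
}

# in_window HH:MM -> true inside a maintenance window (the times the post suggests).
in_window() {
    t=$(to_num "$1")
    [ "$t" -lt 800 ] || { [ "$t" -ge 1200 ] && [ "$t" -lt 1300 ]; } || [ "$t" -ge 1900 ]
}

# deadline_passed DEADLINE TODAY -> true once today is later than the deadline date.
deadline_passed() {
    [ "$(to_num "$2")" -gt "$(to_num "$1")" ]
}

# decide_action RUNNING(0|1) DEADLINE TODAY NOW -> silent | prompt | defer | force
#   silent : app not running, update without bothering anyone
#   prompt : app running, deadline not reached -> ask the user to quit it
#   defer  : deadline passed but outside the window -> wait for the next window
#   force  : deadline passed and inside the window -> update now
decide_action() {
    running=$1; deadline=$2; today=$3; now=$4
    if [ "$running" -eq 0 ]; then
        echo silent
    elif ! deadline_passed "$deadline" "$today"; then
        echo prompt
    elif in_window "$now"; then
        echo force
    else
        echo defer
    fi
}

# installomator_args ACTION -> the option string handed to Installomator
# (option names assumed from Installomator's README).
installomator_args() {
    case "$1" in
        silent) echo "NOTIFY=silent BLOCKING_PROCESS_ACTION=silent_fail" ;;
        prompt) echo "NOTIFY=success BLOCKING_PROCESS_ACTION=prompt_user" ;;
        force)  echo "NOTIFY=all BLOCKING_PROCESS_ACTION=prompt_user_then_kill" ;;
        *)      echo "" ;;
    esac
}

# main LABEL PROCESS_NAME DEADLINE   e.g.  main googlechrome "Google Chrome" 2024-03-18
main() {
    label=$1; process=$2; deadline=$3
    if pgrep -x "$process" >/dev/null 2>&1; then running=1; else running=0; fi
    action=$(decide_action "$running" "$deadline" "$(date +%Y-%m-%d)" "$(date +%H:%M)")
    echo "label=$label action=$action"          # goes to the policy log in Jamf
    [ "$action" = defer ] && exit 0              # try again on the next check-in
    # shellcheck disable=SC2046  (the option string is meant to be word-split)
    "$INSTALLOMATOR" "$label" $(installomator_args "$action")
}

[ $# -eq 0 ] || main "$@"
```

Run it from a recurring Jamf policy with the label, the process name and the deadline as script parameters; "defer" exits cleanly so the policy log shows the decision without an interruption, and the forced path is reached only after both the deadline and the window condition hold.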

9 REPLIES

KretZoR
New Contributor III

I am also not very happy with how it works after testing it out today. I was hoping for at least a list of which Macs in the Smart Group have it successfully installed. It is still in preview, so I hope that more functions will come soon!
For the moment I would recommend that you use the Installomator project instead.
GitHub - Installomator/Installomator: Installation script to deploy standard software on Macs

It can be configured almost as you desire and has more apps that can be deployed.

Flaurian
Contributor

Hey @KretZoR,
I tested it a few minutes ago; that's really nice. Thanks for your recommendation.

kavila
New Contributor III

+1 to Installomator. It really is spectacular at deploying software, and in conjunction with Self Service it's great for updating as well.

As far as patch management goes: when it is an essential update, I like to send a notice to the community giving them X amount of time (X being dependent on how critical the update is) to update.

kay-_-
New Contributor III

I agree with what @KretZoR said: Installomator is a great tool to automate deployment and patching. You can read this article by Armin Briegel on scriptingosx.com (he's one of the developers of Installomator).

Another tool you can take a look at is PatchBot, which is a bit more complicated than Installomator.


For notifications, just make sure "Display Notifications" is checked and "Self Service and Notification Center" is selected. You can also look at Yo for notifications.

Ke_ReM
New Contributor III

I can confirm Installomator is great for pushing out updates, and I also use it in conjunction with DEPNotify so that when the baseline apps are deployed to a new DEP device they are the latest version of that app.

SMR1
Contributor III

Hey Everyone,

New to Jamf here, just starting the setup and testing phase. One of the concerns is getting software updated. I did come across the article by Armin. Do you just go through that process, creating 2 smart groups and a policy for each application? We're not too concerned about deferring updates. Thanks in advance.

Flaurian
Contributor

Hey @SMR1,

Yes, you have to create two smart groups, because if you do it without the "member of" smart group you will get the error "Policy scope cannot be based on a smart computer group that uses the "latest version" criteria."


Since I started this topic I have already configured a few policies with Installomator, and I'm very happy with this process because of the different deployment ways, like silent/success with notification or without notification. Because we are working with Google Workspace, I decided to handle Chrome a little bit differently for patch management. So, I added a token between Jamf & Google Workspace to handle plist attributes and another launch agent to trigger the update process.

SMR1
Contributor III

Got it. Just tested it with Chrome and Edge, but didn't use the "latest version" criteria, and it installed on the next check-in with no issues. Thanks!! Is there a way to force the install, so you don't have to wait for the recurring check-in time?

Flaurian
Contributor

It's possible to use sudo jamf policy id "number" or a custom trigger to force the policy via the terminal.