Jamf Policy for OS Updates not seeing reboot required

easyedc
Valued Contributor II

I know there are quite a few different ways people have tackled macOS Updates. In the past I've generally leaned into the "encourage" users camp vs trying to brute force them. I've done a number of methods, all to varying degrees. This week our CSOC identified CVEs that needed patching by getting everyone to macOS 11.6.3 or 12.2. Instead of guiding users to update, I'm actively trying to force them at certain actions (login/logout is my goal). That being said, I checked with Jamf about best practices and was pointed to this article -> https://docs.jamf.com/technical-papers/jamf-pro/deploying-macos-upgrades/9.96/Running_Software_Updat... (we don't have any M1s so the article applies). I built my policy, applied it to some test boxes and, well, hit or miss. Specifically I'm running into this running software update locally:

 

Last login: Thu Feb 3 11:22:11 on console
Ed@TestBox ~ % softwareupdate -la
Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: macOS Big Sur 11.6.3-20G415
 Title: macOS Big Sur 11.6.3, Version: 11.6.3, Size: 2552748K, Recommended: YES, Action: restart, 
Ed@TestBox ~ %

 

Which most definitely indicates that it requires a reboot to complete the install. However the Jamf policy doesn't see it that way (note the last 2 lines):

 

Executing Policy Software Update - Install All Available - Test
Setting Software Update preferences to apple.com for all accounts...
Installing all available Software Updates...
Result of Software Update: Software Update Tool
 Finding available software Downloading macOS Big Sur 11.6.3 Downloaded: macOS Big Sur 11.6.3
Software update finished. Reboot is not required.
Software update will not require a shutdown.

 

and as a result, the macOS update doesn't ever happen.  I have a case open with Jamf Support, but wanted to reach out to the community to see if anyone else has encountered this and what your fix was.

TIA!
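The mismatch described in the post above, as an added example that is not part of the original post or of Jamf's tooling: a shell check that parses a `softwareupdate -l` listing for `Action: restart` entries and compares it with the policy log text. The function names are hypothetical, and the sample strings are copied from the outputs quoted above.

```shell
#!/bin/sh
# Added example: flag the "restart needed but policy says no reboot" mismatch.

# Print the label of every update whose "Action:" field is "restart".
# Input: `softwareupdate -l` text on stdin (Big Sur layout, as pasted above).
restart_labels() {
    awk '
        /^\* Label: / { label = $0; sub(/^\* Label: /, "", label); next }
        /Action: restart/ && label != "" { print label; label = "" }
    '
}

# Return 0 and print a message when the listing needs a restart but the
# policy log claims none is required; return 1 otherwise.
# $1 = listing text, $2 = policy log text (hypothetical calling convention).
reboot_mismatch() {
    listing=$1
    policy_log=$2
    needs=$(printf '%s\n' "$listing" | restart_labels)
    [ -n "$needs" ] || return 1
    printf '%s\n' "$policy_log" | grep -q 'Reboot is not required' || return 1
    printf 'MISMATCH: %s needs a restart, policy reported none\n' "$needs"
}

# Sample text taken from the outputs quoted in the post above.
LISTING='Software Update found the following new or updated software:
* Label: macOS Big Sur 11.6.3-20G415
 Title: macOS Big Sur 11.6.3, Version: 11.6.3, Size: 2552748K, Recommended: YES, Action: restart, '
POLICY_LOG='Installing all available Software Updates...
Downloaded: macOS Big Sur 11.6.3
Software update finished. Reboot is not required.
Software update will not require a shutdown.'

# On a managed Mac the first argument would be "$(softwareupdate -l 2>&1)"
# and the second the saved policy log text.
reboot_mismatch "$LISTING" "$POLICY_LOG"
```

A machine that reports the mismatch has downloaded the OS update but is still running the unpatched build, so it should stay on the non-compliant list until its reported OS version changes.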

8 REPLIES

fimi
New Contributor III

Unfortunately this has not been reliable for a while now.

Your best bet is to use 

sudo softwareupdate -i -a -R

Which in turn forces a restart after installing all available updates.

 

Though I am facing an issue where softwareupdate sometimes hangs as well and messes up recon and check-ins. 

easyedc
Valued Contributor II

So interestingly, that also seems to not be working for me either. When I run that as a logout policy, nothing seems to happen. When I use Jamf's workflow, at least some updates apply. 

I do find myself having to run the 

sudo launchctl kickstart -k system/com.apple.softwareupdated

command fairly frequently lately to get Software Updates to even show.  

fimi
New Contributor III

Login/Logout triggers have never been too successful for me. Sometimes they work and sometimes they don't.

Noonan
New Contributor II

We too are trying to patch the same CVE and have had varied results with this policy. Some devices will recognise that 11.6.4 is available, only install the device support update and Safari update, and then fail to install 11.6.4 until we flush the policy and they try again, but for some it still never installs unless the user manually runs it from Software Update. We are looking at Nudge right now to try and force users there.

Also having even less success with the Mass Action option. 

Noonan
New Contributor II

Example:

Executing Policy macOS Software Update
Setting Software Update preferences to apple.com for all accounts...
Installing all available Software Updates...
Result of Software Update: Password: Software Update Tool

Finding available software
Downloading macOS Big Sur 11.6.4

Downloaded: macOS Big Sur 11.6.4
Software update finished. Reboot is not required.
Software update will not require a shutdown.

bk-hm
New Contributor

Any updates on this since your last post?

AlanSmith
Contributor

Hi easyedc

Yep, I'm experiencing the exact same issue - have been for a while now. Ever since we upgraded to Big Sur the issue seems to have started.

I think I have tried just about every suggestion on these forums and the end result is all the same: the updates download, but then the:

Software update finished. Reboot is not required.
Software update will not require a shutdown.

message in the logs.

The absolute only way I have found to make the updates happen, short of running it from the System Preferences pane, is to log on to the machine after your update policy has run and select 'Restart...' from the Apple menu. It should be noted that simply clicking the restart button on the login screen does not work. There may well be other settings that are required to be in place, but so far that long, arduous, manual process is the only way to make them happen.
Seems a bit pointless having an MDM in that case!

szultzie
Contributor II

Yep, running into the same issue. I always assumed my softwareupdate -i -a would do what it is documented as doing.

 

So in doing some testing, I noticed that if a user is logged in the updates take, testing with the 12.5.1 (from 12.5 on Intel machines) update today.

But on the same exact build (lab of 17) the logs say it found the 12.5.1 but no reboot ever happens, and a simple restart at the login screen does nothing (like someone pointed out above).

Logging in and doing a restart does not work for me, but going into Software Updates in preference panes works, but then what is the point of having an MDM/macOS cream of the crop management suite? I mean Jamf is not cheap and if I have to do it with ARD... :/

I understand for a 1 to 1 setup we can give direction with Self Service, but for the 350 or so lab machines we need a real management suite, not this hokey pokey expensive solution where we end up writing our own scripts 95% of the time cause nothing built in ever works.