jamfhelper software update trigger

That is awesome, that was the next step my bosses wanted me to do (the countdown to forced install).

This does look great indeed. I was in the middle of crafting a very similar solution so i think I'll give this a try.

To me, it gives the user a greater sense of control even if only perceived.

That just made my day! :-)

Nice improvements to the script too!

great! it was on my to do list.... thanks!

Because it might help people..
I originally posted an extract of the script.. this is the whole original script with extra logic to prevent the disappearing jamf helper. I like the extra modifications you have done and may add to mine.

#!/bin/sh

########
# This script checks to see if there is a logged in user, if no user is logged in software update will run and install all udpates.
# If a user is logged in the script checks if the updates need a restart - if so the user is prompted whether this is ok before proceeding.
# Where no restart is required software update will run without interrupting the user.

#see if user logged in
USER=`/usr/bin/who | /usr/bin/grep console | /usr/bin/cut -d " " -f 1`;
echo "logged in user is $USER...";

#check if user logged in

if [ -n "$USER" ]; then

   #Check if restarts required
   AVAILABLEUPDATES=`/usr/sbin/softwareupdate --list`;
   NOUPDATES=`echo $AVAILABLEUPDATES | wc -l | cut -d " " -f 8`;
   RESTARTREQUIRED=`echo $AVAILABLEUPDATES | /usr/bin/grep restart | /usr/bin/cut -d "," -f 1`;

   if [ -n "$RESTARTREQUIRED" ]; then
      echo "$RESTARTREQUIRED needs a restart";

      #ask user whether ok to restart

      OKTORESTART=`/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -icon /Library/Application Support/JAMF/bin/jamfHelper.app/Contents/Resources/Message.png -heading "Software Updates are Available" -description "Your computer will need to restart, would you like to install the udpates now?" -button1 "Yes" -button2 "Cancel" -cancelButton "2"`

      echo "ok to restart was $OKTORESTART";

      if [ "$OKTORESTART" == "0" ]; then
         /usr/sbin/jamf policy -trigger runsoftwareupdate
         exit 0
      else
         echo "User said NO to updates";   
     exit 1
      fi
   else
      echo "No restart is needed";

      if [ "$NOUPDATES" != "1" ]; then
         echo "So running Software Update"; 
         /usr/sbin/jamf policy -trigger runsoftwareupdate
         exit 0
      else
         echo "because there were no updates";
         exit 0
      fi
   fi

else
   #No logged in user
   /usr/sbin/jamf policy -trigger runsoftwareupdate
fi

exit 0

For some reason when I throw it on a test box, the script ends before JAMFHelper even appears, so when I click on Yes to install they don't do anything. I have the script set to run "before"

Running script softwareupdate_jamf_helper.sh...
Script exit code: 1
Script result: logged in user is jwojda...
Software Update Tool Copyright 2002-2010 Apple Software Update found the following new or updated software: Desktop Documents Library Movies Music Pictures Public OSXUpd10.8.2-10.8.2 OS X Update (10.8.2) needs a restart
ok to restart was 
User said NO to updates

    Unmounting file server...

Lisa/ACDesign,

Is it possible to incorporate the countdown timer from the other script into this?

Hey John, I was getting the same output when capturing softwareupdate -l into a variable. For some reason it wants to list the contents of your home folder. Weird, but I also noticed that all updates are [recommended]. If i do a softwareupdate -l | grep recommended and stuff that into a variable, it gives me the right output:

updates=`softwareupdate -l | grep recommended`
ag2025:~ acaldwell$ echo $updates
Remote Desktop Admin Update (3.5.3), 25748K [recommended] Digital Camera Raw Compatibility Update (3.14), 8012K [recommended] Digital Camera Raw Compatibility Update (3.12), 7740K [recommended] Security Update 2012-004 (1.0), 263587K [recommended] [restart] Digital Camera Raw Compatibility Update (3.13), 7979K [recommended] Remote Desktop Admin Update (3.5.2), 25738K [recommended] HP Printer Software Update (2.9), 8740K [recommended]

Unfortunately, you won't be able to grep out the [restart] without running softwareupdate -l again since this method throws it all into a single line.

That awkward moment when you look back at a script you wrote some time ago, and decide you don't like the logic/style that you thought was a great idea at the time.. A revised version which I'm testing.. removes some duplicate checks, and less noise.

#!/usr/bin/perl -w

use strict;

my $AVAILABLEUPDATES="";

$AVAILABLEUPDATES=`/usr/sbin/softwareupdate --list`;
chomp $AVAILABLEUPDATES;

printf "available updates is %s 

", "$AVAILABLEUPDATES";

# If available updates contains * there are updates available

if ($AVAILABLEUPDATES=~/*/){

    printf "there are updates available
";

    if ($AVAILABLEUPDATES=~/restart/){

        printf "updates need a restart
";

        my $LOGGEDINUSER='';

        $LOGGEDINUSER=`/usr/bin/who | /usr/bin/grep console | /usr/bin/cut -d " " -f 1`;
        chomp $LOGGEDINUSER;

        printf "value of logged in user is $LOGGEDINUSER..
";

        if ($LOGGEDINUSER=~/[a-zA-Z]/) {

            printf "as there is a logged in user checking whether ok to restart
";

            my $RESPONSE = "";

            $RESPONSE=`'/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper' -windowType utility -icon '/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/Resources/Message.png' -heading "Software Updates are available" -description "Your computer will need to restart, would you like to install the updates now?" -button1 "Yes" -button2 "Cancel" -cancelButton "2"`;

            printf "response was $RESPONSE
";

            if ($RESPONSE == "0") {
                printf "User said YES to Updates
";
                system "/usr/sbin/jamf policy -trigger runsoftwareupdate";
                exit 0;
            } else {
                printf "User said NO to Updates
";
                exit 0;
            }
        }
        else {
            printf "no logged in user so ok to run updates
";
            system "/usr/sbin/jamf policy -trigger runsoftwareupdate";
            exit 0;
        }
    }
    else {
        printf "no restart required
";
        system "/usr/sbin/jamf policy -trigger runsoftwareupdate";
        exit 0;
    }
}
else {
    printf "there are no updates available
";
    exit 0;
}
exit 0;

@jwojda

logic to incorporate the timer would be added after the line:
printf "User said NO to Updates ";

I am not sure whether I want to force the installation of updates requiring a restart as I don't know what the users might be doing at the time.

Chatted with the support guys during lunch at JNUC, as I was seeing the script continue before waiting for the return value from jamfhelper.

Adding this to the line which calls jamfhelper is supposed to fix this!

-startlaunchd

The forcing updates is because the users had X amount of days to install them. I understand that sometimes people are busy and can't do them immediately, but I still have to adhere to our corporate patching standards, and I actually like to be ahead of the curve for anything I can be. The mac's are the black sheep of the company, yet all the executives have/want them, so they also have a spotlight on it if something doesn't go as smooth.

I've got the 10.8.x systems running through the MAS currently, and I submitted a request via our Apple Service Agreement to add the countdown timer to force install as well.

Thank you for your continued tweaks and support of the script! I will try it out when i'm back in the office tomorrow.

@lisacherie

Thanks a bunch for making this script! I've been looking all over the place for a solution like this.

It works flawlessly for most users. However, I am encountering instances where I am seeing this in the log:

there are updates available
updates need a restart
value of logged in user is HDConsole..
as there is a logged in user checking whether ok to restart
Argument "" isn't numeric in numeric eq (==) at /private/tmp/softwareupdate_jamf_helper_2.sh line 39.
response was User said YES to Updates
Checking for policies triggered by "runsoftwareupdate"...

The user does not end up seeing a message asking if they want to install, it assumes a Yes response was given.

I'm not an expert in scripting yet, but can the script be changed so that if a user presses "Yes" then a numeric is produced as the trigger to run "jamf policy -trigger runsoftwareupdate" instead of using "Cancel"?

@UESCDurandal

I've literally just got back to work after the conference.

In the post above there is an extra argument that can be added, which I think will sort that out. I need to add in and test.. I will update this discussion probably early next week, once I've done some testing, and will fix the issues with the script then. (Posting an updated version).

Really glad this is helpful for others :)

Made the quick changes to the comparison check, and added the startlaunchd.. seems to be running well. Still doing some testing.. But here it is:

#!/usr/bin/perl -w

use strict;

my $AVAILABLEUPDATES="";

$AVAILABLEUPDATES=`/usr/sbin/softwareupdate --list`;
chomp $AVAILABLEUPDATES;

printf "available updates is %s 

", "$AVAILABLEUPDATES";

# If available updates contains * there are updates available

if ($AVAILABLEUPDATES=~/*/){

        printf "there are updates available
";

        if ($AVAILABLEUPDATES=~/restart/){

                printf "updates need a restart
";

                my $LOGGEDINUSER='';

                $LOGGEDINUSER=`/usr/bin/who | /usr/bin/grep console | /usr/bin/cut -d " " -f 1`;
                chomp $LOGGEDINUSER;

                printf "value of logged in user is $LOGGEDINUSER..
";

                if ($LOGGEDINUSER=~/[a-zA-Z]/) {

                        printf "as there is a logged in user checking whether ok to restart
";

                        my $RESPONSE = "";

                        $RESPONSE=system ''/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper' -startlaunchd -windowType utility -icon '/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/Resources/Message.png' -heading "Software Updates are available" -description "Your computer will need to restart, would you like to install the updates now?" -button1 "Yes" -button2 "Cancel" -cancelButton "2"';

                        if ($RESPONSE eq "0") {
                                printf "
User said YES to Updates
";
                                system "/usr/sbin/jamf policy -trigger runsoftwareupdate";
                                exit 0;
                        } else {
                                printf "
User said NO to Updates
";
                                exit 0;
                        }
                }
                else {
                        printf "no logged in user so ok to run updates
";
                        system "/usr/sbin/jamf policy -trigger runsoftwareupdate";
                        exit 0;
                }
        }
        else {
                printf "no restart required
";
                system "/usr/sbin/jamf policy -trigger runsoftwareupdate";
                exit 0;
        }
}
else {
        printf "there are no updates available
";
        exit 0;
}
exit 0;

Lisa, I've been testing the latest version of your script for a few days now. So far no issues. Thanks again!

The last version I pasted seems to be going well so far in my testing.
Just some clients dropping off before finishing the download for the larger updates.
Happy for feedback if you see any problems.
Thank you.

I've made a few tweaks because I couldn't get the jamf trigger softwareupdates to work reliably, I could get the script to run when I did a manual jamf policy -id on it, but not when I ran it on the every 15 trigger.

So I submitted a ticket to Jamf and this is what they came back with.

I did some testing on this and found the following.

If I run this script by any of the following it will work:

- Self Service
- Manually call the script
- Manually call the policy via terminal

What will not work

- Running script on the every15 trigger
- In terminal logging in as the root user and then running the script

I talked with a co-worker about this we think that this has to do with the root user running this script that is trying to open the MAS from another user.

So the root user can not open the MAS for say the user admin.

I am in no way familiar with Pearl here so what I might suggest is that we find a way to run the command that opens the MAS as the currently logged in user and that might fix our issue here.

@jwojda

So far in testing I have not seen the issues you have described.
I made a second policy with a custom trigger of runsoftwareupdate, with payload to install all available software updates. this policy is set to ongoing to allow repeated calls.

The first policy which displays the popup is triggered on everyHour, with a frequency of once a day. Most days exiting silently as there are no new updates enabled on SUS.

I will try to reproduce what you have described later in the week. With the previous version I was seeing the popup ignore user input and always taking the cancel option regardless of what was selected. Adding the "-startlaunchd" sorted that out - doublecheck you have that argument in the line which invokes the jamf helper popup.

I think the jamf trigger command was not working for the same reason, i thought maybe because it was trying to call a 2nd policy, so thats why I changed to just launch the mac app store directly.

#!/usr/bin/perl -w

use strict;

my $AVAILABLEUPDATES="";

$AVAILABLEUPDATES=`/usr/sbin/softwareupdate --list`;
chomp $AVAILABLEUPDATES;

printf "available updates is %s 

", "$AVAILABLEUPDATES";

# If available updates contains * there are updates available

if ($AVAILABLEUPDATES=~/*/){

        printf "there are updates available
";

        if ($AVAILABLEUPDATES=~/restart/){

                printf "updates need a restart
";

                my $LOGGEDINUSER='';

                $LOGGEDINUSER=`/usr/bin/who | /usr/bin/grep console | /usr/bin/cut -d " " -f 1`;
                chomp $LOGGEDINUSER;

                printf "value of logged in user is $LOGGEDINUSER..
";

                if ($LOGGEDINUSER=~/[a-zA-Z]/) {

                        printf "as there is a logged in user checking whether ok to restart
";

                        my $RESPONSE = "";

                        $RESPONSE=system ''/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper' -startlaunchd -windowType utility -icon '/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/Resources/Message.png' -heading "Software Updates are available" -description "Your computer will need to restart, would you like to install the updates now?" -button1 "Yes" -button2 "Cancel" -cancelButton "2"';

                        if ($RESPONSE eq "0") {
                                printf "
User said YES to Updates
";
                                system '/System/Library/CoreServices/Software Update.app/Contents/MacOS/Software Update';
                                exit 0;
                        } else {
                                printf "
User said NO to Updates
";
                                exit 0;
                        }
                }
                else {
                        printf "no logged in user so ok to run updates
";
                        system '/System/Library/CoreServices/Software Update.app/Contents/MacOS/Software Update';
                        exit 0;
                }
        }
        else {
                printf "no restart required
";
                system '/System/Library/CoreServices/Software Update.app/Contents/MacOS/Software Update';
                exit 0;
        }
}
else {
        printf "there are no updates available
";
        exit 0;
}
exit 0;

Lisa - I just discovered that when the restart required check looks at the Mac Pro EFI Update 1.5 item it returns the response "shut down" instead of "restart"... Hence my user was prompted to restart his Mac in 5 minutes while he's in the middle of editing in FCP. :(

Is it possible to add "shut down" as a response that will trigger the pop-up box?

available updates is Software Update Tool
Copyright 2002-2009 Apple

Software Update found the following new or updated software:
* MacProEFIUpdate1.5-1.5
Mac Pro EFI Firmware Update (1.5), 2059K [recommended] [shut down]

there are updates available
no restart required
Checking for policies triggered by "runsoftwareupdate"...

...

Writing files…
Optimizing system for installed software…
Writing package receipts…
Installed Mac Pro EFI Firmware Update
Done.

You have installed one or more updates that requires that you restart your
computer. Please restart immediately.

A reboot was required with one or more of the installed updates.
Blessing i386 OS X System on /...
Creating Reboot Script...

@UESCDurandal

Good catch! Not many MPs where I am.

Try changing this line:

if ($AVAILABLEUPDATES=~/restart/){

To:

if ($AVAILABLEUPDATES=~/(restart)|(shutsdown)/){

Let me know if that works for you, I'm not seeing any computers that need that update to test it myself :(

Thanks Lisa!

I'll give that a try. Sadly I already reached out to all my MPs that needed that update and pushed it through manually so they're not interrupted. But it's good to know that the line is there in case Apple wants to do that again.

ok, not a perl guy by a long shot. How would I get the PID of the last executed command in a perl script, and then force the script to continue while that one command ran?

ex: ```
/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType fs -heading 'American Greetings ISD is updating software on your computer' -description 'We are now updating your Mac System software. This update should not take longer than 30 to 45 minutes, depending on how many updates your Mac needs. If you see this screen for more than 45 minutes, please call our helpdesk at X4949. Please do not turn off this computer. This message will go away when updates are complete.' -icon /Library/Application Support/JAMF/EndUserSupport/AGRose.icns > /dev/null 2>&1 &

## In case we need the process ID for the jamfHelper JHPID=echo "$!"
```

Thanks everyone for these. Since I do most of my scripting in Python, I thought I'd take a stab at rewriting it. Hopefully someone will find it useful. Let me know if you have any questions about what it's doing. I've tested it on several systems and haven't run across any showstoppers, but if you find something, please pass it on.

#!/usr/bin/python

# import required modules
import os
import re
import shutil
from datetime import datetime
from sys import exit

# set log filename/location
curDate = datetime.now().date()
logFile = 'swupd-%s-%s.log' % (curDate.year,curDate.month)
logLocation = '/your/preferred/log/directory'
curLog = '%s/%s' % (logLocation,logFile)

# create functions for installing updates, logging postponements, and exiting
def installUpdates():
    os.popen('/usr/sbin/jamf policy -trigger runswupd')
    attempts = 6
    logData(attempts)
    exit(0)

def postponeUpdates(attempts):
    print "User chose to postpone the updates."
    attempts = attempts + 1
    logData(attempts)
    exit(0)

def forceUpdates():
    response = os.popen('"{filename}" -startlaunchd -windowType utility -icon "{icon}" -title "{title}" -heading "{heading}" -description "{description}" -button1 "Ok"'.format(
        description='Your computer has updates availble that may require a reboot.  You've postponed the updates 5 times.  As such, the installation is being forced now.  Please save your work immediately.',
        filename='/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper',
        heading='Software Updates are installing!',
        icon='/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/Resources/Message.png',
        title='Company Software Updates'
    )).read()
    if response == 0:
        installUpdates()
    else:
        print "Something went wrong with the jamfHelper.  Fix it."
        attempts = 7
        logData(attempts)
        exit(1)

def logData(content): # writes 'content' to the log, overwriting any previous contents.  There should never be anything other than a single number in there anyway. 1 - 5 indicates the number of times it has been postponed.  6 indicates complete for the month.  7 indicates the forced attempt at updates failed.
    logContent = open(curLog, 'w')
    logContent.write(str(content))
    logContent.close()


# create log path if it doesn't exist
if not os.path.isdir(logLocation):
    os.makedirs(logLocation)

# create monthly log file if it doesn't exist and read file contents if it does
if not os.path.isdir(curLog) and not os.path.exists(curLog):
    logNew = open(curLog, 'w')
    attempts = 0
    logNew.write(str(attempts))
    logNew.close()
elif os.path.isdir(curLog):
    print "The path for the current log file was a directory.  How this happened, the world may never know.  The path %s, and everything under it is now toast, and will be recreated as a file." % curLog
    shutil.rmtree(curLog)
    logNew = open(curLog, 'w')
    attempts = 0
    logNew.write(str(attempts))
    logNew.close()
elif os.path.isfile(curLog): # read the number of attempts that have been postponed
    logIn = open(curLog, 'r+')
    try:
        attempts = int(logIn.read())
    except ValueError:
        attempts = 0
        logIn.write(str(attempts))
    logIn.close()


# check for updates
updatesAvail = os.popen('/usr/sbin/softwareupdate --list').read().rstrip()
print "Available updates: %s" % updatesAvail
if "*" in updatesAvail:
    print "There are updates available"
    os.popen('/usr/sbin/jamf recon') # running recon to make sure the JSS knows the system has updates available.  In theory, it should always know.
    avail = 1
else:
    avail = 0

if avail == 0:
    print "No updates were available"
    os.popen('/usr/sbin/jamf recon') # running recon to make sure the JSS knows that there really aren't updates available.
    logData('complete')
    exit(0)

# check if available updates require a restart    
if 'restart' in updatesAvail or 'shut down' in updatesAvail:
    print "These updates require a restart"
    restart = 1
else:
    restart = 0

# find currently logged in console user
curUser = os.popen('/usr/bin/who | grep console | cut -d " " -f 1').read().rstrip()
print "Current user is: %s" % curUser

# if there is a logged in user, we must ask for permission to restart, otherwise we go forward!
if avail == 1:
    if attempts < 5:
        if restart == 1:
            if re.match(r'[a-zA-Z]', curUser):
                response = int(os.popen('"{filename}" -startlaunchd -windowType utility -icon "{icon}" -title "{title}" -heading "{heading}" -description "{description}" -button1 "Yes" -button2 "No" -cancelButton "2"'.format(
                    description='Your computer has updates availble that will require a reboot.  Would you like to install these updates now?  After clicking yes, please wait until you receive an indication that the computer is ready to reboot.',
                    filename='/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper',
                    heading='Software Updates are available!',
                    icon='/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/Resources/Message.png',
                    title='Company Software Updates'
                )).read())
            else:
                installUpdates()
            if response == 0:
                installUpdates()
            elif response == 2:
                postponeUpdates(attempts)
            elif response == 1:
                print "There was a problem spawning the dialog box.  You need to make sure the system is properly enrolled in Casper."
                exit(1)
            else:
                print "Something that should be impossible happened. Your return code was %s.  Please check the code against the jamfHelper return values by running jamfHelper with the -help flag." % response
                exit(1)
        else:
            installUpdates()
    elif attempts == 5:
            forceUpdates()
    else:
        print "Something unknown is wrong with this machine.  Exiting with an error status code."
        exit(1)