MacOS Security Patch Policy created but not working

hfletes22
New Contributor


I have created this policy but it looks like it's not pushing the update thru jamf pro. Can anybody advise me on this?

1 ACCEPTED SOLUTION

dennisnardi
Contributor

I just posted this info in this thread but it is essentially the same here:

That specific softwareupdate command doesn't work the same with ARM based Mac computers (or apparently Monterey, I guess, I'm not 100% sure on that). Apple deprecated the -iar part of the softwareupdate binary. As a result Jamf policies running that command no longer work, nor do policies with the software update payload either. Apple recommends using MDM commands. However that is extremely flaky, and you lack a really good way to schedule or notify users. It seems like something that in a few years might be good, but it's just not good or reliable currently.

You really have 2 options. Option 1 is to use a 3rd party tool to help gain compliance. Nudge works great, is widely used, and is extremely well documented. Another option is utilizing SUPER which is also pretty well documented. Both essentially bug users to install updates themselves. Home users are the demographic Apple has primarily developed their product for, while the enterprise Mac environments are a languishing thought in the back of their heads oftentimes. Thus modern versions of macOS/Mac hardware essentially require user interaction to complete, until MDM commands improve/are fixed.

Option 2 is to download the full macOS Monterey 12.5.1 installer (which you can do with the link here), and then make a policy that just installs that over top of the OS. This is non-destructive, it will just take longer. There are multiple methods for that. I believe these two are the most popular ways to do so: 1 2. This generally also requires some level of user interaction on modern versions of macOS/Mac hardware. If you can script a known user password on the machine you can fully automate it though.


On top of all of that, in general there's been issues on Big Sur & Monterey with timely fetching software updates, even with the "keep my mac up to date" button checked. It's an issue with the softwareupdate binary again. Many people haven't seen the 12.5 or 12.5.1 updates available to them yet because of this. The general fix is to manually check for updates a few times, reboot, or run the "sudo launchctl kickstart -k system/com.apple.softwareupdated" command and then check for updates again.

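As an added example (not code from the thread or from Jamf), here is a small bash script in the shape of a Jamf Pro extension attribute that puts the advice above into practice from the compliance-reporting side: it kicks the softwareupdated daemon with the launchctl command from the post, parses `softwareupdate -l` output to report what is pending and whether a restart is involved, and on Apple Silicon (arm64) reports that a user-facing tool such as Nudge/SUPER or an MDM command is the install path rather than attempting an unattended `softwareupdate -iaR`. The `softwareupdate -l` sample text and the function names are constructed for this example; off macOS the script runs against the sample so it can be tested anywhere.

```shell
#!/bin/bash
# Added example, not from the original post: report pending macOS updates
# the way a Jamf extension attribute would, and pick an install strategy
# that does not rely on `softwareupdate -iaR` on Apple Silicon.

# Constructed sample of `softwareupdate -l` output (format approximated).
SAMPLE_SU_OUTPUT='Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: macOS Monterey 12.5.1-21G83
    Title: macOS Monterey, Version: 12.5.1, Size: 12300000KiB, Recommended: YES, Action: restart,
* Label: Safari15.6.1MontereyAuto-15.6.1
    Title: Safari, Version: 15.6.1, Size: 160000KiB, Recommended: YES,'

# Print one update label per line from `softwareupdate -l` text on stdin.
list_update_labels() {
  sed -n 's/^\* Label: //p'
}

# Return 0 if any listed update declares "Action: restart".
needs_restart() {
  grep -q 'Action: restart'
}

# Install strategy per CPU architecture (hypothetical policy names):
#   arm64  -> "notify-user": hand off to Nudge/SUPER or an MDM command,
#             since unattended softwareupdate installs are unreliable there.
#   x86_64 -> "softwareupdate": the legacy path still usable on Intel.
install_strategy() {
  case "$1" in
    arm64)  echo "notify-user" ;;
    x86_64) echo "softwareupdate" ;;
    *)      echo "unknown" ;;
  esac
}

# The catalogue-refresh workaround from the post; only meaningful on macOS.
refresh_softwareupdated() {
  if [ "$(uname -s)" = "Darwin" ]; then
    launchctl kickstart -k system/com.apple.softwareupdated
  fi
}

# Build the <result> string Jamf expects from an extension attribute.
#   $1 = `softwareupdate -l` output, $2 = architecture (uname -m)
build_ea_result() {
  local count restart
  count="$(printf '%s\n' "$1" | list_update_labels | wc -l | tr -d ' ')"
  if printf '%s\n' "$1" | needs_restart; then restart=yes; else restart=no; fi
  printf '<result>pending=%s restart=%s strategy=%s</result>\n' \
    "$count" "$restart" "$(install_strategy "$2")"
}

main() {
  local out arch
  if [ "$(uname -s)" = "Darwin" ]; then
    refresh_softwareupdated
    out="$(softwareupdate -l 2>&1)"
    arch="$(uname -m)"
  else
    # Not on macOS: exercise the logic against the constructed sample.
    out="$SAMPLE_SU_OUTPUT"
    arch="arm64"
  fi
  build_ea_result "$out" "$arch"
}

main
```

Deployed as an extension attribute, the `pending=`/`restart=`/`strategy=` fields make it straightforward to build a smart group of Macs that still show the 12.5.1 update as pending and scope a Nudge policy to them, rather than scoping an install policy that will never report completion because the Mac restarts mid-run.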

6 REPLIES

sdagley
Honored Contributor III

@hfletes22 What exactly are you pushing as a security patch? If a Mac is forced to restart when installing a .pkg (which Apple's Security Update packages do) then your policy will never report as completed.

I want to make sure that all my security patches are getting installed as they should via Jamf Pro and not thru Apple. Just like the security patch for August 17, 2022. I don't know if I'm making myself clear.

sdagley
Honored Contributor III

@hfletes22 Please provide details on what your policy does as the picture you posted shows nothing but the policy name and what events should trigger it. If it's a command like 'softwareupdate -iaR' that is not a reliable way of installing updates, and as I mentioned initially if your policy will cause the Mac to restart before the policy completes and reports that completion to your Jamf Pro server then it will appear as if the policy never ran.


that was great. Thank you

NOVELLUS
Contributor III

@dennisnardi Thanks a lot for your explanation about the possibilities for doing an update to macOS 12.5.1 (or other versions). I am at the same point to deploy the update to 12.5.1 and used your "second option". With this option it is important to know that the installer is about 12.3 GB.
I did a package (pkg) file that "installs" the update .APP to the user's /Programms directory and then starts the installer. I took the MegaPKG script of William Smith to create the pkg file, because Composer will not create packages bigger than 8 GB.
It works very well.