Jamf Nation Community

I have seen this on my policies too. If I am understanding it correctly Apple is more or less handling macOS updates but I don't know how that might correlate to logout triggers overall.

Apple announce a while back that login and logout triggers were being deprecated..

Jamf Documented here..

https://docs.jamf.com/10.24.1/jamf-pro/release-notes/Deprecations_and_Removals.html

I had Mac OS updates install on logout but now it looks like I have to change that trigger I'm trying to see how others are installing these Mac OS updates.

Jamfs recommended guide is here: https://docs.jamf.com/best-practice-workflows/jamf-pro/managing-macos-updates/Introduction.html
But i cant get the stuff to work in my environment. I need all the productions machines to all have a deffereal of 90day (incase it breaks third part software), and only for our test machines to update when new minor updates are released. Once all the testing is complete we need to send a mass update command to overide the defferal so users can download and install the update. with the deferals on the machines dont seem to get a update it just says no updates avaliable. Scipts ive found online dont get around it either. Iam not sure if your using anything like the above in your workflow?

The "Logout" policy trigger will be removed in a future release. 2. Starting with any newer macOS (10.14+) with PPPC/TCC requirements MyAccountAccess they do not allow for these processes to be ran while NOT in the background if they are doing anything that interact with these newly protected areas.

i'm probably going to have the updates available via Self Service instead of logout. Just remove the logout trigger and enable it for self service with notification to notify user.

If they have any macOS updates then install them via Self Service or use the system preferences --> software updates interface.

One suggestion...https://derflounder.wordpress.com/2019/02/05/providing-access-to-macos-software-updates-via-jamf-pro...

I have not tested this without administration privileges though. It's not perfect because the user must do it. I have users that cancel the updates if they see that it requires a restart. That might be changing soon though.

I handle macOS updates a little differently, and dont rely on users logging out. They are in patch management: I have two policies, one for the most recent combo update, and one for the most recent security update. I have smart groups that are based on if the device has the combo update or not. Then the policies are scoped to the appropriate patch policy.

I have a policy that is schedule for after hours, which calls script that goes through all of the id numbers for macOS patch policies, referencing the patch id number. The patch id doesn't run if it doesn't have the appropriate combo update or security update. I've reference my script below.

That being said, Big Sur screws that completely up, which is a pain point as we prefer controlling via packages on our distribution point. So we shall see.

#!/bin/sh

########################################################################
#########################   macOS 10.15   ##############################
########################################################################

jamf patch -id 180
#macOS 10.15 - Shore Combo

jamf patch -id 182
#macOS 10.15 - Shore Security

jamf patch -id 181
#macOS 10.15 - Fleet Combo

jamf patch -id 183
#macOS 10.15 - Fleet Security



########################################################################
#########################   macOS 10.14   ##############################
########################################################################

jamf patch -id 170
#macOS 10.14 - Shore Combo

jamf patch -id 184
#macOS 10.14 - Shore Security

jamf patch -id 171
#macOS 10.14 - Fleet Combo

jamf patch -id 185
#macOS 10.14 - Fleet Security

exit 0