macOS Update Workflow for Headless Clients

tryckman
New Contributor II

We maintain 32 macOS caching servers across our school district and we are looking for a way to apply macOS updates to them without having to VNC into them, log in, and then start the update. Unless we're wrong (which is a distinct possibility), it appears a user needs to be logged into the GUI in order to begin an update. Does anyone have a better workflow?

gabester
Contributor III

Um, use SSH and run softwareupdate with the proper switches to reboot - see other discussions here. Are you managing your caching servers with JAMF or letting them run "wild"? I'd also expect that "automatic" updates would do the trick, at the risk of some poorly QA'd update from Apple impacting your caching services... Are you using a parent-child caching server relationship or 32 separate sites or load balancing, or some of each?

nstrauss
Contributor II

Heh, this should be easier than it is. Yes, enabling automatic updates is a good start. I've seen updates prepare to run and then never actually go through. That's the "Software updates will be installed tonight" (or similar) notification. Using softwareupdate is becoming more precarious as well, especially on T2 and later models. The updates will often fail using CLI or cause the machine to boot to recovery for further triage. At that point you're not saving any time as someone would need to be on site with physical access to fix. The most straightforward, and more time-intensive, way is to schedule someone to run the updates on a schedule. I check all our Mac minis here running in "server" roles once a quarter to make sure they're up to date. Even with automatic updates enabled I often don't see them applied as expected. For example, I use an MDM profile to enforce Software Update settings...

Yet there are still available updates.

Granted these were only released a few days ago. Perhaps there's a window before new updates are auto-installed. That has not been my experience however. You could also try sending a "Download and Install Updates" command from Jamf. I believe this could be scheduled through the API or sent as a mass action to a computer group on a regular basis. Again my experience with MDM triggered updates has been spotty at best. The command often goes through and doesn't run updates. I think there's lots of room for improvement here. Feedback which I'd file with Apple.

Edit: I did try to send an update MDM command to this Mac mini caching server with available updates. The updates which didn't require a restart (Safari) did in fact install. For the updates requiring a restart only a notification banner appears prompting the user. Clicking the notification takes you to Software Update to complete the update process.

I also remembered Apple did in fact introduce new keys in Big Sur to the ScheduleOSUpdate command to help with this scenario.

https://developer.apple.com/documentation/devicemanagement/scheduleosupdatecommand/command/updatesit...

There's now an InstallForceRestart option which could be helpful for headless machines where it doesn't particularly matter when a restart occurs. You could then schedule the command to be run on these caching servers every so often to ensure they're kept up to date. I don't think Jamf has implemented the new feature yet so be sure to upvote this feature request to add the new keys.

https://www.jamf.com/jamf-nation/feature-requests/10095/support-the-entire-range-scheduleosupdate-md...
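As an added illustration of the two pieces discussed in this post (reading which pending updates need a restart from `softwareupdate -l` output, and the Big Sur ScheduleOSUpdate command with InstallForceRestart), here is example code that is not from the thread, Apple or Jamf. It assumes the `softwareupdate` listing label can be passed as the command's ProductKey, and the listing text is constructed, not captured from a real server.

```python
import plistlib
import re
import uuid

# Constructed sample of `softwareupdate -l` output (macOS 11 listing format);
# the second item carries "Action: restart", the first does not.
SAMPLE_LISTING = """Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: Safari15.1BigSur-15.1
\tTitle: Safari, Version: 15.1, Size: 73102K, Recommended: YES,
* Label: macOS Big Sur 11.6.1-20G224
\tTitle: macOS Big Sur 11.6.1, Version: 11.6.1, Size: 2600000K, Recommended: YES, Action: restart,
"""


def parse_listing(text):
    """Return [(label, needs_restart)] pairs from `softwareupdate -l` output."""
    updates = []
    label = None
    for line in text.splitlines():
        m = re.match(r"\* Label: (.+)$", line)
        if m:
            label = m.group(1).strip()
            continue
        if label and line.strip().startswith("Title:"):
            updates.append((label, "Action: restart" in line))
            label = None
    return updates


def build_schedule_os_update(updates):
    """Build the MDM ScheduleOSUpdate command as a dict.

    Updates that need a restart get InstallForceRestart (Big Sur and later),
    so a headless box finishes without anyone clicking the notification banner;
    the rest use InstallASAP. Using the listing label as ProductKey is an assumption.
    """
    entries = [
        {"ProductKey": label,
         "InstallAction": "InstallForceRestart" if restart else "InstallASAP"}
        for label, restart in updates
    ]
    return {"CommandUUID": str(uuid.uuid4()),
            "Command": {"RequestType": "ScheduleOSUpdate", "Updates": entries}}


def serialize_command(cmd):
    """Serialize the command dict to the XML plist an MDM server sends."""
    return plistlib.dumps(cmd)
```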

tryckman
New Contributor II

Thanks @nstrauss. We are seeing the same behavior you described when we use the CLI. Thanks for the suggestions, we will try them. Confirming, updates cannot be started and completed unless a user is logged in?

tryckman
New Contributor II

@gabester We use a combination of parent and peers. Our parent servers are deployed to serve child servers at school sites that are geographically in close proximity. Our larger sites have multiple caching servers that are set up as children but also as peers of each other for load balancing purposes.

nstrauss
Contributor II

Not sure what the behavior would be at the login window and/or with no users logged in. Good question for Apple what to expect there.