macOS Updates - Automatic Install, but User-Initiated Restart

Grue
New Contributor III

Hello all! 

This is my first post on Jamf Nation - I'm a newcomer to Jamf and Apple in general, having taken over for my organization's previous Jamf admin.

Some backstory:

Currently, we install macOS updates by downloading the OS .app, packaging it in Composer as a .dmg, staging the update package on our endpoints via policy, and then using a second policy to initiate the installation with the following command:

echo '<localAdminPassword>' | '/Applications/Install macOS Ventura.app/Contents/Resources/startosinstall' --agreetolicense --forcequitapps --nointeraction --user <localAdminUsername> --stdinpass

This works great for initiating after-hours installs. However, my leadership has indicated they'd like an option for users to kick off updates from Self Service. While I can make this available in Self Service as-is, the problem is that this doesn't allow the user to control when the endpoint reboots; it doesn't even notify them a reboot is incoming. 15-20 minutes after they click "Install", they're just suddenly kicked out of their user session and watching the progress bar while the computer reboots. That's not the experience we want our users to have. 

Ideally, here's what it would look like:

  1. User is notified there is a macOS update available
  2. User clicks 'Install' within Self Service
  3. The OS update installs in the background
  4. When the OS is ready to complete installation, the user is notified and they can choose to reboot now or schedule a reboot for tonight, kind of like how updates work when initiated from System Settings

The limitation here is I can't let the endpoints download the updates directly from Apple - anything we download needs to be scanned by our Security team before I can deploy it. So, the workflow I outlined above where we download/package the OS manually seems to be the only way I can approach OS updates, at least for now.

If anyone has any ideas, I would be very grateful! Like I said, I'm new to Jamf and Apple, so there may be something completely obvious I'm missing. I did search the forums, but my combination of keywords brings up a lot of tangentially related threads. Thanks y'all! 

--
AGE QVOD AGIS
1 ACCEPTED SOLUTION

AJPinto
Honored Contributor II

Apple has really moved on from using the Install macOS {version}.app for anything. Apple really wants OS updates to work in one of two ways.

  • Issued by MDM command
  • Users process the OS update using System Settings > General > Software Update

Anything outside of those two workflows really won't end well. Jamf Self Service cannot issue MDM commands, but can run scripts. You could trigger the OS update (on an Intel Mac) using Self Service, but there is no way to advise the user when the device is ready to reboot; it's just going to reboot without notification once ready. On Apple Silicon Macs you cannot use scripts to install OS updates at all.

I also work in a very restrictive and heavily monitored environment. We only recently got away from needing security to inspect everything due to the amount of issues it causes. What your security team is wanting to do is frankly not possible on macOS. I strongly recommend reaching out to your Apple SE and getting them on a call with your Security team.

Apple Platform Security - Apple Support

Grue
New Contributor III

Yeeeeah, that's the conclusion I'd come to as well, I just figured I'd throw it out there to see if I was missing anything. I think you're right and we'll probably begin those conversations soon, and we'll just grit our teeth this cycle and deploy Ventura 13.6 the way we've historically done it, even though it's not ideal. Thank you! 

--
AGE QVOD AGIS

AJPinto
Honored Contributor II

Any time, good sir and/or madam. You know where to find us if you need more venting; I for one love to banter about outdated security practices :D.

With Sonoma coming out later today, it may be a good idea to just skip to Sonoma.

daniel_behan
Contributor III

I second getting Apple to meet with your security team. Direct downloads from Apple are the safest method of receiving the updates. Also, many security and SSL inspection tools can damage the checksum of the update and make the OS not trust the update. Once your security team can trust the vendor to update themselves, much of the automation and even self service tools can be used with this: https://github.com/Macjutsu/super
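The startosinstall command in the original post and the point just above about inspection tools breaking the update's integrity fit together: what makes a staged installer trustworthy is Apple's code signature on it, which a proxy or scanner that rewrites the download will invalidate, so the policy script can check that signature itself rather than rely on a scan. The script below is an added example for this thread, not code from the original post, from Jamf, or from any of the tools mentioned in the replies. It assumes the installer is staged at the path in INSTALLER and that the Jamf policy passes the local admin username and password as script parameters $4 and $5 (so the password is not a literal in the script body and never appears on a command line). The two codesign output samples in it are constructed, not captured from a real Mac.

```shell
#!/bin/sh
# Added example for this thread (not code from the original post, from Jamf or from
# any tool mentioned here). A Jamf-style policy script that:
#   1. verifies the staged "Install macOS" app is signed by Apple itself before
#      trusting it (the installer's integrity comes from Apple's signature, so a
#      proxy or scanner that rewrites the download breaks this check);
#   2. takes the volume-owner password from a Jamf script parameter ($5) instead
#      of a literal in the script body, and feeds it over stdin (--stdinpass);
#   3. uses startosinstall's own --pidtosignal/--rebootdelay to warn the user.
# Assumptions not in the thread: the staging path in INSTALLER, and that the
# policy passes the admin username as $4 and its password as $5.

INSTALLER="/Applications/Install macOS Ventura.app"   # assumed staging path

# Return 0 when `codesign -dvv` output (read from stdin) shows Apple's first-party
# chain: "Software Signing" anchored at "Apple Root CA" and no developer team ID.
apple_signed_from_codesign_output() {
    out=$(cat)
    printf '%s\n' "$out" | grep -qx 'Authority=Software Signing' || return 1
    printf '%s\n' "$out" | grep -qx 'Authority=Apple Root CA'     || return 1
    printf '%s\n' "$out" | grep -qx 'TeamIdentifier=not set'      || return 1
}

# Full check on a Mac: structural verification of the whole bundle plus a
# requirement test that the signer is Apple ("anchor apple"), then the chain check.
verify_installer() {
    codesign --verify --deep --strict -R="anchor apple" "$1" || return 1
    codesign -dvv "$1" 2>&1 | apple_signed_from_codesign_output
}

# startosinstall sends SIGUSR1 to the PID given with --pidtosignal when its
# prepare phase is done, then waits out --rebootdelay (capped at 300 s).
notify_reboot() {
    osascript -e 'display dialog "The macOS update is ready. This Mac will restart in 5 minutes; please save your work." buttons {"OK"} default button 1 giving up after 280' >/dev/null 2>&1 || true
}

run_update() {
    user=$1
    pass=$2
    if ! verify_installer "$INSTALLER"; then
        echo "refusing to run: $INSTALLER is not Apple-signed or fails verification" >&2
        return 2
    fi
    trap notify_reboot USR1
    # The password travels over stdin only; it never appears on the command line.
    printf '%s\n' "$pass" | "$INSTALLER/Contents/Resources/startosinstall" \
        --agreetolicense --forcequitapps --nointeraction \
        --user "$user" --stdinpass --pidtosignal $$ --rebootdelay 300 &
    pid=$!
    wait "$pid"; rc=$?
    # A trapped SIGUSR1 interrupts `wait` (status > 128); wait again for the real exit.
    if [ "$rc" -gt 128 ]; then wait "$pid"; rc=$?; fi
    return "$rc"
}

# Constructed `codesign -dvv` excerpts (not captured from a real Mac) so the
# chain check can be exercised without macOS: one first-party, one Developer ID.
SAMPLE_APPLE='Identifier=com.apple.InstallAssistant.macOSVentura
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
TeamIdentifier=not set'
SAMPLE_DEVELOPER_ID='Identifier=com.example.fakeinstaller
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Jamf passes mount point, computer name and username as $1-$3; only run the
# update when invoked with the two parameters on a Mac.
if [ "$(uname)" = Darwin ] && [ -n "${4:-}" ] && [ -n "${5:-}" ]; then
    run_update "$4" "$5"
fi
```

--pidtosignal and --rebootdelay are the only reboot control the script route offers: the script is signalled when the prepare phase finishes and the reboot is held back for at most 300 seconds, so the user gets a warning but not the reboot-now-or-tonight choice, which still needs the MDM or Software Update path described in the accepted answer. The same signature check applies unchanged to an installer fetched straight from Apple with softwareupdate --fetch-full-installer --full-installer-version 13.6, the route the replies recommend; a script parameter keeps the password out of the script text and off the process list, but it is still readable by anyone who can edit the policy, so scope that right accordingly.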

bcrockett
Contributor II

Check out Nudge and Erase Install, the current tools for automating macOS updates.

Send the security team Graham Pugh's talk from the MacADUK conference if they need to brush up on the current workflows for macOS updates in enterprise environments.

I will make a new film for Sonoma once I have 100 clients on the new OS. I have 10 as of today but they released it 7 hours ago. 

Hope that helps!