macOS Updates via Mass Action - Try Tonight not working

llitz123
Contributor III

Testing using Mass Action for updates for our clients with 7 deferrals.

Staff I've tested with click "Try Tonight" and nothing happens.  Pop-up returns later/next day-ish asking them to update, yet I don't think it subtracts a deferral from the 7.

Anyone else seen this issue and have a solution?

Also anyone know when the pop-up shows or is it random?

Thanks for any assistance. 

13 REPLIES 13

sdagley
Esteemed Contributor II

@llitz123 The only Mass Action that's close to working properly seems to be the update immediately option, and even that's far from reliable. Supposedly Apple has improved the deferred update reliability in macOS Ventura, but that's no help to anyone running Monterey or older.

Wonderful.  This update mess is ridiculous.

Thanks for the heads up.

sdagley
Esteemed Contributor II

@llitz123 If you're not dealing with Apple Silicon Macs then the erase-install script (https://github.com/grahampugh/erase-install ignore the name, it also does updates) is a very popular tool for pushing macOS updates/upgrades. Be sure to look at the Wiki section on using Jamf Pro (https://github.com/grahampugh/erase-install/wiki/8.-Use-in-Jamf-Pro) and I would highly recommend using the "--pkg" option mentioned in Section 3 of the Wiki.

You can use erase-install for Apple Silicon Macs as well, but there will be a prompt for the user to enteric their password which is a requirement for updates on those machines.

AJPinto
Honored Contributor II

Unfortunately all of this is extremely hard to troubleshoot. JAMF refuses to let us see the MDM responses from Macs which tell JAMF what the Mac is doing with the MDM command. For example JAMF knows how many deferrals have been used. Going beyond JAMFs nonsense with managing OS updates, Apples MDM command work flow for OS updates is garbage. You will have about a 70% success rate with OS updates via MDM command in the best of situations.

 

The logs are stored in install.log, that is where I would start. MacOS does note how many deferrals are left and the what nots in there along with any errors. That is where I would start as JAMF does not report anything useful with OS updates.

Thanks.  What a nightmare.  I'll give it a shot.

Thanks.

AJPinto
Honored Contributor II

For Intel Macs you can use “sudo softwareupdate -aiR” (the R needs to be capitalized), this calls the binary to run updates and usually works well. Logging still sucks. For Apple Silicon Macs this cant be used, it will give a pop up to the user to enter creds.

I recommend coming up with an enforcement work flow. Many people use Nag to pester users to update, I have never found it to be worth the effort to keep up. I use JAMF smart groups and software restrictions to sent notifications (using JAMF helper) and force compliance. If you are not complaint with OS updates I start blocking applications from launching and give you pop up’s to run OS updates. Its not nice but it works, if apple gave us better tools I would not need to be so heavy handed.

I tried using third parties yet I just don't have time to customize and test fully.  I'll get it figured out.  Thanks for your help.

70% is pretty much spot on for our success rate. Very frustrating. We've been in talks with Jamf and Apple and the only solutions provided are to suggest 3rd party project like Nudge and SUPERMAN (which is awesome btw). Basically keep throwing stuff at the wall and see what sticks.

We took a huge step back in our ability to manage our Mac clients when we moved to Apple Silicon. We're 60/40 Mac/PC at this point, but time spent on issues is more like 90/10 Mac vs PC, which is a complete reversal of what it used to be. It blows my mind that our only option is relying on open source projects other Mac admins put on github out of the goodness of their hearts...

AJPinto
Honored Contributor II

The problem with Nudge and Superman is this is pushing "managing" updates on to the user. You are really just managing notifications.Apple wonders why they cannot grow in enterprise, this one of the many reasons. JAMF can do a lot of this with smart groups and software restrictions.

 

Those open source projects are those of us (not me, Im not that smart) who are desperate for a solution and sharing what we create. We are not managing OS updates, we are politely asking OS updates.

 

For example. A Software Restriction for devices not running 12.6.1 to block Safari, Mail, Teams, and so on. When they open the app force quit it and present a notification to run OS updates. This is a lot more heavy handed than Nudge can get.

 

You're pretty much saying word for word what I've been complaining to Apple about 😂

Our users are not self-sufficient to the point that many of them have to call our helpdesk for simple things like "how do I add an icon to the Dock?". This has lead to them becoming frustrated, and that comes onto us not Apple. The side effect is it's driving PC adoption where users have a choice between the two.

AJPinto
Honored Contributor II

Same in our environment. We are about 99% Windows and 1% Mac, and that wont be changing anytime soon. Even as far as most Mac environments go, ours is extremely configured.  All of our security clients are on Mac, our Macs are fully integrated to the environment, no need to use citrix or anything just open share drives and connect to websites directly. SSO is configured for most sites and so on.

 

There are tons of down sides. Even with SSO enabled on macOS, users need to enter credentials far more frequently. Just extra opportunities to enter credentials wrong and lock your account. FileVault is so consumer focused it is insane. If you use a recovery key it resets the users password. If you need to pass a FileVault token, you need a token holders password and the new persons password. MacOS is just extremely high touch.

 

The world is about automation, and less clicking, and apple does not seem to understand that. Even if apple offered competing solutions I could accept it, but they simply dont in most cases. The few situations where there is a competing solution from Apple it is usually garbage or some framework that no one supports because Apple refuses to follow exiting standards like Platform SSO (still a bit early to call Platform SSO DOA, but my hopes are not high).

My belief with Ventura is that the success rate will be higher, the question is how much. The fact that Ventura responds to and processes the MDM update commands now even if it's locked is a huge step forward. Then we need to hope that all the other bugs and quriks have been improved as well, such as deferrals, device not actually doing what it was told, dropping state if the user reboots manually before the update has been installed etc.

 

Perhaps a bit off-topic for this forum, but MS has now released an update feature in Intune for macOS (like 5 years after it was needed) - if it's not there already in your tenant it will be soon. The design of that is quite interesting. It's esssentially an update tracker that continously and automatically sends ScheduleOSUpdate to those devices that aren't running the latest macOS version. It also reports on the satate of the install which JAMF doesn't do. In essence, crude but efficient. I think it would be good for JAMF if something similar was built, perhaps using the patch management engine that's already there (design question for the devs really)..?

crainey
New Contributor

I am now seeing that 12.6.1 update requires admin password!