Making sense of ManagedUpdates via API

Nate1
New Contributor III

Hello all,

We're working on forcing updates on our fleet and it seems the best way to do this reliably, or at least with some feedback, is via the managed-software-updates API:

POST .../api/v1/managed-software-updates/plans

This at least provides us with variable options, including groups via single machines (which we use to test), as well as feedback as to what's happening to the machines:

GET .../api/v1/managed-software-updates/plans?page=0&page-size=20&sort=planUuid%3Aasc

However, I have a few questions:

  1. Using:
    "updateAction": "DOWNLOAD_INSTALL"
    and
    "versionType": "LATEST_MAJOR"
    my test machine has been stuck at 
    "state" : "SchedulingOSUpdate"

    What can I expect as a next step, either for me the Jamf admin or on the user side? Why is it stuck at "Scheduling"?

  2. For a few machines I have:
    "state" : "PlanFailed"
    "errorReasons" : [ "APPLE_SILICON_NO_ESCROW_KEY" ]

    Is this solvable? 

  3. I also have:
    "state" : "PlanFailed"
    "errorReasons" : [ "EXISTING_PLAN_FOR_DEVICE_IN_PROGRESS" ]

    This makes sense because I tried to slap another plan on one in progress, but is there any way to 'clear' previous plans? Separately, do they fall off after everything is complete or after a certain amount of time? I can see this log becoming quite long if not.

Thanks for any help! We are at the point in our fleet that a lot of users just flat out refuse to acknowledge our requests for them to update so we're looking for the best way to "force" it without necessarily having to force immediate reboots (but we've been given clearance from security and c-suite to do so if a security threat becomes big enough). Efforts taken via other Jamf methods either don't seem to go through, or don't give us reasoning if not. I'm sure the new SoftwareUpdates section will be amazing in the future, but right now the commands just seem to float off into the void.

 

Nate


foobarfoo
Contributor

You need a bootstrap token escrowed. This is possible to do when the computer is enrolled via DEP/ADE. For user initiated enrollment, this is usually not the case (search Google, JAMF docs etc. for more info). Personally, I'd look at DDM configured updates and set a specific deadline, which is available in macOS 14 combined with JAMF Pro 11, as my best bet going forward. If you haven't seen that in other threads already, enforcing macOS and iOS updates has been a flaky and unreliable task/process since almost forever. This is mainly an Apple and not a JAMF problem though, at least these days, as JAMF has improved the software update handling code.
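
An added example, not part of either post and not Jamf's own code: one way to turn the plans listing from the GET call above into a per-state and per-error-reason view of the fleet. The response shape (a "results" list, "device.deviceId", and a "status" object holding "state" and "errorReasons") is an assumption, and the sample data is constructed.

```python
import json
from collections import defaultdict

# Constructed sample of a GET .../managed-software-updates/plans response.
# Assumed shape: "results" list, "device.deviceId", and a "status" object
# holding the "state" and "errorReasons" fields quoted in the thread.
SAMPLE_RESPONSE = json.dumps({"results": [
    {"planUuid": "00000000-0000-0000-0000-000000000001", "device": {"deviceId": "101"},
     "updateAction": "DOWNLOAD_INSTALL", "versionType": "LATEST_MAJOR",
     "status": {"state": "SchedulingOSUpdate", "errorReasons": []}},
    {"planUuid": "00000000-0000-0000-0000-000000000002", "device": {"deviceId": "102"},
     "status": {"state": "PlanFailed", "errorReasons": ["APPLE_SILICON_NO_ESCROW_KEY"]}},
    {"planUuid": "00000000-0000-0000-0000-000000000003", "device": {"deviceId": "103"},
     "status": {"state": "PlanFailed", "errorReasons": ["APPLE_SILICON_NO_ESCROW_KEY"]}},
    {"planUuid": "00000000-0000-0000-0000-000000000004", "device": {"deviceId": "104"},
     "status": {"state": "PlanFailed", "errorReasons": ["EXISTING_PLAN_FOR_DEVICE_IN_PROGRESS"]}},
]})

# Notes taken only from the thread above, keyed by errorReasons value.
NOTES = {
    "APPLE_SILICON_NO_ESCROW_KEY": "bootstrap token not escrowed (see reply)",
    "EXISTING_PLAN_FOR_DEVICE_IN_PROGRESS": "a plan was already in progress for this device",
}

def triage(response_text):
    """Group device IDs by plan state, and failed devices by error reason."""
    by_state, failures = defaultdict(list), defaultdict(list)
    for plan in json.loads(response_text).get("results", []):
        device = plan.get("device", {}).get("deviceId", "unknown")
        status = plan.get("status") or {}
        state = status.get("state", "unknown")
        by_state[state].append(device)
        if state == "PlanFailed":
            # A failed plan with no listed reason is still counted.
            for reason in status.get("errorReasons") or ["UNSPECIFIED"]:
                failures[reason].append(device)
    return dict(by_state), dict(failures)

def report(response_text):
    """Return printable summary lines for the plans listing."""
    by_state, failures = triage(response_text)
    lines = [f"{s}: {len(d)} device(s) {sorted(d)}" for s, d in sorted(by_state.items())]
    for reason, devs in sorted(failures.items()):
        lines.append(f"  {reason} -> {sorted(devs)}: {NOTES.get(reason, 'no note in thread')}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RESPONSE)))
```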