Managed Software Updates - using deferrals via a mass action

eric_skinner
New Contributor III

Hi all,

Wanted to share that we are actively developing to implement deferrals in an upcoming beta release of Jamf Pro, targeting between Q4 of 2021 and Q1 of 2022 to solve for the below use case.

As a Jamf Admin, I want to issue a remote command for my macOS devices to update their OS, while also giving them the option to defer the OS update so that their critical workflows aren’t interrupted (e.g. during a presentation), while also ensuring they stay up to date.

Example mass action/remote command workflows moving forward:

  • (Existing) Admins can issue a remote command to a set of devices to download and install an upgraded version of macOS ASAP, restarting end-user machines as necessary
  • (Existing) Admins can issue a remote command to a set of devices to download an upgraded version of macOS and notify the end user
  • (Upcoming, net new) Admins can issue a remote command to a set of devices to download to an upgraded version of macOS and notify the end user, and input a MaxUserDeferrals integer between 1-90, which will allow the end users to snooze a software between 1-90 days
  • Potential future functionality:
    • Ability to issue these commands via API
    • Ability to schedule these commands
    • Ability to issue these commands via policy

We are actively developing this and will be able to communicate a timeline once we are able to determine which Beta release it is planned for.

Please feel free to offer up any questions, comments, or feedback here, thanks!

Eric Skinner

Jamf Pro Product Owner

18 REPLIES

stephenb
New Contributor III

Definitely like the sound of issuing these via a policy! Looking forward to this!

dtommey
New Contributor III

The ability to schedule MDM commands would be extremely useful. Not only for the new software deferral MDM commands but also the existing remote lock/wipe commands. https://ideas.jamf.com/ideas/JN-I-15577

vinny83
New Contributor III

Yup, agree with the others. Really looking forward to this!!

AJPinto
Contributor III

While yes, deferrals are important, I am mainly concerned about actually being able to force OS updates. installASAP is great and all when nothing suppresses reboots. MaxUserDeferrals automatically switches to InstallForceRestart once the deferrals are exceeded, if I understand this correctly. So if MaxUserDeferrals works as expected we may finally have a way to force OS updates. ReallyInstallForceRestart should have been added when macOS added support for it and let us admins decide if the data loss risk was worth it to use; JAMF should not have made this decision for us.

 

Either way this is good news to be sure. Not being able to manage OS updates is now really the only remaining issue preventing us from deploying Apple Silicon macs. At least we have a roadmap for this now.

eric_skinner
New Contributor III

Hey @AJPinto,

Depending on what you're looking for, there is some level of functionality around the installForceRestart today (see "Download and Install the update, and restart computers after installation").

You might already be aware of this, and I recognize it's totally possible there are nuances or limitations that do not work with your workflows that I'd love to hear about, though I'll err on the side of over-communication:

https://docs.jamf.com/best-practice-workflows/jamf-pro/managing-macos-updates/Updating_macOS_Using_a...

If you have additional questions or clarifications, reach out to Jamf support https://www.jamf.com/support/jamf-pro

Thanks,
Eric

j_meister
Contributor

Eric, we are really looking forward to this! 👍

We are still missing a convenient and working way to force macOS updates. With macOS 10.11 (!) Apple introduced InstallLater and InstallForceRestart, which we have been waiting for so long now. We hope these two options get implemented in one of the next Jamf Pro releases.

About 80 % to 90 % of our users do updates / upgrades but some don't and forcing it makes it way easier.

Hey @j_meister,

Echoing what I shared with a different reply:

Depending on what you're looking for, there is some level of functionality around the installForceRestart today (see "Download and Install the update, and restart computers after installation").

You might already be aware of this, and I recognize it's totally possible there are nuances or limitations that do not work with your workflows that I'd love to hear about, though I'll err on the side of over-communication:

https://docs.jamf.com/best-practice-workflows/jamf-pro/managing-macos-updates/Updating_macOS_Using_a...

If you have additional questions or clarifications, reach out to Jamf support https://www.jamf.com/support/jamf-pro

Thanks,
Eric

Unfortunately even this workflow is not very reliable. Macs won't download the updates if they don't have enough disk space, and you get no confirmation on this one way or the other.

 

I am not sure if external reboots will cause OS updates to install if they are downloaded. I think the function of downloading updates is to allow the users to install, or to use the installASAP command down the road. With installASAP, if anything prevents a reboot (like Terminal pinging something) the command just fails. There is no way to use installASAP to FORCE updates; if the Mac cannot gracefully shut down, installASAP simply will not install updates. Again you get no notification or logging.

 

JAMF is not using the MDM command that lets you see the status of OS updates. For example, there is an MDM command that returns if updates are downloading, cached, pending install, etc. I forget the MDM command's key at the moment and I am on my iPad right now :(.

 

I suppose, to be simple: we should not be having to dance around JAMF's limited support of Apple MDM commands to manage updates, which are between 1-5 years old at this point depending on the command.

 

We certainly appear to be on the right path now thankfully.

j_meister
Contributor

Hey @eric_skinner ,

thanks for your reply. The "Download and install the update, and restart computers after installation" feature works in most cases, that's right. I would just wish to have a feature to enforce the updates on the rest of the machines and hope/think InstallForceRestart should achieve this.

Thanks again,

Johann

Daemonomicon
New Contributor

Will the MaxUserDeferrals option only be available on macOS Monterey? Or is this something that can be implemented with Big Sur as well?

Hey @Daemonomicon,

MaxUserDeferrals is a parameter that Apple has for Monterey and forward, so it is not available for Big Sur.

eric_skinner
New Contributor III

Hi All,

Trying to be as transparent as we can: Apple has informed us that this might not actually be deferral days as much as it will be deferral instances. A deferral instance being defined as a user clicking out of the update (e.g. install later, not now, etc.)

We'll still be able to send the command with a deferral integer (e.g. end users can defer 7 times). That said, after the command is issued and the deferral set, Apple manages all of those communications and notifications to the end user. We're seeking some clarification, though it appears that it may rely on the end user clicking to defer, rather than days.

Eric Skinner
Jamf Pro Product Owner

Hi Eric,

thank you for this information.

Johann

bbarciz
New Contributor II

@eric_skinner thanks for sharing this update with us! It sounds like it is certainly a step in the right direction for us to admin our Mac machines and keep them patched.

My main priority in my job is Windows machines, and for that we use SCCM currently. I'm not sure if you have any experience or knowledge, but it would be helpful to have some controls like it offers on the Macs through Jamf as well. For example, it would be great to say "start installing this OS upgrade at 11:00pm tonight (after classes end) and if the machines need to restart, do the restart automatically between now and 6:00am." However, if the update gets to the point of needing a restart after 6:00am, notify the user that a restart is required in the next x number of hours. We normally allow our users to defer it through the next work day and then require it to happen after.

 

Also, the ability to schedule updates to happen at a certain time would be very helpful. For example, I want to configure the updates during my normal 8-5 type day, but not have them run until overnight in our "maintenance window" as SCCM refers to it. Will these changes only affect some/newer OS versions? We currently have many different OS instances and I am starting from the ground up with how to address updates for them.

 

Hopefully future updates on this will be posted soon. Looking forward to it!

Thanks!

RobertHammen
Valued Contributor II

@eric_skinner While we're at it, can we get an "Update OS" Management command button (for a single device, obviously) in the Management tab for both iOS and macOS?

That would be awesome, I miss such a button often.

forrestbeck
New Contributor III

Looking forward to seeing this added soon!

cnelson
Contributor

Very interested in this. I'm excited about the possibility of the max deferrals being a reality on Mass Action, API, and policies. Having lots of headaches with our updates here.