Hi all,Wanted to share that we are actively developing to implement deferrals in an upcoming beta release of Jamf Pro, targeting between Q4 of 2021 and Q1 of 2022 to solve for the below use case.As a Jamf Admin, I want to issue a remote command for my macOS devices to update their OS, while also giving them the option to defer the OS update so that their critical workflows aren’t interrupted (ex. during a presentation), while also ensuring they stay up to dateExample mass action/remote command workflows moving forward:(Existing) Admins can issue a remote command to a set of devices to download and install to an upgraded version of macOS ASAP, restarting end-user machines as necessary(Existing) Admins can issue a remote command to a set of devices to download to an upgraded version of macOS and notify the end user(Upcoming, net new) Admins can issue a remote command to a set of devices to download to an upgraded version of macOS and notify the end user, and input a MaxUserDeferrals integer between 1-90, which will allow the end users to snooze a software between 1-90 daysPotential future functionality:Ability to issue these commands via APIAbility to schedule these commandsAbility to issue these commands via policyWe are actively developing this and will be able to communicate a timeline once we are able to determine which Beta release it is planned for.Please feel free to offer up and questions, comments, or feedback here, thanks!Eric SkinnerJamf Pro Product Owner

Question

Managed Software Updates - using deferrals via a mass action

Forum|Forum|4 years ago
October 25, 2021
38 replies
351 views

eric_skinner
Employee

Hi all,

Wanted to share that we are actively developing to implement deferrals in an upcoming beta release of Jamf Pro, targeting between Q4 of 2021 and Q1 of 2022 to solve for the below use case.

As a Jamf Admin, I want to issue a remote command for my macOS devices to update their OS, while also giving them the option to defer the OS update so that their critical workflows aren’t interrupted (ex. during a presentation), while also ensuring they stay up to date

Example mass action/remote command workflows moving forward:

(Existing) Admins can issue a remote command to a set of devices to download and install to an upgraded version of macOS ASAP, restarting end-user machines as necessary
(Existing) Admins can issue a remote command to a set of devices to download to an upgraded version of macOS and notify the end user
(Upcoming, net new) Admins can issue a remote command to a set of devices to download to an upgraded version of macOS and notify the end user, and input a MaxUserDeferrals integer between 1-90, which will allow the end users to snooze a software between 1-90 days
Potential future functionality:
- Ability to issue these commands via API
- Ability to schedule these commands
- Ability to issue these commands via policy

We are actively developing this and will be able to communicate a timeline once we are able to determine which Beta release it is planned for.

Please feel free to offer up and questions, comments, or feedback here, thanks!

Eric Skinner

Jamf Pro Product Owner

Show first post

Forum|pagination.label 2 / 2

stutz
Contributor
Forum|Forum|3 years ago
March 25, 2022

How will this new feature fix the popup window a user sees that requires them to enter an administrator username/password to reboot the machine when this remote command is used? If that isn't resolved not sure how useful policy integration with remote commands to upgrade machines is going to be.

eric_skinner
Author
Employee
Forum|Forum|3 years ago
March 25, 2022

Hi @stutz,

If a bootstrap token is properly escrowed for devices requesting an upgrade, the command should succeed without the need for username/password.

Here's some more information on BSTs. If you're still encountering the issue, it may be worth opening up a support ticket to dig deeper.
https://docs.jamf.com/technical-articles/Manually_Leveraging_Apples_Bootstrap_Token_Functionality.html

Eric Skinner

stutz
Contributor
Forum|Forum|3 years ago
March 28, 2022

Yes the bootstrap token is properly escrowed and still get prompted for each of the 3 update options:

Download the update for users to install

Download and allow macOS to install later

Download and install the update, and restart computers after installation

RobertPetrie
New Contributor
Forum|Forum|3 years ago
May 17, 2022

I'm testing some API workflows at the moment and i have one for triggering the EraseDevice MDM command to rebuild a Mac quickly:

#!/bin/bash

########################################################################################################
# SET SCRIPT VARIABLES

#Set the JamfURL variable to your Jamf server URL
JamfURL=$(echo "mycompany.jamfcloud.com")

# Decode the base64 hash of the API username stored in $4 in the Jamf script
$APIusername=$(echo "$4" | base64 -D)

# Decode the base64 hash of the $APIusername password stored in $5 in the Jamf script
$PASSWORD=$(echo "$5" | base64 -D)

# Get computer serial number.
SerialNumber=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')
echo "Serial Number = $SerialNumber"

#Get Computer ID from Jamf.
ComputerID=$(curl -u $APIusername:$PASSWORD https://$JamfURL/JSSResource/computers/serialnumber/$SerialNumber/subset/general -sk -H "accept: text/xml" | xmllint --xpath "/computer/general/id/text()" -)
echo "Computer ID = $ComputerID"

########################################################################################################
# USE THE JAMF API TO SEND MDM COMMANDS to $ComputerID 


# Push EraseDevice command to Computer ID with passcode 123456 
/usr/bin/curl --silent --show-error --connect-timeout 30 --request POST --user $APIusername:$PASSWORD "https://$JamfURL/JSSResource/computercommands/command/EraseDevice/passcode/123456/id/$ComputerID"

Does anyone know if there is an MDM command that will perform a major software update like Big Sur to Monterey? Or do all of the software update MDM commands listed here (https://support.apple.com/en-gb/guide/deployment/depc4c80847a/web) only apply to minor software and security updates?

I haven't come across a Jamf API / MDM command way to do OS Upgrades yet but if anyone has any ideas that'd be great. The only possible scenario i can think of is using the API to do the following:

- Grab the computer name

- Create a static group with the computer name

- Do a mass action on the static group to upgrade the OS

- Delete the static group

I'll try and get this working in the mean time. Surely it should be simpler than this though. :)

+14

bwoods
Honored Contributor
Forum|Forum|3 years ago
May 17, 2022

I'm testing some API workflows at the moment and i have one for triggering the EraseDevice MDM command to rebuild a Mac quickly:

#!/bin/bash

########################################################################################################
# SET SCRIPT VARIABLES

#Set the JamfURL variable to your Jamf server URL
JamfURL=$(echo "mycompany.jamfcloud.com")

# Decode the base64 hash of the API username stored in $4 in the Jamf script
$APIusername=$(echo "$4" | base64 -D)

# Decode the base64 hash of the $APIusername password stored in $5 in the Jamf script
$PASSWORD=$(echo "$5" | base64 -D)

# Get computer serial number.
SerialNumber=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')
echo "Serial Number = $SerialNumber"

#Get Computer ID from Jamf.
ComputerID=$(curl -u $APIusername:$PASSWORD https://$JamfURL/JSSResource/computers/serialnumber/$SerialNumber/subset/general -sk -H "accept: text/xml" | xmllint --xpath "/computer/general/id/text()" -)
echo "Computer ID = $ComputerID"

########################################################################################################
# USE THE JAMF API TO SEND MDM COMMANDS to $ComputerID 


# Push EraseDevice command to Computer ID with passcode 123456 
/usr/bin/curl --silent --show-error --connect-timeout 30 --request POST --user $APIusername:$PASSWORD "https://$JamfURL/JSSResource/computercommands/command/EraseDevice/passcode/123456/id/$ComputerID"

I haven't come across a Jamf API / MDM command way to do OS Upgrades yet but if anyone has any ideas that'd be great. The only possible scenario i can think of is using the API to do the following:

- Grab the computer name

- Create a static group with the computer name

- Do a mass action on the static group to upgrade the OS

- Delete the static group

I'll try and get this working in the mean time. Surely it should be simpler than this though. :)

My script should be able to upgrade a machine from BS to Monterey.

Force a Computer Restart to Install macOS Updates - Jamf Nation Community - 265982

RobertPetrie
New Contributor
Forum|Forum|3 years ago
May 24, 2022

Thanks for that, that was really helpful. It turns out my Apple Silicon device doesn't actually support Big Sur so i can't test the major version upgrade but when the next version of macOS comes out in Apple Seed i'll be able to confirm that it works. At the moment i have it working with interim updates/security patches so it should work in exactly that same way with the new OS. :)

+11

brunerd
New Contributor
Forum|Forum|3 years ago
August 22, 2022

FYI...

Earlier in the thread it was said:

Trying to be transparent as we can: Apple has informed us that this might not actually be deferral days as much as it will be deferral instances. A deferral instance being defined as a user clicking out of the update (e.g. install later, not now, etc.)

Well amazingly Apple documented this here (and it is for macOS 12 only)

MaxUserDeferrals - integer
The maximum number of times the system allows the user to postpone an update before it’s installed. The system prompts the user once a day.

I was wondering about the "devil in the details" on this one too! 👹

Mountain20
New Contributor
Forum|Forum|3 years ago
January 4, 2023

Hi @Daemonomicon, @Mountain20, and others,

Absolutely; we were able to deliver deferral functionality in 10.35.0
(see release notes section titled, "User Deferrals for macOS Software Updates")
https://docs.jamf.com/10.35.0/jamf-pro/release-notes/New_Features_and_Enhancements.html

We also addeed some endpoints in 10.36.0
(See release notes section titled, "Jamf Pro API Changes and Enhancements")
https://docs.jamf.com/10.36.0/jamf-pro/release-notes/New_Features_and_Enhancements.html

Further, we've added additional API enhancements in 10.37.
(See release notes sections titled "Manage macOS Software Updates via the Jamf Pro API" and "Jamf Pro API Changes and Enhancements")
https://docs.jamf.com/10.37.0/jamf-pro/release-notes/New_Features_and_Enhancements.html

To the questions around scheduling remote commands, yes this idea link is a good place to include votes, commentary, and feedback around scheduling managed software commands.
https://ideas.jamf.com/ideas/JN-I-15577

Thanks,

Eric Skinner

Just coming back here a year later to say this was helpful and thank you! Happy new year.

rweinstock
New Contributor
Forum|Forum|3 years ago
January 5, 2023

Hello, I am using the remote command (Update OS version and built-in apps) with the deferral option of 1 day, but unfortunately it's been several days and my test computer still will not update from macOS 13.0.1 to 13.1 as expected.

Every day, the system update notification does appear and I just click the X at the top left to dismiss it (as a typical user would do) hoping that eventually the update would install anyway. Meanwhile, it's been about 3-4 days and still nothing. I only sent the remote command once.

I do have a number of apps open and I did see one message saying that Microsoft Excel prevented the system from restarting (or something similar), but that was yesterday and today nothing at all.

I'm wondering what is the best and most reliable way to get these minor macOS updates installed.

xian
New Contributor
Forum|Forum|2 years ago
April 14, 2023

I had been getting 7109 errors indicating a duplicate command (even after clearing out all pending and failed commands beforehand). I was told by an Apple engineer that this was a known issue that was fixed in 13.3. I didn't see any reference to it in the release notes, but when attempting to update with three deferrals from 13.3 to 13.3.1, I’m seeing this strange entry which seems to indicate that the device considers 13.3 to be a newer version of macOS than 13.3.1:

2023-04-13 10:56:09-07 523QV045 SoftwareUpdateNotificationManager[1492]: Controller: Ignoring the latest MajorOSProduct:032-66588 because it's major/minor version:13.3.1 is not newer than your current major/minor version:13.3

On this device, OSUpdateStatus completes, ScheduleOSUpdate completes, AvailableOSUpdates completes, ScheduleOSUpdateScan completes, but OSUpdateStatus – Scheduled will permanently remain in pending without ever executing.

xian
New Contributor
Forum|Forum|2 years ago
April 14, 2023

Got an explanation of the above: the Mac discovered a full installer for a major upgrade, but because the major version matches the existing major version installed, there is no need to automatically download a Full Installer for the macOS major version it already has.

+26

AJPinto
Legendary Contributor
Forum|Forum|2 years ago
April 17, 2023

Just necroing a dead thread. We are on JAMF 10.45 now, and still no word on being able to schedule macOS updates or issue them with a policy.

Potential future functionality:
Ability to issue these commands via API
Ability to schedule these commands
Ability to issue these commands via policy

There have been lots of changes, and additions to JAMFs abilities, and still a few glaring gaps in the past 1.5 years. JAMF really needs to issue a new community post as to where they are with managing OS updates on macOS.

+17

jamf-42
Esteemed Contributor
Forum|Forum|2 years ago
April 26, 2023

Just necroing a dead thread. We are on JAMF 10.45 now, and still no word on being able to schedule macOS updates or issue them with a policy.

Potential future functionality:
Ability to issue these commands via API
Ability to schedule these commands
Ability to issue these commands via policy

bump.. can OP update please

Forum|pagination.label 2 / 2

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded