Managed Software Updates - using deferrals via a mass action
Posted on 10-25-2021 01:23 PM
Hi all,
Wanted to share that we are actively developing to implement deferrals in an upcoming beta release of Jamf Pro, targeting between Q4 of 2021 and Q1 of 2022 to solve for the below use case.
As a Jamf Admin, I want to issue a remote command for my macOS devices to update their OS, while also giving them the option to defer the OS update so that their critical workflows aren’t interrupted (ex. during a presentation), while also ensuring they stay up to date
Example mass action/remote command workflows moving forward:
- (Existing) Admins can issue a remote command to a set of devices to download and install to an upgraded version of macOS ASAP, restarting end-user machines as necessary
- (Existing) Admins can issue a remote command to a set of devices to download to an upgraded version of macOS and notify the end user
- (Upcoming, net new) Admins can issue a remote command to a set of devices to download to an upgraded version of macOS and notify the end user, and input a MaxUserDeferrals integer between 1-90, which will allow the end users to snooze a software between 1-90 days
- Potential future functionality:
  - Ability to issue these commands via API
  - Ability to schedule these commands
  - Ability to issue these commands via policy
We are actively developing this and will be able to communicate a timeline once we are able to determine which Beta release it is planned for.
Please feel free to offer up any questions, comments, or feedback here, thanks!
Eric Skinner
Jamf Pro Product Owner
Posted on 10-25-2021 01:32 PM
Definitely like the sound of issuing these via a policy! Looking forward to this!
Posted on 10-25-2021 01:55 PM
The ability to schedule MDM commands would be extremely useful. Not only for the new software deferral MDM commands but also the existing remote lock/wipe commands. https://ideas.jamf.com/ideas/JN-I-15577
Posted on 10-26-2021 04:41 AM
Yup, agree with the others. Really looking forward to this!!
Posted on 10-29-2021 05:26 AM
While yes, deferrals are important, I am mainly concerned about actually being able to force OS updates. installASAP is great and all when nothing suppresses reboots. MaxUserDeferrals automatically switches to InstallForceRestart once the deferrals are exceeded, if I understand this correctly. So if MaxUserDeferrals works as expected we may finally have a way to force OS updates. ReallyInstallForceRestart should have been added when macOS added support for it and let us admins decide if the data loss risk was worth it to use; JAMF should not have made this decision for us.
Either way this is good news to be sure. Not being able to manage OS updates is now really the only remaining issue preventing us from deploying Apple Silicon macs. At least we have a roadmap for this now.
Posted on 10-29-2021 07:57 AM
Hey @AJPinto,
Depending on what you're looking for, there is some level of functionality around the installForceRestart today (see "Download and Install the update, and restart computers after installation").
You might already be aware of this, and I recognize it's totally possible there are nuances or limitations that do not work with your workflows that I'd love to hear about: though I'll err on the side of over-communication:
If you have additional questions or clarifications, reach out to Jamf support https://www.jamf.com/support/jamf-pro
Thanks,
Eric
Posted on 10-29-2021 05:53 AM
Eric, we are really looking forward to this! 👍
We are still missing a convenient and working way to force macOS updates. With macOS 10.11 (!) Apple introduced InstallLater and InstallForceRestart which we are waiting for so long now. We hope these two options get implemented in one of the next Jamf Pro releases.
About 80 % to 90 % of our users do updates / upgrades but some don't and forcing it makes it way easier.
Posted on 10-29-2021 07:58 AM
Hey @j_meister,
Echoing what I shared with a different reply:
Depending on what you're looking for, there is some level of functionality around the installForceRestart today (see "Download and Install the update, and restart computers after installation").
You might already be aware of this, and I recognize it's totally possible there are nuances or limitations that do not work with your workflows that I'd love to hear about: though I'll err on the side of over-communication:
If you have additional questions or clarifications, reach out to Jamf support https://www.jamf.com/support/jamf-pro
Thanks,
Eric
Posted on 10-29-2021 08:52 AM
Unfortunately even this workflow is not very reliable. Macs won't download the updates if they don't have enough disk space, and you get no confirmation on this one way or the other.
I am not sure if external reboots will cause OS updates to install if they are downloaded. I think the function of downloading updates is to allow the users to install, or to use the installASAP command down the road. With installASAP if anything prevents a reboot (like terminal pinging something) the command just fails. There is no way to use installASAP to FORCE updates; if the Mac cannot gracefully shut down, installASAP simply will not install updates. Again you get no notification or logging.
JAMF is not using the MDM command that lets you see the status of OS updates. For example there is an MDM command that returns if updates are downloading, cached, pending install, etc. I forget the MDM command's key at the moment and I am on my iPad right now :(.
I suppose to be simple: we should not be having to dance around JAMF's limited support of Apple MDM commands to manage updates, which are between 1-5 years old at this point depending on the command.
We certainly appear to be on the right path now thankfully.
Posted on 10-29-2021 08:38 AM
Hey @eric_skinner ,
thanks for your reply. The "Download and install the update, and restart computers after installation" feature works in most cases, that's right. I would just wish to have a feature to enforce the updates on the rest of the machines and hope/think InstallForceRestart should achieve this.
Thanks again,
Johann
Posted on 11-09-2021 12:31 PM
Will the MaxUserDeferrals option only be available on macOS Monterey? Or is this something that can be implemented with Big Sur as well?
Posted on 11-10-2021 07:46 AM
Hey @Daemonomicon,
MaxUserDeferrals is a parameter that Apple has for Monterey and forward, so it is not available for Big Sur.
Posted on 11-15-2021 08:10 AM
Hi All,
Trying to be transparent as we can: Apple has informed us that this might not actually be deferral days as much as it will be deferral instances. A deferral instance being defined as a user clicking out of the update (e.g. install later, not now, etc.)
We'll still be able to send the command with a deferral integer (e.g. end users can defer 7 times). That said, after the command is issued and the deferral set, Apple manages all of those communications and notifications to the end user. We're seeking some clarification, though it appears that it may rely on the end user clicking to defer, rather than days.
Eric Skinner
Jamf Pro Product Owner
Posted on 11-15-2021 08:20 AM
Hi Eric,
thank you for this information.
Johann
Posted on 11-17-2021 08:12 AM
@eric_skinner thanks for sharing this update with us! It sounds like it is certainly a step in the right direction for us to admin our Mac machines and keep them patched.
My main priority in my job is Windows machines, and for that we use SCCM currently. I'm not sure if you have any experience or knowledge, but it would be helpful to have some controls like it offers on the Macs through Jamf as well. For example, it would be great to say "start installing this OS upgrade at 11:00pm tonight (after classes end) and if the machines need to restart, do the restart automatically between now and 6:00am." However, if the update gets to the point of needing a restart after 6:00am, notify the user that a restart is required in the next x number of hours. We normally allow our users to defer it through the next work day and then require it to happen after.
Also, the ability to schedule updates to happen at a certain time would be very helpful. For example, I want to configure the updates during my normal 8-5 type day, but not have them run until overnight in our "maintenance window" as SCCM refers to it. Will these changes only affect some/newer OS versions? We currently have many different OS instances and I am starting from the ground up with how to address updates for them.
Hopefully future updates on this will be posted soon. Looking forward to it!
Thanks!
Posted on 11-17-2021 04:13 PM
@eric_skinner While we're at it, can we get an "Update OS" Management command button (for a single device, obviously) in the Management tab for both iOS and macOS?
Posted on 11-18-2021 03:23 AM
That would be awesome, I miss such a button often.
Posted on 11-18-2021 03:51 AM
Looking forward to seeing this added soon!
Posted on 11-18-2021 09:13 AM
Very interested in this. I'm excited about the possibility of the max deferrals being a reality on Mass Action, API, and policies. Having lots of headaches with our updates here.
Posted on 01-25-2022 06:43 AM
We finally got user deferral with 10.35 via mass action. Is there any word on when we can get a policy to wrap this in?
Is there any discussion in adding these newer keys to the inventory record? It seems kinda strange that I have to do mass action if I need to update a one off device. Logging is also horrible for these MDM commands right now.
01-25-2022 11:37 AM - edited 01-25-2022 11:53 AM
@eric_skinner I have a simple API command that will run the download and install management command, but it seems to take the computer anywhere between 20 minutes to an hour to actually update. Do you have any suggestions to improve this workflow? Would the "installForceRestart" action work better? I'm using this with a user interaction policy to deploy updates.
```bash
apiUsername="apiaccount"
apiPassword="apipassword"
jamfProURL="https://yourorg.jamfcloud.com"
# Serial number of the Mac running the script
macSerial=$(system_profiler SPHardwareDataType | awk '/Serial Number/{print $4}')
# Look up the Jamf Pro computer ID for that serial number
jamfProCompID=$(curl -s -u "$apiUsername:$apiPassword" -H "Accept: text/xml" "$jamfProURL/JSSResource/computers/serialnumber/$macSerial" | xmllint --xpath '/computer/general/id/text()' -)
# Send the ScheduleOSUpdate (install) command to that computer
/usr/bin/curl -s -X POST -H "Content-Type: text/xml" -u "${apiUsername}:${apiPassword}" "${jamfProURL}/JSSResource/computercommands/command/ScheduleOSUpdate/action/install/id/${jamfProCompID}"
```
Posted on 03-22-2022 12:52 PM
Hi @bwoods,
Nothing jumps out on the script or Jamf side of things you could do differently. That does seem in the acceptable range of time we experienced with testing as well.
For additional context, Jamf issues the command to begin the update process, though after issuing the command and it has been received, Apple handles the update, installation, and updating process -- so we're fairly removed from that point on.
Certainly if an updated command failed for some reason, you could re-issue it, though that's the extent to what Jamf can help with.
03-22-2022 03:06 PM - edited 03-22-2022 03:07 PM
No problem. Thanks for the info.
Posted on 03-18-2022 05:06 PM
Does it help if this is upvoted here https://ideas.jamf.com/ideas/JN-I-15577 ?
We're going on almost an entire year since InstallLater and MaxUserDeferrals key was announced at WWDC21.
Posted on 03-22-2022 11:18 AM
Do we have a timeline on this? Q1 of 2022 is about to end and this thread has been fairly quiet.
Posted on 03-22-2022 12:54 PM
Hi @Daemonomicon, @Mountain20, and others,
Absolutely; we were able to deliver deferral functionality in 10.35.0
(see release notes section titled, "User Deferrals for macOS Software Updates")
https://docs.jamf.com/10.35.0/jamf-pro/release-notes/New_Features_and_Enhancements.html
We also added some endpoints in 10.36.0
(See release notes section titled, "Jamf Pro API Changes and Enhancements")
https://docs.jamf.com/10.36.0/jamf-pro/release-notes/New_Features_and_Enhancements.html
Further, we've added additional API enhancements in 10.37.
(See release notes sections titled "Manage macOS Software Updates via the Jamf Pro API" and "Jamf Pro API Changes and Enhancements")
https://docs.jamf.com/10.37.0/jamf-pro/release-notes/New_Features_and_Enhancements.html
To the questions around scheduling remote commands, yes this idea link is a good place to include votes, commentary, and feedback around scheduling managed software commands.
https://ideas.jamf.com/ideas/JN-I-15577
Thanks,
Eric Skinner
Posted on 01-03-2023 07:34 PM
Just coming back here a year later to say this was helpful and thank you! Happy new year.
03-25-2022 11:24 AM - edited 03-25-2022 11:27 AM
How will this new feature fix the popup window a user sees that requires them to enter an administrator username/password to reboot the machine when this remote command is used? If that isn't resolved not sure how useful policy integration with remote commands to upgrade machines is going to be.
Posted on 03-25-2022 11:42 AM
Hi @stutz,
If a bootstrap token is properly escrowed for devices requesting an upgrade, the command should succeed without the need for username/password.
Here's some more information on BSTs. If you're still encountering the issue, it may be worth opening up a support ticket to dig deeper.
https://docs.jamf.com/technical-articles/Manually_Leveraging_Apples_Bootstrap_Token_Functionality.ht...
Eric Skinner
03-28-2022 03:33 AM - edited 03-28-2022 03:58 AM
Yes the bootstrap token is properly escrowed and still get prompted for each of the 3 update options:
05-17-2022 08:55 AM - edited 05-17-2022 08:57 AM
I'm testing some API workflows at the moment and I have one for triggering the EraseDevice MDM command to rebuild a Mac quickly:
```bash
#!/bin/bash
########################################################################################################
# SET SCRIPT VARIABLES
# Set the JamfURL variable to your Jamf server URL
JamfURL="mycompany.jamfcloud.com"
# Decode the base64-encoded API username passed as parameter $4 of the Jamf script
APIusername=$(echo "$4" | base64 -D)
# Decode the base64-encoded password for $APIusername passed as parameter $5 of the Jamf script
PASSWORD=$(echo "$5" | base64 -D)
# Get computer serial number.
SerialNumber=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')
echo "Serial Number = $SerialNumber"
# Get Computer ID from Jamf (TLS certificate verification left enabled).
ComputerID=$(curl -u "$APIusername:$PASSWORD" "https://$JamfURL/JSSResource/computers/serialnumber/$SerialNumber/subset/general" -s -H "accept: text/xml" | xmllint --xpath "/computer/general/id/text()" -)
echo "Computer ID = $ComputerID"
########################################################################################################
# USE THE JAMF API TO SEND MDM COMMANDS to $ComputerID
# Push EraseDevice command to Computer ID with passcode 123456
/usr/bin/curl --silent --show-error --connect-timeout 30 --request POST --user "$APIusername:$PASSWORD" "https://$JamfURL/JSSResource/computercommands/command/EraseDevice/passcode/123456/id/$ComputerID"
```
Does anyone know if there is an MDM command that will perform a major software update like Big Sur to Monterey? Or do all of the software update MDM commands listed here (https://support.apple.com/en-gb/guide/deployment/depc4c80847a/web) only apply to minor software and security updates?
I haven't come across a Jamf API / MDM command way to do OS Upgrades yet but if anyone has any ideas that'd be great. The only possible scenario I can think of is using the API to do the following:
- Grab the computer name
- Create a static group with the computer name
- Do a mass action on the static group to upgrade the OS
- Delete the static group
I'll try and get this working in the meantime. Surely it should be simpler than this though. :)
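Both API scripts in this thread hand the API account to curl with `-u`/`--user` on the command line, where it can show up in the process list of the Mac running the script, and both splice the looked-up computer ID into the command URL unchecked. The following is an added example (not code from any poster or from Jamf) of the ScheduleOSUpdate call from the earlier post with the credentials fed to curl on stdin and the lookup result validated first; `JAMF_URL`, `API_USER`, `API_PASS` and all function names are assumptions.

```bash
#!/bin/bash
# Added example: ScheduleOSUpdate via the Classic API path used in this thread.
# JAMF_URL, API_USER, API_PASS and every function name here are assumptions.

# A Jamf computer ID must be a positive integer; rejects empty or error output.
is_valid_id() {
  case "$1" in
    ''|0*|*[!0-9]*) return 1 ;;
  esac
  return 0
}

# Serial numbers are plain alphanumerics; anything else stays out of the URL.
is_valid_serial() {
  case "$1" in
    ''|*[!A-Za-z0-9]*) return 1 ;;
  esac
  return 0
}

# Emit a curl config line carrying the credentials. Piped to `curl --config -`,
# it keeps user:password out of the process argument list.
curl_auth_config() {
  # Escape backslashes first, then double quotes, for curl's quoted config values.
  cred=$(printf '%s\n' "$1:$2" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
  printf 'user = "%s"\n' "$cred"
}

# Build the command URL: HTTPS only, and only for a validated computer ID.
command_url() {
  case "$1" in
    https://*) ;;
    *) return 1 ;;
  esac
  is_valid_id "$2" || return 1
  printf '%s/JSSResource/computercommands/command/ScheduleOSUpdate/action/install/id/%s\n' \
    "${1%/}" "$2"
}

send_update() {
  # Refuse to run without the three settings.
  : "${JAMF_URL:?}" "${API_USER:?}" "${API_PASS:?}"

  serial=$(system_profiler SPHardwareDataType | awk '/Serial Number/{print $4}')
  is_valid_serial "$serial" || { echo "unexpected serial: '$serial'" >&2; return 1; }

  # --fail turns an HTTP error (bad credentials, unknown serial) into a
  # non-zero exit instead of an error page being parsed as XML.
  id=$(curl_auth_config "$API_USER" "$API_PASS" |
       curl -sS --fail --config - -H "Accept: text/xml" \
         "${JAMF_URL%/}/JSSResource/computers/serialnumber/$serial" |
       xmllint --xpath '/computer/general/id/text()' -)
  is_valid_id "$id" || { echo "lookup did not return a computer ID" >&2; return 1; }

  url=$(command_url "$JAMF_URL" "$id") || { echo "refusing non-HTTPS URL" >&2; return 1; }
  curl_auth_config "$API_USER" "$API_PASS" |
    curl -sS --fail --config - -X POST -H "Content-Type: text/xml" "$url"
}

# Contacts the server only when asked to explicitly.
if [ "${1:-}" = "--send" ]; then
  send_update
fi
```

Without `--send` the file only defines the functions, so it can be sourced and checked before it is pointed at a server.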
05-17-2022 08:58 AM - edited 05-17-2022 09:01 AM
My script should be able to upgrade a machine from BS to Monterey.
Force a Computer Restart to Install macOS Updates - Jamf Nation Community - 265982
Posted on 05-24-2022 07:13 AM
Thanks for that, that was really helpful. It turns out my Apple Silicon device doesn't actually support Big Sur so I can't test the major version upgrade but when the next version of macOS comes out in Apple Seed I'll be able to confirm that it works. At the moment I have it working with interim updates/security patches so it should work in exactly that same way with the new OS. :)
08-22-2022 09:37 AM - edited 08-22-2022 09:38 AM
FYI...
Earlier in the thread it was said:
Trying to be transparent as we can: Apple has informed us that this might not actually be deferral days as much as it will be deferral instances. A deferral instance being defined as a user clicking out of the update (e.g. install later, not now, etc.)
Well amazingly Apple documented this here (and it is for macOS 12 only)
MaxUserDeferrals - integer: The maximum number of times the system allows the user to postpone an update before it’s installed. The system prompts the user once a day.
I was wondering about the "devil in the details" on this one too! 👹
01-05-2023 09:41 AM - edited 01-05-2023 09:47 AM
Hello, I am using the remote command (Update OS version and built-in apps) with the deferral option of 1 day, but unfortunately it's been several days and my test computer still will not update from macOS 13.0.1 to 13.1 as expected.
Every day, the system update notification does appear and I just click the X at the top left to dismiss it (as a typical user would do) hoping that eventually the update would install anyway. Meanwhile, it's been about 3-4 days and still nothing. I only sent the remote command once.
I do have a number of apps open and I did see one message saying that Microsoft Excel prevented the system from restarting (or something similar), but that was yesterday and today nothing at all.
I'm wondering what is the best and most reliable way to get these minor macOS updates installed.
Posted on 04-14-2023 01:49 PM
I had been getting 7109 errors indicating a duplicate command (even after clearing out all pending and failed commands beforehand). I was told by an Apple engineer that this was a known issue that was fixed in 13.3. I didn't see any reference to it in the release notes, but when attempting to update with three deferrals from 13.3 to 13.3.1, I’m seeing this strange entry which seems to indicate that the device considers 13.3 to be a newer version of macOS than 13.3.1:
2023-04-13 10:56:09-07 523QV045 SoftwareUpdateNotificationManager[1492]: Controller: Ignoring the latest MajorOSProduct:032-66588 because it's major/minor version:13.3.1 is not newer than your current major/minor version:13.3
On this device, OSUpdateStatus completes, ScheduleOSUpdate completes, AvailableOSUpdates completes, ScheduleOSUpdateScan completes, but OSUpdateStatus – Scheduled will permanently remain in pending without ever executing.
Posted on 04-14-2023 02:31 PM
Got an explanation of the above: the Mac discovered a full installer for a major upgrade, but because the major version matches the existing major version installed, there is no need to automatically download a Full Installer for the macOS major version it already has.
Posted on 04-17-2023 07:59 AM
Just necroing a dead thread. We are on JAMF 10.45 now, and still no word on being able to schedule macOS updates or issue them with a policy.
- Potential future functionality:
  - Ability to issue these commands via API
  - Ability to schedule these commands
  - Ability to issue these commands via policy
There have been lots of changes, and additions to JAMF's abilities, and still a few glaring gaps in the past 1.5 years. JAMF really needs to issue a new community post as to where they are with managing OS updates on macOS.
Posted on 04-26-2023 10:26 AM
bump.. can OP update please