Management and Big Sur Security Updates

jschank
Contributor

Does ANYONE have a process to push out Big Sur Security Updates through Jamf?

I tried using Files and Processes within a Policy to no avail. Using Execute Command "softwareupdate -i -a -R" set to Recurring Check-In and then going to the client device and running sudo jamf policy. I see the command run but it hangs like it needs authentication.

I am tasked to enforce the Security Updates due to the latest vulnerabilities.

https://support.apple.com/en-us/HT212335

If anyone has a process please provide info. I would greatly appreciate it.


Ken_Bailey
New Contributor III

We are currently leveraging the command.
/usr/sbin/softwareupdate -i -a -R --force
It can take a bit as it then proceeds to download the software before actually kicking it off if it is not already downloaded.

nduplessis
New Contributor II

The UX of this is TERRIBLE.

There's absolutely no context for the user to understand what's happening. No matter how you slice this from an admin perspective, your user's Mac is either going to restart right from under them without any warning or you're displaying some shitty Jamf window with a message to defer, which quite frankly floods our support capacity with "Is this malware?!" requests.

Jamf really needs to up their game here

user-uVIrofrYAp
New Contributor

This mechanism also protects against failed system updates, whose Seal won't match the During early startup, macOS Big Sur checks the Seal on the system. by Apple, and their installation and control is managed by their companion app.


thomas_moser
New Contributor III

We currently use the script from bp88: https://github.com/bp88/JSS-Scripts/blob/master/AppleSoftwareUpdate.sh

And it works fine for us; of course you may have to tell your users that there is some manual labor from their side too, since Big Sur/M1 devices are available, to make it work.

Also he has written a nice blog about his new script for Updates over Jamf (a new one, not the above mentioned): https://babodee.wordpress.com/2021/03/30/handling-major-upgrades-and-minor-updates-for-macos-with-jamf/
Maybe this is something you can try

Matt_Ellis
Contributor II

@thomas.moser Do you use that script for only minor updates? I'm trying to find something I can use that will nag my users to run the updates that only cares about minor updates, not whole macOS upgrades. That works on Catalina, Big Sur, and M1s. I will have all my users just use software updates.

mschroder
Valued Contributor

@thomas.moser I tried that script and it appears to work for minor updates of pre-Big Sur Macs, but on Big Sur if the user does nothing in the end it will just download the installer, do a reboot - but does not install the update :(

How did you get it to work?

k3vmo
Contributor II

Dying to know the above as well ... I'm having the most challenging time getting any method to start the install ...

tcandela
Valued Contributor II

has anyone tried a configuration profile with just the 'software update' payload configured?

if so, if the 'software update server' is left blank does it default to Apple?

also, what happens if a user is logged in and an update kicks off? does the user get interrupted with a possible 'restart' out of nowhere?

tcandela
Valued Contributor II

anyone get a policy to successfully install the Big Sur updates when they come out? 

11.6 is now the new update for Big Sur - has anyone gotten a policy that installs this?