Mass Update Operating System Not Working

OfficeReady23
New Contributor

Hi All,

Apologies here, I am new to JAMF Pro, so forgive me if I have missed something obvious:

I have followed this guide here:

https://trainingcatalog.jamf.com/update-macos-1/372407

This is about doing a mass update of the OS. I have followed all the guides and documents under Remote Commands - Update OS version and built-in apps - Target version - latest version based on device eligibility - download and install the update, and restart computers after installation.

Is this not supposed to then update the computer automatically? Without the user's interaction?

Looked into this as well and followed this but still nothing.

https://resources.jamf.com/documents/technical-papers/Deploying-macOS-Upgrades-with-Jamf-Pro.pdf

Thanks

9 REPLIES

AJPinto
Honored Contributor II

What are the MDM responses your devices are giving? Have you checked the install.log on any of the Macs to see what it may be reporting?

  • JAMF must have a bootstrap token escrowed to be able to update Apple Silicon devices.
  • Devices need to be enrolled with PreStage for mass action (MDM OS Update) commands to work.
  • Deferred OS updates will still be deferred with MDM update commands.

On a side note, JAMF really needs to update that training video. That is 5 years out of date now. Any information for using the softwareupdate binary, or any policies for OS updates is no longer relevant. The SoftwareUpdate Binary won't work on Apple Silicon Macs, you also can't use custom OS update servers anymore.

I prefer to specify the update I want devices to install. 

If you need or want to use the update to Latest version based on device eligibility make sure to check the box Include major updates, if available.

jamf-42
Valued Contributor

Has something changed here, cos the JAMF docs say remote update MDM commands override deferral settings? From my testing this is still the case?

"Deferred OS updates will still be deferred with MDM update commands"

kbreed27
Contributor

I just recently went down a rabbit hole on this very issue. If you're on M1 computers and they haven't had the MDM bootstrap token escrowed to them, the MDM command to silently install updates flat out won't work.

You can check a machine's bootstrap token status with the following command:

sudo profiles status -type bootstraptoken

To fix this going forward, I have my very first policy that runs at enrollment create a new local admin account, delete the admin account that was created by the pre-stage enrollment, and then run a script to escrow the bootstrap token. For better or worse, this assures that every account that logs into the machine gets the secure token on login (hopefully this doesn't bite me in the ass later). I am not finding an easy way to fix the 500 or so m1 machines in my org that don't have a boot strap token because I'm not sure who has the secure token unless I research on a case-by-case basis. 

I'm still pretty new to this whole thing (9 months) and I am the most senior level JAMF person in my org because everyone else got fired or quit. 
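
For the fleet-wide question raised in the post above (which Macs lack an escrowed bootstrap token, and which local accounts hold a secure token), one option is a script in the style of a Jamf extension attribute. This is an added example, not code from the thread or from Jamf; the function names are hypothetical, and it assumes `profiles` and `sysadminctl` print lines in the form shown in the constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread). Parsers are kept separate from the
# macOS calls so they can be exercised on the constructed samples below.

# stdin:  output of `profiles status -type bootstraptoken`
# stdout: escrowed | supported-not-escrowed | unsupported | unknown
bootstrap_state() {
    awk -F': ' '
        { sub(/[ \t\r]+$/, "") }
        /Bootstrap Token supported on server/ { sup = $NF }
        /Bootstrap Token escrowed to server/  { esc = $NF }
        END {
            if (esc == "YES")      print "escrowed"
            else if (sup == "YES") print "supported-not-escrowed"
            else if (sup == "NO")  print "unsupported"
            else                   print "unknown"
        }'
}

# stdin:  concatenated output of `sysadminctl -secureTokenStatus <user>`
# stdout: comma-separated users whose secure token is ENABLED
token_holders() {
    awk '/Secure token is ENABLED for user/ { out = out (n++ ? "," : "") $NF }
         END { print out }'
}

# Constructed samples, modelled on the assumed output format.
SAMPLE_PROFILES='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'
SAMPLE_SYSADMINCTL='sysadminctl[100:200] Secure token is ENABLED for user localadmin
sysadminctl[100:200] Secure token is DISABLED for user jamfmanage
sysadminctl[100:200] Secure token is ENABLED for user jdoe'

# Live run on a Mac, as root (profiles needs it); skipped elsewhere.
if command -v profiles >/dev/null 2>&1 && command -v sysadminctl >/dev/null 2>&1; then
    state=$(profiles status -type bootstraptoken 2>&1 | bootstrap_state)
    holders=$(dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }' |
        while read -r u; do
            sysadminctl -secureTokenStatus "$u" 2>&1 </dev/null
        done | token_holders)
    echo "<result>bootstrap=$state; secure_token_users=${holders:-none}</result>"
fi
```

The `<result>` wrapper is the form Jamf Pro reads from extension attribute scripts, so the value can drive a smart group of Macs that still need a token escrowed.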

AJPinto
Honored Contributor II

Welcome to the world of raging at macOS Updates. Oh did I say raging at, I meant to say managing. 

hahah yes! It doesn't help that my predecessors used the JAMF management account for everything, which apparently really messes with how Boot Strap Tokens and Secure Tokens are assigned.

Sometimes Mac computers make me the saddest boy...

MattF-TX
New Contributor II

I'm running into the same exact issue - but it's also affecting our Intel Macs. After waiting a good 24 to 48 hours after having executed the remote update command from within Jamf, I manually log into the affected machines, and from within the Software Update interface it shows the download process as having stuck (usually pretty early like < 5%). I click on the "X" to stop the download, manually tell it to check for updates again, select the update, it then prompts me with the EULA which I select "agree", and everything proceeds fine after that. This behavior did not start for me until the Ventura 13.4 update back in mid-May. Again these are all Intel Macs.

jamf-42
Valued Contributor

"Software Update interface it shows the download process as having stuck" where are you seeing this info?

MattF-TX
New Contributor II

System Settings-->General-->Software Update

Once I sent the remote update command, I checked the computers the following day. The update download progress bar in System Settings-->General-->Software Update was only at approximately 5% completed, where it remained. At that point, I simply clicked on the little "X" to stop the download. I then rechecked for updates, the 13.4.1 update reappeared as available, I selected download, was presented with the EULA pop-up which I accepted, and the download started and completed fairly quickly, resulting in the computer rebooting and successfully installing the update.

It's worth noting rebooting computers, and re-sending the update command via Jamf was fruitless, and resulted in the same stuck downloading state.

I was able to remotely update the remaining Intel Macs using my trusty ARD along with the softwareupdate command.

This of course does not work for our Apple silicon Macs.

bcrockett
Contributor III

If you are new to mass macOS updates, my recommendation is to use the following tools:

Nudge, Erase Install, and Jamf Pro.

Nudge Post-install https://github.com/dan-snelson/Nudge-Post-install/wiki

Erase-install https://github.com/grahampugh/erase-install/wiki/6.-Use-in-Jamf-Pro

This is a link to a film that shows how I have automated this process using the tools above.

The mass action update workflow is not reliable IMO. The workflow above is.


Hope that helps.