Mass Update Operating System Not Working

New Contributor

Hi All,


 Apologies here I am new to JAMF Pro so forgive me if I have missed something obvious:

I have followed this guide here:

This is about doing a mass update of the OS. I have followed all the guides and document under Remote Commands - Update OS version and built in apps - Target version - latest version based on device eligibility - download and install the update, and restart computers after installation.

Is this not supposed to then update the computer automatically? Without the users interaction?

Looked into this as well and followed this but still nothing.



Honored Contributor

What are the MDM responses your devices are giving? Have you checked the install.log on any of the Macs to see what it may be reporting?

  • JAMF must have a bootstrap token escrowed to be able to update Apple Silicon devices.
  • Devices need to be enrolled with PreStage for mass action (MDM OS Update) commands to work.
  • Differed OS updates will still be deferred with MDM update commands. 


On a side note, JAMF really needs to update that training video. That is 5 years out of date now. Any information for using the softwareupdate binary, or any policies for OS updates is no longer relevant. The SoftwareUpdate Binary wont work on Apple Silicon Macs, you also cant use custom OS update servers anymore. 


I prefer to specify the update I want devices to install. 


If you need or want to use the update to Latest version based on device eligibility make sure to check the box Include major updates, if available.



New Contributor III

I've just recently went down a Rabbit Hole on this very issue. If your on M1 computers and they haven't had the MDM boot strap escrowed to them, the MDM command to silently install updates flat out won't work. 

You can check a machines bootstrap token status with the following command:

sudo profiles status -type bootstraptoken

To fix this going forward, I have my very first policy that runs at enrollment create a new local admin account, delete the admin account that was created by the pre-stage enrollment, and then run a script to escrow the bootstrap token. For better or worse, this assures that every account that logs into the machine gets the secure token on login (hopefully this doesn't bite me in the ass later). I am not finding an easy way to fix the 500 or so m1 machines in my org that don't have a boot strap token because I'm not sure who has the secure token unless I research on a case-by-case basis. 

I'm still pretty new to this whole thing (9 months) and I am the most senior level JAMF person in my org because everyone else got fired or quit. 

Honored Contributor

Welcome to the world of raging at macOS Updates. Oh did I say raging at, I meant to say managing. 

New Contributor III

hahah yes! It doesn't help that my predecessors used the JAMF management account for everything, which apparently really messes with how Boot Strap Tokens and Secure Tokens are assigned. 


Sometimes Mac computers make me the saddest boy...

Contributor II

If you are new to mas macOS updates my recommendation is to use the following tools:

 Nudge, Erase Install, and Jamf Pro.

Nudge Post-install



This is a link to a film that shows how I have automated this process using the tools above. 


The mass action update workflow is not reliable IMO.  The workflow above is. 


Hope that helps.