Microsoft Office for Mac 2019 AutoUpdate JAMF Trigger

Gennaro
New Contributor III

Hello, fellow Mac Systems Administrators,

I imagine a lot of you are here to see if this solution will work for the issues you've been having with AutoUpdating for Mac 2019. We've spent quite some time on it on and off, and I think we've come up with a solution that works well (at least in our environment).

First off I'd like to start by giving credit to the people who've contributed to this project:

  • @pbowden for creating resources and utilities and providing the tools and scripts to make this work, and for the countless hours of endless support given to the community.

  • Duper51, a fellow co-worker of mine, who helped immensely with the debugging and solution of this.

  • Carl Ashley for providing some useful documentation on viewing the MacOS TCC log to solve the PPPC violations that no one really knew were happening.

GitHub repo to our modified @pbowden script and MobileConfigs: https://github.com/GN/Microsoft-AutoUpdate-for-Mac-Jamf-Deployment

The problems:

  • With the release of macOS 10.14 (Mojave), there were a lot of security changes, namely PPPC restrictions, that prevented the command-line MSUpdate tool from communicating with the Microsoft AutoUpdate Daemon, and JAMF did not have the correct PPPC permissions to run and interact with everything that it needed to. @pbowden's MobileConfig seems not to have been updated to the latest security settings that we've determined JAMF and the AutoUpdate tools need. This is where we think most of the issues are occurring with people's deployments.

  • The old script MSUpdateHelper4JamfPro.sh provided by @pbowden (which is what we're currently using; we haven't tried the new one. We didn't realize a new one had been released, but what we have now works) calls to update the Microsoft AutoUpdater. For whatever reason this function was not working as intended/expected for us, so we shimmed in a function called "downloadMAU()", which downloads and installs the latest release of MAU into its standard location. This mitigates the issue(s) of not having the latest version of MAU and applications not updating because of it.

Please note: every time the script runs it will download and install the package. With a little bit of work it's definitely possible to check the currently installed version and compare it to the one that will be downloaded.

Update: We've updated it with some logic that checks the current version installed vs. the latest release from Microsoft, and if they don't match it'll download and install the latest release (we got un-lazy and made it work)!

We've created an updated script and a new PPPC MobileConfig which provides JAMF and the Microsoft AutoUpdate tools the permissions they need to run the AutoUpdate cycle. Everything we've made has been published in the provided GitHub repository; it should be a relatively simple plug-n-play solution. We've also added Microsoft ATP as a supported application for this script.

Installation Instructions:

  1. At a minimum, you will need the "PPPCPermissions.mobileconfig" imported to JAMF and scoped to your environment.

  2. To prevent users from updating and/or changing update settings, the "MSUpdateFullyManaged.mobileconfig" prevents front-end users from interacting directly with the Microsoft AutoUpdater application.

  3. The "MSUpdateHelper4JamfPro.sh" must be placed in a policy and scoped to the machines you wish to push automatic updates to.

  4. (Optional) - Change the "UPDATE_*" variables using "true" or "false" to determine which software(s) you'd like to update.

Note(s):

  • We've tested this on an outdated version of Microsoft Office back to 16.29
  • We've tested this on High Sierra, Mojave, and Catalina.

Lastly, I would like to say: Your mileage may vary, this is just a solution that we've come up with that works in our environment. Be sure to test any and everything in a non-production area to be sure nothing breaks.

I hope this helped someone or everyone!
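The "compare the installed MAU version with the latest release" logic described in the update above, written out as an added example. This is not the repo's downloadMAU() function; it only decides whether an install is needed, and it takes the latest version as a parameter rather than fetching it from Microsoft. The plist path is MAU's standard location; the function names are assumptions.

```shell
#!/bin/bash
# Added example (not the GitHub repo's code): decide whether Microsoft AutoUpdate
# needs (re)installing by comparing the installed bundle version with a known
# latest version. The latest version is passed in; no download is performed here.
MAU_PLIST="/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/Info.plist"

# Prints the installed MAU short version, or nothing when MAU is absent.
installed_mau_version() {
    /usr/bin/defaults read "$MAU_PLIST" CFBundleShortVersionString 2>/dev/null
}

# Compares dotted versions numerically, field by field (so 4.9 < 4.28).
# Returns 0 when $1 >= $2. Missing trailing fields count as 0.
version_ge() {
    local a="$1" b="$2" fa fb
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa="${a%%.*}"; fb="${b%%.*}"
        [ "$a" = "$fa" ] && a='' || a="${a#*.}"
        [ "$b" = "$fb" ] && b='' || b="${b#*.}"
        if [ "${fa:-0}" -gt "${fb:-0}" ]; then return 0; fi
        if [ "${fa:-0}" -lt "${fb:-0}" ]; then return 1; fi
    done
    return 0
}

# Prints "install" when the installed version is missing or older than the
# latest version $1, otherwise "current". $2 overrides the installed version
# (an empty $2 means "MAU not installed"); when $2 is unset it is read from disk.
mau_action() {
    local latest="$1" current="${2-$(installed_mau_version)}"
    if [ -z "$current" ] || ! version_ge "$current" "$latest"; then
        echo "install"
    else
        echo "current"
    fi
}

# Usage from a policy script: if [ "$(mau_action "$LATEST")" = install ]; then ... download ...; fi
```

Only the "install or not" decision is shown; the download and pkg install that follow are the part the repo's script already handles.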

supson
New Contributor III

Can this MSUpdateFullyManaged config profile replace the straightforward one I have been using below?

supson
New Contributor III

Answered my own question by picking apart the profile, looks like it has what I need to replace mine

SamuelHarvey
New Contributor

Will it be able to update while Office apps are currently open? Thanks

fredrik_virding
Contributor

Hi,

Has anyone had a problem with the policy not executing the script?

I have it scoped to a few test machines, and it just sits on pending. I can manually trigger it via the terminal on any of the Macs, but it just doesn't start.

Trigger is recurring check-in and every day for the sake of testing.

UPDATE: Managed to resolve it. Looked most likely like a delay. All is well.

danlaw777
Contributor III

I have 2 questions. With all of the different names MS has for all of their products, does this work for O365 subscriptions? Secondly, will the Office packages still need to be available through the Jamf Pro server, or will it grab the packages from the O365 portal?

robb1068
Contributor

@fredrik.virding same issue here. Seems to sit at "Pending" until the user logs out or restarts, then flips to Completed. When I ran a tail on the Jamf log, it looked like it was just sitting on running the policy.

Might need to make this a startup policy instead of recurring.

shaquir
Contributor III

I'd like to make mention that in Jamf Pro version 10.18, Jamf added native support for Microsoft preferences:

Some further documentation can be found here: Managing Microsoft Office Using Jamf Pro.

With Microsoft AutoUpdate, you can set a deadline for your apps to be updated: Set a deadline for updates from Microsoft AutoUpdate

You can configure Microsoft AutoUpdate so the apps will automatically be updated when they are closed. Users will be prompted to restart the app when it is downloaded and ready. If they exceed the deadline, users will see a prompt similar to the image below.

sdagley
Esteemed Contributor II

@danlaw777 This script installs updates to Office 2019 apps, either perpetual or O365 licensed, and it downloads the updates from the Microsoft CDN or your local MAU cache if you have one set up. The initial app installer download would need to come from your Jamf Pro distribution point (you could write a script to download from the Microsoft CDN and then install, but not recommended).

danlaw777
Contributor III

The apps are already on the machine, so if it's just the updates that are pulled from the MS CDN I should be all set.

sdagley
Esteemed Contributor II

@robb1068 More than likely you're running into the problem with the MAU daemon being perpetually busy so the script never finishes and hangs any policy calling it. This is why @pbowden wrote the MSUpdateTrigger.sh script which, among other things, will kill the MAU daemon before issuing a single msupdate command to update all Office 2019 apps at one shot.

robb1068
Contributor

@sdagley yes, I use the MSUpdateTrigger script for new enrollments and monthly updates, but set as a startup policy. Even with the line to kill the MAU daemon, the policy still hangs until restart if I have it set to recurring.

And I'm actually good with it being a startup process. I've never liked poking at Outlook, Word, etc. while the user was logged in and had them open. Our security group recently rolled out Defender ATP and wants that updated on an ongoing basis, so I'm trying to use some of the suggestions on this thread to just update Defender.

fredrik_virding
Contributor

Did get it all to work eventually.

Got a question, would it be possible to include Microsoft Teams in this script?

danlaw777
Contributor III

I am getting this error when trying to install the PPPCPermissions.mobileconfig

Script result: /Library/Application Support/JAMF/tmp/MS Office Autoupdate: line 1: syntax error near unexpected token `<'
/Library/Application Support/JAMF/tmp/MS Office Autoupdate: line 1: `<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'

Any ideas? Or am I just a moron?

SamuelHarvey
New Contributor

@danlaw I think it's telling you that `<' shouldn't be there

fredrik_virding
Contributor

Hi! Pinging this thread again!

Anyone got a solution for getting Microsoft Teams into this script?

JamfMyMac
Contributor

@shaquir Hey Bud!! can you give me some insight on how you are accomplishing that?
Thank you!! Need some help!!

LovelessinSEA
Contributor II

@sdagley or anyone, can you tell me how to use that MSUpdateTrigger.sh script to download and install specific builds of the apps? I'm usually always a few versions behind in our environment due to testing. I see the older script has the ability baked in to change to the specific build. Can it be done with the new script? Or am I completely missing something?

sdagley
Esteemed Contributor II

@LovelessinSEA You can specify a target version by adding --version xx.yy.YYMMDDXX to the call to the msupdate tool on line 113 of MSUpdateTrigger.sh (that's line 113 of the 2020-06-03 version of the script).

So if you wanted to install version 16.40.20081000 the line would be:

    ${CMD_PREFIX}/Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app/Contents/MacOS/msupdate --install --apps $1 --version 16.40.20081000 --wait 600 2>/dev/null

(You could change the script to accept an optional parameter with a desired version)
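The optional-parameter idea just mentioned, as an added example that is not part of MSUpdateTrigger.sh or any Microsoft tool. It validates that the requested build is in the xx.yy.YYMMDDXX form before it ever reaches msupdate, so a typo fails loudly in the policy log instead of silently installing whatever MAU considers current. The msupdate path is MAU's standard one; the function names are assumptions.

```shell
#!/bin/bash
# Added example (not pbowden's script): build the msupdate call with an optional
# pinned build, validating the version string first.
MSUPDATE="/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate"

# Returns 0 when $1 matches the MAU build format xx.yy.YYMMDDXX (e.g. 16.40.20081000).
valid_mau_version() {
    case "$1" in
        [0-9][0-9].[0-9][0-9].[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the msupdate arguments, one per line, for app ID $1 and optional version $2.
# Returns 2 on a missing app ID or a malformed version.
build_msupdate_args() {
    local app_id="$1" version="${2:-}"
    if [ -z "$app_id" ]; then
        echo "usage: build_msupdate_args APPID [VERSION]" >&2
        return 2
    fi
    if [ -n "$version" ] && ! valid_mau_version "$version"; then
        echo "ERROR: version '$version' is not in xx.yy.YYMMDDXX form" >&2
        return 2
    fi
    printf '%s\n' --install --apps "$app_id"
    if [ -n "$version" ]; then printf '%s\n' --version "$version"; fi
    printf '%s\n' --wait 600
}

# Runs msupdate as the console user (the sudo -u pattern used by CMD_PREFIX in
# the thread's script) with the validated argument list. macOS only.
run_msupdate() {
    local app_id="$1" version="${2:-}" user
    build_msupdate_args "$app_id" "$version" >/dev/null || return $?
    user=$(/usr/bin/stat -f %Su /dev/console)
    set -- --install --apps "$app_id"
    if [ -n "$version" ]; then set -- "$@" --version "$version"; fi
    set -- "$@" --wait 600
    sudo -u "$user" "$MSUPDATE" "$@"
}

# Usage: run_msupdate OPIM2019 16.40.20081000   (or run_msupdate OPIM2019 for the current build)
```

In a Jamf policy the pinned build would arrive as a script parameter ($4 and up), so `run_msupdate "$APP_ID" "$4"` gives the "optional parameter with a desired version" behaviour without editing line 113 for every release.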

fredrik_virding
Contributor

Hi all,

Anyone seen this lately?

ERROR: Cannot send Apple Events to MAU. Check privacy settings

dng2000
Contributor II

@fredrik.virding I saw that today in my environment but I haven't dug deep to find out the root cause of that message.

caffine247
New Contributor III

@dng2000 & @fredrik.virding take a look at Microsoft Autoupdate Script and 10.14 Mojave and at what Paul Bowden points to. There was a change in the PPPC.

dng2000
Contributor II

@fneidhardt Thanks for your tip. PPPC was applied via config profile in my environment and I still get that message. To be honest, I've never used this method but just starting to explore it to see if it is a better option than using BigFix to push and run individual PKG's outside of MAU in my environment.

dpratl
Contributor II

Hi @Gennaro, @pbowden and the others included in this. First of all, thank you very much for all the work you did there and for sharing it with us, amazing.
This script (and PPPC and so on) is looking very promising and I'm going to test it.
I would just have one question: I'm not sure how to implement MS Teams in the script, as far as I can see I cannot just add some copied lines (and change to Teams for sure) and that's it.
Would you be so kind to tell me what I have to do to add Teams as well (or even better ;) , could you add MS Teams?)
Thank you
BR
Daniel

rstasel
Valued Contributor

@dpratl Teams isn't updated by MAU, it self updates. Until Teams is brought into the MAU fold, this won't work to update it. =/

greatkemo
Contributor II

Hey Guys,

Just thought I would add this to the mix, to fix any issues running the trigger script you must allow /usr/local/jamf/bin/jamf AppleEvents access to /Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate

Kamal

sdagley
Esteemed Contributor II

A Configuration Profile to provide the access @greatkemo describes can be found in @pbowden's GitHub repo: https://github.com/pbowden-msft/MobileConfigs/blob/master/Jamf-MSUpdate/Jamf%20Controller%20for%20Mi...

isThisThing0n
Contributor

Teams does show up as an option in the MAU GUI but it is not yet actually being updated by MAU. It still uses Microsoft's CDN for independent updates. Hopefully this changes soon.

ImAMacGuy
Valued Contributor II

@greatkemo can you elaborate a bit more? @sdagley I can't seem to get the linked file to work. Keeps returning the error about sending MAU updates to Apple Events

greatkemo
Contributor II

@jwojda If you don't have one already, you need to create a PPPC profile for path

/usr/local/jamf/bin/jamf

and Allow it AppleEvents access to the msupdate binary found here

/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate

The trigger script tests to see if you have allowed this access or not in this function...

function CheckAppleEvents() {
    # Ask MAU for its config as the console user. If the caller (the jamf binary)
    # has not been granted AppleEvents access to msupdate, TCC blocks the request
    # and msupdate reports "No result returned from Update Assistant".
    # The path contains spaces and must be escaped; CMD_PREFIX is left unquoted
    # on purpose so that "sudo -u <user> " splits into separate words.
    MAURESULT=$(${CMD_PREFIX}/Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app/Contents/MacOS/msupdate --config | /usr/bin/grep 'No result returned from Update Assistant')
    if [[ "$MAURESULT" = *"No result returned from Update Assistant"* ]]; then
        echo "ERROR: Cannot send Apple Events to MAU. Check privacy settings"
        exit 1
    fi
}

which can be found between lines 52 and 58 of the script.

source: MSUpdateTrigger.sh

Hope this was helpful.

djrory
Contributor

Can anyone please help me determine why Outlook is not being updated?

I quit Outlook then run the policy with the script found here: script

and this is the result:

Going for Outlook update
Mon 15 Feb 2021 11:48:49 AEDT
RegisterApp: Params - /Applications/Microsoft Outlook.app OPIM2019
Mon 15 Feb 2021 11:48:49 AEDT
Final TARGET_VERSION: 
Mon 15 Feb 2021 11:48:49 AEDT
PerformUpdate: sudo -u rory.powell /Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate --install --apps OPIM2019  --wait 600
Detecting and downloading updates...
No updates applied
Mon 15 Feb 2021 11:48:55 AEDT

I have all appropriate PPPC mobile configs etc, other apps are updating correctly.

Outlook is version 16.38 but the latest is 16.45... why is it not updating?

greatkemo
Contributor II

@djrory Are you downloading from your public CDN? Or do you have your own MAUCache?

rstasel
Valued Contributor

@djrory also, if that Outlook is from MAS, MAU won't update it. You can fix this by deleting the _MASReceipt folder within the .app bundle (which, btw, best and easiest way to switch from MAS version to CDN version).

djrory
Contributor

@greatkemo public CDN. @rstasel I wasn't aware of this, I'll try that out. What does MAS stand for and how did I end up with a MAS Outlook and everything else under MAU?

rstasel
Valued Contributor

MAS is Mac App Store. The Office apps are available through the MAS via VPP, and many of us tried to transition to the MAS version, but saw issues with updates never getting applied (either the MAS process would crash, or users would never quit Word/Outlook and they wouldn't update). So we switched everything to CDN by just deleting that directory, and MAU would pick them up and update them.

djrory
Contributor

Ah Mac App Store, got it. Not sure how that happened but will ensure I deploy all apps via package rather than the App store moving forward.

rstasel
Valued Contributor

Glad that was it. MAU ignores the MAS version since it would likely result in a corrupted app if it tried to update rather than MAS doing it.

As for how... guessing CDN Outlook was installed, and someone clicked "install" for the MAS version. That would have likely just "adopted" the existing version, or best case, deleted the existing CDN version and installed the MAS version. Either way, hats off to @pbowden for pointing out that you can just delete the _MASReceipt folder. So much easier than having to notify users you're gonna quit the apps, delete them, then reinstall. I was able to silently convert 100's of machines from MAS to CDN in the time it took for them to checkin, run a quick script, and inventory (20-30 minutes). =)

pbowden
Contributor III

@rstasel great to hear!!

jhuls
Contributor III

Hmmm...so is there an easy way to pull a report in Jamf of which Microsoft applications are MAS and which aren't? Has anyone written an EA for that?

rstasel
Valued Contributor

@jhuls Yup. I use this. Swap out the program name as appropriate.

#!/bin/bash

# Jamf extension attribute: report whether an Office app is a Mac App Store
# install (VPP or personal), a CDN install, or not present at all.
app="/Applications/Microsoft Excel.app"

if [ -e "$app/Contents/_MASReceipt" ]; then
    # mdls prints "kMDItemAppStoreReceiptIsVPPLicensed = 1" for a VPP receipt;
    # default to 0 so the test does not break if the attribute is missing.
    VPPCheck=$(mdls "$app" | awk '/kMDItemAppStoreReceiptIsVPPLicensed/ {print $3}')
    if [ "${VPPCheck:-0}" -eq 1 ]; then
        echo "<result>MAS_VPP</result>"
    else
        echo "<result>MAS_Personal</result>"
    fi
else
    if [ -e "$app" ]; then
        echo "<result>CDN</result>"
    else
        echo "<result>None</result>"
    fi
fi
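The EA above and the _MASReceipt trick discussed earlier in the thread, generalised in one added example that is not rstasel's EA or any Microsoft tooling. It classifies every Microsoft app in the Applications folder (not just one hard-coded bundle), emits the same <result> form for use as an extension attribute, and can optionally perform the MAS-to-CDN conversion by removing Contents/_MASReceipt. APP_DIR and MDLS_CMD are overridable hooks I added so the classification logic can be exercised against a constructed directory tree off-macOS; the function names are assumptions.

```shell
#!/bin/bash
# Added example: classify Microsoft apps as MAS_VPP, MAS_Personal, CDN or None
# and optionally convert MAS copies to CDN by deleting Contents/_MASReceipt.
# APP_DIR and MDLS_CMD default to the real locations; override them for testing.
APP_DIR="${APP_DIR:-/Applications}"
MDLS_CMD="${MDLS_CMD:-/usr/bin/mdls}"

# Prints the install channel for the app bundle at $1.
classify_office_app() {
    local app="$1" vpp
    if [ ! -d "$app" ]; then echo "None"; return 0; fi
    if [ ! -e "$app/Contents/_MASReceipt" ]; then echo "CDN"; return 0; fi
    # "mdls -name KEY -raw" prints the bare value (1 for a VPP receipt) or "(null)".
    vpp=$("$MDLS_CMD" -name kMDItemAppStoreReceiptIsVPPLicensed -raw "$app" 2>/dev/null)
    if [ "$vpp" = "1" ]; then echo "MAS_VPP"; else echo "MAS_Personal"; fi
}

# Removes the App Store receipt so MAU treats the app as a CDN install (the
# method described in the thread). No-op for apps that have no receipt.
convert_to_cdn() {
    local app="$1"
    [ -d "$app/Contents/_MASReceipt" ] || return 0
    rm -rf "$app/Contents/_MASReceipt"
}

# Prints "<bundle name><TAB><channel>" for every Microsoft*.app in APP_DIR.
# With "convert" as $1, MAS copies are converted before being reported.
report_office_apps() {
    local mode="${1:-report}" app
    for app in "$APP_DIR"/Microsoft*.app; do
        [ -d "$app" ] || continue
        if [ "$mode" = "convert" ]; then convert_to_cdn "$app"; fi
        printf '%s\t%s\n' "$(basename "$app")" "$(classify_office_app "$app")"
    done
}

# Single-app extension attribute output, same <result> form as the EA above.
ea_result() {
    echo "<result>$(classify_office_app "$1")</result>"
}

# Usage: report_office_apps            (inventory only)
#        report_office_apps convert    (switch MAS copies to CDN, then report)
#        ea_result "/Applications/Microsoft Excel.app"
```

Run the report mode first and scope the convert mode deliberately: once the receipt is gone the App Store no longer owns the app, so the CDN update path (MAU with the PPPC profile from this thread) has to be in place before the conversion.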