Office 2016 Smart Group Version Check

gskibum
Contributor III

I'm getting around to creating a policy that will update the entire Office 2016 suite instead of the individual apps. I've been using AutoPKG, which creates smart groups based on the individual apps. I can't find an AutoPKG recipe that updates the entire suite so no smart group for me to use.

But I'm at a loss at what to scope a smart group against in regard to the entire suite.

What's a guy to do?

2 ACCEPTED SOLUTIONS

CapU
Contributor III

Create a Smart Group that looks for the previous version of Excel then use that S.G. to perform a full update

View solution in original post

mm2270
Legendary Contributor III

As far as I can tell there isn't anything safe to choose from with Office 2016, since any one app could get updated before others. And there doesn't seem to be any one application or file that always get a revved version number. Early on Microsoft was keeping the app versions in lock-step. or releasing updates for all apps at once, but that trend is now over and they are releasing individual updates for single apps but not others in the suite. So yeah, its a bit of a pain because one app may have a higher number than the other 4.

As you said though, best practice seems to be to avoid the individual updates as long as you can and go with the full installer once its been updated with the same changes. The only problem is that it can be a while before an updated single installer comes along, so you're left with non applied updates to individual apps for a while. In some environments, this may not be an acceptable thing to do.

View solution in original post

18 REPLIES 18

CapU
Contributor III

Create a Smart Group that looks for the previous version of Excel then use that S.G. to perform a full update

gskibum
Contributor III

@CapU Thank you.

But dang it I accidentally edited something out of my post.

I've noticed along that way that on occasion Microsoft releases an update for a single app and not the whole suite, so I'm wanting to avoid a situation of updating the entire suite in the event that Microsoft releases an update for a single app.

With Office 2011 we could scope against

Applications/Microsoft Office 2011/Office/MicrosoftComponentPlugin.framework/Versions/14/Resources/Info.plist

Is there anything similar in Office 2016? Or is Excel a "safe" app to scope against?

Big picture I suppose it's probably a net gain to update the entire suite even if an individual app is updated, considering how much smaller the entire suite updater is compared to the tally of the individual apps.

mm2270
Legendary Contributor III

As far as I can tell there isn't anything safe to choose from with Office 2016, since any one app could get updated before others. And there doesn't seem to be any one application or file that always get a revved version number. Early on Microsoft was keeping the app versions in lock-step. or releasing updates for all apps at once, but that trend is now over and they are releasing individual updates for single apps but not others in the suite. So yeah, its a bit of a pain because one app may have a higher number than the other 4.

As you said though, best practice seems to be to avoid the individual updates as long as you can and go with the full installer once its been updated with the same changes. The only problem is that it can be a while before an updated single installer comes along, so you're left with non applied updates to individual apps for a while. In some environments, this may not be an acceptable thing to do.

gskibum
Contributor III

Yes it seems we will need to just keep keen attention to the updates that are released, and decide whether to update just the individual app that may get released solo, or update the whole suite.

No automatic-lazy approach to this!

bpavlov
Honored Contributor

MSFT releases updates once a month for all apps. That much has been consistent. Anything out of the ordinary are probably hot fixes to individual apps usually which may or may not effect you depending on how heavily your company relies on all office apps. So in most cases it might just fine to wait until the next release next month.

shaunpbrowne
New Contributor

Hi,

Just to add something to this, we have recently changed the way we push out office updates. Essentially we have 5 policies which deploy the full install of each Office component (Word, Excel etc) to brand new machines and 1 policy that does the updating each month.

I noticed recently that Microsoft have the following static link which downloads a smaller update pkg file for that month (http://go.microsoft.com/fwlink/?linkid=525133). This saves having to deploy the full installers out to machines every month. I simply target the machines with Office 2016 installed and push a message out to users telling them to update from Self Service, after a week I make it an automatic install. I ignore any mid month fixes unless really required.

The only issue with the monthly update file above is that is also deploys the Microsoft Auto Update utility so users could actually update their own machines if they tried, Microsoft also recently changed the app to allow users to install the updates without requiring admin rights (I confirmed this) so anyone could update to the latest version regardless of what you do with Casper. It's not ideal if you trying to keep everyone on the same version but considering how much easier it makes updating via Casper each month I am happy to accept that issue.

shaunpbrowne
New Contributor

We scope our 2016 installs using the following:

Application Title is Microsoft Word.app AND Application Version is like 15.
OR Application Title is Microsoft Excel.app AND Application Version is like 15.
OR Application Title is Microsoft Outlook.app AND Application Version is like 15.
OR Application Title is Microsoft PowerPoint.app AND Application Version is like 15.
OR Application Title is Microsoft OneNote.app AND Application Version is like 15.

This picks out whether any app is installed from the 2016 suite (if for instance a user has Word but removed the others apps). You could be more specific with the versions if you wanted but you'd need to install the update and check how it appears in Casper, it's often the full version number and not just 15.26.0 for example.

gabester
Contributor III

Glad you guys had this up - I needed to use @shaunpbrowne's smart group scoping method today to get 15.27 installed! But I'm pretty sure the file he links to is the full install/update, not just an updater; and it's not small at 1.5GB! Just use a post-install script to set the auto-updater to manual if that's something you want to avoid:

#!/bin/sh

userName=( `who | awk '/console/{print $1}'` )

echo $userName

defaults write /Users/$userName/Library/Preferences/com.microsoft.autoupdate2.plist "HowToCheck" -string "Manual"
defaults write /Users/$userName/Library/Preferences/com.microsoft.autoupdate2.plist "SendAllTelemetryEnabled" -bool "False"
chown $userName /Users/$userName/Library/Preferences/com.microsoft.autoupdate2.plist

pcrandom
Contributor

Sorry to bump, but @shaunpbrowne's post made me wonder what happens with multiple Application Title and Application Version criteria in a smart group. We have a Smart Group that's setup like this:

Application Title is Microsoft Word.app
AND Application Title is Microsoft Excel.app
AND Application Title is Microsoft Outlook.app
AND Application Title is Microsoft PowerPoint.app
AND Application Version is like 15.

Is it best practice to pair up the Title/Version? Is the Application Version check in my SG example only checking against PowerPoint or against any of the four apps?

bbot
Contributor

@pcrandom I've always done individual apps. I've seen times where Microsoft releases certains apps before others... this could throw off the smart group.

BOBW
Contributor II

not sure if it helps but I have moved completely away from using jss to update Office apps.

Currently using MAU and caching server for updates.

This will update your apps even if there is a change to a single app.

MAU will run every 12 hours to download the updates in the background and install when the app is not running.

With the caching server you can also run a manifest server to ensure updates are not pushed out prior to testing on your network.

now there is no more worry about updating smart groups and EA's to manage this.

see https://www.jamf.com/jamf-nation/discussions/22223/microsoft-mau-manifestserver-and-caching-server for more info

there are some updates coming to MAU to allow admins to force updates through scripts next year so I am building towards this.

PeterClarke
Contributor II

Hi: pcrandom, the smart list formulation by; shaunpbrowne above is correct.

Is it best practice to pair up the Title/Version? - Answer: YES definitely

It's important to understand this else you will have problems..
To Clarify:

if you did do:
Application Title is Microsoft Word.app
AND Application Title is Microsoft Excel.app
AND Application Title is Microsoft Outlook.app
AND Application Title is Microsoft PowerPoint.app
AND Application Version is like 15.

Then this "actually means":

ANY version of Microsoft Word.app
AND ANY version of Microsoft Excel.app
AND ANY version of Microsoft Outlook.app
AND ( Any version of the Vn 15 family, of Microsoft PowerPoint.app )

( e.g. by 'family' I mean any 15 combo like: 15, 15.0, 15.1, 15.12.7 etc.. )

So each of the Application AND Versions DOES need to be tested (paired up)
- exactly how "shaunpbrowne" said above…

To Quote:
Application Title is Microsoft Word.app AND Application Version is like 15.
OR Application Title is Microsoft Excel.app AND Application Version is like 15.
OR Application Title is Microsoft Outlook.app AND Application Version is like 15.
OR Application Title is Microsoft PowerPoint.app AND Application Version is like 15.
OR Application Title is Microsoft OneNote.app AND Application Version is like 15.

pcrandom
Contributor

So to apply the 15.29 update for Macs that have any Office 2016 applications installed (putting aside whether it's wise to do the update this way), I'd have to do this:

To Quote:
Application Title is Microsoft Word.app
AND Application Version is like 15
AND Application Version is not 15.29
OR Application Title is Microsoft Excel.app
AND Application Version is like 15
AND Application Version is not 15.29
[etc...]

So there's an implied parentheses around each Title-Version pair (or triplet as above)? I tried explicitly putting parentheses around them but it changed the ORs between each set into ANDs.

Are there any other invisible/implicit rules or logic in criterias?

PeterClarke
Contributor II

That would certainly work…

To be honest, myself, I just check against the version of MS word, and then update the suite on that basis…

pcrandom
Contributor

Thanks @PeterClarke. Looks like Microsoft got in an update late last week, so then I'd have to do this:

Application Title is Microsoft Word.app
AND Application Version is like 15
AND Application Version is not 15.29
AND Application Version is not 15.29.1

Or just combine the last two with a "not like".

@BOBW, I will definitely consider the MAU route...

jhuls
Contributor III

For what it's worth I use my own EA's to check version numbers on software. I don't remember what led me down this path instead of using Jamf's stuff but this is an example of the script I use.

Has anyone worked much with the caching server approach? I'm curious if there is any sort of control in deploying updates. We certainly don't want them to update on MS's schedule. One just has to look at MS's record of deploying Windows updates automatically to know that this is not a good idea. I wouldn't care if the client checks every so often if there was a way to prevent it from getting the locally cached version until I said otherwise.

#!/bin/sh

if [ -d /Applications/Microsoft Word.app ];then
    result=`/usr/bin/defaults read /Applications/Microsoft Word.app/Contents/Info CFBundleShortVersionString`
    if [ $result == "" ];then
        echo "<result>No version</result>"
    else
        echo "<result>$result</result>"
    fi
else
    echo "<result>Not installed</result>"
fi

exit 0

pcrandom
Contributor

@jhuls We used an EA for Office 2011. Most likely you wanted to be able to report on or sort by the version info whenever the EA was originally created and you carried it forward? Just guessing because that's what we've done for things like Firefox and other applications. Haven't needed to do that with Office 2016 yet, and trying to keep the number of EAs relatively light in our environment.

As far as the caching server goes, definitely look at @BOBW's post history. He seems to have been working on that recently. And the caching server document here: http://macadmins.software/docs/

donmontalvo
Esteemed Contributor III

Would take less than an hour to create accurate/reliable EAs to cover all the Microsoft Office 2016 apps:

https://www.jamf.com/jamf-nation/discussions/22528/version-major-version-major-minor-version-and-the...

Another hour to create Smart Computer Groups to provide granular reporting/scoping.

Good logic starts at the bottom and works its way up...EAs, Smart Computer Groups > Policy scope...

--
https://donmontalvo.com