OS Patches

ImAMacGuy
Valued Contributor II

What's the best way to use Casper 9 to do OS patching? On the PC side we bundle patches once a month and deploy, but on Macs we tend to just let them go down to the box as they come out. I don't really want to set up yet another patch management app (munki) if I can help it, but I'm getting pressure to move to a monthly patch schedule.

How are you doing it? If you do a monthly patch release, how did you draw the line in the sand when you first implemented it? How do you handle the older OSes and firmware patches (seeing as they won't apply to all systems)? If I bundle all the apps up in one installer, is the system smart enough to know what applies to 10.7, 10.8, and 10.9? Or what's been loaded vs. not loaded?


JPDyson
Valued Contributor

The thread you started a while back covers this very topic - something in particular you're trying to do that wasn't posted?

https://jamfnation.jamfsoftware.com/discussion.html?id=5404

ImAMacGuy
Valued Contributor II

That's talking about scripting to prompt users. That has more or less been handled by v9.x, my question is more on scheduling. This topic is about doing a trickle down method as they come out vs a monthly patch day.

The Casper 9 patching is great in that it allows user deferment, but there's not really any way to force last month's/quarter's/year's patches down. If I give a force date for patches, then any update released after that force date gets forced down too. So I extend the force date, but then none of those old patches are forced down because there's no breakup for the patches.

alexjdale
Valued Contributor III

I ended up writing a script to handle everything: UI and user prompts, deferral, a "mandatory" date when patches are forced, which patches are installed, and a forced reboot timer.

I couldn't find a combination of Casper features that handled the workflow so I just went ahead and scripted it. The script reads in a list of software update IDs that we've "blessed" and want to push, runs "softwareupdate -l" to see if any of those updates are available to the system, downloads them in the background, then prompts the user to install or defer (until the mandatory date passes, when there is no more deferral option). They are downloaded and installed by softwareupdate for consistency and reliability.

This is easy to manage with Casper, but the script does the work and the JSS is basically coordinating it. Each month we review the updates we want to force and update our list (which is stored on the Casper DP), so we can batch them up however we like. We're basically forcing Apple updates into a monthly patching cycle to match our Windows systems.
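An added example, not alexjdale's script (which was never posted in the thread), of the "blessed list" step the post describes: parse `softwareupdate -l`, keep only the labels the admin has approved for this cycle, and hand just those to `softwareupdate -i`. The sample output and the blessed list are constructed; the script defaults to a dry run.

```shell
#!/bin/bash
# Added example, not alexjdale's script: install only the updates that
# `softwareupdate -l` reports as available AND that the admin has "blessed"
# for this patch cycle. Defaults to a dry run (SWU_DRY_RUN=0 to install).
SWU_DRY_RUN="${SWU_DRY_RUN:-1}"
# Constructed sample of 10.9-era `softwareupdate -l` output; the "   * label"
# lines are what gets parsed (labels contain no whitespace in this format).
SAMPLE_SWU_OUTPUT='Software Update found the following new or updated software:
   * Safari6.1.1Mavericks-6.1.1
        Safari (6.1.1), 52814K [recommended]
   * iTunes-11.1.4
        iTunes (11.1.4), 225009K [recommended]
   * RAWCameraUpdate5.03-5.03
        Digital Camera RAW Compatibility Update (5.03), 6000K [recommended]'

# Constructed blessed list (one label per line, # comments allowed); in
# practice it would be fetched from the Casper distribution point.
BLESSED_LIST='# approved for this cycle
Safari6.1.1Mavericks-6.1.1
iTunes-11.1.4
RemoteDesktopClient-3.7.2'

# stdin: softwareupdate -l output. stdout: one available label per line.
parse_available_labels() {
    sed -n 's/^[[:space:]]*\* \([^[:space:]]*\).*$/\1/p'
}
# $1: available labels, $2: blessed list. Prints labels present in both, so an
# update Apple ships after the list was reviewed is never picked up, and a
# blessed update this Mac does not need (or already has) is skipped.
select_blessed() {
    local available="$1" label
    printf '%s\n' "$2" | sed 's/#.*//; /^[[:space:]]*$/d' |
        while IFS= read -r label; do
            if printf '%s\n' "$available" | grep -qxF -- "$label"; then
                printf '%s\n' "$label"
            fi
        done
}
# $1: newline-separated labels to install.
install_labels() {
    [ -n "$1" ] || { echo "no blessed updates are available"; return 0; }
    if [ "$SWU_DRY_RUN" = 1 ]; then
        echo "would run: softwareupdate -i" $1   # unquoted: newlines -> args
    else
        softwareupdate -i $1   # real run: needs root, may require a restart
    fi
}

available=$(printf '%s\n' "$SAMPLE_SWU_OUTPUT" | parse_available_labels)
install_labels "$(select_blessed "$available" "$BLESSED_LIST")"
```

On a real client you would replace the constructed sample with `softwareupdate -l 2>/dev/null | parse_available_labels` and fetch the blessed list from the DP; the deferral UI and mandatory-date logic from the post sit in front of `install_labels`.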

scottb
Honored Contributor

@alexjdale: Would you mind posting up your script here? Sounds like a good method.

JPDyson
Valued Contributor

@jwojda I'm not meaning to be dense, but I'm still not sure I get the distinction you're making. I set minimum acceptable versions for every app I care about patching (in a smart group), and I enable any SWU I want my Macs to have in our prod catalog. I've ALWAYS got patching policies for those applications; even if I didn't update Office this month, I've still got a policy that's called as a part of my patching routine that will run on any Mac not running my preferred version of Office. Doesn't matter how or when it got into that smart group, or when I enabled that particular update.

ImAMacGuy
Valued Contributor II

I'm looking more at system/os patches... RAW updates, firmware, combo updates, ARD, iTunes, etc...

JPDyson
Valued Contributor

Makes no matter, really - most of my policies that run like I described above are for 3rd party apps, but one just calls softwareupdate -ia. If you're scheduling when software update runs, then any update that is available in the catalog and appropriate for the computer will be installed, correct?

alexjdale
Valued Contributor III

@boettchs I plan to, we're just starting an internal pilot test before we do a full release to make sure there are no hidden defects we didn't find in testing.

ksanborn
New Contributor III

@alexjdale Did the script work for you? If so, can you post it here?

Chris_Hafner
Valued Contributor II

I don't know how strict a policy you want to set, but I've had great luck using a number of methods depending on my demographic/department. Here are the methods we've used in the past year with complete success.

• AutoUpdate turned on. You can control the updates by simply using a software update server and making sure your machines are pointed to it.
• A series of monthly reminders to users to run software updates, check Self Service and give a reminder to restart their laptops every so often... like monthly.
• An automated popup based on SWU smart groups as per the thread you mentioned earlier (https://jamfnation.jamfsoftware.com/discussion.html?id=5404)

All of these have worked for me in production. In the end, you have a huge amount of flexibility depending on how you would prefer this to work. Firmware is always going to be a little interesting, but I've had great success recently running update checks on each machine daily! I'm using a normal daily inventory to check against available SWUs and auto-install.

Chris_Hafner
Valued Contributor II

P.S. For our students, we push critical patches to them in the background via JSS policy as needed. Otherwise we work on training them to check for updates regularly, understand legitimate patches vs illegitimate ones and otherwise keep their units as healthy as possible. After all, we have all the power in the world to automate via the JSS, but once they leave our academy they have to do it themselves.