OS Security Updates

New Contributor

I'm new to JAMF and I'm trying to set up how JAMF will handle security updates. We do not want users to have access to install them. We prefer to install them to a test group, test, then install them to the other Macs. Our MacBooks are DEP enrolled. When I use the "Defer Software Updates" in Configuration profiles it does make it where the user can't do an update, but I'm not sure how I can with JAMF. I can run the softwareupdate -l command, but I don't see the updates either with the Defer option on. Any suggestions?


Legendary Contributor III

You could always download the Security Updates from Apple's site and then upload them into your Jamf distribution point as the original pkg files.
You'll need to create a Smart Group for machines that require the update(s) to target the right systems. You can do this by getting machines at a specific OS version, but not at the build version that it gets updated to when a security update is installed. So for example, the last Security Update 2008-004 for Sierra 10.12.6 updated the OS build to 16G1510.

Valued Contributor

Probably need a script to turn off "Install system data files and security updates." Also, if they're admins, they can just turn it on.

New Contributor

I am wondering if this resolved the question? I am running into the same issues. I would like to download and install updates to a test group first but I really didn't want to manually download updates each month if I could avoid that overhead.

Contributor II

What if, in your Policy to Defer Apple Updates, you Excluded your Test Group of computers? Then created a Policy to Run Apple Security Updates. Payload: Software Updates, Apple's Software Update server, and Scope that to your test computers. I actually scope all and just Flush Logs of the computers I want to test.