OS X Updates Opt in?

jwojda
Valued Contributor II

We have Casper set to install updates as it finds missing ones on the boxes.
The problem is that some updates need to reboot the machine which can
interrupt work. They also load w/o users knowledge.

So in the interest of communicating more with the users, we want to possibly
do a trigger (I assume) that checks if there's updates, and lets the user
either install them immediately or delay it. However, if they delay it,
they will have X amount of days to delay it until it's forcibly installed.

Any ideas how to do something like that?

7 REPLIES

donmontalvo
Esteemed Contributor III

On the Wintel side users are prompted "Updates were applied, shall we reboot now? Or wait until later?" (or something to that effect). If we can get a similar functionality into JSS, I agree, that would help immensely in our struggle to gain agreement with department managers whose greatest concern is disruption and downtime. Eagerly awaiting responses to John's email... :)

Don

--
https://donmontalvo.com

ernstcs
Contributor III

What I'd want to be able to do is allow some flexibility with the dialogue
options for the end user.

"Updates were applied to your computer (or updates are available for your
computer) that require a reboot. If you would like to install these
updates now please save your work and quit all applications before
clicking Yes. Would you like to reboot now?"

Then there would be a yes or no box. Right now, with what the JSS uses
that isn't an option. I know that people have suggested other programs for
user interaction, Growl perhaps. I like having the tools in one system
though. Maybe I just haven't really thought if existing policy could make
it happen.

What I want to happen if they were to click NO at that prompt is that a
little timer runs in the background and pops it up again every X hours
(probably possible with a bunch of policy work). At some point they don't
get a choice though, you need a threshold period to force people to update
or they never will if given the option. Finally after 72 hours of an
ignored prompt or multiple no clicks, the box just does what it's supposed
to do. We have similar capability on the Windows side with SCCM. At some
point the update becomes mandatory and the box will reboot regardless. How
else are you supposed to maintain the integrity of the system you're
supposed to be managing?

Craig E
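The "install now or defer, force after a threshold" flow John asks for and Craig describes, as an added example (not code from the original thread or from JAMF): it parses `softwareupdate -l` for restart-required updates, records when the prompt was first shown, nags via an osascript dialog while the window is open, and installs regardless once it closes. The timestamp file path, the 72-hour window, the dialog wording and the sample listings are assumptions; softwareupdate and osascript are macOS commands, so the live path only runs with `--run`.

```shell
#!/bin/bash
# Added example, not from the original thread: the "install now or defer,
# force after N hours" flow described above. Paths, the 72-hour window and
# the dialog wording are assumptions; softwareupdate/osascript are macOS.
DEFER_FILE="/var/db/.pending_restart_update_first_seen"   # assumed path
MAX_DEFER_HOURS=72                                         # Craig's threshold

# Constructed sample `softwareupdate -l` listings (10.6-era format) for testing.
SAMPLE_RESTART='Software Update found the following new or updated software:
   * MacOSXUpd10.6.7-10.6.7
	Mac OS X Update (10.6.7), 475226K [recommended] [restart]'
SAMPLE_NO_RESTART='Software Update found the following new or updated software:
   * iTunesX-10.2.1
	iTunes (10.2.1), 90554K [recommended]'

# True when the listing names an update flagged as needing a restart.
restart_required() { printf '%s\n' "$1" | grep -qi 'restart'; }

# "prompt" while the deferral window is open, "force" once it has expired.
# $1 = epoch seconds of the first prompt, $2 = epoch seconds now.
deferral_state() {
    if [ "$2" -ge $(( $1 + MAX_DEFER_HOURS * 3600 )) ]; then echo force; else echo prompt; fi
}

# Whole hours left in the window (rounded up), for the dialog text.
hours_left() { echo $(( ($1 + MAX_DEFER_HOURS * 3600 - $2 + 3599) / 3600 )); }

main() {
    listing=$(softwareupdate -l 2>&1)
    if ! restart_required "$listing"; then
        rm -f "$DEFER_FILE"          # nothing pending, reset the clock
        softwareupdate -ia           # no-reboot updates install silently
        return 0
    fi
    [ -f "$DEFER_FILE" ] || date +%s > "$DEFER_FILE"   # start the clock
    first_seen=$(cat "$DEFER_FILE"); now=$(date +%s)
    if [ "$(deferral_state "$first_seen" "$now")" = prompt ]; then
        left=$(hours_left "$first_seen" "$now")
        msg="Updates that require a restart are available. Install now? They will be installed automatically in $left hours."
        answer=$(osascript -e "button returned of (display dialog \"$msg\" buttons {\"Later\", \"Install Now\"} default button \"Install Now\")")
        [ "$answer" = "Install Now" ] || return 0   # deferred until the next run
    fi
    softwareupdate -ia && rm -f "$DEFER_FILE" && shutdown -r now
}

# Only touch the live system when explicitly asked (e.g. from a Casper policy).
if [ "${1:-}" = "--run" ]; then main; fi
```

Scheduled from a policy every few hours, each run re-prompts until the user accepts or the window closes, which is the nag-then-force behaviour the thread asks for.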

mfennelly
New Contributor III

When we have OS updates that require a restart, we post a notice to the
Intranet that updates requiring a restart are required and they have until
day X to install them from Self-Service. After day X the updates will be
installed and the computer will reboot.

I have a smart group of computers (belonging to people) and I have policies
set up such that if you have OS updates to install you are notified 2x per
day. Once in the morning and once in the afternoon. And the nag notice
directs you to Self-Service.

I also have a policy that runs once a day that checks to see if the
available software updates require a restart. If they don't, then it
installs them silently. If they do require a restart, then it just exits.
But by silently installing the easy stuff, we don't bug people to do things
unless we have to.

Maura Fennelly
Technology Department
Archbishop Mitty High School

mfennelly
New Contributor III

A few people asked for screen shots of the policies I use for software
updates, so I put together the attached pdf.

It isn't a perfect system (custom triggers would be better), but it works
well for what it is. I'm happy to answer questions.

Maura

jwojda
Valued Contributor II

Excellent doc!

A couple questions though, how are you determining how long a Software
Update has been available prior to force installing? And I saw you had a
script for running patches that don't require a reboot... Would it be
possible to get a peek at that?

mfennelly
New Contributor III

I suppose the process for when we force updates is manual. We have an
internal SUS and I keep an eye on what is coming in for updates. When there
is something that will require a restart, we start the process. And when we
have 100% coverage of the machines that belong to people, I turn off the
policy that forces the updates and I turn off the reminders. It generally
takes about a week for full coverage.

We try to force updates no more than once a month, and since we didn't release
10.6.6 it was more like three months between forced updates. 10.6.7 had such
dramatic improvements in the color profiles, we made it a priority to
distribute.

And it is always an option for people to run the policy to install all
software updates from Self-Service. We have a few people who do that on
their own once a week or so.

The script I use to install updates that do not require a restart is part of
a larger script written by someone at JAMF. We had to stop using the
original script because it generated enormous log files - people were not
noticing the OK dialog box and the script would run and log for days.

So this is just a snippet of that original script. If there are no updates
that require a restart, they get installed in the background. If there is
an update requiring a restart, it exits out.

#!/bin/bash
# Originally Written by: Ryan Yohnk
# Purpose: This script provides the ability to display a message to the user,
# wait for them to click OK, then install updates.
# It will reboot the machine immediately after the updates if necessary.
# Modified by Maura Fennelly to only install updates if no restart is
# required.

# List available updates once; each update is on a line starting with "*"
updateList=$(softwareupdate -l 2>&1)
shouldRun=$(printf '%s\n' "$updateList" | grep '\*')   # Checks to see if any updates are available

if [[ "$shouldRun" != "" ]]; then   # If there are updates then...
    echo "Found Software Updates"
    shouldRestart=$(printf '%s\n' "$updateList" | grep restart)   # Checks to see if any updates need to restart
    if [[ "$shouldRestart" == "" ]]; then   # If the updates do not need a reboot then...
        echo "Updates do not require a reboot"
        softwareupdate -ia   # Install all available updates
    else   # If the updates do require a reboot
        echo "Updates require a reboot"
    fi
fi

As I said before, it isn't a perfect system. But it works well enough. I'd like to add custom triggers, but haven't made the time to work on that.

Maura Fennelly
Technology Department
Archbishop Mitty High School
mfennelly at mitty.com
408.324.4243

tlarkin
Honored Contributor

If any of you have used iHook, if you combine iHook with Growl, and
spam the end user to run updates and reboot they finally will. I always
keep Growl up to date, because I didn't turn notifications off and it
spams me every 3 minutes when it needs an update, which is forever
annoying.

When we do our laptop refresh I am going to do a self service policy,
and I already have 6 SUS servers running. Now all I need is that
Google fiber to kick in so I can push out updates over the WAN no
problemo :)