Patch deployment with Jamf Patch best practices?

UbiquitousChris
Contributor

Hey Jamf Patch users,

I'm very curious about how folks are deploying patches using Jamf's built-in management capabilities. We already have an automated process set up for ingesting and prepping patch policies for deployment. What I would like to know is...

- How is everyone deploying patches? Are you allowing users to install themselves via Self Service, or just deploying patches automatically?
- If you're deploying patches with Self Service, are you using a deadline? How long are you giving your users to install? How are you notifying your users that patches are available?
- If you're deploying patches with automatic installs, how are you doing this non-disruptively for your users?

What's working for you? What isn't working? I'm looking for ideas on how to improve this process for our users.

6 REPLIES

UbiquitousChris
Contributor

As of today, we currently deploy patches through Self Service once a week on Thursdays. We give our users 3-4 days to install most patches on their own before enforcing installation. We give a grace period of 60 minutes before we force close apps.

Problems we're seeing:
- Notifications: We use the built-in notifications to alert users via Self Service and Notification Center. Users either feel like there are too many notifications, or they aren't notified enough. Some users don't believe they should have to go and click the update button in Self Service, but then complain when we enforce.
- I'm starting to feel like this process isn't aggressive enough and we should be patching faster.

robertliebsch
Contributor

I'm in hot water again as folks miss the notification center, or ignore it, and/or don't open Self Service.
Could be a 7-day deadline, or a 30-day. Could notify daily, could notify every 3rd or 7th day. I have a deep feeling that it is gonna be ignored.

Zoom is the biggest problem since people get booted from meetings...

robertliebsch
Contributor

My manager just went through his Notification Center history and did not see ANY notifications. The configuration calls for daily.

UbiquitousChris
Contributor

Notifications are so flaky. When they work, they work well, but they seem to only reach about 50% of our systems. There's a very old open PI about this:

PI-005955 Jamf Pro fails to display consistent notifications when computers become eligible for a new software title.

I get the feeling this is one of those things that Jamf is just never going to fix. 😞

Edit: I opened up a feature request for this.

robertliebsch
Contributor

Joined that party and upvoted.
Found this in another thread: https://www.modtitan.com/2016/10/demystifying-jamfhelper.html
Basically a non-acting popup that requires you to click Close, but you can put a message on there to hit Software Updates in Self Service. I imagine I could scope it to a smart group, if smart groups updated in a timely fashion....

mwilkerson
New Contributor III

@robertliebsch This is what I use Yo.app for (https://github.com/sheagcraig/yo). Recompiled with your logo, it can do what you mention... display a persistent notification, with a close button, but also an action button if desired. Like every notification tool, though, it has some shortcomings, so definitely test, test, test.