I was in the process of performing some patch management for the Zoom client and found there are two different versions offered, one for Intel and one for Apple silicone. How do I create separate patch management policies for the two separate architectures? I can only select 1 package in patch management for the Zoom client.
A workaround I can think of is to roll your own patch management server then set up a separate Zoom patch feed so that you can set up a new patch management profile specific for M1 apps. I have yet to test if this works.
That's what I did. Using this method for Webex Teams & Meetings until they come up with a universal package. Here's what my postinstall script looks like and the referenced payload structure. If anyone needs help borrowing this method let me know.
#!/bin/sh ## postinstall pathToScript=$0 pathToPackage=$1 targetLocation=$2 targetVolume=$3 #Set the temp paths to run the package dir="/private/var/tmp/webex" dirarm64="/private/var/tmp/webex/arm64" dirintel="/private/var/tmp/webex/intel" #Store device architecture type uname=$(uname -m) #Check for ARM architecture if [ $uname = "arm64" ]; then #Install the ARM package echo "ARM Mac detected, installing arm64 Webex package." /usr/sbin/installer -pkg $dirarm64/Cisco_Webex_Meetings.pkg -target / #Check for Intel architecture elif [ $uname = "x86_64" ]; then #Install the Intel package echo "Intel Mac detected, installing x86_64 Webex package." /usr/sbin/installer -pkg $dirintel/Cisco_Webex_Meetings.pkg -target / else #Architecure check failed echo "Architecture did not match arm64 or x86_64, aborting install." fi #Cleanup tmp files /bin/rm -rf $dir
The current Webex Meetings ‘Apple M1 chip’ download package is universal. Don’t know why they don’t label it as such. The package has seperate binaries for x64 and Arm inside with a script that does the detection.
Make it easy on yourself, use the Zoom for IT installer which has a Universal binary.
Now when it comes to something like VLC, that's a different type of problem. 3.0.12 is x86_64 and 188.8.131.52 is arm64 - Jamf only updated the definition to 3.0.12.
Who knows what other crazy things developers will do when they update their apps, and how often will they change their mind. Until Patch is improved, we'll need to use a good external patch definition source (or make one), and make some smart groups to scope to the right architecture.
If y'all would like to have a separate Apple Silicon patch title for any applications in particular make sure you submit an individual feature request for each one. That helps the teams see what's in highest demand to best prioritize building out that patch title in the Patch Management service.
As if Patch Management wasn't hard enough, multiple architectures now complicates it even further. Those interested in an intelligent Patch Management solution that easily accommodates both x86_64 and arm64 architectures might want to check out Alectrona Patch in the Jamf Marketplace. Feel free to chat with us for more details.
You can also just add Jamf again as an external path source with https://jamf-patch.jamfcloud.com/v1
Use the secondary one for arm64 titles. That doesn't help for titles like VLC where the version is slightly different but it's a quick fix for those where the version is the same across architecture.
Probably need to drop the https:// from the url, see below he responded to someone with that suggestion and a screenshot.
@timdambrosio - I would like to give this a try. I've setup the secondary patch source for Apple Silicon software.
I selected Adobe Creative Cloud in both.
It has ingested data from our fleet from both, looks identical as it should.
So now I would attach the Intel package to one, and the Apple Silicone package to the other.
I guess I'm just worried about things colliding? Our Creative Cloud desktop app policies are setup with smart group targets/exclusions so that intel will only show up if you have intel, apple silicone will only show up if you have apple silicone.
How will patch management know to install the silicone version on ARM computers and the intel version only on intel? Or will both run on all machines and the version is isn't compatible will just fail.
I might be overthinking this, but I was just worried about things colliding somehow.
Seems like a good suggestion, I just wanted to hear more before I actually try it.
You just need to add the appropriate exclusion group to each patch policy. So All Intel Macs excluded from the ARM patch polices and vice versa.
It also helps to name everything clearly with _ARM or _Intel or use hyphen if that's your thing. The patch polices themselves don't need that though otherwise it'll show up in self service and look **bleep**. Just the software titles.
Hey @darth_undesirable ,
This is not exactly what you asked for, but it helps a lot to keep the environment up to date, and from my knowledge, it's for both Intel and M1 chips.
just run it once a week and all your zoom clients will be upgraded to the latest version.
#!/bin/bash #https://www.jamf.com/jamf-nation/third-party-products/files/1051/install-latest-zoom-client # this is the full URL url="https://zoom.us/client/latest/ZoomInstallerIT.pkg" # change directory to /private/tmp to make this the working directory cd /private/tmp/ # download the installer package and name it for the linkID /usr/bin/curl -JL "$url" -o "ZoomInstallerIT.pkg" # install the package /usr/sbin/installer -pkg "ZoomInstallerIT.pkg" -target / # remove the installer package when done /bin/rm -f "ZoomInstallerIT.pkg" exit 0
Hope that helps something.
I must be missing something, why are companies pushing out non universal binaries? Isn't the fact that you can compile the app to work natively across either architecture the selling point of it?
Having to start putting multiple versions of packages into JAMF to deal with both sounds horrible :(
@ianatkinson, horrible is a good word for it. I do not know why they are, but they are. In particular Adobe is the biggest offender right now. I'm sure that there are others. With Adobe, you cannot even install an intel application using a package from the Adobe Admin Console unless you choose Apple Silicon when creating that package. To clarify, even if the Adobe application doesn't have an Apple Silicon version yet, you still have to create the installer package for Apple Silicon.
The gist of what I am saying here is that as administrators, we do not directly control what packages are available. In an ideal world everything would be universal, but we don't live in that world. It makes sense then for the tools we use for Mac administration to support the situation where multiple packages are being offered by vendors, as that is the world that we currently live in.