Patch management for both Intel and Apple M1 chips

darth_undesirab
New Contributor

I was in the process of performing some patch management for the Zoom client and found there are two different versions offered, one for Intel and one for Apple silicon. How do I create separate patch management policies for the two separate architectures? I can only select 1 package in patch management for the Zoom client.

23 REPLIES

stuartb
New Contributor II

You can't. I asked this of Jamf Support yesterday. I asked them to clarify how we can do it then but I've yet to receive an answer.

kfbbt
New Contributor III

Maybe set up a whole new Site within your instance for just new machines?

bernard_ga
New Contributor

A workaround I can think of is to roll your own patch management server then set up a separate Zoom patch feed so that you can set up a new patch management profile specific for M1 apps. I have yet to test if this works.

pvcit
New Contributor III

You can also create your own custom package that has both of them included and some code to detect: M1, use this package; non-M1, use this one.
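A sketch of the detection step described in the post above, added here as an example and not code from the thread. It reports the hardware architecture even when the script itself runs under Rosetta 2, where `uname -m` says x86_64; the payload file names and the layout (both installers next to the script) are assumptions.

```shell
#!/bin/bash
# Added example: hypothetical postinstall for a wrapper package that carries
# both vendor installers. Payload file names are assumptions.

# hardware_arch MACHINE ARM_CAPABLE
#   MACHINE     - output of `uname -m`
#   ARM_CAPABLE - output of `sysctl -n hw.optional.arm64` (empty on Intel)
# Prints the architecture of the hardware, not of the calling process:
# under Rosetta 2 MACHINE is x86_64 but ARM_CAPABLE is still 1.
hardware_arch() {
    local machine="$1" arm_capable="$2"
    if [ "$machine" = "arm64" ] || [ "$arm_capable" = "1" ]; then
        echo "arm64"
    elif [ "$machine" = "x86_64" ]; then
        echo "x86_64"
    else
        echo "unknown"
        return 1
    fi
}

# payload_for ARCH: map the architecture to the bundled installer.
payload_for() {
    case "$1" in
        arm64)  echo "Zoom-arm64.pkg" ;;
        x86_64) echo "Zoom-x86_64.pkg" ;;
        *)      return 1 ;;
    esac
}

# Only act on a Mac; elsewhere the functions are simply defined.
if [ "$(uname -s)" = "Darwin" ]; then
    arch=$(hardware_arch "$(uname -m)" \
        "$(/usr/sbin/sysctl -n hw.optional.arm64 2>/dev/null)") || exit 1
    pkg=$(payload_for "$arch") || exit 1
    # Assumed layout: both installers sit next to this script.
    /usr/sbin/installer -pkg "$(dirname "$0")/$pkg" -target / || exit 1
fi
```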

stuartb
New Contributor II

Way too difficult for me. Seems Jamf have no plan to fix this either which is a shame.

dave_segreto
New Contributor II

Really, all we'd need is two Definition lines for each release.
e.g. for Zoom:
5.5.1 (12484.0202) x86_64
5.5.1 (12484.0202) arm

stuartb
New Contributor II

Indeed but they won't do it and I can't see all apps suddenly working any time soon.

taugust_ric
New Contributor III

The Zoom 5.5.1 IT installer looks to be a universal binary. Perhaps they received some feedback that distributing separate binaries for each architecture wasn't enterprise friendly...

davidhiggs
Contributor III

Make it easy on yourself, use the Zoom for IT installer which has a Universal binary.

Now when it comes to something like VLC, that's a different type of problem. 3.0.12 is x86_64 and 3.0.12.1 is arm64 - Jamf only updated the definition to 3.0.12.

Who knows what other crazy things developers will do when they update their apps, and how often will they change their mind. Until Patch is improved, we'll need to use a good external patch definition source (or make one), and make some smart groups to scope to the right architecture.

stuartb
New Contributor II

OK thanks, I'll see if the universal binary takes on my M1 MacBook.

ooftee
New Contributor III

Not all apps will have universal binaries, upvote this one:
https://www.jamf.com/jamf-nation/feature-requests/10107/patch-management-for-apple-silicone-mac-s

timdambrosio
New Contributor III

Cisco Webex is another one that comes in x86 or ARM only.

emily
Valued Contributor III

If y'all would like to have a separate Apple Silicon patch title for any applications in particular make sure you submit an individual feature request for each one. That helps the teams see what's in highest demand to best prioritize building out that patch title in the Patch Management service.

ryan_ball
Valued Contributor

As if Patch Management wasn't hard enough, multiple architectures now complicate it even further. Those interested in an intelligent Patch Management solution that easily accommodates both x86_64 and arm64 architectures might want to check out Alectrona Patch in the Jamf Marketplace. Feel free to chat with us for more details.

timdambrosio
New Contributor III

You can also just add Jamf again as an external patch source with https://jamf-patch.jamfcloud.com/v1

Use the secondary one for arm64 titles. That doesn't help for titles like VLC where the version is slightly different but it's a quick fix for those where the version is the same across architecture.

Ronen
New Contributor II

Hey @darth_undesirable,

This is not exactly what you asked for, but it helps a lot to keep the environment up to date, and from my knowledge, it's for both Intel and M1 chips.

Just run it once a week and all your Zoom clients will be upgraded to the latest version.

#!/bin/bash

# Source: https://www.jamf.com/jamf-nation/third-party-products/files/1051/install-latest-zoom-client

# this is the full URL
url="https://zoom.us/client/latest/ZoomInstallerIT.pkg"

# change directory to /private/tmp to make this the working directory
cd /private/tmp/ || exit 1

# download the installer package; -f makes curl fail on an HTTP error instead of saving the error page
/usr/bin/curl -fL "$url" -o "ZoomInstallerIT.pkg" || exit 1

# install the package and keep its exit status
/usr/sbin/installer -pkg "ZoomInstallerIT.pkg" -target /
status=$?

# remove the installer package when done
/bin/rm -f "ZoomInstallerIT.pkg"

# report the installer's result so a failed install is not logged as success
exit "$status"

Hope that helps something.
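The script above installs whatever the URL returns, as root. The following is an added example, not part of the original post, that downloads into a private temporary directory and checks the package's signer before installing. `EXPECTED_TEAM_ID` is a placeholder for the Team ID you have confirmed for the vendor's Developer ID Installer certificate, and the function names are hypothetical.

```shell
#!/bin/bash
# Added example: verify the package signer before installing as root.
# EXPECTED_TEAM_ID is a placeholder; the default never matches, so the
# script fails closed until a confirmed Team ID is supplied.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-TEAMID_PLACEHOLDER}"
url="https://zoom.us/client/latest/ZoomInstallerIT.pkg"

# team_id_of SIGNATURE_TEXT: print the Team ID from the leaf certificate line
# of `pkgutil --check-signature` output ("1. Developer ID Installer: Name (ID)").
team_id_of() {
    printf '%s\n' "$1" |
        sed -n 's/^ *1\. Developer ID Installer: .*(\([A-Z0-9]\{10\}\))$/\1/p' |
        head -n 1
}

# signer_trusted SIGNATURE_TEXT EXPECTED_ID: succeed only if the package is
# signed with an Apple-issued distribution certificate and the signer's
# Team ID matches the expected one.
signer_trusted() {
    case "$1" in
        *"Status: signed by a developer certificate issued by Apple for distribution"*) ;;
        *) return 1 ;;
    esac
    [ -n "$2" ] && [ "$(team_id_of "$1")" = "$2" ]
}

if [ "$(uname -s)" = "Darwin" ]; then
    # Private directory instead of a predictable file name in /private/tmp.
    workdir=$(/usr/bin/mktemp -d /private/tmp/zoom.XXXXXX) || exit 1
    trap '/bin/rm -rf "$workdir"' EXIT
    pkg="$workdir/ZoomInstallerIT.pkg"
    # HTTPS only, including across redirects; fail on HTTP errors.
    /usr/bin/curl -fsSL --proto '=https' --proto-redir '=https' \
        "$url" -o "$pkg" || exit 1
    sig=$(/usr/sbin/pkgutil --check-signature "$pkg") || exit 1
    if ! signer_trusted "$sig" "$EXPECTED_TEAM_ID"; then
        echo "refusing to install: unexpected signer '$(team_id_of "$sig")'" >&2
        exit 1
    fi
    /usr/sbin/installer -pkg "$pkg" -target / || exit 1
fi
```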

ianatkinson
New Contributor III

I must be missing something, why are companies pushing out non-universal binaries? Isn't the fact that you can compile the app to work natively across either architecture the selling point of it?

Having to start putting multiple versions of packages into JAMF to deal with both sounds horrible 😞

aaronj
New Contributor III

@ianatkinson, horrible is a good word for it. I do not know why they are, but they are. In particular Adobe is the biggest offender right now. I'm sure that there are others. With Adobe, you cannot even install an Intel application using a package from the Adobe Admin Console unless you choose Apple Silicon when creating that package. To clarify, even if the Adobe application doesn't have an Apple Silicon version yet, you still have to create the installer package for Apple Silicon.

The gist of what I am saying here is that as administrators, we do not directly control what packages are available. In an ideal world everything would be universal, but we don't live in that world. It makes sense then for the tools we use for Mac administration to support the situation where multiple packages are being offered by vendors, as that is the world that we currently live in.

Chris_Hafner
Valued Contributor II

100% not surprised that we're upset about Adobe installers again, but hey, at least Flash is finally and actually dead.

ianatkinson
New Contributor III

Ah Adobe. I can feel my hair getting a bit greyer already.

eithor
New Contributor

@timdambrosio It seems that Jamf will not allow an external patch source set to the URL of the "internal" one https://jamf-patch.jamfcloud.com/v1/. The error is "invalid hostname". If specifying just jamf-patch.jamfcloud.com you get a connection error when trying to use it. I'm on 10.29 Jamf Cloud.

timdambrosio
New Contributor III

@user-pmoiOXuOXp Drop https:// from the URL.

It works fine for me on 10.29.2 and 10.130b.

Tildo
New Contributor II

Worked like a charm @timdambrosio