Patch Management for macOS

cmudgeUWF
New Contributor III

Does anyone have any experience with pushing macOS security patches via JAMF? With this week's big list of patches for macOS, it impressing a need for greater control of patches for macOS. I've been seeing some stuff about SUS, but I don't want to invest time and resources into something that is being deprecated.

7 REPLIES 7

WacoKUNDA
New Contributor II

Hey cmudgeUWF,

Any news on this one from your side please?

I tried a few ways using patch management, however none worked.

Is there anyone in the Jamfworld with some advise please? instructions or "How to's" please Jamf? If anyone has news on how to do this successfully please let us know?

crskerman
New Contributor II

I had a ticket in around this the other week.
Here's what Jamf recommonded to me:

In regards to the end goal, would we be able to advise to use the policy to run a script for the devices to communicate to Apple directly to download and install necessary updates. As usually when the update is requested from the machine it downloads the necessary version for the the model. this would be the reason for the messages. https://www.macrumors.com/how-to/update-macos-terminal-command/ Have attached an article that may assist you in creating this simple workflow.

kwoodard
Valued Contributor

This is the command I use in ARD to have a computer check for updates, install in the background, then restart when done. The restart portion only seems to work on 10.13 and 10.14. I would imagine that this could be scripted inside JAMF as a policy.

sudo softwareupdate -ia --verbose --restart

WacoKUNDA
New Contributor II

@kwoodard

Thanks mate, I was testing this sudo softwareupdate -i -a --restart and it seem to work when I just ad it to a policy under files and processes. I will try the one you gave sudo softwareupdate -ia --verbose --restart.

Thanks for the help

kwoodard
Valued Contributor

@WacoKUNDA

The --verbose flag gives a return in ARD to show me the status of the update. It shows what updates are found and gives a progress indicator on the status of the install. If you are doing a policy in JAMF, probably won't need it.

jleomcdo
Contributor

I have scripted this process and put it in Self Service. I use the command line "jamf runSoftwareUpdate -fromApple"
I also use the jamfHelper binary to display a start and end message.

WacoKUNDA
New Contributor II

"sudo softwareupdate -i -a --restart" Worked fine for me, however I will test to see how "jamf runSoftwareUpdate -fromApple" goes, for future reference Thanks Everyone