Patch Management for Safari Monterey/Ventura ?

JevermannNG
Contributor II

How can I create a Patch Management Rule to distribute Safari for macOS Monterey and for macOS Ventura Clients?

The Patch Management Policy does not offer an option for both systems.

I created one for the Ventura Clients which is scoped to a Smart Group, but how can I setup a second one for the Monterey Clients?

1 ACCEPTED SOLUTION

AJPinto
Honored Contributor III

You can use patch management to deploy the Safari package. However due to JAMFs limitations with Patch Management its easier said then done to target both Monterey and Ventura with the same Patch Management Policy. 

 

Things you will need:

  • Use JAMF composer to package both Safari packages and place them in the /private/tmp/ directory or another preferred directory
  • Post install script will trigger the correct package to install.
    • Something like the script below should work, though it will need a function to exclude macOS 14.
#!/bin/sh
## postinstall
 
 
OS_Version=$(sw_vers | grep -o "13")
     
if [[ -n "$OS_Version" ]]; then
        echo "Installing Ventura Package"
        installer -pkg "/private/tmp/Safari_Ventura.pkg" -target /
        echo "done installing Ventura package"
    else
        echo "Installing Monterey package"
        installer -pkg "/private/tmp/Safari_Monterey.pkg" -target /
        echo "done installing Monterey package"
fi  
 
sudo rm -rf "/private/tmp/"
 
exit 0;     ## Success
exit 1;     ## Failure

 

View solution in original post

7 REPLIES 7

AJPinto
Honored Contributor III

You can use patch management to deploy the Safari package. However due to JAMFs limitations with Patch Management its easier said then done to target both Monterey and Ventura with the same Patch Management Policy. 

 

Things you will need:

  • Use JAMF composer to package both Safari packages and place them in the /private/tmp/ directory or another preferred directory
  • Post install script will trigger the correct package to install.
    • Something like the script below should work, though it will need a function to exclude macOS 14.
#!/bin/sh
## postinstall
 
 
OS_Version=$(sw_vers | grep -o "13")
     
if [[ -n "$OS_Version" ]]; then
        echo "Installing Ventura Package"
        installer -pkg "/private/tmp/Safari_Ventura.pkg" -target /
        echo "done installing Ventura package"
    else
        echo "Installing Monterey package"
        installer -pkg "/private/tmp/Safari_Monterey.pkg" -target /
        echo "done installing Monterey package"
fi  
 
sudo rm -rf "/private/tmp/"
 
exit 0;     ## Success
exit 1;     ## Failure

 

Thank you for the workflow and script!

Chubs
Contributor

Curious why you don't let the native software updater pull down/ install safari?  

 

I find your lack of faith disturbing

Because it works not reliable on our Clients. The Safari Updates show up in the inventory list of the Clients but the Client is not able to install it. Patch Management is the most reliable way to fix this.

Sooo using the MDM command to force install updates (with deferment if you wanted) doesn't work?  That sounds a bit incorrect.  MDM commands are the most reliable method for this.  Using some third party script is second rate to the MDM commands from my experience.  I've done both.

I find your lack of faith disturbing

AJPinto
Honored Contributor III

In my experience I have found that MDM Commands to install OS updates have about a 70% success rate. Most failures are caused by something on the network or something preventing a reboot. The issue is really how miserable Apple is at reporting what is going on with OS updates unless you can access the install.log. Many people feel more comfortable deploying packages and scripts as the logging is much better.

 

Apple is starting to get with the program and JAMF has a fairly rudimentary ability to report on what is going on with OS updates, but it still has a long way to go and even longer to change admin behavior and earn trust.

In a well oiled environment, MDM is the answer.  The logging (non declarative) isn't terrible.  I came from a higherED environment where what you said is correct. The environment was rusty (at best) and needed some intervention.  I wrote my own Nudge that didn't require all of those moving pieces and had about an 85% success rate which was acceptable.  My current employer has an environment that's well oiled, so MDM is the answer.  Unfortunately, I wish mobile OS updates were more streamlined like caching the OS and applying during a maintenance window (hospital environment - so it needs to be scheduled and not wild-west).

I find your lack of faith disturbing