Patch Management Ideas

rcurran
Contributor

So far the idea is to run updates via this script

softwareupdate -i -r

at login, one day a week, and give the users about 15 minutes to reboot. Half my users are offsite, so I don't think there's much value in a dedicated software update server at this time.

How do you guys do patch management? Thoughts, ideas, and tips are greatly appreciated.

Best


UESCDurandal
Contributor II

Checkout this thread:
https://jamfnation.jamfsoftware.com/discussion.html?id=5890

I'm a big fan of the jamf helper update script from Lisa. Made my life so much easier.

tkimpton
Valued Contributor II

SUS server

Defaults write command to point to SUS

Script at startup

softwareupdate -i -a

Users rarely logout because they always shutdown never logout, so logout policy is pointless.

No messin and sorted

jarednichols
Honored Contributor

SUS server (but not hosting the updates)
Defaults write command to point to SUS
Script during imaging
Policy once a week ensures the SUS is set
Policy constructed monthly for non-Apple patches (Flash, Office etc)

Once monthly policy with Lisa Cherry's jamfHelper script. It bugs users once a day for 5 days to run them at their leisure. On the 6th day if they haven't run them yet patches force. On the 7th day, Casper rested and Jared said it was good.

UESCDurandal
Contributor II

@Jarednichols Would you mind sharing how you were able to implement the timer in your jamfhelper script?

We have a dual system going with jamfHelper being the daily annoyance for which users could press the Yes button and reboot now. However they often do not... So the script reminds them that they can run updates anytime through Self Service... However they often do not.

I'd love to have a system where after the 5th day of refusing, it will install at a set time, say 5pm when users will often be going home.

jarednichols
Honored Contributor

Here you go:

#!/bin/sh

# Paths under "/Library/Application Support" contain a space, so they are quoted throughout
TimerFile="/Library/Application Support/JAMF/.SoftwareUpdateTimer.txt"
DoneFile="/Library/Application Support/Fidelity/.BusNov2012Done"
JamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
Icon="/System/Library/CoreServices/Installer.app/Contents/Resources/Installer.icns"

LoggedInUser=`who | grep console | awk '{print $1}'`

# Have we run this already?
if [ -f "$DoneFile" ]; then
    echo "Bus already run"
    exit 2
fi

# First run of the month: the user gets 5 deferrals
if [ ! -e "$TimerFile" ]; then
    echo "5" > "$TimerFile"
fi

Timer=`cat "$TimerFile"`

fRunUpdates ()
{
    echo "5" > "$TimerFile"

    ## Full-screen notice while the update policy runs; it is dismissed once the policy finishes
    "$JamfHelper" -windowType fs -heading 'FIMT is installing updates to your Mac' -description 'Please do not turn off this computer. It will reboot when updates are completed.' -icon "$Icon" > /dev/null 2>&1 &

    ## Process ID of the jamfHelper, so we can kill it afterwards
    JHPID=$!

    ## Run the update policy, then lay down the tag so this month's run is not repeated
    /usr/sbin/jamf policy -trigger herecomesthebus
    touch "$DoneFile"

    kill -s KILL "$JHPID"
    exit 0
}

if [ "$LoggedInUser" = "" ]; then
    fRunUpdates
else
    if [ "$Timer" -gt 0 ]; then
        ## jamfHelper prints 0 when button1 (Yes) is clicked
        HELPER=`"$JamfHelper" -windowType utility -icon "$Icon" -heading "Software Updates are available for your Mac" -description "If you would like to install updates now, click Yes. If you would not like to install updates now, click Cancel. You may choose to not install updates $Timer more time(s) before this computer will forcibly install them. A reboot will be required." -button1 "Yes" -button2 "Cancel" -cancelButton "2"`

        echo "jamf helper result was $HELPER"

        if [ "$HELPER" = "0" ]; then
            fRunUpdates
        else
            CurrTimer=$((Timer - 1))
            echo "user chose No"
            echo "$CurrTimer" > "$TimerFile"
            exit 1
        fi
    fi
fi
## If Timer is already 0, run the updates automatically, the user has been warned!
if [ "$Timer" -eq 0 ]; then
    fRunUpdates
fi

It needs to be changed each month (for each month's unique bus "tag"), though I figure it's part of the process. I'll see if I can automate it so I don't need to change the script, but I haven't had the time.

rcurran
Contributor

Thanks @jarednichols , the timer seems really ideal.

I took your script and replaced the Fidelity lines with the ones matching my company. I also replaced herecomesthebus with the policy trigger I have been using in combination with Lisa's script.

When testing out the script it seems to bring up the black screen no matter if my system is up to date or not. I'm positive I'm doing something wrong, so any more details you could share would be really great.

Thanks again for the direction.

maweee
New Contributor

To not need to change the script every month just take ".BusNov2012Done" out and insert $4
Then in the policy that runs the script under "Parameter 4" Insert ".BusNov2012Done" and just change it in the policy instead of the script.
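As an added example that is not code from the thread, here is the deferral logic of jarednichols' script factored into small functions, with the per-cycle "done" tag taken from Jamf policy parameter $4 as maweee suggests and every path quoted. STATE_DIR, MAX_DEFERRALS and the function names are my own choices; the jamfHelper and jamf policy calls appear only in the wiring comment at the end.

```shell
#!/bin/bash
# Added example (not from the thread): deferral state machine for a monthly
# update cycle. The tag for the cycle comes from Jamf parameter $4, so only the
# policy changes each month, not the script.
STATE_DIR="${STATE_DIR:-/Library/Application Support/JAMF}"  # assumed location
MAX_DEFERRALS=5                                              # five days of "Cancel"
timer_file() { printf '%s/.SoftwareUpdateTimer.txt' "$STATE_DIR"; }

# decide_action TAG LOGGED_IN_USER -> prints one of: done | run | prompt | force
decide_action() {
  [ -f "$STATE_DIR/$1" ] && { echo done; return 0; }     # this cycle already ran
  [ -f "$(timer_file)" ] || echo "$MAX_DEFERRALS" > "$(timer_file)"
  timer=$(cat "$(timer_file)")
  if [ -z "$2" ]; then echo run                          # nobody to ask: install now
  elif [ "$timer" -gt 0 ]; then echo prompt              # user may still defer
  else echo force; fi                                    # deferrals exhausted
}

# defer: the user clicked Cancel; decrement and print the remaining deferrals
defer() {
  timer=$(( $(cat "$(timer_file)") - 1 ))
  echo "$timer" > "$(timer_file)"
  echo "$timer"
}

# mark_done TAG: the update policy finished; reset the counter and lay down the tag
mark_done() {
  echo "$MAX_DEFERRALS" > "$(timer_file)"
  touch "$STATE_DIR/$1"
}

# Wiring inside the Jamf policy script (script parameters arrive as $4..$11):
#   tag="$4"; user=$(who | awk '/console/ {print $1}')
#   case "$(decide_action "$tag" "$user")" in
#     done)   exit 2 ;;
#     prompt) [ "$(jamfHelper ... -button1 Yes -button2 Cancel)" = "0" ] \
#               || { defer; exit 1; } ;;
#   esac
#   /usr/sbin/jamf policy -trigger "$5"   # your update trigger, then:
#   mark_done "$tag"
```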

jarednichols
Honored Contributor

@maweee yep that's it. I just hadn't gotten around to doing it.

@rcurran Hmm odd. If the update policy runs, it should lay down the .BusNov2012Done (for example) file and then the next time round see it and quit. Check your logs and see if it's coming back with an exit 2 or not.