Help

Policy scope cannot be based on a smart computer group that uses the "latest version" criteria.

pmcgurn
New Contributor III

Posted on ‎09-15-2016 05:22 PM

Found this nice little limitation a little while ago. So basically, "patch reporting" can't be used to do anything actionable, like, say, patch something.

The use case was checking for machines not on the latest version of Chrome, and if found, running a script like this:

#!/bin/bash

#Command will trigger Google's native updater process in the background
cd /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/
./CheckForUpdatesNow.command

exit 0

And then update inventory to have it drop out of the computer group.

Labels:
Reply
12 REPLIES 12

mpermann
Valued Contributor II

Posted on ‎09-15-2016 06:18 PM

I noticed the same thing. It seems odd that you can't scope based on latest criteria. Maybe someone from JAMF will comment on why this is.

0 Kudos
Reply

erin_miska
New Contributor III
New Contributor III

Posted on ‎09-16-2016 09:47 AM

@pmcgurn (and @mpermann), check out my response to the same question on this KB: https://jamfnation.jamfsoftware.com/article.html?id=443

I think your use case (and @chad.jannusch's) is a little less dangerous than the one we were originally worried about, but you could still end up in a sticky situation if you used a smart group for "is not latest version". For example, if a new version of Chrome is released and one of your end users happens to install the new version on their own before JAMF has updated our definition of "latest version", the JSS will consider them to be on an "unknown" version. "is not latest version" will pull in computers with unknown versions, and your script will try to run on that computer that's already up-to-date but reporting as unknown. If your policy is set to ongoing, the script could run repeatedly until JAMF updates our definition of "latest version".

"less than latest version" would probably be OK...

We'll think about potentially removing this block and providing more of a disclaimer instead, but ultimately our focus is on building a more purpose-built solution so that you don't have to use complicated smart groups and policies to patch your machines. (We are also working on minimizing the amount of time it takes us to update our definition after a vendor releases an update.)

0 Kudos
Reply

RobertBasil
Contributor

Posted on ‎10-26-2016 12:38 PM

For example, if a new version of Chrome is released and one of your end users happens to install the new version on their own before JAMF has updated our definition of "latest version", the JSS will consider them to be on an "unknown" version.

And that's the problem. Patch Reporting should report the installed version number of the software, even if it's not listed in the JAMF patch tables.

Reply

blindcola
New Contributor III

Posted on ‎02-17-2017 12:20 PM

Part of my workflow is to use an EA that my autopkg recipe updates every time it packages Chrome. We use separate test and production recipes. Often our production version is a couple days behind the current autoupdate version of software. That's fine with Lab environments, but there's really no reason why staff cant just run with the auto update from chrome. Also developers get crabby when you overwrite a beta install with last weeks production version. We use autopkg output equally for patching and continuous availability. One global policy scoped to this EA, for self service or a custom trigger call.
Have a look if you haven't come up with a workaround yet.
https://github.com/dlhughes/JAMFPro_Extension_Attributes/blob/master/GoogleChromeStatus
This is how we handle complex scoping in a way that "hopefully" will transition smoothly into what jamf is putting together.

0 Kudos
Reply

barnesaw
Contributor III

Posted on ‎05-08-2017 11:35 AM

Simple way around this: One smart group that uses the latest version criteria. Second smart group based on membership in the first group.

It's an unnecessarily difficult way to accomplish the stated goal, but c'est la jamf.

Reply

jamf_tx
New Contributor II

Posted on ‎03-21-2018 08:11 PM

Surprisingly, this is still an issue in 2018 with JAMF Pro 10.2.2. I want to run an auto-update script when patch management detects the version is out of date, and I can't simply create a smart group like Patch Reporting: Google Chrome less than latest

7cb9f271b711498d89da96d460e8c6d5

0 Kudos
Reply

remyb
Contributor

Posted on ‎03-22-2018 12:19 AM

Yep, ran into the same problem last week.. :-(

0 Kudos
Reply

rstasel
Valued Contributor

Posted on ‎02-05-2020 02:26 PM

zombie thread. This is still a thing! Honestly, the fix is remove the blanket restriction and only have it apply to "is not latest version". That way, we can all do "less than latest version".

0 Kudos
Reply

devoted_lkrygsm
New Contributor III

Posted on ‎08-03-2021 11:08 AM

This is infuriating that this is still a thing.

Way to make "Patch Management" absolutely useless for actually doing anything.

0 Kudos
Reply

k_spatula
New Contributor

Posted on ‎11-10-2021 05:51 AM

Read about this recently.. as a workaround: https://scriptingosx.com/2020/06/using-installomator-with-jamf-pro/
It is not a solution but a workaround to be able to use the smart group with latest version value to be used on policies.

0 Kudos
Reply

SlidewaysF30
New Contributor III

‎05-13-2022 05:13 AM - edited ‎05-13-2022 05:14 AM

DELETE

 

 

0 Kudos
Reply

seanchristians
New Contributor

Posted on ‎06-07-2023 11:23 AM

Still an issue in June 2023, Jamf Pro version 10.46.1. Until Patch Management can automatically package software titles, instead of just providing an inventory, this needs to be resolved.

Reply