Questions about update settings, pushing security updates and OS X updates

mwayne
New Contributor

Hey all,

First question is in regards to the App Store settings located in System Preferences >> App Store.
Will toggling these all auto-check for updates, and download and install security updates/OS X system updates as well? Or does it not really perform that way? Boss suggested the idea to replace normal management by pushing updates, but I'm hesitant due to not being able to test the updates and not completely sure they work exactly the way he thinks. Anyone have any experience with this?

Second question is about pushing software updates. How do you deal with the risk of data loss from OS updates/upgrades, and how do you deal with the restarts and install times that usually occur after such updates?

Thanks!

Wayne


Look
Valued Contributor III

I have ours set up with the following:
A smart group containing machines with updates pending.
Scoped to a policy that applies a script with a pmset command to wake the machine in the middle of the night.
A general policy to apply any pending updates, restricted to occur only in the middle of the night, i.e. when the pmset wakes them up.
Works very well for desktop hardware, which for us is by far the majority. It's less effective for laptops, as there are a few users who never leave their machines at work overnight, so sometimes these have to be applied during the day, or the users contacted specifically to get them to do it manually through a Self Service policy.

rtrouton
Release Candidate Programs Tester

I have several posts that discuss the settings in System Preferences: App Store. They're available from here:

Managing OS X’s automatic security updates: https://derflounder.wordpress.com/2014/12/24/managing-os-xs-automatic-security-updates/

Managing automatic installation of ConfigData and security software updates on Yosemite: https://derflounder.wordpress.com/2014/12/27/managing-automatic-installation-of-configdata-and-secur...

Managing automatic App Store and OS X update installation on Yosemite: https://derflounder.wordpress.com/2014/12/29/managing-automatic-app-store-and-os-x-update-installati...

If you want to set these settings, but also check updates before your machines get them, I'd recommend setting up a Software Update Server (SUS) to download the updates from Apple, then point your machines to your SUS instead of to Apple's software update service. Reposado is an open source SUS which can be run on just about any OS. Reposado can be managed via the command line or with Margarita.

mtward
New Contributor III

In regards to JSS > Computer Management > Inventory Collection > Collect available software updates:

Do system software updates available still get checked and reported to the JSS even with all the checkboxes unticked in System Preferences > App Store?

I imagine the Jamf binary is running a "softwareupdate -l" and then reporting back to the JSS?

nessts
Valued Contributor II

Yes, in short, the recon process runs a softwareupdate -l and stores the output from that appropriately.
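
As an added illustration of what the inventory step above works from (this is example code written for this thread, not the Jamf binary's actual parser or any poster's script), the POSIX shell below parses a constructed sample of `softwareupdate -l` output: it lists the pending update identifiers, counts them, and checks whether any of them carries the `[restart]` flag, which is the piece of information you would want before forcing installs on machines that are in use. The sample output is constructed to match the 10.10-era format and is labelled as such; on a real Mac you would feed it `softwareupdate -l 2>&1` instead.

```shell
#!/bin/sh
# Constructed sample of `softwareupdate -l` output on OS X 10.10 (not captured
# from a real machine). Identifier lines start with "   * "; the detail line
# that follows each one is tab-indented and may carry [recommended]/[restart].
SAMPLE_OUTPUT='Software Update Tool

Finding available software
Software Update found the following new or updated software:
   * Security Update 2015-004-10.10.3
	Security Update 2015-004 (1.0), 232466K [recommended] [restart]
   * iTunesX-12.1.2
	iTunes (12.1.2), 133288K [recommended]'

# Constructed sample for a machine with nothing pending.
NO_UPDATES_OUTPUT='Software Update Tool

Finding available software
No new software available.'

# Print one pending update identifier per line (the text after "* ").
pending_update_ids() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\* //p'
}

# Print the number of pending updates (0 when none are listed).
pending_update_count() {
    pending_update_ids "$1" | awk 'END { print NR }'
}

# Exit 0 (true) when at least one pending update requires a restart.
restart_required() {
    printf '%s\n' "$1" | grep -q '\[restart\]'
}

# Exit 0 (true) when at least one pending update is Apple-recommended.
has_recommended() {
    printf '%s\n' "$1" | grep -q '\[recommended\]'
}

# Human-readable summary, the kind of thing a smart-group extension
# attribute or a Self Service reminder could be driven by.
summarize_updates() {
    count=$(pending_update_count "$1")
    if [ "$count" -eq 0 ]; then
        echo "No pending software updates."
        return 0
    fi
    echo "$count pending update(s):"
    pending_update_ids "$1" | sed 's/^/  - /'
    if restart_required "$1"; then
        echo "At least one update requires a restart; schedule accordingly."
    else
        echo "No restart required."
    fi
}

summarize_updates "$SAMPLE_OUTPUT"
summarize_updates "$NO_UPDATES_OUTPUT"
```

The functions take the captured output as an argument rather than calling `softwareupdate` themselves, so the same logic can be exercised against saved output from a test machine before it is trusted in a policy.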

mtward
New Contributor III

Great.

This is how we do it in our K12 environment:

~1500 MacBook Airs. (1st year of 1:1)

  • Staff/Faculty on 10.10.x, students a mix of 10.9/10.10; there will be a big push to get all on 10.10.3+ before Fall Semester
  • All checkboxes in System Prefs are unchecked via script for all Macs
  • Update Inventory runs once a day via policy, and another at startup for all managed clients
  • No SUS, but Caching service turned on on each building's JDS (Mac Mini Server, network segments defined for each building)
  • Software Update Policies: In Self Service, Featured on main page, scoped to a smart group of "has available software updates". Once no more updates exist, clients fall out of the smart group and the icon in SS goes away.
  • Currently not enforcing any updates, but do use jamf helper to display a reminder sporadically.
  • This summer, will be putting together method of deferment/enforcement at time intervals if updates exist.

Mac Desktops:

Same setup as above, except there is one policy set to force install all available software updates once a week after 5PM and restart as required by the update.

For us this has worked fairly well, gets rid of the notification nag for users - suggestions always welcome though!