First question is in regards to the App Store settings located in System Preferences >> App Store.
Will toggling these all auto check for updates, download and install security updates/OS X system updates as well? Or does it not really perform that way? Boss suggested the idea to replace normal management by pushing updates, but I'm hesitant due to not being able to test the updates and not completely sure they work exactly the way he thinks. Anyone have any experience with this?
Second question is about pushing software updates. How do you deal with the risk of data loss from OS updates/upgrades, and how do you deal with the restarts and install times that usually occur after such updates?
I have ours set up with the following.
A smart group containing machines with updates pending.
Scoped to a policy that applies a script with a pmset command to wake the machine in the middle of the night.
A general policy to apply any pending updates restricted to occur only in the middle of the night, i.e. when the pmset wakes them up.
Works very well for desktop hardware, which for us is by far the majority. It's less effective for laptops as there are a few users who never leave their machines at work overnight so sometimes these have to be applied during the day or contacted specifically to get them to do it manually through a Self Service policy.
I have several posts that discuss the settings in System Preferences: App Store. They're available from here:
Managing OS X’s automatic security updates: https://derflounder.wordpress.com/2014/12/24/managing-os-xs-automatic-security-updates/
Managing automatic installation of ConfigData and security software updates on Yosemite: https://derflounder.wordpress.com/2014/12/27/managing-automatic-installation-of-configdata-and-secur...
Managing automatic App Store and OS X update installation on Yosemite: https://derflounder.wordpress.com/2014/12/29/managing-automatic-app-store-and-os-x-update-installati...
If you want to set these settings, but also check updates before your machines get them, I'd recommend setting up a Software Update Server (SUS) to download the updates from Apple, then point your machines to your SUS instead of to Apple's software update service. Reposado is an open source SUS which can be run on just about any OS. Reposado can be managed via the command line or with Margarita.
In regards to JSS > Computer Management > Inventory Collection > Collect available software updates:
Do system software updates available still get checked and reported to the JSS even with all the checkboxes unticked in System Preferences > App Store?
I imagine the Jamf binary is running a "softwareupdate -l" and then reporting back to the JSS?
This is how we do it in our K12 environment:
~1500 MacBook Airs. (1st year of 1:1)
Same setup as above, except there is one policy set to force install all available software updates once a week after 5PM and restart as required by the update.
For us this has worked fairly well, gets rid of the notification nag for users - suggestions always welcome though!
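The restart question raised in this thread can be handled by splitting pending updates into those that force a reboot and those that do not. The script below is an added example, not from any poster in this thread or from Jamf. It assumes the `softwareupdate -l` listing layout of the OS X releases discussed here (a `* label` line followed by a detail line that carries `[restart]`), and the sample listing and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `softwareupdate -l` output (not captured from a real Mac).
SAMPLE_LIST='Software Update Tool
Copyright 2002-2012 Apple Inc.

Finding available software
Software Update found the following new or updated software:
   * Security Update 2015-001-1.0
        Security Update 2015-001 (1.0), 164736K [recommended] [restart]
   * iTunesX-12.1
        iTunes (12.1), 187341K [recommended]
   * RemoteDesktopClient-3.8
        Remote Desktop Client Update (3.8), 7000K [recommended]'

# classify_updates MODE   (hypothetical helper; reads a listing on stdin)
#   MODE=restart prints labels flagged [restart]; MODE=norestart prints the rest.
classify_updates() {
    awk -v mode="$1" '
        /^ *\* / { sub(/^ *\* /, ""); label = $0; next }  # label line
        label != "" {                                     # detail line after it
            needs = ($0 ~ /\[restart\]/) ? "restart" : "norestart"
            if (needs == mode) print label
            label = ""
        }'
}

# pending_restart_count: how many listed updates will force a reboot.
pending_restart_count() {
    classify_updates restart | wc -l | tr -d ' '
}

# Use live data on a Mac; fall back to the constructed sample elsewhere.
get_listing() {
    if command -v softwareupdate >/dev/null 2>&1; then
        softwareupdate -l 2>/dev/null
    else
        printf '%s\n' "$SAMPLE_LIST"
    fi
}

listing=$(get_listing)
count=$(printf '%s\n' "$listing" | pending_restart_count)
echo "No restart needed (can install while the user is working):"
printf '%s\n' "$listing" | classify_updates norestart | sed 's/^/  /'
echo "Hold for the overnight or after-hours policy ($count need a restart):"
printf '%s\n' "$listing" | classify_updates restart | sed 's/^/  /'
```

Each printed label can be passed to `softwareupdate -i`, and the restart count can feed an extension attribute or smart group so only machines with reboot-requiring updates are scoped to the after-hours policy.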