Questions regarding SoftwareUpdate in the Monterey era

MSBV
New Contributor II

Hello everyone,

We've been using Jamf for half a year now, and we got most of it working with scripts and other hacks, but one thing we still struggle with is updates.

We have 2 issues with software updates:
1. How to force install them without user interaction.
2. How to prevent major updates like Ventura before they are approved.

And I'll explain.

1. I've tested a few scripts and methods that I found/created, but Apple has made our lives harder by requiring user authentication for major updates, and it does not install updates that require a restart at all, it just downloads them.

Has anyone managed to force an update install and restart from Jamf via script? Or is this locked now and must involve user interaction?

 

2. I've seen countless posts saying: "block InstallAssistant, and defer updates for 90 days". I don't know how no one mentioned this, or thought of it, but that will not apply only to the update you're thinking of; it applies to every update.

For example, let's say I want to block Ventura and use these methods. Users on an older OS that need a full installer upgrade or something like that will be blocked by the InstallAssistant restriction, while users who just want to update from 12.5 to 12.5.1 will have to wait 90 days since their last update to even see 12.5.1 available.

We found this issue when testing Ventura and 13.1 came out. I was excluded from the upgrade block but not from the defer, and 13.1 would not show up.

So is there a way to block an InstallAssistant that matches a certain version? Maybe by a hash?

Thanks for reading and have a great day

1 ACCEPTED SOLUTION

AJPinto
Esteemed Contributor

 

The short answer: managing macOS updates absolutely sucks and has always sucked, as Apple's concept of update management is garbage.

 

There is really a lot to decompress, and this gets very complicated very fast. There are literally tons of JAMF Nation discussions on this very topic if you search for them. I like to complain, so here is my take.

 

OS update deferrals

  • Deferring with MDM - You can pick 1-7-30-60-90 days to defer minor and major OS updates. Generally, this works as expected, except you will see different results depending on many variables, like how the device was enrolled. If you are not using DEP, do not expect OS update deferrals to work very well.
    • Deferring macOS Ventura on macOS 12.3-12.6 is not possible anymore without deferring all updates.
    • Deferring macOS Ventura on macOS 12.6.1 works as expected, provided your devices are enrolled and managed correctly. Though Apple does not really say what "correctly" is.

How MacOS Ventura is installed

  • macOS 12.2 and below will download macOS Ventura as an Install macOS Ventura.app
    • You can use JAMF to block Install macOS Ventura.app with a software restriction
  • macOS 12.3 and above will download macOS Ventura as a delta; there is no .app downloaded
    • You can only block this with MDM deferrals, and cannot block it past 90 days
      • On macOS 12.3 - 12.6 there is a bug where macOS sees Ventura as a minor update, not a major update. You must defer minor updates to block Ventura for these builds of macOS.

 

How MacOS Updates are installed

  • Intel Macs can use a bootstrap token or a secure token to authorize the install of OS updates
    • Bootstrap token could be used when running OS updates from the command line using the softwareupdate binary. No user notification tools beyond what you build into the script.
  • Apple Silicon Macs CAN ONLY authorize updates with a Secure Token
    • The Secure token is given to volume owners on macOS and to MDM if a device is managed correctly
    • Secure token allows JAMF to tell macOS to install OS updates and will prompt the users if the correct options are picked.
    • Some people have written scripts to put in JAMF SS to allow a user to tell macOS to install OS updates using JAMF API commands to send the MDM Command down. I find this rather dumb as the user can just click the install update button. 
      • Some people have wrapped these API scripts into policies to try to force OS updates to run, again you can just do this with JAMF and clicking a button.
    • One of the major problems with using MDM commands to run OS updates is they have about a 30% fail rate, and JAMF has no notifications or logging built in for the admin. You just need to watch the OS builds change with smart groups and hope.

 

 

All that aside. What should you be doing?

Deferring Ventura

  • You need your entire fleet on macOS 12.6.1+, and you need to enable the major OS update deferral. Your devices also need to have been enrolled with DEP, and there are many other nuances. If you are not able to defer Ventura at this point, I would say don't bother. You can't defer Ventura past 1.22.23 anyway, as that is the 90-day mark and the farthest you can defer.

Issuing software updates

  • Apple has been loud and clear. You should be using MDM commands to tell Macs to run OS updates and upgrades. You can still get by using scripts on Intel Macs, which also don't work very well, but MDM commands are what Apple wants you doing if you don't want users in control of the update process.

Just to say it again, there is no way to defer Ventura past 1.22.23 on macOS 12.3+, period. If this is a problem for your org, you need to submit feedback to Apple, but you are a bit late to hope for any changes.
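As an added example (not from this thread, and not Jamf's or Apple's code), the shell script below parses `softwareupdate --list` output and maps each available item to the Restrictions payload key that would defer it, including the 12.3-12.6 case described above where Ventura is treated as a minor update. The sample list output is constructed; the key names are Apple's documented com.apple.applicationaccess keys.

```shell
#!/bin/bash
# Added example: classify softwareupdate --list items as major upgrade or minor update
# relative to the running macOS and name the com.apple.applicationaccess deferral key
# that governs each one. SAMPLE_LIST is constructed; on a real Mac you would pass
# "$(softwareupdate --list 2>&1)" and "$(sw_vers -productVersion)" to report instead.
SAMPLE_LIST='Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: macOS Monterey 12.6.2-21G320
	Title: macOS Monterey 12.6.2, Version: 12.6.2, Size: 1594001KiB, Recommended: YES, Action: restart,
* Label: macOS Ventura 13.1-22C65
	Title: macOS Ventura 13.1, Version: 13.1, Size: 11927734KiB, Recommended: YES, Action: restart,'

# ver_part VERSION N -> Nth dot-separated component, 0 when absent ("12.6" -> patch 0)
ver_part() { printf '%s\n' "$1" | awk -F. -v n="$2" '{ v = $n; if (v == "") v = 0; print v }'; }

# parse_updates LIST_OUTPUT -> one "label|version" line per advertised item
parse_updates() {
  printf '%s\n' "$1" | awk '
    /^\* Label: / { label = substr($0, 10) }
    /Version: /   { match($0, /Version: [0-9.]+/); print label "|" substr($0, RSTART + 9, RLENGTH - 9) }'
}

# classify CURRENT_VERSION UPDATE_VERSION -> "major" when the leading component increases
classify() {
  [ "$(ver_part "$2" 1)" -gt "$(ver_part "$1" 1)" ] && echo major || echo minor
}

# deferral_key CURRENT_VERSION CLASS -> Restrictions payload key that holds this item back.
# Per the thread, macOS 12.3 through 12.6.0 treat Ventura as a minor update, so on those
# builds only the minor-OS delay actually defers it; 12.6.1+ honours the major-OS delay.
deferral_key() {
  maj=$(ver_part "$1" 1); min=$(ver_part "$1" 2); pat=$(ver_part "$1" 3)
  if [ "$2" = major ] && [ "$maj" -eq 12 ] && [ "$min" -ge 3 ] && [ "$min" -le 6 ] \
     && { [ "$min" -lt 6 ] || [ "$pat" -eq 0 ]; }; then
    echo enforcedSoftwareUpdateMinorOSDeferredInstallDelay
  elif [ "$2" = major ]; then
    echo enforcedSoftwareUpdateMajorOSDeferredInstallDelay
  else
    echo enforcedSoftwareUpdateMinorOSDeferredInstallDelay
  fi
}

# report CURRENT_VERSION LIST_OUTPUT -> "label|class|key" per item, for a deferral sanity check
report() {
  parse_updates "$2" | while IFS='|' read -r label ver; do
    cls=$(classify "$1" "$ver")
    printf '%s|%s|%s\n' "$label" "$cls" "$(deferral_key "$1" "$cls")"
  done
}

if [ "${1:-}" = "--demo" ]; then report "12.6.1" "$SAMPLE_LIST"; fi
```

Run with `--demo` to see the two constructed items classified against a 12.6.1 host; swapping the host version for 12.5 shows the minor-OS key being the one that matters for Ventura on that build.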


MSBV
New Contributor II

What is going on here? I just now came back to the topic, and I see I picked that as the answer? What shenanigans are happening here?

As for the actual answer:
Deferring the updates is not relevant; as I mentioned in the post, it defers all updates for everyone, including those already on Ventura.

I already tried an MDM push, even with recon calling a policy that installs all updates. So far it has been pushed to 4 users out of 400, and it has been almost a week.

Would having a local admin on every system and running the updates/upgrades with that user solve the issue? Because so far I've only been able to update Xcode and not the OS.



MSBV
New Contributor II

I may have a solution, but I can't seem to pass the password of the local admin that isn't the current user to the sudo command. Has anyone managed to get echo password | sudo working on M1s?

hunter_gardner
New Contributor II

Does your local admin account have a secure token? That could be the issue you're running into when passing the password.

MSBV
New Contributor II

It has FDE access if that's what you mean. It should have the same access as the user running the script.

If we're both talking about the same thing, what's the course of action in that case? Is there a way to authenticate as another user? Or has Apple blocked that?

AJPinto
Esteemed Contributor

 

It is possible to use an "expect block" to enter the password into the command window when prompted. You would use su instead of sudo and specify the user you want the command to run as. However, this still generates a Bootstrap Token, and you need a Secure Token to install OS updates.

 

To get the Secure Token the softwareupdate binary spawns this popup. There is no way to fill this out for the user that I am aware of.

AJPinto_0-1673444267009.png

 

I respect the gumption you have, but it won't work. You cannot use scripts to silently install OS updates on Apple Silicon devices with softwareupdate. You could look into scripting the JAMF API, which will work, but it is far from ideal.

MSBV
New Contributor II

The expect block does not work; I've tested that before. The Jamf API is also implemented, but only 12% are updated. It does not push the update from Jamf.

AJPinto
Esteemed Contributor

Correct, the MDM command, no matter how it's issued, tells the Mac to download updates from Apple. Honestly, the softwareupdate binary also just tells the Mac to download updates from Apple. Apple stopped releasing downloadable macOS deltas a few years ago, so you cannot get the OS update files to package and deploy directly from JAMF.

 

I see about a 75-80% patching success rate. To be clear, that is still way too low, especially without any centralized log reporting for macOS. Needing to access each device individually to see why it's not patching gets VERY old.

AJPinto
Esteemed Contributor

 

 

If you are wanting to use scripts (policies) to install updates on Apple Silicon, the answer is DON'T. It won't work without user interaction, and that is how Apple wants it. As I said above, you need to use MDM commands issued with Mass Action to install OS updates on Apple Silicon Macs.

 

 

This is JAMF's documentation for issuing macOS updates.

All Macs

macOS Upgrades and Updates Using a Mass Action Command - Deploying macOS Upgrades and Updates with J...

Intel ONLY Macs

Running Software Update Using a Policy - Deploying macOS Upgrades and Updates with Jamf Pro | Jamf

Make special note of the 3rd bullet in this article.

MSBV
New Contributor II

Yeah, like I stated in the OP, I tried those, and it does not work. There must be a way to do it until Jamf finds a fix for this issue.

AJPinto
Esteemed Contributor

The best I can suggest is to submit feedback with Apple and reach out to your Apple SE. This is not JAMF's problem to fix. Software updates are working exactly as Apple has designed them to work. If you don't like the workflow, that needs to be taken up with Apple.

Product Feedback - Apple

Jawalker
New Contributor III

As far as blocking and deferring major updates, use the Restricted Software tab in your Jamf Pro server.

Screenshot 2024-01-16 at 4.37.10 PM.png

It's actually quite easy to set up and block these major updates, and you can block other software you don't want installed as well. I had to end up blocking xtorrent on a company machine... haha, ridiculous.

Below I'll attach a screenshot of what I used to block OS updates in my environment.

Screenshot 2024-01-16 at 4.42.05 PM.png