Posted on 01-12-2016 07:51 AM
Hi,
I'm new to Mac patching. We are running JSS 9.81 version & having Net SUS appliance to patch the Macs. So far, testing looks good however I've a quick question about roll back of Mac patches which we push/install via Casper. Is there any best practice available to roll them back if any issue reported by end user?
Please also help me to understand how can I fetch patch compliance report from JSS Casper?
Any help in this regard would be appreciated.
regards,
Navdeep
Posted on 01-12-2016 08:08 AM
There really isn't any way to rollback OS X updates.
Posted on 01-12-2016 08:13 AM
You can't roll back Mac patches, certainly not if you're talking about operating system level ones from Apple's software update. Once they are installed, they are installed. OS X doesn't have a built in mechanism to roll anything back, and trying to undo a system level patch would be extremely dangerous. Let's just say trying to uninstall one could do more harm to the OS than the patch has done itself. So don't go there is my advice.
In general, you are going to need to do thorough testing of any patches before releasing them, to be sure they don't have adverse affects to your clients. I also wait a while and read up on released patches to see what's being reported and make decisions on that (as well as my own testing of course) to determine what to release.
Also, look at standing up a Software Update server in your environment and making sure all Macs are directed to get available patches from it, so you have control over what can even be installed. Your options here are: Reposado, JAMF's NetBoot/SUS Appliance (uses Reposado code), or Apple's OS X Server.
Its possible to "uninstall" regular applications, but there isn't even really a good best practice for that. For example, Casper can index some packages in Casper Admin which would allow you to then use them in a policy to "uninstall" that package from target systems rather than installing it, but its not 100% accurate most times. It also won't work with many installs since some .pkg or .mpkg installers also make changes with postinstall scripts which can't easily be undone in a simple uninstall Casper policy.
Generally speaking, whenever I need to uninstall software, I either use the product's designated uninstall script if it came with one, or build my own script. I don't rely on the uninstall feature in Casper, or use some 3rd party uninstaller. Some of those are OK, but even if they work well, they aren't designed to be used out of management product like Casper.
Posted on 01-12-2016 08:22 AM
Many thanks folks for the quick responses, much appreciated.
Please can you shed some light on my other query i.e. patch compliance reporting via JSS Casper. I want to report the patch compliance to the management like how many Macs are successfully patched, how many are pending/failed etc.
Thanks in anticipation
Regards,
Navdeep
Posted on 01-12-2016 08:34 AM
We all want to be able to do better reporting on patch compliance, so you're not alone there. Right now, your best bet is to build Advanced Searches using the criteria you need to determine compliance, like, all Macs that have application version X, or patch "abc" installed, etc. based on inventory information, and then export those results to a spreadsheet format. You can do similar reports for machines that do not fit those requirements to see the inverse. That's very high level of course, so there's a lot I'm not really getting into here, but it should give some guidance.
If you need graphs, you'll have to come up with a custom solution, because there isn't anything built in that will let you see those, outside of the dashboard pie charts, but you can't really do much with those other than view them in the console.
BTW, I didn't read your post carefully enough, so apologies on posting all that info on a Software Update server. I see you already have a NetSUS appliance up and running, so that's a good step.
Posted on 01-13-2016 12:34 AM
@mm2270 Many thanks for your response. I got your point & will work on advanced searches to meet the objective. I also hope Jamf would introduce some smart reporting features in the upcoming versions because management is more interested to see the beautiful reports only!
Posted on 01-13-2016 02:44 PM
It isn't ideal, but if you use something like Nessus for vulnerability scanning, you may want to look at generating your management reports from there. I know that in my environment, ultimately management cares more about seeing vulnerabilities addressed than they care about seeing apps updated. (i.e. - they really don't care which version of Flash is on my Macs UNLESS there is a security update)