Software Updates Best practices?

rmaldonado
New Contributor

Hello again guys--

I am trying to find best practices for delivering software updates to our managed clients. After reading the article here https://jamfnation.jamfsoftware.com/discussion.html?id=5207 I saw that there is a possibility of using self-service as a user initiated method of grabbing the updates and installing without admin. I know how to point the clients to my desired SUS, but I am unclear how to create the policy that the end-user would be clicking. Do I need to create a policy that will run a script? Thanks for the info ahead of time :P


donmontalvo
Esteemed Contributor III

Yep, create a policy and enable Self Service option. Here's what we've got set up..

HTH
Don

external image link


--
https://donmontalvo.com

mm2270
Legendary Contributor III

Just one small item to add to Don's excellent info and screenshots. Under Scope, you may want to consider creating a Smart Computer Group for any Macs with available updates, or a group that contains more than X number of updates, whatever threshold you feel is important. Doing that will ensure that only Macs that have some updates available will have this SS item show up for them. Otherwise, you may have users clicking on it when there isn't anything to install.
Don is likely already doing something like this, but since he didn't provide a screenshot of his Scope tab, I thought it important to mention.

donmontalvo
Esteemed Contributor III

@mm2270 Ya know, I hadn't thought of that. I just updated our policy to include the scope. :)

--
https://donmontalvo.com

UESCDurandal
Contributor II

@rmaldonado - Throwing my experiences to the mix, I went with the Self Service option when I started using JSS. Only problem is a human one, my folks didn't want to go and install... And just when I thought that hope was lost, I found a script in this thread: https://jamfnation.jamfsoftware.com/discussion.html?id=5404

This script will look for updates, if updates are needed it checks to see if they need a restart, if they don't need a restart then they install automatically, if they do need a restart then it checks if a user is logged in, if no one is logged in then it installs the update and restarts, if someone is logged in then a popup message appears asking if they would like to install updates and restart, if they say yes then it proceeds to install and restart, if they say no then the whole thing closes and it will try again tomorrow.

This process works with two policies:
Part 1: Runs every 15 minutes, once a day. Scoped to a smart group for Macs that need updates. Runs the script I've titled softwareupdate_jamf_helper.sh. Set to update inventory when done.

Part 2: Is only triggered by the manual trigger "runsoftwareupdate", ongoing frequency. Scoped to all computers. In the Packages tab the Set Server and Install All Software Updates buttons are checked.

This has worked flawlessly since I've used it. I hope that one day this gets integrated into the Casper Suite itself. Here's the version of the script that I use:

```perl
#!/usr/bin/perl -w

use strict;

# jamfHelper binary and the icon shown in the prompt
my $JAMFHELPER='/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper';
my $ICON='/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/Resources/Message.png';

# Backticks run the command and capture its output
my $AVAILABLEUPDATES="";
$AVAILABLEUPDATES=`/usr/sbin/softwareupdate --list`;
chomp $AVAILABLEUPDATES;

printf "available updates is %s \n", "$AVAILABLEUPDATES";

# If available updates contains * there are updates available
if ($AVAILABLEUPDATES=~/\*/){
    printf "there are updates available\n";

    if ($AVAILABLEUPDATES=~/(restart)|(shutsdown)/){
        printf "updates need a restart\n";

        # Name of the user at the console, empty if nobody is logged in
        my $LOGGEDINUSER='';
        $LOGGEDINUSER=`/usr/bin/who | /usr/bin/grep console | /usr/bin/cut -d " " -f 1`;
        chomp $LOGGEDINUSER;
        printf "value of logged in user is %s..\n", $LOGGEDINUSER;

        if ($LOGGEDINUSER=~/[a-zA-Z]/) {
            printf "as there is a logged in user checking whether ok to restart\n";

            # List form of system: arguments are passed as-is, no shell quoting needed
            my $RESPONSE = "";
            $RESPONSE=system($JAMFHELPER, '-startlaunchd', '-windowType', 'utility',
                '-icon', $ICON,
                '-heading', 'Software Updates are available',
                '-description', 'Your computer will need to restart in a few minutes, would you like to install the updates now? Please wait for the next message before restarting. You can run updates at anytime by using Self Service in your Applications Folder.',
                '-button1', 'Yes', '-button2', 'Cancel', '-cancelButton', '2');

            # jamfHelper exits 0 when button 1 ("Yes") is clicked
            if ($RESPONSE == 0) {
                printf "\nUser said YES to Updates\n";
                system "/usr/sbin/jamf policy -trigger runsoftwareupdate";
                exit 0;
            } else {
                printf "\nUser said NO to Updates\n";
                exit 0;
            }
        } else {
            printf "no logged in user so ok to run updates\n";
            system "/usr/sbin/jamf policy -trigger runsoftwareupdate";
            exit 0;
        }
    } else {
        printf "no restart required\n";
        system "/usr/sbin/jamf policy -trigger runsoftwareupdate";
        exit 0;
    }
} else {
    printf "there are no updates available\n";
    exit 0;
}

exit 0;
```

jwojda
Valued Contributor II

@UESC does the MAS open on 10.8.x machines when you do it that way or does it do it silently?

UESCDurandal
Contributor II

@jwojda - Silently. Unless the update needs a restart, then the popup appears to give the user the choice. No MAS involved at all.

rmaldonado
New Contributor

Thanks everybody for all the helpful responses. I will be giving all these suggestions a try in our test bed and figure out which one will be perfect for us. I'll keep you guys updated!

rmaldonado
New Contributor

.

mm2270
Legendary Contributor III

Is the 'All Managed Clients' group part of the Scope as you show in your screenshot? If so, that's going to lump all your managed Macs into the scope for the SS policy, which would explain why Macs that already have Firefox installed are showing up. You want to scope it only to the Smart Group looking for Macs without Firefox installed. Smart Groups can only contain managed Macs, so there's no need to add the All Managed Clients in there.

rmaldonado
New Contributor

Yeah, I realized that right when I made that last post. Thank you for that! I was hoping nobody would see it before I could edit that post to explain, but you were too fast. Just had a tired moment. Been staring at JAMF too long today :P

mm2270
Legendary Contributor III

Heh, I had a feeling that was why your post disappeared. No worries. Had I seen it was gone I wouldn't have posted. Just crossed paths in the interwebs I guess :)

rmaldonado
New Contributor

Alright guys, my software management is rocking now. Thanks to everyone for their input, I picked and pulled from everyone and found the perfect solution for my environment. If I could bother with ONE last question, I promise I'll leave you guys alone (for now)! All I want to do is have my SS policies run Recon at the end, so that the change in what they see in SS is instantaneous (to them anyway). Does anyone know how to do that? Or is it a script that needs to be run?

UESCDurandal
Contributor II

@rmaldonado - Glad you found what you're looking for! :)

Check the Update Inventory button in the Advanced section of the policy.

rmaldonado
New Contributor

@UESC this script is a lifesaver. I have got updates working perfectly.

On a related note, I work in a place where security is extremely important, and I was approached today about the icon that pops up in the update window that this script uses (message.png) and was told that it might be construed as malicious since it looks so generic -_- I know that the /Library/Application Support/JAMF/bin/jamfHelper.app/Contents/Resources/ is installed to every machine as soon as it joins via casper, but I am having trouble locating where that content comes from. My end result is uploading my own icon, and then modifying the script to call my custom icon instead :) Thanks guys, collectively you have all helped me stand up a custom update model for my environment.

lisacherie
Contributor II

So glad the script is helping others :)

You can customise the icon here:
/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/Resources/Message.png

If you change it here too, if you have the login/logout status showing, this will also show your customised icon.

rmaldonado
New Contributor

Thank you @lisacherie. The script is awesome, and solved all of our issues with Apple software updates through casper. I now have it working 100% with our personal icon :)

Chris_Hafner
Valued Contributor II

Strange question regarding the icon (message.png). What is your most successful method for modifying that file? jamfHelper.app gets installed during the recon process (or imaging). I'm assuming that there's an easier way to distribute the modified jamfHelper without breaking anything.

P.S. This script is fantastic! Thank you so very much!

rmaldonado
New Contributor

The file 'message.png' as well as several other equally customizable items are located within your actual netboot set--in our case this location is the secondary HD of our Mac Mini providing netboot services.

SO:
/Library/NetBoot/NetBootSP0/YourNetBootSet.nbi/NetBoot.dmg
Mount the .dmg
Within the mounted .dmg navigate to /Applications/
Right click on 'Casper Imaging.app'
Show Package Contents
Navigate into /Contents/Resources

You can now see the various files that your netboot set plants on the clients. Replacing any of these .icns or .pngs with your customized files (but remembering to name them identically to the ones you are replacing) will give you the desired results.

That's how we do it here, but I hope that helps!

lisacherie
Contributor II

Each time the jamf binary is updated/reinstalled it replaces the png file.

It's kind of low priority for me as it is cosmetic, so I have a policy that I flush every now and again to replace the file after doing casper upgrades. If you wanted to be clever put in an extension attribute to compare something on the png file, and then scope to smart group.

rmaldonado
New Contributor

@lisacherie is correct in that it will replace your custom icon when the JSS comes out with an update. You would just have to replace the default icons with your custom ones at time of upgrade. I have full access to everything so the overhead is minutes for me to replace the default icon. I guess it depends on how much access you have :P

Chris_Hafner
Valued Contributor II

Thanks for the info! This really is one of the very best user forums I've ever had the privilege of subscribing to. Now to see what I can't go break. ;-)

johnnasset
Contributor

This script works awesome. Would there be a way to modify it so downloads are updated in the background prior to the message displaying for logged in users? Testing this as a logged in user, I click okay to install updates and then it downloads and installs and then I'm greeted again by the Casper dialog to restart the machine. Over our crappy wireless, this can take some time, esp for big updates. It would be nice if the updates were downloaded and installed in the background with the restart occurring as soon as they click okay.

lisacherie
Contributor II

You could modify the script you chose to add the following if the user selects no:

softwareupdate --download

If you don't have internal SUS, consider setting one up, the downloads are very fast here from internal SUS. If you do have internal SUS check for this problem, which might be sending you to Apple, and making your updates download slowly....

https://jamfnation.jamfsoftware.com/discussion.html?id=6671

pdye
New Contributor II

I am trying to implement the script posted above on Sierra. It fails with the following:

Running script softwareupdate_jamf_helper.sh...
Script exit code: 255
Script result: Bareword found where operator expected at /Library/Application Support/JAMF/tmp/softwareupdate_jamf_helper.sh line 7, near "--list"
(Missing operator before list?)
Unknown regexp modifier "/b" at /Library/Application Support/JAMF/tmp/softwareupdate_jamf_helper.sh line 7, at end of line
Unknown regexp modifier "/n" at /Library/Application Support/JAMF/tmp/softwareupdate_jamf_helper.sh line 7, at end of line
syntax error at /Library/Application Support/JAMF/tmp/softwareupdate_jamf_helper.sh line 7, near "--list"
syntax error at /Library/Application Support/JAMF/tmp/softwareupdate_jamf_helper.sh line 14, near "if"
Unknown regexp modifier "/b" at /Library/Application Support/JAMF/tmp/softwareupdate_jamf_helper.sh line 24, at end of line
Unknown regexp modifier "/n" at /Library/Application Support/JAMF/tmp/softwareupdate_jamf_helper.sh line 24, at end of line
Unknown regexp modifier "/b" at /Library/Application Support/JAMF/tmp/softwareupdate_jamf_helper.sh line 24, at end of line
Unknown regexp modifier "/n" at /Library/Application Support/JAMF/tmp/softwareupdate_jamf_helper.sh line 24, at end of line
Unknown regexp modifier "/b" at /Library/Application Support/JAMF/tmp/softwareupdate_jamf_helper.sh line 24, at end of line
Unknown regexp modifier "/n" at /Library/Application Support/JAMF/tmp/softwareupdate_jamf_helper.sh line 24, at end of line
/Library/Application Support/JAMF/tmp/softwareupdate_jamf_helper.sh has too many errors.
Error running script: return code was 255.

Is the script as written not compatible with Sierra?

lilmatt
New Contributor

The backticks around the UNIX commands are getting screwed up by the forum software.
Put backticks (the backwards apostrophe on the tilde ~ key) around

/usr/sbin/softwareupdate --list

and around

/usr/bin/who | /usr/bin/grep console | /usr/bin/cut -d " " -f 1

avail
New Contributor III

Thanks @lilmatt - fixed up the backticks, but mine is still throwing up loads of syntax errors. I'm not that great with Perl scripting so I'm scratching my head a bit at how to patch it up!

Actions from policy log:
[STEP 1 of 4] Executing Policy Prompt Software Updates - TEST
[STEP 2 of 4] Running script Software Updates Prompt...
Script exit code: 255
Script result: Backslash found where operator expected at /Library/Application Support/JAMF/tmp/Software Updates Prompt line 29, near ") "
(Missing operator before ?)
Backslash found where operator expected at /Library/Application Support/JAMF/tmp/Software Updates Prompt line 37, near ") "
(Missing operator before ?)
Backslash found where operator expected at /Library/Application Support/JAMF/tmp/Software Updates Prompt line 45, near ""
(Missing semicolon on previous line?)
Backslash found where operator expected at /Library/Application Support/JAMF/tmp/Software Updates Prompt line 51, near ""
(Missing semicolon on previous line?)
Backslash found where operator expected at /Library/Application Support/JAMF/tmp/Software Updates Prompt line 57, near ""
(Missing semicolon on previous line?)
syntax error at /Library/Application Support/JAMF/tmp/Software Updates Prompt line 14, near "if"
syntax error at /Library/Application Support/JAMF/tmp/Software Updates Prompt line 29, near ") "
syntax error at /Library/Application Support/JAMF/tmp/Software Updates Prompt line 37, near ") "
syntax error at /Library/Application Support/JAMF/tmp/Software Updates Prompt line 41, near "}"
syntax error at /Library/Application Support/JAMF/tmp/Software Updates Prompt line 41, near "else "
syntax error at /Library/Application Support/JAMF/tmp/Software Updates Prompt line 44, near "}"
syntax error at /Library/Application Support/JAMF/tmp/Software Updates Prompt line 50, near "}"
syntax error at /Library/Application Support/JAMF/tmp/Software Updates Prompt line 56, near "}"
syntax error at /Library/Application Support/JAMF/tmp/Software Updates Prompt line 61, near "}"
Execution of /Library/Application Support/JAMF/tmp/Software Updates Prompt aborted due to compilation errors.
Error running script: return code was 255.
[STEP 3 of 4]
[STEP 4 of 4]

EDIT - I've found the script in this post as well (including lots of other variants to play around with!) https://www.jamf.com/jamf-nation/discussions/5404/jamfhelper-software-update-trigger

mhinsz
New Contributor III

I'm having a similar error result with my copy of the script. @UESCDurandal

Script exit code: 255
Script result: Backslash found where operator expected at /Library/Application Support/JAMF/tmp/TEST : Mac OS Software Updates : Weekly line 29, near ") "
(Missing operator before ?)
Backslash found where operator expected at /Library/Application Support/JAMF/tmp/TEST : Mac OS Software Updates : Weekly line 37, near ") "
(Missing operator before ?)
Backslash found where operator expected at /Library/Application Support/JAMF/tmp/TEST : Mac OS Software Updates : Weekly line 45, near ""
(Missing semicolon on previous line?)
Backslash found where operator expected at /Library/Application Support/JAMF/tmp/TEST : Mac OS Software Updates : Weekly line 51, near ""
(Missing semicolon on previous line?)
Backslash found where operator expected at /Library/Application Support/JAMF/tmp/TEST : Mac OS Software Updates : Weekly line 57, near ""
(Missing semicolon on previous line?)
syntax error at /Library/Application Support/JAMF/tmp/TEST : Mac OS Software Updates : Weekly line 14, near "if"
syntax error at /Library/Application Support/JAMF/tmp/TEST : Mac OS Software Updates : Weekly line 29, near ") "
syntax error at /Library/Application Support/JAMF/tmp/TEST : Mac OS Software Updates : Weekly line 37, near ") "
syntax error at /Library/Application Support/JAMF/tmp/TEST : Mac OS Software Updates : Weekly line 41, near "}"
syntax error at /Library/Application Support/JAMF/tmp/TEST : Mac OS Software Updates : Weekly line 41, near "else "
syntax error at /Library/Application Support/JAMF/tmp/TEST : Mac OS Software Updates : Weekly line 44, near "}"
syntax error at /Library/Application Support/JAMF/tmp/TEST : Mac OS Software Updates : Weekly line 50, near "}"
syntax error at /Library/Application Support/JAMF/tmp/TEST : Mac OS Software Updates : Weekly line 56, near "}"
syntax error at /Library/Application Support/JAMF/tmp/TEST : Mac OS Software Updates : Weekly line 61, near "}"
Execution of /Library/Application Support/JAMF/tmp/TEST : Mac OS Software Updates : Weekly aborted due to compilation errors.
Error running script: return code was 255.