Software Updates

eaititig
New Contributor III
What's the official statement from JAMF about Software Updates? With 12.2, our Mac mini M1s are refusing to update when performed by:-
+ command line softwareupdate with or without sudo
+ not working with running the full installer with sudo and piping password to stdin (not cool Apple)
+ using JAMF to send Remote Commands to update fails. When I checked the logs, it says:-

SoftwareUpdate: request for status for unknown product MSU_UPDATE_21D62_patch_12.2.1

SUOSUServiceDaemon: Connection invalidated!

Removing client SUUpdateServiceClient pid=32208, uid=0, installAuth=NO rights=(), transactions=0 (/usr/libexec/mdmclient)

The only successful way to install is to sit at the machine and open System Preferences > Software Updates and put in an admin password when requested.

sdagley
Esteemed Contributor II

@eaititig Were your Macs enrolled in Jamf Pro via Automated Device Enrollment from your ASM/ABM account?

The MDM Update commands won't work if the Mac was manually enrolled.

sujal1208
New Contributor III

What would be the workaround for this? Create an update policy?

emilh
New Contributor III

Yes, I'd also very much like to see an official comment from Jamf on this quagmire of a situation. 

We're having the same issues with our entire fleet of Macs on Big Sur or Monterey (enrolled through ADE or not makes no difference).
The only reliable way to update has been to download the latest complete macOS installer and run startosinstall.

sdagley
Esteemed Contributor II

@emilh Try this (It should work if your Macs were enrolled in Jamf Pro via ADE) :


1. Do a search in Jamf Pro for M1 Macs you want to upgrade to 12.2.1
2. Click the "Action" button on the search results screen
3. Select the "Send Remote Commands" Action then click the Next button
4. Select the "Update OS version and built-in apps (macOS 10.11 or later, Supervised or enrolled via a PreStage enrollment)" item under Remote Commands
5. Click "Specific version" under Target Version and then select 12.2.1 from the popup
6. Select "Download and install the update, and restart computers after installation" under Install Action, then click the "Next" button


That will send the MDM command to install macOS 12.2.1 to the Macs selected in Step 1. I _think_ you need to have someone logged in for that to work (I've never tried it without someone logged in). Do not use any of the deferred options under Install Action as that doesn't work reliably (although 12.3 is supposed to fix that)

ardrake
New Contributor III

The current state of managing software updates with Jamf Pro is completely unacceptable for an enterprise environment. Running an inventory (recon) can't even properly record when there is a software update available, which breaks my smart groups, which breaks my policies. All of that is a moot point while updates can't be managed with policies anymore, and must be manually pushed with an MDM command that runs at a seemingly random timeframe if ever.

My understanding is that Apple updated MDM commands to allow for a much greater level of control some time ago, and that Jamf has simply not implemented those controls yet.

I think this community is overdue an update on when this is going to be fixed.

ardrake
New Contributor III

Apple also plays a part in fixing this as well, as the restart command sent as part of the update is thwarted by an open app.  A true managed update command will "shutdown -r now" and force the restart.

oklair
New Contributor III

There are no words to describe my frustration with these pitiful macOS update tools. The results are so unpredictable, it's almost a fluke when it works.

And we're not even talking about the miserable user interaction interface... Downloading the packages can take up to 30 minutes; that's enough for the user to forget that he launched it! And BANG! The computer restarts without warning. These are clearly not enterprise-level tools.

ItJustWorks
New Contributor II

Bump. 2023, Mac Studios, escrowed etc. Still a problem. 

I have Cybersec on my back about patching zero days, and I can't do it.

ardrake
New Contributor III

Allegedly MacOS 14 is coming with actual managed update capabilities.  MDM commands have been an abject failure.

sdagley
Esteemed Contributor II

See the "Explore advances in declarative device management" session from WWDC23 for details about the new capabilities to specify enforced update deadlines and minimum OS versions for enrollment using Declarative Device Management in macOS 14 and iOS/iPadOS 17.

stephaniemm77
Contributor

Happy and disappointed finding this thread....I am having this issue as well. I have labs that rely on OSX updates in order for Xcode to be kept up to date. 

szultzie
Contributor II

The latest I found in Jamf Pro 10.48, with the introduction of Software Updates in Jamf Pro, is that I can no longer run an MDM command on a single computer (via Mass Action or going to the computer record and clicking on a management command); I need to create a smart group to do it. Not that it ever worked reliably, but support asked me to test it with a different one-off computer vs. using a smart group.

Yeah, I have tried the smart group in the past, it didn't seem to make a difference. I hope the new update makes a difference

Support has confirmed that the new interface changes nothing in the method of MDM command push. So for me, still broken.

Fan-friggen-tastic 

stephaniemm77
Contributor

I am also having a problem when I run updates that it is getting stuck. I am trying to manually update 13.1 to 13.4.1 and all my machines that are enrolled in Jamf are stuck at a black screen with the Apple logo on them. Anyone know why? I don't have any deferments set, I don't have any policies in place. I am at a total loss.

aandino
New Contributor III

Quite glad to find out I'm not the only one fighting this battle. An enterprise tool such as this shouldn't be having these issues.

szultzie
Contributor II

Apple goes through all this trouble of keeping a chain of custody from Apple School Manager to Jamf, then why not give us the power to fully control the updates (and everything else) like in the past, on these secured/supervised computers, and leave all the extra security to the consumers.

ardrake
New Contributor III

I think the long story short of it is that MDM commands simply don't work in any reliable/predictable manner.  Hopefully the reality of managed updates via DDM in MacOS 14 lives up to the hype.

szultzie
Contributor II

Yeah, I'm not holding my breath.

szultzie
Contributor II

So this looks like the DDM config that controls the updates:

com.apple.configuration.softwareupdate.enforcement.specific

I can't find anything on Jamf that lets us do this yet, even though it says DDM is ready in Jamf Pro 10.48

https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Declarative_Device_Management.html
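
For reference, an added example (not part of the original post, and not Jamf's code) of what a declaration of the type named above contains, with the inputs validated before it is handed to an MDM server. The key names follow Apple's published declaration schema; the identifier, the token scheme, the https rule and the sample version, build and deadline are assumptions made for this example.

```python
import hashlib
import json
import re
from datetime import datetime

DECL_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"
LOCAL_FMT = "%Y-%m-%dT%H:%M:%S"  # device-local deadline, no UTC offset


def build_enforcement_declaration(target_os, deadline_local, build=None,
                                  details_url=None,
                                  identifier="com.example.swupdate.enforce"):
    """Return the declaration as a dict; raise ValueError on bad input.

    `identifier` is a hypothetical value chosen for this example.
    """
    if not re.fullmatch(r"\d+(\.\d+){0,2}", target_os):
        raise ValueError(f"not an OS version: {target_os!r}")
    try:
        parsed = datetime.strptime(deadline_local, LOCAL_FMT)
    except ValueError:
        # Covers trailing "Z" or "+02:00": the deadline carries no offset.
        raise ValueError(f"bad local deadline: {deadline_local!r}") from None
    if parsed.strftime(LOCAL_FMT) != deadline_local:
        raise ValueError("deadline fields must be zero-padded")

    payload = {"TargetOSVersion": target_os,
               "TargetLocalDateTime": deadline_local}
    if build:
        payload["TargetBuildVersion"] = build
    if details_url:
        # Policy choice of this example: only link users to https pages.
        if not details_url.startswith("https://"):
            raise ValueError("DetailsURL should be an https:// link")
        payload["DetailsURL"] = details_url

    # The server token must change whenever the declaration changes.
    # Deriving it from the payload is this example's way of ensuring that.
    canonical = json.dumps(payload, sort_keys=True).encode()
    return {"Type": DECL_TYPE,
            "Identifier": identifier,
            "ServerToken": hashlib.sha256(canonical).hexdigest()[:32],
            "Payload": payload}


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    decl = build_enforcement_declaration("14.1", "2023-11-15T18:00:00",
                                         build="23B74")
    print(json.dumps(decl, indent=2))
```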

 

 

ardrake
New Contributor III

As long as it's in place in Jamf by the time 14 goes live...

szultzie
Contributor II

It says it should work with macOS 13 Ventura; this has been out since WWDC 2021.

But there is next to no documentation from Jamf on how to use this. I'm mainly interested in setting up the configuration and not having to write my own config files; I don't pay Jamf to write my own scripts for everything. All this should be in a GUI format as soon as it's made available out of Beta.