softwareupdate -iaR via policy

cbrewer
Valued Contributor II

Does anyone have a workflow in place for successfully triggering softwareupdate --install --all --restart via policy on a T2 Mac while that Mac is at a login window? I've found that when I send that command via a policy, the update installs but the softwareupdate restart doesn't happen. If I send the exact same command via ssh (Jamf Remote or other), the update is installed and the restart happens as expected. I've tried some variations of this process using a policy to execute a script that runs softwareupdate, but I get the same result.

This seems trivial as, ultimately, all I am trying to accomplish is automatically installing software updates on a T2 Mac that is sitting unused at a login window.

Most of my testing at the moment is attempting to go from 10.14.6 18G103 to 10.14.6 18G1012.

5 REPLIES

dmichels
Contributor II

I am experiencing the same issue. The Policy runs and shows completion, but on the iMac it still shows update needs to be done.

tlarkin
Honored Contributor

This is because if there is a bridgeOS update, it actually needs a shutdown, not a restart, and the T2 chip detects the shutdown and then will proceed to pull the update from Apple and apply it. To compound this issue even further, Apple sends a lot of non-error output of softwareupdate to stderr even though there aren't errors. The best thing you can do from a scripting standpoint is see what softwareupdate -ia does and scrape stderr to validate if a shutdown or a restart is required, then do so in code.
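The approach described in the reply above (capture everything softwareupdate -ia prints, stderr included, and choose shutdown or restart from it), as an added example that is not code from any poster in this thread. The match patterns and sample lines are assumptions constructed for illustration, and `classify_swu_output` and `run_updates` are hypothetical names; confirm the patterns against what your macOS build actually prints.

```shell
#!/bin/bash
# Added example: pick shutdown vs. restart from softwareupdate output.
# ASSUMPTION: these patterns are placeholders, not Apple-documented strings.
# Capture real output on your target build and adjust before deploying.
SHUTDOWN_PATTERN='shut ?down|halt'
RESTART_PATTERN='restart'

# Constructed sample lines (not captured from a real run), used for offline checks.
SAMPLE_SHUTDOWN='Constructed: Done. Your computer must shut down to finish installing.'
SAMPLE_RESTART='Constructed: Done. Please restart immediately.'

# classify_swu_output: reads combined stdout+stderr on stdin and prints
# "shutdown", "restart" or "none". Shutdown wins when both words appear,
# because a bridgeOS update is only applied after a full power-off.
classify_swu_output() {
    local text
    text=$(cat)
    if printf '%s\n' "$text" | grep -Eiq "$SHUTDOWN_PATTERN"; then
        echo shutdown
    elif printf '%s\n' "$text" | grep -Eiq "$RESTART_PATTERN"; then
        echo restart
    else
        echo none
    fi
}

# run_updates: install all updates, merging stderr into stdout because
# softwareupdate writes non-error messages to stderr, then act on the result.
run_updates() {
    local out action
    out=$(softwareupdate -ia 2>&1)
    action=$(printf '%s\n' "$out" | classify_swu_output)
    printf '%s\n' "$out"                      # keep the raw output in the policy log
    echo "post-install action: $action"
    case "$action" in
        shutdown) shutdown -h +1 & ;;         # power off in one minute
        restart)  shutdown -r +1 & ;;         # reboot in one minute
    esac
}

# Runs the real update only when invoked with --run (as root, e.g. from a policy).
if [ "${1:-}" = "--run" ]; then
    run_updates
fi
```

Logging the raw output alongside the chosen action makes it possible to see, per machine, which message led to a shutdown or restart when a patch run does not complete.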

cbrewer
Valued Contributor II

Right, and if I shut down (shutdown -h +1 &) after softwareupdate, the BridgeOS is successfully updated upon starting back up. However, the --restart option in softwareupdate handles the shutdown and starting back up automatically for T2 Macs. My core issue is that it doesn't work when run via a Jamf policy while the Mac is at the login window.

tlarkin
Honored Contributor

Yup, I have ~100 Zoom Rooms globally I am looking at removing macOS from because of reasons like you mentioned. Not only is SWU unreliable, it is unpredictable. I have used scripts, I have used setting the SWU options to always update, and I have even set up remote desktop to these Mac Minis in all the Zoom Rooms to log in remotely and run SWU from the GUI.

I have mixed results of success and failure, across all methods, across my entire Org. So, I am looking at replacing macOS with Chrome or an Appliance because trying to automate patching of the Minis has been unsuccessful in an automated fashion and I am looking to ditch the tech debt.

Filing bugs with Apple is my best recommendation, and if you have an SE please have them follow up internally. SWU needs a huge overhaul and its current state is not that good at all.

donmontalvo
Esteemed Contributor III

Curious if this issue got resolved with the new version of Jamf Pro (10.26.1)?

--
https://donmontalvo.com