Updating to macOS 11.6 with Jamf Pro 10.32.x and MDM commands

Greetings Jamf Nation!

Many organizations are likely running software updates on their fleets this week, as well as with new Jamf Pro versions. As a Jamf who knows a few things about macOS software updates and their various nuances, I want to share a couple tips, as well as explain a bit of what goes on behind the scenes in the macOS update process, specifically by way MDM commands on macOS 11.2 or greater.

Some organizations deploy macOS updates leveraging a full installer and the startosinstall command, some will use tools to compel users to update on their own, and other will use Jamf policies or MDM commands to update.

As the macOS 11.6 release is not yet distributed in a full installer by Apple, there can be some downstream consequences to an organization's preferred software update workflow, including issues updating to that version via MDM commands due to PI-009722, explained later in this post with workarounds.

tl;dr – Summary is all at the bottom...

Why MDM-based updates?

• In Jamf Pro, policies can be made for software updates for Intel Macs, whether it's a native Software Update payload, or a specific "Files and Processes" policy containing the `softwareupdate -iaR` command.
  • Note: use of command line or agent-based updates can't update something if it's deferred by a configuration profile restriction.
• For computers with Apple silicon, updates require authorization with a volume owner user's password, or macOS can request and use a bootstrap token escrowed with Jamf Pro if an update was scheduled with an MDM command, avoiding the need for user interaction to authorize an update.
  • Note: software updates scheduled by MDM commands override any deferral settings from configuration profiles, as devices report ALL available updates (even deferred) when an MDM server queries which are available.
• macOS updates via MDM commands are available to both types of computer processors, both Intel and Apple silicon, and further enhancements to end-user experience are coming to macOS 12 from Apple. 

Note: Not all organizations wish to automate software updates with commands, and would rather guide users to install it on their own time. For that, there's a great app called Nudge which can be deployed and configured to achieve user-led updates as well. (There's also a Jamf Pro Applications and Custom Settings schema for the app, so the settings can be configured in the Jamf Pro UI.) 

More info on managing software updates and the specific sets of commands used for it can be found in Apple's MDM Guide for IT, or added to this post later. (I'm already sensing I'm writing a bit much here.  😀)

Changes in macOS 11 to AvailableOSUpdate queries

Here are a number of things we've observed about software update queries in macOS Big Sur during its release availability:

• Prior to macOS 11, computers would only respond with the latest point release of macOS as available, and therefore Jamf Pro would instruct computers to install all available updates that were reported as available.
• In Big Sur, computers will report back to MDM -ALL- available versions of macOS it can find, often including the version that is currently installed on the computer. That means a computer with macOS 11.4 can report back to an MDM server that the following versions are available: 11.4, 11.5, 11.5.1, 11.5.2, and now macOS 11.6 as of this writing.
  • Note: Jamf Pro 10.32 has changes in logic for parsing out the latest, non-major macOS update, and only instructing computers to install that version. Major updates, (like from macOS 11.x to macOS 12, when available,) can be installed using MDM commands within Mass Actions.
• Beyond just the numerical version of a macOS update, there are also two distinct types of updates and installers that can be reported back within an MDM query: Full "InstallAssistant" macOS installers, and "MSU Update" or "patch" style updates, (which are what users would receive when clicking in System Preferences to update.)
  • Both types of updates can leverage a Bootstrap Token with Apple silicon
  • Both types of updates are handled differently on macOS, with certain versions of macOS 11 having issues with full installers, or full installers installs when a user with Standard privileges is logged in.
  • Ideally, the "patch" style of update is preferred, as it uses less bandwidth, and is similar to normal user-driven updates.
• The first MDM AvailableOSUpdates query will only list full macOS installers, and not the available "patch" update versions.
  • This is captured in PI-009722, "(Third-Party Issue) When the Download Only or Download and Install Updates commands are executed on supervised computers with macOS 11.2 or later the AvailableOSUpdates query responds with product keys for full macOS installers instead of macOS patch versions. This causes inconsistent results on target computers."
  • Combined with the lack of a full macOS 11.6 installer, this means that the first AvailableOSUpdates query ran on a computer will not report this version as available to Jamf Pro. The second time the command is run, the computer will inform Jamf Pro of the appropriate available updates will be reported within the query response.
  • An upcoming release of Jamf Pro has additional logic built in to work around the issue in PI-009722 without needing the workaround below.

Summary of successful macOS update workflow using MDM commands, and workaround for PI-009722: (at the time this writing)

• Start on Jamf Pro 10.32.x version, so only the latest macOS version is instructed to be installed
• Run a synthetic MDM query of AvailableOSUpdates command in a Jamf Policy
  • "Files and Processes" payload, "Execute Command" and enter:
    /usr/libexec/mdmclient AvailableOSUpdates
• After the command runs, send the Download and Install Updates command or Mass Action to target computers

If you're curious to see the user experience and try any of these updates yourself, it's advised to first test on individual machines before sending Mass Action MDM commands.

I hope this is helpful to anyone who reads it!