Updating to macOS 11.6 with Jamf Pro 10.32.x and MDM commands

mark_buffington
Contributor

Greetings Jamf Nation!

Many organizations are likely running software updates on their fleets this week, as well as with new Jamf Pro versions. As a Jamf who knows a few things about macOS software updates and their various nuances, I want to share a couple tips, as well as explain a bit of what goes on behind the scenes in the macOS update process, specifically by way of MDM commands on macOS 11.2 or greater.

Some organizations deploy macOS updates leveraging a full installer and the startosinstall command, some will use tools to compel users to update on their own, and others will use Jamf policies or MDM commands to update.

As the macOS 11.6 release is not yet distributed in a full installer by Apple, there can be some downstream consequences to an organization's preferred software update workflow, including issues updating to that version via MDM commands due to PI-009722, explained later in this post with workarounds.


tl;dr – Summary is all at the bottom...


Why MDM-based updates?

  • In Jamf Pro, policies can be made for software updates for Intel Macs, whether it's a native Software Update payload, or a specific "Files and Processes" policy containing the `softwareupdate -iaR` command.
    • Note: use of command line or agent-based updates can't update something if it's deferred by a configuration profile restriction.
  • For computers with Apple silicon, updates require authorization with a volume owner user's password, or macOS can request and use a bootstrap token escrowed with Jamf Pro if an update was scheduled with an MDM command, avoiding the need for user interaction to authorize an update.
    • Note: software updates scheduled by MDM commands override any deferral settings from configuration profiles, as devices report ALL available updates (even deferred) when an MDM server queries which are available.
  • macOS updates via MDM commands are available to both types of computer processors, both Intel and Apple silicon, and further enhancements to end-user experience are coming to macOS 12 from Apple. 

Note: Not all organizations wish to automate software updates with commands, and would rather guide users to install it on their own time. For that, there's a great app called Nudge which can be deployed and configured to achieve user-led updates as well. (There's also a Jamf Pro Applications and Custom Settings schema for the app, so the settings can be configured in the Jamf Pro UI.) 


More info on managing software updates and the specific sets of commands used for it can be found in Apple's MDM Guide for IT, or added to this post later. (I'm already sensing I'm writing a bit much here. 😀)


Changes in macOS 11 to AvailableOSUpdate queries

Here are a number of things we've observed about software update queries in macOS Big Sur during its release availability:

  • Prior to macOS 11, computers would only respond with the latest point release of macOS as available, and therefore Jamf Pro would instruct computers to install all available updates that were reported as available.
  • In Big Sur, computers will report back to MDM -ALL- available versions of macOS it can find, often including the version that is currently installed on the computer. That means a computer with macOS 11.4 can report back to an MDM server that the following versions are available: 11.4, 11.5, 11.5.1, 11.5.2, and now macOS 11.6 as of this writing.
    • Note: Jamf Pro 10.32 has changes in logic for parsing out the latest, non-major macOS update, and only instructing computers to install that version. Major updates, (like from macOS 11.x to macOS 12, when available,) can be installed using MDM commands within Mass Actions.
  • Beyond just the numerical version of a macOS update, there are also two distinct types of updates and installers that can be reported back within an MDM query: Full "InstallAssistant" macOS installers, and "MSU Update" or "patch" style updates, (which are what users would receive when clicking in System Preferences to update.)
    • Both types of updates can leverage a Bootstrap Token with Apple silicon
    • Both types of updates are handled differently on macOS, with certain versions of macOS 11 having issues with full installers, or full installers installs when a user with Standard privileges is logged in.
    • Ideally, the "patch" style of update is preferred, as it uses less bandwidth, and is similar to normal user-driven updates.
  • The first MDM AvailableOSUpdates query will only list full macOS installers, and not the available "patch" update versions.
    • This is captured in PI-009722, "(Third-Party Issue) When the Download Only or Download and Install Updates commands are executed on supervised computers with macOS 11.2 or later the AvailableOSUpdates query responds with product keys for full macOS installers instead of macOS patch versions. This causes inconsistent results on target computers."
    • Combined with the lack of a full macOS 11.6 installer, this means that the first AvailableOSUpdates query run on a computer will not report this version as available to Jamf Pro. The second time the command is run, the computer will inform Jamf Pro of the appropriate available updates within the query response.
    • An upcoming release of Jamf Pro has additional logic built in to work around the issue in PI-009722 without needing the workaround below.


Summary of successful macOS update workflow using MDM commands, and workaround for PI-009722: (at the time of this writing)

  • Start on Jamf Pro 10.32.x version, so only the latest macOS version is instructed to be installed
  • Run a synthetic MDM query of AvailableOSUpdates command in a Jamf Policy
    • "Files and Processes" payload, "Execute Command" and enter:
      /usr/libexec/mdmclient AvailableOSUpdates
  • After the command runs, send the Download and Install Updates command or Mass Action to target computers


If you're curious to see the user experience and try any of these updates yourself, it's advised to first test on individual machines before sending Mass Action MDM commands.


I hope this is helpful to anyone who reads it!


ubcoit
Contributor

Thanks, worked for me on a M1 MBP. Ran /usr/libexec/mdmclient AvailableOSUpdates manually in terminal then sent Download and Install Updates. Watched data received go from 2.5GB to 6GB and a while later I was asked to terminate terminal, no other prompts or warnings. Not a great user experience to just push this out. I assume if it existed you would have posted it but I'll ask. Is there a way to simulate the Download and Install Updates client side, /usr/libexec/mdmclient Engage?

Do you know if macOS 11.6 was considered a minor or major macOS release?

I see new options for delaying updates now via configuration profiles in 10.32.1 but it's not clear what a minor/major software update is. I believe it was clear before Big Sur but not so much now!

Thanks!

Per the Apple documentation page linked above, macOS should present a notification.

After the update has been downloaded and prepared, a 60 second countdown begins.

I haven't seen that in my experience, which is why I mentioned testing on your own first. 😀

Regarding Major vs. Minor versioning and different deferral keys for different types, a Major update would be like any macOS 11.x version going to macOS 12. When a macOS 11.x device reports its available updates to an MDM server, it has a key of `IsMajor` with a "true" or "false" value.

Jamf Pro uses that data to allow administrators running macOS updates by MDM to choose when to opt-in to a Major update if only a patch or minor update like 11.6 is available.
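As an added illustration of the selection logic described above (this is example code, not Jamf Pro's own implementation), the function below takes a constructed list of reported updates, each with its version and a major flag, and returns only the newest non-major version that is newer than what is installed, skipping the currently installed version that Big Sur also reports. The two-column text format and the sample versions are constructed for the demo, not the real AvailableOSUpdates response.

```shell
#!/bin/bash
# Example, not Jamf's code. Constructed sample of what an 11.4 Mac reports:
# every version it can find (including the installed one) plus a major update.
SAMPLE_UPDATES='11.4 false
11.5 false
11.5.1 false
11.5.2 false
11.6 false
12.0 true'

# Turn "11.5.1" into a numeric sort key 11005001 (assumes up to 3 numeric components).
version_key() {
  printf '%s\n' "$1" | awk -F. '{ printf "%d%03d%03d\n", $1+0, $2+0, $3+0 }'
}

# Usage: latest_minor_update <installed-version> "<list>"
# Prints the newest non-major version newer than the installed one; prints nothing
# and returns 1 when the Mac is already current (nothing to instruct it to install).
latest_minor_update() {
  local installed="$1" list="$2" best="" best_key ver major key
  best_key=$(version_key "$installed")
  while read -r ver major; do
    [ -z "$ver" ] && continue
    [ "$major" = "true" ] && continue        # major updates stay opt-in (Mass Action)
    key=$(version_key "$ver")
    if [ "$key" -gt "$best_key" ]; then      # strictly newer than installed / current best
      best="$ver"
      best_key="$key"
    fi
  done <<EOF
$list
EOF
  [ -n "$best" ] || return 1
  printf '%s\n' "$best"
}

latest_minor_update "11.4" "$SAMPLE_UPDATES"   # prints 11.6
```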

hb3b
New Contributor II

Thanks for sharing this, Mark. We're actually seeing an odd behavior with the built-in Software Update Policy payload where 11.x clients will download the 11.6 installer but not install it. It appears that calling softwareupdate with the -iar arguments does trigger a shutdown/reboot. Are there issues with how the policy's logic parses the output of softwareupdate -l for the 11.6 update?

Also, can you please confirm if a one-shot script like this is sufficient to cover all the edge cases you're aware of. Any issues with doing both MDM and "softwareupdate" and seeing which one arrives first?

#!/bin/bash

# Synthetic AvailableOSUpdates query so the next real query reports patch
# updates instead of only full installers (PI-009722 workaround)
/usr/libexec/mdmclient AvailableOSUpdates

# Jamf Pro Classic API base URL and API user credentials
jss="https://jamf/JSSResource"
username=''
password=''

# Look up this Mac's Jamf Pro computer ID by its hardware UUID (XML response)
system_udid=$(system_profiler SPHardwareDataType | awk '/Hardware UUID/ { print $3 }')
system_id=$(curl --silent -u "$username:$password" -H "accept: text/xml" "$jss/computers/udid/$system_udid" | awk -F "id>" '{print $2;exit;}' | tr -d '</' )

# Ask Jamf Pro to send the ScheduleOSUpdate (install) MDM command to this computer
curl -X POST -u "$username:$password" "$jss/computercommands/command/ScheduleOSUpdate/action/install/id/$system_id"

# Also start the agent-based update; whichever arrives first wins
softwareupdate -iaR

Thanks!

Hi!

Have you tried if the script above works?

Yes, it’s working very well for us.

Am I to understand the JSS is the URL for our Jamf cloud, and the user is an API user?

Yes, an API user with the following permissions:

  • Jamf Pro Server Objects: Computer [Create, Read]
  • Jamf Pro Server Actions: Send Computer Remote Command to Download and Install macOS Update

Hi again,

I did see this on occasion in some testing, any clues?

Password: Software Update Tool Finding available software Downloading macOS Big Sur 11.6 Downloaded: macOS Big Sur 11.6 Failed to authenticate

If this is a M1 machine, it would indicate that "softwareupdate -iaR" or the like was run on it but the user "X"'d out of the password prompt. We had that happen here (as we rolled out a form of that script above to everyone - M1 and Intel on all recent OSes). The strange part is that even after they failed to authenticate, this one machine that showed that message couldn't be updated via MDM and we're not exactly sure why at this time.

Ah! I see! That does seem like one of those lovely M1 things.

As for the "install" MDM command, have you tried with installASAP?

taugust_ric
New Contributor III

@mark_buffington thank you for this post, it was very informative.

What is the recommended procedure for software updates in macOS Big Sur for shared systems (computer labs, classrooms, clusters, etc), where updates are scheduled to be installed during maintenance windows "after hours" when systems are not in use?


It seems that in Big Sur, even on the Intel Macs, the softwareupdate -iar command no longer works as it did previously in macOS Catalina and earlier versions of the operating system. Similar to what @hb3b states, if computers are not logged in, the softwareupdate command does not allow a restart to occur to complete the install of the updates. I've attempted to work around this by setting up policies that automatically login with an administrator account and then run the software updates while that account is logged in, but it's very unreliable, and we have had instances where we have had "reboot loops" occur due to the restart flag (com.jamfsoftware.tasks.restart.plist) not being cleared at the end of the software update policy.

We really need a reliable method for installing updates on these types of systems in educational environments. They make up about 1/3 of the systems managed by our Jamf Pro environment. Any details or recommendations on how to get this working as it previously did would be greatly appreciated!

hb3b
New Contributor II

One thing to note for folks using "softwareupdate" is that changing the "delay updates for X days" setting in a profile won't take effect on endpoints until they are restarted or this is run:

launchctl kickstart -k system/com.apple.softwareupdated

It's not required if you're deploying updates via MDM but it will definitely impact users who elect to update on their own.

user-lOCkETbIwx
New Contributor

New to JAMF and mac management. My main focus has been SCCM and Intune. How would I use the script above to patch our systems? Can I patch systems without any of this advanced functionality and just use our JAMF cloud instance? No disrespect to anyone, but so far, patching PCs with Intune is a lot more intuitive.

I think you could fix your statement. Patching PCs is a lot more intuitive, Intune really has nothing to do with it. Patching on macOS has always been garbage compared to what you can do with Windows. You also jumped in at a time when Apple is doing out with the old and in with the new where it concerns OS patching.


My advice, give up on scripting this. It's not how Apple wants it done, and even if it works now it will not work for long. Apple has been very clear they want you to use Management Commands from your MDM for patching. JAMF is really dragging their feet at supporting the new (not new but 9 year old) software update management commands. May want to get with your JAMF CA and raise hell about OS patch management, as it is horrible right now and really has always been horrible.

Like I said, no disrespect. I was just merely highlighting the fact that patching PCs right now with Intune is more intuitive than with JAMF and that was not what I was expecting.

None taken. You have a point, and I welcome you to the rooftops with us to yell it until some billionaire listens. We need more people submitting feedback to both Apple and JAMF that this is unacceptable and there is no excuse for being this backwards and behind in 2021. Microsoft figured this out 20 years ago. Yes Intune and SCCM are 1st party for Microsoft, but JAMF says they are the leading MDM offering for macOS and it's time they stop saying it and act like it. JAMF does many things great, OS updates is not one of them.