Upgrading MacOS - Best Practices?

johntgeck
Contributor

Hello everyone and thanks in advance. I'm just looking for a little guidance in what avenue to pursue for upgrading my fleet and keeping everyone on the same page moving forward. Jamf Pro seems to have a few different methods for doing this. Documentation found here shows using Smart Groups and Mass Actions to upgrade devices. That's a simple enough method and I would love for it to be that easy. My experience with the Mass Action "Update OS version and built-in apps" is that it is a black box that I have no idea of whether or not it is working. With a >12 GB download, it's a little aggravating to just fire off the command and hope that as long as it ends up in the History > Management Commands > Completed list, that it worked properly and the computer will... update itself at some point?


Option 2 seems to be that a lot of people are using scripts like the ever-popular erase-install to handle upgrades. Is this because the Mass Actions don't work? People would rather the end users handle the upgrades via Self Service than push them out?


Option 3, and I'm not sure if I've seen anyone using this but it seems like it's sort of built for this function, would be using the Patch Management function. I'm going to level with you, we've done very little with this function of Jamf Pro in our enterprise, but I'm happy to learn.


Option 4, and my least favorite, deploy a team with flash drives to update the labs by hand and then make a static package available in Self Service. Inelegant, cumbersome, and possibly not going to work (at least the self-service piece).


For those that use self-service to deploy, how do you handle the long download time? Do you have a separate policy that caches the installer first?


Just looking for guidance on which approach people find to be the most effective and hassle-free in their environment, as it seems sort of unclear the best way to handle this.


pete_c
Contributor III

If the Mass Actions / Management Commands (MDM) actually worked reliably, we (the admin community at large) wouldn't have needed to create Nudge or erase-install.  Those projects are your most flexible options and have already anticipated and solved the most common issues.

You wouldn't send a team to visit each managed device with a flash drive to update one app; there's no reason to treat macOS differently.


EDIT: similar thread started recently, see here.

johntgeck
Contributor

Thanks for the reply. Yeah, I really wish the MDM command worked; it's so simple! But yeah, I literally haven't had it work a single time.


I've also tried creating a policy using the erase-install packaged installer in conjunction with the provided launcher script according to the recommendations in the wiki, but 1) it took nearly 2 hours to download on a 200 Mbps down connection, and 2) it cached the installer and didn't run it despite having the "--reinstall" argument specified in the parameters of the script. I'm going to continue hacking away at this one because it might be useful for labs, but trying to get teachers to leave their laptops plugged in for 2 hours and not shut them or take them home is an exercise in futility.


Perhaps I'll create two versions of the policy -- one to cache it silently in the background, one to live in Self Service where they can just hit the "Upgrade" button and it will install from whatever's in erase-install's working directory.


I agree with you that flash drives are the worst way to handle this which is why I'm shouting this question into the void. I think it's pretty telling that an entire cottage industry of scripts and apps exists just to make this process less painful, lol.

Hey @johntgeck,

I've been looking into this a lot recently and stumbled upon this thread, wondered if you or anyone in this thread has had any breakthroughs?

I've also tried and failed the MDM update method many times, I try every so often hoping that something will have changed and that it will suddenly work perfectly. Seems (somehow) even more broken for iOS/iPadOS...

I have extension attributes to find the latest major OS available to run on our Staff machines, this is scoped to a policy which silently installs the correct OS installer for the model. The last part is a script which is part of a Self Service policy and executes the startosinstall command, utilising an encrypted securetoken admin user to update - we've had some success, but it's mixed.

A colleague has recently implemented a 30-minute admin Self Service command (which I'll link to if you're interested). Planning to add this instead of the encrypted user to elevate the existing user's permissions, then run the same update command. Fingers crossed it'll work, but it's still not as straightforward as simply updating via System Settings...

Also planning to do a similar thing for rebuilds (Self Service object), as I've had enough of booting to recovery haha!

Let me know if you've had any luck with anything else in the meantime - Love the 40k icon 😉

AJPinto
Honored Contributor II

As we sit at the end of 2022, handling macOS updates is hot garbage and JAMF is not doing anything to make matters easier.


Apple's "solution" for handling OS updates and upgrades has two options.

  1. Use MDM commands
    1. JAMF handles this very poorly using Mass Actions
  2. Allow the Users to handle things
    1. Use configuration profiles to gate what OS updates are displayed to users

That is it. Apple is pushing HARD for user agency with OS updates and upgrades. Your best option is to use Apple's best practices, not JAMF's. Configure software updates and set deferrals.


  • Once a deferral is up, allow users to self-install.
  • Force OS updates via MDM command on a schedule or as needed
    • every 60 days, or when a 0-day comes out, for example
  • Force compliance for devices that fail to install OS updates
    • I handle this with software restrictions targeting OS Versions to force users to engage


Older options may work on Intel Macs, but will not function on Apple Silicon devices.

  1. Using CLI to install OS Updates and Upgrades will require user interaction on Apple Silicon. This covers the erase all contents workflow you mentioned.
  2. JAMF Patch Management is no longer possible. This requires a macOS delta package to push to devices. Apple stopped offering OS update deltas with Catalina.
    1. With software upgrades (12 > 13) you could still push the Install macOS app with Patch Management, but I would not recommend it. You would still need to use a script to kick off the installer, which Patch Management cannot do, and it would not work on Apple Silicon as it would be CLI.

Thanks for the detailed response. I'm glad I'm not the only one with these frustrations. The main issue I'm running into with allowing users to run them is that our users are not local admins. We use standard mobile accounts for teachers and students, so it seems like my only option outside of using Graham Pugh's erase-install is to create a smart group of all devices with an older-than-desired macOS version, scope a policy to them that installs the InstallAssistant pkg from Apple's software servers, and then a separate policy in Self Service that executes the macOS installer with elevated privileges. My main issue with this is that it requires you to reinvent the wheel every time an OS gets released, and users have to live with either running the incremental updates themselves or constantly living with the little red badge. Neither is exactly an ideal end-user experience, especially not on a premium product like a Mac.
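An added example (not code from the thread, from Jamf, or from erase-install) of the extension attribute approach the two replies above describe: it compares `sw_vers -productVersion` against an assumed target version and tells a major upgrade apart from a minor update, so a smart group built on the EA value can scope the caching policy and the Self Service upgrade policy separately. `TARGET_VERSION` and the result strings are assumptions.

```shell
#!/bin/bash
# Added example (not from the thread or Jamf): a Jamf Pro extension attribute
# that classifies the Mac's macOS version against the fleet target, so a smart
# group on the EA value can scope the caching and Self Service upgrade policies.
# TARGET_VERSION is an assumed, constructed value; set it to your own target.
TARGET_VERSION="13.1"

# N-th dot-separated field of a version, or 0 if absent/non-numeric, so
# "13" compares equal to "13.0.0".
version_field() {
    local f
    f=$(printf '%s.' "$1" | cut -d. -f"$2")
    case "$f" in
        ''|*[!0-9]*) printf '0' ;;
        *) printf '%s' "$f" ;;
    esac
}

# Compare two dotted versions field by field; print lt, eq or gt.
version_cmp() {
    local i a b
    for i in 1 2 3; do
        a=$(version_field "$1" "$i")
        b=$(version_field "$2" "$i")
        if [ "$a" -lt "$b" ]; then echo lt; return; fi
        if [ "$a" -gt "$b" ]; then echo gt; return; fi
    done
    echo eq
}

# Lower major => full installer (upgrade); lower minor/patch on the same major
# => Software Update / MDM update command (update), the split drawn above.
classify_os() {
    local current="$1" target="$2"
    case "$(version_cmp "$current" "$target")" in
        lt)
            if [ "$(version_field "$current" 1)" -lt "$(version_field "$target" 1)" ]; then
                echo "Upgrade required"
            else
                echo "Update required"
            fi ;;
        eq) echo "Current" ;;
        gt) echo "Ahead of target" ;;
    esac
}
# As an EA on a Mac, report the live version in Jamf's <result> wrapper.
if command -v sw_vers >/dev/null 2>&1; then
    echo "<result>$(classify_os "$(sw_vers -productVersion)" "$TARGET_VERSION")</result>"
fi
```

Build one smart group on "Upgrade required" for the installer-caching policy and another on "Update required" for the deferral/MDM update path, so the two kinds of work are never scoped to the same Mac at once.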

Same here. Our users do not have admin access. We are mostly M1 now, so I should walk around and enter my admin credentials for each of the 200 plus users?

AJPinto
Honored Contributor II

Honestly, yes. Apple expects you to issue OS updates with MDM commands, which only work about 70% of the time. Outside of that, Apple expects you to have FileVault enabled on your devices, and the users to have access to FileVault, which would grant a secure token allowing users to install updates themselves. As far as shared devices like in a classroom where provisioning FileVault is not really possible, yes, manually run OS updates yourself if MDM commands don't work.


Submit Apple Feedback, this is absolutely a garbage process but Apple only cares about their feedback requests.

AJPinto
Honored Contributor II

The direction Apple has gone in is to use MDM commands, not to deploy the full installer and use some janky erase-install script which may work today but not tomorrow. Times change and so must our processes, for better or worse.


Apple's way: issue the MDM command for OS updates with JAMF, and allow a user deferral or force install. When the deferral is up the updates will install; if the user clicks install now they will not be prompted for admin access. The problem is the MDM command to run OS updates only works about 70% of the time, and outside of that 70% you need to manually install updates.


To allow self-servicing of OS updates on Apple Silicon (i.e. installing updates without using MDM commands) you need to make your users volume owners. The credentials box is actually not an admin check but a volume owner check. Apple is not very clear on how to make someone a volume owner aside from giving them a FileVault token or admin access. There is no way around this: you need a secure token to install updates, and JAMF only gets that with an MDM command; no amount of CLI shenanigans will work.


Are these options good? Absolutely not. Do Apple or JAMF care? I think you know the answer. I cannot stress enough: submit Apple feedback and JAMF Ideas constantly.