Use Apple update server?

tcandela
Valued Contributor II

How do I set up a policy that will use the Apple software update server to check for software updates AT LOGOUT?

How do I set up a policy that will use the Apple software update server to check for software updates AUTOMATICALLY?

Will it automatically point to the Apple SUS?

Why set up an internal SUS?

1 ACCEPTED SOLUTION

stevewood
Honored Contributor II

@tcandela you only need one policy set to install updates at logout. You do not need to check for updates, because the process of installing them does a check as well.

If you want it to run once a week, then your frequency would be Once a Week.

And no, it is just one policy.

31 REPLIES

stevewood
Honored Contributor II

Are you wanting a policy to only check for software updates at logout, or to install them?

To check: on the Options tab under General, set the Trigger to Logout. On the Options tab under Files and Processes, under Execute Command, put: softwareupdate -l

To install: Set the Trigger the same, but on the Software Updates section of the Options tab, set to Install from Apple's Software Update server.

If you have not set the update server on your machine, then they should automatically be using Apple's servers to check. However you can set a network segment under Network Organization and set a specific software update server.

As I stated, as long as you have not changed the update servers, then your machines *should* default to the Apple SUS servers.

As far as why people use internal SUS servers, it is typically for two reasons: 1) to control which updates are allowed to be installed, and 2) to provide a local repository for updates so that end user machines are not constantly eating up Internet bandwidth.

By using an internal SUS, like the NetSUS appliance or Reposado, you can also create separate update branches. By allowing this, you can set up a test branch and a production branch so that you can test updates on a subset of computers before releasing into the production branch. That's one example of use.

Hope that helps a little.

Not applicable

You might also consider using OS X Server's Caching service, which removes the ability to control specific OS X updates but automatically caches and deploys iOS updates and content, and doesn't require any reconfiguration of your workstations.

tcandela
Valued Contributor II

Hi Stevewood - currently this is for OS X machines (iMacs, MBPro, MacAir). I want a policy to only check for software updates at logout and to install them, all in one policy. Can this be done? The policy will run once a week.

What execution frequency would I choose?
Is your explanation instructing me to create 2 separate policies?

The software update server has not been set anywhere; computers are configured via Casper with base OS and apps. Now I simply want to create a policy to check/install software updates (once a week check).

stevewood
Honored Contributor II

@tcandela you only need one policy set to install updates at logout. You do not need to check for updates, because the process of installing them does a check as well.

If you want it to run once a week, then your frequency would be Once a Week.

And no, it is just one policy.

tcandela
Valued Contributor II

Stevewood - so basically I would create the one policy that would check/install updates with the following new policy settings (the process of installing them does a check as well).

To install: on the Options tab under General, set the Trigger to Logout, but on the Software Updates section of the Options tab, set to Install from Apple's Software Update server. (Is the Apple software update server an available option to select, or do I have to enter something manually?)

Also, what is this 'a logout hook that checks for policies must be configured in the jss for this to work'? Is this already configured?

strider_knh
Contributor II

Just as a side note, running an update policy at logout can be tricky. You mentioned laptops, and if a user logs out and closes the laptop to leave, the updates may not get installed correctly or at all. This may cause you some problems.

Something to keep an eye on.

tcandela
Valued Contributor II

This is my first time setting up a policy for Software Updates, so please bear with me if I repeat myself, or sound stupid, I just want to make sure I am setting it up correctly.

If I want to set up my own SUS, would I have to go to the JSS --> Computer Management --> Software Update Server --> New and fill out the information pointing to the SUS I set up? Then create the policy to use the SUS by going to the JSS --> Computers --> Policies --> New --> Software Updates --> (from drop down list choose) MY SUS?

If I choose to not create my own SUS and use the Apple Software Update Server, would I simply do the following:
JSS --> Computers --> Policies --> New --> Software Updates --> (from the INSTALL SOFTWARE UPDATES FROM drop down list I see 2 choices) do I choose 'Each computers default software update server' or do I choose 'Apple Software Update Server'?

Set trigger (logout, once a week), scope.

gskibum
Contributor III

The "Each Computer's Default Software Update Server" would make a device adhere to a designated SUS set with a Managed Preference, or if none is applied with a Managed Preference (or other means) then Apple's servers will be used.

The other two would override a SUS set with a Managed Preference, I believe.

bentoms
Release Candidate Programs Tester

We update our Macs at logout, but with a few differences.

  1. We cache needed updates 1st via: softwareupdate -da
  2. After that if you run recon, it should update the computers record to show that updates are available
  3. We have a smart group that macs are added to if they have updates available.
  4. At logout the Macs in the smart group install all required updates, this will check to see what the Mac needs & will download any updates not downloaded already.

The above stops any delays in logging out due to updates downloading as the majority should already be downloaded.

tcandela
Valued Contributor II

bentoms - what does your software update policy look like? How are you doing the caching of the updates, where are you putting the softwareupdate -da? Are you using your own SUS or Apple's? What is your smart group criteria?

bentoms
Release Candidate Programs Tester

@tcandela, we actually do a few things a bit differently.. But for the above;

Create a policy that runs once a week with the below in the run command field: softwareupdate -da & tick "Update Inventory" in the policy.

Create a "Smart Group" with the criteria something like: "Available updates not like 0"

Create another policy that is scoped to the smart group created above, & tick the box to install all available updates & run @ logout.

We have 11 internal software update servers, but are moving to caching servers.

daz_wallace
Contributor III

Hey @bentoms

Does that mean you're no longer worrying about restricting Apple Software Updates to end users?

Darren

bentoms
Release Candidate Programs Tester

@daz_dar, not really.

We have 10 ASUS's cascaded off of a "Master" that pulls down all updates from Apple.

The Master only syncs with Apple every Sunday, the Cascaded servers sync with the Master every Saturday.

Currently we have around 160GB of updates, & tbh a good chunk we don't need.

So, we're looking at caching servers not only to lessen the amount of un-needed updates.. but also to serve updates to our iOS clients.

If a dodgy update comes out, we'll run the below on our clients to stop them from downloading it:

softwareupdate --ignore <update to ignore>

daz_wallace
Contributor III

Cool, thanks for sharing!

I remember your current setup allowed you 6 days to stop the update from cascading and was just wondering the reason for the change.

Darren

tcandela
Valued Contributor II

Bentoms - in your comment on 1/4/15, do I need to use the software update payload when I do this?

Will this updating also update the OS if applicable (I don't want it to update OS)?

bentoms
Release Candidate Programs Tester

@tcandela, I guess you mean the profile?

In short, no. The client just needs an Apple Software Update server, be that a self hosted one or Apple's own.

tcandela
Valued Contributor II

When I go to policies, I create 'new' policy , do I use the 'software updates' payload to configure the policy and put the softwareupdate -da command somewhere here, or only use the 'files and processes' payload and put the command there?

Will use Apple's own.

bentoms
Release Candidate Programs Tester

@tcandela, ah.. files & processes.

tcandela
Valued Contributor II

So no need to use the software update payload. I want it to be available in Self Service when updates are available. Below are the steps you provided 1/4/15; would they be applicable to use as a Self Service policy? Would it run the OS Yosemite upgrade or just updates to things like iTunes, Safari etc.?

Create a policy that runs once a week with the below in the run command field: softwareupdate -da & tick "Update Inventory" in the policy.

Create a "Smart Group" with the criteria something like: "Available updates not like 0"

Create another policy that is scoped to the smart group created above, & tick the box to install all available updates & run @ logout.

bentoms
Release Candidate Programs Tester

@tcandela the above example would just query the Apple Software Update Servers for any software that is available for the clients OS. Things like:

incremental updates of the Mac OS and its applications, Security Updates, device drivers and firmware updates.
(from http://en.wikipedia.org/wiki/Apple_Software_Update)

The -da will download all available updates for the client (https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/softwareupdate....).

So updates & not upgrades to things like the latest OS version.

If you then have a smart group scoped on something like: "Available updates not like 0" you could then have a policy in Self Service to install all updates & restart.

tcandela
Valued Contributor II

I just ran softwareupdate --list from the command line on a 10.10.1 system (to see if it matches the 2 items that App Update is showing I need to update, 10.10.2 and iPhoto).

The softwareupdate --list showed only ONE update, for 10.10.2. So any updates that are part of apps installed from the App Store WILL NOT be included when running this command? The iPhoto update will have to be performed manually then, I suppose.

So I will just be using the 'General' and 'files and processes' payloads for this policy, no need to use the 'software update' payload since I will just have it use the default update server, which is Apple's (unless I want to specifically select Apple software update server from the list).

bentoms
Release Candidate Programs Tester

@tcandela, that's right. iPhoto is an app delivered by the App Store & has no command line updater.

"Applications" is for the apps that are updated via ASUS, such as those built into the OS.

tcandela
Valued Contributor II

I know I should test this on my own, but if I use Self Service instead of installing updates @ logout, will the user that runs the 'software update' be prompted to 'restart' if necessary? Here is the process I am doing to create the Self Service policy:

A - Create a policy that runs once a week with the below in the run command field: softwareupdate -da & tick "Update Inventory" in the policy.

B - Create a "Smart Group" with the criteria something like: "Available updates not like 0"

C - Create another policy that is scoped to the smart group created above, & tick the box to install all available updates & select 'Self Service'

Where is the box that I tick to install all available updates?

tcandela
Valued Contributor II

I have created a simple policy that runs the softwareupdate --download --all command in the Execute Command section of 'files and processes'.
The Maintenance payload has 'update inventory' checked.

Smart group with criteria set to 'available updates not like' 0.

I am creating a second policy scoped to this smart group (will put it in Self Service). Where is the box that I check to 'install all available updates'?

RobertHammen
Valued Contributor II

I think if you add a Software Update policy and tell it to "Install Software Updates From" either the client's default server, or a specific server, it will install all of the updates.

There used to be separate check boxes to Set the Server, and Install All Updates, but this behavior changed, I believe in v9, right @bentoms?

bentoms
Release Candidate Programs Tester

@RobertHammen You're right.

Just to add though, that Installing All via Software Update will check for updates downloaded (if any are) as well.

So it ties in.

tcandela
Valued Contributor II

When I do the softwareupdate -d -a, the smart group does not get populated with computers that have gotten updates downloaded.

My Smart Group criteria is "Available updates not like 0".

So I just set up a policy using the software update payload, running once a week on logout.

mm2270
Legendary Contributor III

@tcandela You need to go into your JSS under Computer Management > Inventory Collection, there is a setting called "Collect available software updates". That needs to be checked. The Smart Group criteria you're using doesn't see items downloaded into the /Library/Updates/ directory.
I know you are a Site admin from your other posts, so you'll likely need to discuss this with your full JSS admin to see if they are OK with turning that function on. Afterwards, when Macs submit inventory, they will query the SUS they are pointed to (Apple one or internal) and pull a list and count of available updates.
If your JSS admin doesn't want to turn that on, and it's possible they won't since it's a global setting that affects all managed Mac clients, what you can do in the interim is build an Extension Attribute that would provide a count of packages in the /Library/Updates/ folder.
Only thing is, as far as I know, Extension Attributes are also global and so probably your JSS admin would need to add it in, but it would only be running a simple script to get a count of waiting packages in that folder and not querying anything external. I don't believe EAs can be scoped to only a Site, but not 100% sure on that.
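
A sketch of the Extension Attribute mm2270 describes, as an added example that is not code from the thread. It assumes the `<result>` output convention Jamf uses for Extension Attribute scripts; the function names and the `UPDATES_DIR` override are hypothetical.

```shell
#!/bin/sh
# Added example: Extension Attribute script that reports how many update
# packages are already downloaded locally, without querying any update server.

# Cache location named in the post above; overridable for testing (assumption).
UPDATES_DIR="${UPDATES_DIR:-/Library/Updates}"

# count_cached_updates DIR
# Prints the number of .pkg / .mpkg items found under DIR.
# Bundle-style packages are directories, so -prune stops find from
# descending into them and counting their inner packages twice.
count_cached_updates() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        # No cache directory at all means nothing has been downloaded.
        echo 0
        return 0
    fi
    # Emit one dot per match and count bytes, so odd file names
    # (spaces, newlines) cannot skew the result.
    find "$dir" \( -name '*.pkg' -o -name '*.mpkg' \) -prune \
        -exec printf '.' \; 2>/dev/null | wc -c | tr -d ' '
}

# ea_result DIR
# Wraps the count in the tag the inventory process reads the value from.
ea_result() {
    printf '<result>%s</result>\n' "$(count_cached_updates "$1")"
}

ea_result "$UPDATES_DIR"
```

A Smart Group can then use this attribute with a "more than 0" style criterion in place of the "Available updates" criterion, which depends on the global inventory setting.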

tcandela
Valued Contributor II

mm2270 - I never knew that, thanks. I'll talk with the Full JSS admin.

Currently I created a simple policy using the software update payload, triggered @ logout, once a week; it's working with no problems so far. Also used jamfhelper to notify users that a software update check is in progress (just in case they find the grey screen just sitting there to be odd and they get tempted to hold the power button down to shut the computer down).

tcandela
Valued Contributor II

I have the policy triggered to run at logout, looks like shutdown triggers the policy just as well.

ToriAnneke
Contributor II

Is it possible to have two ASUS URLs?
One pointing to an internal server and the other pointing to Apple's default?

I used to run an onsite ASUS when bandwidth wasn't so "widthy" back in the mid 2000s.
The major problem we had (if memory serves) was some users were away for weeks or months on end. Their machines would never update.

My shop now has some uber-duper fibre connection, so downloading is a snap compared to what it used to be. And to have one less administrative thing to do is also nice, so I now use Apple's default.

Just curious if this is possible now or if anyone has invented a workaround?

Thanks in advance as always,
-p