What will App Installers do/not do? Brainstorming and testing this out.

VintageMacGuy
Contributor II

This is from the release about JAMF Pro 10.37, but leaves a lot to the imagination:

App Installers

App Installers allow you to deploy apps from the Jamf App Catalog to a smart computer group and automatically updates and deploys those apps. This streamlines the app lifecycle management process by removing the need to manually monitor, package, and update apps.

 

The documentation page isn't much more help:

Patch Management

You can manage the software updates in your environment using the built-in functionality in Jamf Pro. Managing software updates allows you to ensure that the software in your environment is up to date on target computers, and allows you to update the software if it is out of date.

You can manage both third-party macOS software updates and Apple Updates using the following methods available in Jamf Pro:

Patch Management

You can use the Patch Management workflow and other technologies available with Jamf Pro to manage the third-party macOS software updates in your environment. This method offers the capabilities to view the software currently installed on the computers in your environment, to notify when new software is available, and to distribute the new software to target computers.

App Installers You can use App Installers to distribute available third-party macOS software titles from the Patch Management Software Titles list in the Jamf App Catalog to a smart computer group. This method distributes the software title once and automatically updates the software title when a new version is released. Software Update

You can use Jamf Pro for Apple Updates by running Software Update on computers. This method allows you to install all updates available from Apple.

You can also manage the software updates in your environment using Title Editor, a Jamf-hosted service that extends the built-in Patch Management functionality in Jamf Pro. You can use Title Editor to create custom software titles, override existing patch definitions, and create custom patch definitions.

Related Information

Jamf Resources:

 

It sounds like I will be able to choose an app (eg: Google Chrome) from the App Installers section / Patch Management Software Titles list, Point it to a Smart Group (and only a smart group?), and it will automatically install said app to the machines in the smart group, and then automagically keep them up to date with no admin intervention?

I am currently using Patch Management and manually uploading .pkg files to JAMF Pro, creating new Patch policies whenever a new version comes out, and then scoping it via the same method I scope a Policy. The Macs come online, check in, and update their apps with some user notice if the app is open and silently if the app is closed.

Looking under Computers/MacApps, I have the following options:

O - App Source
Mac App Store (Relies on Apple's Mac App Store for updates)
O - Jamf App Catalog (preview) Relies on Jamf for updates
No cloud connection. Add a cloud connection via Cloud Services Connection

So I go to Cloud Services Connection and it asks for a JAMF username and password:
Cloud Services Connection Setup Enter your Jamf ID credentials to enable the Cloud Services Connection.

I add my email and password and it says now I am connected and gives a EULA to agree to regarding "yes, I own a license for the apps I am asking for".

Now, back to Mac Apps in JamfPro/Computers and I can now select an app like Acrobat Reader from the same list that Patch Management uses for updates, with an option to toggle "deploy" on and off, and a drop down menu of my Smart Computer Groups. 

I am guessing that this will look for my Intel Macs, push a copy of Acrobat Reader to them (not sure what happens if they already have it) and then automatically update it as new versions roll out with no admin interaction? And I am curious as to why I now need to make smart groups rather than using the old way of scoping like a policy? I thought the idea was to limit the use of Smart Groups as they can take a lot of CPU cycles?


36 REPLIES 36

VintageMacGuy
Contributor II

After setting the above up and starting an Intel Mac, by the time I opened the Applications folder, the app I used was already installed. I checked in JAMF to see where it was listed and I found it under Computers/<this computer>/History/Management History and identified as an entry labeled "InstallEnterpriseApplication" and the install time. No mention of what app was installed (feature request?) or any other details that I could find.

tzeilstra
New Contributor III

Definitely looking forward to seeing this develop.  Obvious limitations right now include the inability to postpone the installation of a new version once it's released (in order to allow for testing or a staggered deployment) and selecting a window for any potential updates to take place - either after hours or during a regularly scheduled patch window.  I'd also love to know happens if the app in question is in use when Jamf is ready to deploy an update.

esummers78
New Contributor III

If there is an update it force quits the app even if there is unsaved work. This is something that I hope is fixed before this comes out of preview.

dletkeman
Contributor

It would be nice to have a little more documentation on this.  I really dig the idea; however, I can't set up a self serve option with Jamf Apps.  Also it is a little unclear what happens when deploying apps that are already deployed to our fleet of computers.  It would be nice if there was an option in Patch Management for Jamf Apps to management new updates.

 

esummers78
New Contributor III

Jamf said a self service option is coming later. If the app is already deployed another way, it should upgrade it. Currently no options to control updates, but hopefully that changes before it is out of preview. 

dletkeman
Contributor

I do realize that this is still very new and I am excited of where this will lead.

Very excited at the potential for this new feature.

 

dhausman
Contributor

Does this only work if you are cloud hosted?

esummers78
New Contributor III

Yes. It is a Jamf Cloud only feature.

tzeilstra
New Contributor III

Very happy to report it seems to work just fine on-prem!  Thanks for not making this Cloud-only JAMF-Devs!!!

esummers78
New Contributor III

Are you sure? Jamf said in their announcement that on-prem is not supported.

It is allowed to work now in because it's a "preview"

At some point, that will stop.

VintageMacGuy
Contributor II

I agree - this looks promising, but I think it could use a 'delay' feature so the process has a bit of lag time to let us test new revisions before dropping them on end user machines. My normal test process for Patch Management is to put the updated version into JAMF as a .pkg and deploy to my test machines to make sure deployment works without error or weird results, then expand to my beta test group to get real world use feedback, then to the wider fleet. 

This looks like it skips the first two steps and jumps straight into deploying to the fleet. It seems to be taking the place of the Apple Store App deployment section where apps purchased through the app store get deployed to devices and automatically updated. But I trust Apple Store updates more than most updates that come straight from the manufacturer.

I also can foresee an issue where a bad update gets pushed out to most of the fleet before I am even aware anything is happening. Hence my wish for a few checks and balances before automatically loading software on end user devices.

dhausman
Contributor

I tried asking support yesterday a few questions that I could not find answers to in the documentation or release notes.  I setup firefox, chrome and edge to roll out to me as a test. I got notification from patch management that firefox was updated yesterday.  So I checked my mac Apps Firefox deployment and it still reported the old version. So my questions to support were:

 

  1. When does it check for updates?  What is the frequency that it checks for new packages. What is the turn around time?
  2. When does it deploy packages?  Assuming after it checks on the next inventory cycle.
  3. What happens if a user is using the app when it decides to patch? Does it just force the app closed? Not sure that will go over well with my users.

The person I chatted with was not able to answer these questions, although he did say that it would not work for me since I am on Prem.  Turns out at some point yesterday that new version of Firefox did download and install on the smart group that I had this pointed at.  

It would be nice to have some additional information and documentation about how this works. I will be putting in a feature request to be able to roll back to a different version.  At this point I may still autopkg stuff so I have the option to roll stuff back just in case something goes wrong with a bad update.

jamesandre
Contributor

I ran a test yesterday, deployed the latest Chrome to a Mac with an existing Chrome (98.x).

I had Chrome open with some active sessions, multiple tabs. Jamf deployed the newer version of Chrome (99.x) while it was running, Chrome in the Applications folder was 99.x (Using command + i) and the running Chrome was still 98.x (Using About Google Chrome). Chrome continued to run fine, without an Aww Snap. I quit and relaunched Chrome and it was now the newer version (99.x).

I’m not sure if this behaviour would continue with future updates.

JustinC
Contributor II
Contributor II

Hi everyone. We recently published an FAQ on App Installers to try and provide some more insight into how it all works.

https://www.jamf.com/blog/jamf-app-installers-faq/

Emily also provides some more details on her blog over at

https://www.modtitan.com/2022/03/in-weeds-with-app-installers-preview.html

Nerdherder
New Contributor II

Hi Justin and others,

It seems some on premise customers have tried it out and it works for them.

But your FAQ clearly says "We are supporting the use of App Installers for Jamf Pro Cloud customers only".

Does that mean on-premise customers can use it without support or you will be taking steps to prevent it from working for on-premise?

It totally works. Documentation is not great. I think they really meant to say We are supporting the App Installers for customers leveraging Cloud Services Connection.   

 

In settings if you got into Cloud Services Connection under global, you sign in with your Jamf.com login, and it gets connected to the cloud services connection, which then enables App Installers.   You can be on Prem, I am and it works.  Hope this helps clear it up.

Nerdherder
New Contributor II

Right, I know it works now...and maybe it's a nomenclature thing I'm not up on, but the FAQ says it is not support for on premise ...here's the whole FAQ response:

Who can use App Installers?

We are supporting the use of App Installers for Jamf Pro Cloud customers only. We don’t support it for subscription on-premises customers as we rely on Cloud infrastructure.

 

Does that mean there's another way to have a jamf catalog subscription??  Setting up the cloud services connection is the only way I know of...so there wouldnt be a need to distinguish on-premise vs. cloud.

I really want this to work for on-premise, I just dont want to invest the time to get up to speed if it's only available to us now as a teaser to get more people to transition to their cloud service

danlaw777
Contributor III

Good Morning all, i was so excited for this release I had Jamf upgrade me early. i was both surprised, and a little sad, at the results from the upgrade. Firstly, no downtime, no install issues, no problems with the upgrade itself. i went through the console and looked and there it was! the only downfall, there are only 65 app that can use this right now, and since we've had Jamf for about 3 years, most of these i already have scripted/packaged and ready to go. so as an initial test i randomly grabbed an app and scoped it out. Super simple, i mean, REALLY simply. My really old uncle who only knows how to get on a pc and check sports pages could do it!

 

MY question is this, and i'll be testing here as soon as i finish posting this is.....what happens if I already have these apps and scope them out? does it automatically update them? does it rewrite over them? or does it do a Steve Jobs and just die?

 

more to follow! (testing today and off a few days next week so update may be in a week or so. 

If you have one of the apps scoped out, it will install the app, and update it whenever there are updates.  If a user uninstalls the app, it will get re-installed on the next update.

i didnt see that anywhere in the documentation

It was in the FAQ posted above.

dletkeman
Contributor

I'm wondering what would be the most efficient work flow for deploying computers now.  Currently I use DEPNotify to push out several policies that install the base applications I want our users to have.  Once DEPNotify is done I know the computer has everything it needs for the user.  I'm not sure how to fit App Installers in with all this.  I guess I could still push out the apps via policy but still have the App Installer also scoped out to the same machines.  It just seems somewhat wasteful to me.  Do App Installers evaluate at check-in, during inventory check-in, during policy evaluation or something else?  Do they only push out during app updates?  I just haven't had time to test all this and there's not enough information available for me to confidently use this feature yet; however, I love where this is headed.

It would be nice if App Installers just took over exclusively patch management instead rather than as the initial install.

Self Serve App Installers would be nice though, but this isn't available yet.  But according to the FAQ it is coming.

 

Nerdherder
New Contributor II

So the answer from support is definitely that it is for cloud customers only.

The fact that it works now for on-premise customers hasnt been explained, but it'd expect that to go away soon:

Thanks for reaching out. At this time App installers are for Cloud Subscription customers only. The reason behind this is that there are future roadmap items that will rely on the infrastructure that will only be available to Cloud Subscription customers, and as such we are only supporting the use of App Installers by Cloud customers for now. We apologize for the inconvenience. There is a feature request that I would encourage you to upvote: https://ideas.jamf.com/ideas/JN-I-25878

ianatkinson
Contributor

I've installed 10.37.2 today so I thought I'd give this a go, though we are on-premises.

I tried scoping Chrome to my own computer with Chrome running, after a while the Chrome weirdly broke in that it wouldn't load any content, then it just quit. When I re-launched it it was at the new version.

There are no settings in this as you can have with patch management where you can put a message and a timer on for people using the apps, it's a bit useless if it just randomly kills whatever it is that needs updating with no warning.

I had the same issue with the chrome app installer. When it patches chrome, it becomes unresponsive, so it is not just you.  I went back to using patch management because I can prompt the user to restart chrome, or have it quit on it's own after a set amount of time.  I like the idea and the ease of app installers, but it just does not work in a graceful way for chrome. I can't use that in production, our support center would be super mad at me. This will just generate support calls. I will spend the 5 minutes in patch management to avoid giving a user a negative experience.

Same problem. It also seems to be very slow rollout?  

I am also curious what the device limitations are. Is this for User approved devices only? Only 10.15+? Etc. I can't find any documentation that answers these questions. 

It uses the Jamf agent, so there shouldn't be limitations on enrollment method.

gk
New Contributor III

If a user already has a specific app installed, does this uninstall/reinstall or does will the App Installer recognize the app is installed and simply patch as needed? 

In other words, can I deploy the app via this method and eliminate my Patch Management packages?

JustinC
Contributor II
Contributor II

@gk if a machine in the smart group scope of an App Installer deployment already has the app installed, it will get updated to the latest version if an update is available and will receive all future updates (whilst is remains in the smart group). You shouldn't have to use Patch Management to deploy packages to any smart group that is part of an App Installer deployment.

AVmcclint
Honored Contributor

We're at 10.39.1 and the documentation is no clearer than it was in the beginning. I'm confused as hell about the work flow, the sequence and timing of events, scoping to smart groups only?... Even enabling the Cloud Services Connection to enable this isn't very clear. Sometimes Jamf's documentation is as obfuscated as Apple's.  I am definitely looking forward to using this but it's as clear as mud right now. 

Hi @AVmcclint . We have taken this feedback onboard and have provided more information on the workflow and timing of events in the new version of the admin guide https://docs.jamf.com/10.40.0/jamf-pro/documentation/App_Installers.html

Hopefully this helps. Please let me know if there other areas where more information could be provided.

Doof
New Contributor

I've been testing this out and have successfully deployed a number of applications to a smart group. When I add additional devices to this smart group after the initial deployment, I would expect (hope) that the apps are automatically pushed out to the newly added computers, but so far that doesn't seem to be the case. I've had to go back to each of the individual apps, disable the deployments, save it and then re-enable them to trigger the installations for the new devices in the group. This is very inconvenient if the feature is used to manage a large amount of applications.

JustinC
Contributor II
Contributor II

@Doof this shouldn't be the case. When App Installers checks for changes to the smart groups every 20-ish minutes, any new machines that appear in the smart group should receive the required software from App Installers. How long after adding a machine to a smart group were you waiting before disabling/re-enabling the App installer deployment?

Doof
New Contributor

Thanks for the reply Justin. I gave it at least an hour. As a test I had 8 applications pointed to a smart group. I added about 30 new devices to the group. After about an hour after noticing no movement, I toggled off and on the deploy switch on 6 of the 8 applications, but I purposefully left two of the applications alone. The 6 applications I toggled on and off quickly deployed, but the remaining two I hadn't touched were still MIA even after leaving it overnight. I'm hoping the updates coming to app installers with this next version of Jamf Pro make this process a little more transparent.

@JustinCI am seeing similar behaviour as well. New devices added to smart groups are not getting picked up and I have to manually toggle the Deployment on and off before they are picked up.