Will JSS 10 finally bring us easy patch management?

donmontalvo
Esteemed Contributor III

We tried to get @gregneagle to speak at JNUC2014. Your's truly offered to walk on stage in a tutu, introduce him, and walk off stage, stoping to curtsy along the way. Such a golden opportunity and he declined (OMG THANK YOU!!!). ;)

Posted to IRC today:

Direct link to image: http://donmontalvo.com/jamf/jamfnation/IRC/valid-constructive-criticism-01.png
external image link
Direct link to the relevant feed: http://osx.michaellynn.org/freenode-osx-server/freenode-osx-server_2014-06-18.html

A couple years ago we had a JNUC session where JAMF sat with some of the large clients and discussed the upcoming version, and what we wanted/needed in the new version. I came prepared, suggesting (1) exclusions and (2) ring fencing. Both requests made it into JSS 9 (as exceptions and sites).

I really hope JAMF does the same at JNUC2014, so we might finally get new patch management functionality in JSS 10. Whether it's something simple like adding is equal to or greater than to Smart Computer Group criteria (not sure that would be reliable in all scenarios), or some other way of determining if an installed piece of software needs to be updated.

external image link

@loceee's Patchoo (gesundheit!) got a lot of attention, as it showed, at least conceptually, what might be possible if JAMF could dedicate some time/resources...:

Hello junki! Casper patching done right!
https://jamfnation.jamfsoftware.com/discussion.html?id=10636

...and it stirred up a lot of discussion; if you're not already on the ##osx-server IRC channel, do yourself a favor and join. Scroll to the bottom of:

http://wiki.afp548.com/index.php/Main_Page

Don't miss @tbridge's excellent IRC article:

http://www.afp548.com/2013/02/06/a-field-guide-to-irc

The more attention this gets, the greater the chances JAMF might pull this off...hopefully without anyone needing to parade around in a tutu at JNUC2014.

Thanks,
Don

--
https://donmontalvo.com
128 REPLIES 128

RobertHammen
Valued Contributor II

I have lots of questions on how this will work. In larger corporate environments I need to scope the updates to a static group first, and let some period of time (1-2 weeks) pass before deployment to everyone who needs it...

emily
Valued Contributor III
Valued Contributor III

I wonder if this would apply to Apple software updates in addition to third-party apps?

donmontalvo
Esteemed Contributor III

NetSUS/AppleSUS should handle this.

--
https://donmontalvo.com

bpavlov
Honored Contributor

This sounds very interesting and exciting. However, I hope there's more to it than what they stated because right now it sounds like it depends on JAMF Nation to get update links and then it deploys to all computers. That definitely won't work for all environments. 2 major problems I see with that right off the bat:

  1. Admins should get the ability to deploy their own customized updates because some vendors have horrible packages that sometimes need to be modified.
  2. Admins should be able to deploy the patch to one, many or all computers based on whatever groups they configure in the JSS.

Let me reiterate that it is very exciting to hear this news. It's kind of like rolling some of the features of Munki and AutoPkg into one. The ability to update out-of-date applications based on the app version the computer is running (Munki) while also automating how it checks/downloads updates (AutoPkg).

I just hope when it gets deployed that it's fully featured and not something that is limited in how it can be customized.

mm2270
Legendary Contributor III

From what was presented, it does not auto deploy to all computers. You set up each individual software title individually and for each one you set up, have the option of choosing between just placing the update in Self Service or deploying it silently.

The preview at JNUC was only a brief overview. There is definitely more to come on this so we'll just need to be patient. But what we saw looked pretty awesome.

loceee
Contributor

Watching with interest (and continuing secret work on Patchoo2 - let's just say I am planning on eliminating many of those yicky smart groups and wonky version checks).

I am hoping they have some sort of software testing track implementation. It's invaluable to have dev / beta / production client groups.

But I also will just be happy to something simple that will save many hours of wasted time for the majority of Casper admins!

Life's too short to be packaging.

donmontalvo
Esteemed Contributor III

I agree! The concept of staged deployment is built into @gregneagle's Munki tool. New/updated apps or patches need to be vetted before deployment. Automatic downloading/packaging/importing into JSS is awesome, hopefully staging will be included in JSS n.

--
https://donmontalvo.com

mscottblake
Valued Contributor

Yeah, that's my number one request. The munki catalogs are a great idea. So great that I was trying to come up with a best of both worlds approach for my environment. I'm very interested in how the patch management gets implemented.

elliotjordan
Contributor III

As JNUC attendees may have seen at my session this afternoon, AutoPkgr now supports direct JSS integration, and can be extended to completely automate the Mac app patching process (although you may want to proceed with caution).

There's a discussion open here, for those who are interested:
https://jamfnation.jamfsoftware.com/discussion.html?id=12280

I'm hoping other Casper admins find this as useful as we have. We're looking forward to seeing what JAMF introduces, but until then AutoPkgr is your friend.

donmontalvo
Esteemed Contributor III

Woohoo....UNDER REVIEW:

Please make JSS track "package-id" and "version" in package receipts
https://jamfnation.jamfsoftware.com/featureRequest.html?id=2367

--
https://donmontalvo.com

donmontalvo
Esteemed Contributor III

In the interest of keeping this thread alive, here is another tidbit from the ##osx-server IRC channel.

Scroll to around 09:12: https://botbot.me/freenode/osx-server/2015-01-20/?msg=30023695&page=6

@gneagle: Yet another example of a basic task that should be simple, but isn't: https://jamfnation.jamfsoftware.com/discussion.html?id=13056 @adamcodega: I don't know why people are even bothering trying to update apps with Casper right now. @gneagle: adamcodega: Because that's the tool they bought and they expect to be able to use it @adamcodega: Well, now they know.

@gregneagle will probably rag on me for picking up on "fumes from a previous conversation"...but he has some very valid points.

Just a reminder to take a moment to watch the relevant part of last October's JNUC2014 keynote address.

This link takes you to that point in the video. Enjoy!

https://www.youtube.com/watch?v=X-jKKPGNPE8&t=48m8s

--
https://donmontalvo.com

daz_wallace
Contributor III

I heard this was shown at JNUC2014. +1 / #WANT

davidacland
Honored Contributor II
Honored Contributor II

I'm definitely looking forward to this being added. I'm assuming it will be before Oct this year otherwise JAMF may get some criticism.

It doesn't look like an easy thing to add in, considering the number of possible variables with every update. Just hoping it will be smooth enough to use when it is released!

mm2270
Legendary Contributor III

The only concern I have about what was shown is that it was mentioned JAMF would be using the Third Party Applications information from JAMFNation to determine versions and download locations. If that's the case, they will probably need to control that information. Right now, anyone can go in and edit the information in the 3rd party section for any product. Allowing anyone here to edit it could potentially mean breaking everyone's patch management solution. So JAMF will either need to have specific fields in each entry they lock down and have control over, or just not allow anyone to edit those entries anymore.
It will also mean its on JAMF to continuously stay on top of and keep those entries as accurate as possible. That's kind of a tall order unless they are working on some pretty advanced process to automate that.

All in all, I look forward to what they are putting together. Until then, we'll use our custom processes, since the current process of Smart Groups and manual packages is tedious. AutoPkg and AutoPkgr help alleviate this somewhat, but some organizations aren't inclined to plug in an external product for this and would rather use what's built in to the product they purchased. Even if its not perfect, my guess is JAMF's patch management solution will have a pretty good uptake by customers.

Chris_Hafner
Valued Contributor II

One of the other things that JAMF was very clear to point out was that they recognize the need to focus on quality control (for lack of a better term) as opposed to fast feature roll out. A lot of folks went through a lot of issues with the transition in early 9.x, myself included. Trust me, I want it. I want it bad. However, when I do get my hands on JAMFs version of patch management I want the darned thing to work or I don't want it at all!

I'm really happy that JAMF announced the fact that they are working on it. Personally, I'm not ready to move toward AutoPKGr even though I know it works. It's too much outlay and thumb holding for my organization (I'm Casper Admin + a million other things). Personally, I'm willing to hold off for as long as necessary to get something I can trust, that will also make my job easier.

dvasquez
Valued Contributor

I agree. I hope that it works and that implementation can be a little more straight forward. I have had all kinds of issues implementing things (early on) that I really wanted to use that would in theory increase our productivity. I am also excited about this new tool. Yes please more QA and testing before a quick software release. Chris_Hafner I get what your saying about work loads as I am in a similar situation. I am totally ok with working to implement something new that does not require more hand holding.

CasperSally
Valued Contributor II

I agree with @Chris_Hafner, even though I created the original patch management feature request (https://jamfnation.jamfsoftware.com/featureRequest.html?id=662

Autopkg makes it so easy to get the latest files, it takes me ~10 minutes a month to update/stage policies without even trying to automate it with other tools that are out there. I'm fine with that at this point. Like Chris, I manage a million other things outside of Casper, and just want something that is quick and reliable.

I want patch management built in to the product, but I also don't want it at the expense of support being stretched too thin. Since moving over to config profiles and relying on cert based communication, something breaks with each upgrade for us that takes weeks+ to resolve. Apple's yearly upgrade cycle forces us to upgrade JSS 1-2x a year just to support the latest OS (and iOS).

The thought of JAMF taking on something else big and seemingly complicated scares me. Hopefully I'm underestimating the size and resources of the dev/support team.

donmontalvo
Esteemed Contributor III

I doubt (or hope) the patch management feature(s) won't rely on community manifests - we really need the ability to create/manage our own manifests internally (for risk mitigation, security, confidentiality, etc., reasons).

I'd love to see a followup communication from JAMF on where they are, what path they are heading down, even if is fuzzy/vague enough to protect themselves from being derailed (always a risk when too many conductors are trying to drive a train).

Planning my trip to JNUC2015... :)

Don

--
https://donmontalvo.com

lashomb
Contributor II

I'd rather have community sourced manifests than JAMF sourced ones to be honest. Just look at Licensed Software definitions and how fast those go out of date. AutoPkg is a perfect example of how effective and quick community-sourced "recipes" can be.

As for security, my only concern is that the source of the software is from the vendor and not a third-party, after that, it doesn't matter how I get it. If I have an application that I don't want to share my specific recipes for, no one is forcing me to do so.

donmontalvo
Esteemed Contributor III

@lashomb I think a good compromise would be to give us the option to choose. Create our own, or link to community provided manifests. Everyone would be happy. :)

--
https://donmontalvo.com

lashomb
Contributor II

@donmontalvo As long as it has something easy like autopkg repo-sync, which will pull down the latest recipes from your added repos from github. We don't need to go backwards now that the Mac Admin community has excellent tools like this available.

donmontalvo
Esteemed Contributor III

@lashomb yep, and that's why it is important to keep this thread alive. JAMF are monitoring this thread, the more feedback they get on how these methodologies can help make the lives of Mac admins better, the better. :)

--
https://donmontalvo.com

sirkyle
New Contributor III

Something I have noticed missing from this thread is built-in "blocking application" support for policies. Is seems a bit ridiculous to have to script this for each application deployment. I suggest the developers at JAMF review how Munki addresses this issue. Out of all the feature request, little things like this save huge amounts of time and will make the product more palatable to admins regardless of the level of skill.

donmontalvo
Esteemed Contributor III

dvasquez
Valued Contributor

Let's hope!!

Do it!

donmontalvo
Esteemed Contributor III

If JSS 10 can allow import of profiles, for delivery as we deliver PKGs/DMGs that would be helpful for environments that have proxy servers.

--
https://donmontalvo.com

donmontalvo
Esteemed Contributor III

As we approach JNUC2015, good to keep this thread fresh.

Interesting and sometimes funny responses to a Feature Request:

Smart computer group application version compare with greater than & less than

--
https://donmontalvo.com

donmontalvo
Esteemed Contributor III

@CasperSally fingers crossed your Feature Request finally comes to fruition...

Patch Management Integration

--
https://donmontalvo.com

dpertschi
Valued Contributor

The 2014 teaser is, well, a year + in the making. I'm desperately hoping something substantial is announced on this next week.

mm2270
Legendary Contributor III

I'll be watching this thread with interest come next week. I do expect there to be an announcement around this, since it was shown off a bit last year. If its not announced that its release is imminent, well, there will be some 'splaining to do I reckon.

davidacland
Honored Contributor II
Honored Contributor II

My guess would be that it'll get mentioned but not sure if it's anywhere near ready.

I've started using the autopkg / JSS importer method but would personally still like something more integrated from JAMF.

emily
Valued Contributor III
Valued Contributor III

Saying it was "shown off a bit" is pretty generous; at the marketing event we didn't even get any screenshots, just general conversation about the effort to make it. I wouldn't be surprised if we maybe get some screenshots and general concept but not much more.

/me is setting low expectations to not be disappointed

mm2270
Legendary Contributor III

@emilykausalik It sounds like you're referring to JAMF's Ice Out event, yes? If so, then yeah, there was not even a mention of the patch management solution from what I recall.
But I was referring to what was actually shown at JNUC 2014 during the first day keynote. It was more than just a mention or a bullet point. There was some type of demo of it in action. Now, granted, it probably was just a canned demo or concept recording or something, not sure, but still, it got some actual screen time.

This was about a year ago, and in those intervening months, we've heard nary a peep about this. That's a little concerning. I'm sure 10.11 may have derailed some of the development this year on it since JAMF needed to work to make their existing product compatible with it. Still, a year is a while, so I'm a bit surprised there's been no talk of it, no beta versions with early builds of it in place, etc. Its been very quiet.
I won't be there next week to see anything, but I'm hoping it gets brought up again at least. I don't think everyone that was there then, who will be there now, will just forget JAMF talked about it last year.

CasperSally
Valued Contributor II

@mm2270 - The Ice Out Event - don't bring back the bad memories!

I'm sure they'll mention patch at JNUC, and I'll be following along the news for sure. I'm not expecting production release of patch soon, but probably some beta release in a month or so? Totally conjecture, but I know more support JAMFers were moved to the Patch team in recent weeks/months.

While I requested
3rd party patch management back in 2012 (!!!) I'm quite happy with our Autopkgr implementation. The only place my patching could be a smoother would be the promotion from test to production, but I haven't implemented the new launch daemon approach yet - awaiting to see what JAMF will announce this week.

Honestly, I am more worried about support getting stretched more thin at this point than I am at finally getting Patch now. I've had some lingering JSS issues I'd really like to see finally resolved.

donmontalvo
Esteemed Contributor III

"Quality first, Patch Management in the works but will be released when ready." - JAMF CEO

Music to my/our ears.

--
https://donmontalvo.com

Aziz
Valued Contributor

@donmontalvo And I have no problem with that. I'd rather have something be great and working day one instead of being rushed and broken. Also, Dean is a pretty cool CEO.

donmontalvo
Esteemed Contributor III

Agreed, it is great to hear the JAMF CEO tell the JAMF community that Patch Management is coming, it is taken very seriously, and that quality is #1. Everyone wins. :)

--
https://donmontalvo.com

jgwatson
Contributor

Was there a timeframe? Why preview it 1 year ago if it's going to take forever to complete? Are we talking months, years?

mm2270
Legendary Contributor III

Sounds good! Glad it was brought up and is still a goal for the company.
I hope to see some Casper Suite beta builds incorporating it sometime next year.

Chris_Hafner
Valued Contributor II

They mentioned ~<6 months... I think (hard of hearing here). But promised regular updates. Regardless, I am happy that it's still a big priority.