Yet another Software Updates thread.

fimi
New Contributor III

Hello,

We are getting really frustrated with the ability not to control updates. With every release of macOS it seems to get worse. It gets extra annoying with people that have M1's that are standard accounts as well. We've tried a mix of scripts and things like install or defer. Simple commands like softwareupdate but now there is some bug where it just hangs and then recon and check-in breaks (also doesn't work for M1's). The MDM command mass action for update also is not really reliable. In general all the above for some machines it works ok but for a majority it's a huge fail. We are currently on Monterey latest for the most part and trying to get the rest of the people on Big Sur to upgrade. A big thing is not impacting people while working but at this point we are just tempted to force updates during a specific time of day. It seems like deferrals also just cause issues and aren't reliable.

 

What have people come up with that has a high success rate?

14 REPLIES

supersizeal
Contributor

I'm tired of trying to figure out how to run macOS updates myself. Nothing works. What have you tried, so I can test it out myself?

fimi
New Contributor III

The most simple command to install all updates and force restart is:

sudo softwareupdate -i -a -R

You add it to scripts and just set it up with a policy. Though this won't give a warning to users and will just start the restart once it's done.

Mass Action:

https://docs.jamf.com/best-practice-workflows/jamf-pro/managing-macos-updates/Updating_macOS_Using_a...

Using Policy (Never really works):

https://docs.jamf.com/best-practice-workflows/jamf-pro/managing-macos-updates/Running_Software_Updat...

 

Install or Defer (works fairly decent and has some extra options):

https://github.com/mpanighetti/install-or-defer

 

For upgrades (worked for a majority of people from Big Sur to Monterey):

https://github.com/kc9wwh/macOSUpgrade

Best is to cache the macOS pkg and then run this.

 

awoodbury
Contributor

Have you tried erase-install.sh?

 

https://github.com/grahampugh/erase-install

fimi
New Contributor III

I will give this a shot.

 

Thanks

sdagley
Esteemed Contributor II

@fimi I have not used it in Production, but in testing the MDM update command using the "Update OS version and built-in apps (macOS 10.11 or later, Supervised or enrolled via a PreStage enrollment)" selection with the "Specific version: 12.2" and "Download and install the update, and restart computers after installation" options was reliable for upgrading Big Sur machines to Monterey 12.2. Using the "Download and allow macOS to install later" option for that did NOT work.

RW_tygeeks
New Contributor

On your M1 devices this has been working for us on the Monterey builds:

/usr/sbin/softwareupdate -aiR --user "$SecureTokenUser" --stdinpass "$SecureTokenUserPassword"

kavila
New Contributor III

Using this script has allowed a majority of my end-users to manually authorize the update from Self Service. Works for both M1 and Intel-based Macs.

Note: A Monterey installer is required on each machine prior to running this. 

Hugonaut
Valued Contributor II

@fimi

I created this workflow; it works flawlessly every time. Takes into account Intel/M1, standard users & allows you to pass administrator credentials via Jamf parameters for standard accounts. In your case with standard users, do not use scripts ending in #2 & #3, you just need to use ending scripts #1 & #4. If you have a mixed environment, just include all of the scripts, even if they're standard it will fail & fall back to using the final script to run the install command as admin.

 

https://github.com/Rocketman-Tech/Upgrade-to-macOS-Monterey

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month

PEBKAC
New Contributor

I think some people in this thread are a little confused. What the OP is referring to is SEQUENTIAL OS updates, e.g. 12.2 to 12.2.1, NOT OS upgrades, e.g. Big Sur to Monterey. Our org also uses install or defer and yes it is completely broken right now in Monterey for Intel machines (M1 still appears to be working). We have no new solution for updates and are extremely frustrated as well.

fimi
New Contributor III

@PEBKAC To be honest it's kind of both.

Hugonaut
Valued Contributor II

@PEBKAC  If the machine/account has a securetoken & bootstrap token escrowed, the mdm deferral command via jamf allows incremental updates for macOS 12.0.1 & Up.


fimi
New Contributor III

So far https://github.com/grahampugh/erase-install is working. For example to get 12.2.1 the command would be in the policy:

/Library/Management/erase-install/erase-install.sh --build=21D62 --update --reinstall --confirm --depnotify

Pros:

So far it's worked on every machine. 

Ideal for Self Service for Standard users.

The only cons I find:

- It downloads the whole package (takes long). Though you can probably cache the download beforehand.

- Users can still exit the update before it actually starts. A prompt is shown.

- Really only ideal from Self Service. Meaning no check-in policies. Otherwise after a reboot even with a recon policy on startup it may not work and still report an old OS version and try to run again. So those people that never update are still hard to do. Even if you force it on them they can technically cancel unless you remove it from the script. Then if you remove it from the script you might have a very upset employee where their computer rebooted mid-meeting.
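
Added example, not part of the original posts or of erase-install: a guard that a check-in policy could run ahead of the erase-install command quoted above, so a Mac that already reports the target version (or newer) is skipped instead of running the update again. The target 12.2.1 and the erase-install arguments are taken from the post; the function names and the --run switch are assumptions.

```shell
#!/bin/sh
# Added example: version guard for a recurring check-in policy.
# Function names are hypothetical; target and command come from the post.
TARGET_VERSION="12.2.1"

# version_lt A B: return 0 if dotted version A is older than B, 1 if it is
# the same or newer, 2 if either is empty or has a non-numeric component.
# Missing components count as 0, so 12.2 is older than 12.2.1.
version_lt() {
    _a=$1 _b=$2
    if [ -z "$_a" ] || [ -z "$_b" ]; then return 2; fi
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*} _y=${_b%%.*}
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
        _x=${_x:-0} _y=${_y:-0}
        case "$_x$_y" in *[!0-9]*) return 2 ;; esac
        if [ "$_x" -lt "$_y" ]; then return 0; fi
        if [ "$_x" -gt "$_y" ]; then return 1; fi
    done
    return 1
}

# update_decision CURRENT TARGET: print "update", "current" or "error".
update_decision() {
    version_lt "$1" "$2" && _rc=0 || _rc=$?
    case $_rc in
        0) echo update ;;
        1) echo current ;;
        *) echo error ;;
    esac
}

main() {
    current=$(sw_vers -productVersion) || return 2
    case $(update_decision "$current" "$TARGET_VERSION") in
        update)
            /Library/Management/erase-install/erase-install.sh \
                --build=21D62 --update --reinstall --confirm --depnotify ;;
        current)
            echo "macOS $current already at or past $TARGET_VERSION; skipping" ;;
        *)
            echo "cannot compare '$current' with $TARGET_VERSION" >&2
            return 2 ;;
    esac
}

# Run only when asked to, so sourcing the file for testing has no side effects.
if [ "${1:-}" = "--run" ]; then main; fi
```

The comparison is numeric per component, so 12.10 is treated as newer than 12.2.1, and an unparsable version string stops the run instead of triggering an install.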