Jared_Y
Release Candidate Programs Tester

Managing macOS application patching has always been challenging, especially in large enterprise environments. I’ve experienced firsthand the complexities of keeping applications up to date. With years of hands-on experience in Jamf and automation, I’ve seen the evolution of patching workflows—from time-consuming manual updates to streamlined automation. 

Installomator is a powerful tool for installing a wide variety of apps directly from the developer’s website, reducing the risk of obtaining an unverified application. With the power of Jamf Smart Groups coupled with Jamf’s Patch Management, you can not only install apps but also patch them. 

By automating application patching, you can not only save a lot of time but also significantly reduce the risk of possible zero-day threats. 

Let’s take a look at legacy patching and then explore the current iteration of automated patching that leverages Installomator. 

 

The Way We Were: Legacy Patching 

 

Before automation, our patching process was a multi-step manual operation that took considerable time and effort. Here’s how it used to work: 

1. Remote into the patching server

2. Download the package 

  • Sometimes, this required installing the app first 
  • Capture the package with Composer if needed 

3. Upload the package to Jamf 

  • This could take time, depending on the app size 
  • Follow specific naming conventions and categorization 

4. Update the install policy 

  • Add the new package to the policy 
  • Remove the previous version 

5. Update the patch definition 

6. Update the patch policy version number 

7. Cleanup process 

  • Delete outdated apps & downloads from the patching server 

8. Document & close the ticket 

While this method worked, it required a lot of dedicated hands-on time from IT administrators. Depending on the number of apps and their file sizes, updating software across the environment could take hours—sometimes entire workdays just to patch a handful of applications. 

 

 

The Way We Are Now: Automated Patching with Installomator 

 

Enter Installomator—a game-changer in the world of Mac software deployment. With Installomator you can leverage Jamf patch management, policies and smart groups to auto-update applications in your fleet. Here is our current breakdown of the different patching methods in our environment: 

  • Installomator: 73 apps (46.50%) 
  • Jamf App Installers: 58 apps (36.94%) 
  • Manual/Legacy Method: 26 apps (16.56%) 

Installomator is great for supporting apps that are not part of the Jamf App Installer catalog. A big plus is that you can even create your own Installomator labels if the app is not currently in the Installomator script. 

 

How Installomator Works in Our Environment 

 

1. The Installomator script runs once a day or once a week during check-in, depending on the app's needs. 

  • It checks for and updates apps within scope and installs the latest available version of the app 

2. Jamf setup includes: 

  • Two Smart Groups based on Latest Version criteria of the Patch Management title 
  • A Jamf Policy that triggers the Installomator script 
  • Script parameters to specify how you want this app to be patched, for example prompt the user before updating or just update without user intervention. 

This transition to automated patch management has drastically reduced the time dedicated to updating apps, eliminating hours of repetitive work and potential human errors. 

For the full step-by-step on how to set this up in your environment, refer to the resources at the bottom of this post. 

 

Resource & Setup Guide for Installomator 

 

Resources 

 

  • Installomator GitHub: 
  • Installomator Script: 
  • Use VS Code or similar to open the script and find the appName when creating a new policy for patch management or app installation. 


 

Example: in the script, the Zoom app's entry begins with zoom). The label to use (passed to Installomator) is the word before the closing parenthesis, which is zoom (case sensitive). 

  • Setup/Deployment Instructions Used: 
  • MacAdmins Slack: #installomator channel 

 

Jamf Setup Instructions for Installomator Patching 

1. Patch Management 

  • Verify the app exists in Jamf Patch Management. 
  • If the app is not listed in Patch Management, do the following: 
    • Go to Computers → Patch Management → New. 
    • Search for the app and add it from the Jamf catalog. 
    • Click the + button. 
    • Edit and add the app to the category: Patch Management - Installomator 
      • If the app is not patched by Installomator, add the app to the Patch Management - Manual Update category instead.
  • No need for a patch policy or a definition package here. 

2. Create 2 Smart Groups 

  • Installomator - appName - out of date 
    • Criteria: Patch Reporting: appName 
    • Operator: less than 
    • Value: Latest Version 
  • Installomator - Member of: appName - out of date 
    • Criteria: Computer Group 
    • Operator: member of 
    • Value: Installomator - appName - out of date 

3. Create a Patch Policy 

  • Name: Installomator - appName (where appName matches the label in Installomator) 
    • General: 
      • Trigger: 
        - Recurring Check-in 
        - Once a day or Ongoing 
      • Custom event: appName (from the Installomator script) 
      • Set the frequency to Ongoing. 
    • Script: 
      • Use the Installomator script with the following parameters: 
        • Required: 
          • Parameter 4: appName (label from Installomator script) 
        • Optional (Parameters 5–7): 
          • NOTIFY=(all | success | silent) 
          • BLOCKING_PROCESS_ACTION=(prompt_user | ignore | silent_fail | prompt_user_then_kill | prompt_user_loop | tell_user | tell_user_then_kill | kill) 
          • REOPEN=(yes | no) 

4. Maintenance: 

  • Update Inventory 
  • Scope: 
    • Installomator - Member of: appName - out of date 
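
As an added example (not part of the original post or the Installomator project), this shell script checks a policy's Parameter 4 label against the labels found in a script, case-sensitively, and allow-lists the Parameter 5–7 values listed above before the policy is saved. The script excerpt, function names and exit codes are assumptions made for illustration.

```shell
#!/bin/bash
# Constructed excerpt in the shape of a label block; not copied from Installomator.
SAMPLE_SCRIPT='case $label in
zoom)
    name="zoom.us"
    type="pkg"
    ;;
firefox|\
firefoxpkg)
    name="Firefox"
    ;;
esac'

# Print every label (the word before the closing parenthesis) found on stdin.
# Labels sharing one block are written as "first|\" followed by "second)".
list_labels() {
    grep -E '^[A-Za-z0-9_-]+([)]|[|]\\)[[:space:]]*$' |
        sed -E 's/([)]|[|]\\)[[:space:]]*$//'
}

# Exact, case-sensitive lookup: "Zoom" does not match the label "zoom".
label_exists() {
    list_labels | grep -Fxq -- "$1"
}

# Accept only the values the post lists for Parameters 5-7; empty means unset.
validate_option() {
    case "$1" in
        ""|NOTIFY=all|NOTIFY=success|NOTIFY=silent|REOPEN=yes|REOPEN=no) return 0 ;;
        BLOCKING_PROCESS_ACTION=*)
            case "${1#*=}" in
                prompt_user|ignore|silent_fail|prompt_user_then_kill) return 0 ;;
                prompt_user_loop|tell_user|tell_user_then_kill|kill) return 0 ;;
            esac ;;
    esac
    return 1
}

# preflight SCRIPT_TEXT LABEL [OPTION...]: 0 = ok, 1 = unknown label, 2 = bad option
preflight() {
    pf_text=$1; pf_label=$2; shift 2
    printf '%s\n' "$pf_text" | label_exists "$pf_label" ||
        { echo "unknown label: $pf_label" >&2; return 1; }
    for pf_opt in "$@"; do
        validate_option "$pf_opt" ||
            { echo "rejected option: $pf_opt" >&2; return 2; }
    done
}

preflight "$SAMPLE_SCRIPT" zoom NOTIFY=silent REOPEN=yes && echo "zoom: parameters OK"
```

To check against a real copy of the script, pass its contents as the first argument, for example `preflight "$(cat Installomator.sh)" zoom NOTIFY=silent`, where the file name is whatever your local copy is called.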

 

Naming Schemes and Templates 

  • Jamf naming schemes: 
  • Smart Groups: 
    • Installomator - appName - out of date 
    • Installomator - Member of: appName - out of date 
  • Policies: 
    • For patch management: 
      • Installomator - appName 
      • Add to the Installomator category 

 

 

Final Notes 

  1. Use the Installomator GitHub repository and script references to find the correct label for each application you plan to patch or install. 
  2. Make sure you add (or update) the correct Smart Groups and Patch Policies for each appName. 
  3. Leverage the #installomator channel on the MacAdmins Slack for community support and troubleshooting tips. 

 

 

Final Thoughts 

 

Moving from manual patching to automation with Installomator has transformed how we manage macOS application updates. The time savings, consistency, and reduced manual effort make it an essential tool for any Jamf administrator or IT team handling Apple devices at scale. 

If you’re still spending hours manually updating software, it’s time to automate your patching process and unlock the power of Installomator. I have included some resources below to help get you started. Good luck and happy patching! 

 

Resources 

For those looking to implement Installomator, here are some useful resources: 

  • JNUC 2023: Patch that app up Session Resources (PDF) 
  • Setup Instructions for patching with Installomator (PDF) 
  • My MacAdmins Contact (@jared.y) 
  • #installomator MacAdmins Slack Channel (for troubleshooting and community support) 