macOS Update Management

infrase2020
New Contributor III

Hi all,

Apologies if this has been covered before but I'm looking for some advice on macOS updates.

Is it possible to control updates (i.e. deferrals) via computer groups? For example our Windows Updates are controlled via update rings but I cannot find any information on the equivalent for Macs in Jamf.

TIA.

sdagley
Esteemed Contributor II

@infrase2020 A Configuration Profile with a Restrictions payload will allow you to specify the number of days to defer major and/or minor macOS updates.

If you want to control when those updates must be applied there's not a 100% reliable way at the moment, but Apple has publicly announced that macOS Sonoma will include support for specifying a deadline for installing a specific version of macOS. Hopefully it'll actually work as advertised.
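As an added example (not from this post, and not Jamf's or Apple's own code), the script below builds one Restrictions-payload profile per deferral "ring", mirroring the update-ring idea from the question; the payload keys are Apple's documented com.apple.applicationaccess keys, while the ring names, day counts and com.example identifiers are constructed placeholders.

```python
import plistlib
import uuid

MIN_DELAY_DAYS, MAX_DELAY_DAYS = 1, 90  # range Apple accepts for the deferral-day keys

# Constructed rings, in the spirit of Windows update rings: pilot machines see
# updates almost at once, broad waits two weeks, critical waits the maximum.
RINGS = {
    "pilot":    {"minor": 1,  "major": 7},
    "broad":    {"minor": 14, "major": 30},
    "critical": {"minor": 30, "major": 90},
}

def restrictions_payload(minor_days, major_days):
    """Build one com.apple.applicationaccess (Restrictions) payload that defers
    minor/security updates and major upgrades by separate day counts."""
    for days in (minor_days, major_days):
        if not MIN_DELAY_DAYS <= days <= MAX_DELAY_DAYS:
            raise ValueError(f"deferral must be 1-90 days, got {days}")
    return {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.swu",  # placeholder org id
        "PayloadUUID": str(uuid.uuid4()).upper(),
        # Minor (point/security) updates are hidden from Software Update for N days.
        "forceDelayedSoftwareUpdates": True,
        "enforcedSoftwareUpdateMinorOSDeferredInstallDelay": minor_days,
        # Major (new macOS version) upgrades have their own knob since macOS 11.3.
        "forceDelayedMajorSoftwareUpdates": True,
        "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": major_days,
    }

def build_profile(ring):
    """Wrap the payload in a device-level profile for one ring. Scoping each
    profile to the matching smart group is done in the MDM console, not here."""
    days = RINGS[ring]
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": f"com.example.swu-ring.{ring}",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"macOS Update Deferral - {ring} ring",
        "PayloadContent": [restrictions_payload(days["minor"], days["major"])],
    }

if __name__ == "__main__":
    for ring in RINGS:  # one signable .mobileconfig per ring
        with open(f"swu-{ring}.mobileconfig", "wb") as fh:
            fh.write(plistlib.dumps(build_profile(ring)))
```

Deferral only hides an update from users for the chosen number of days; it does not install anything, so it is a pacing control, not an enforcement one.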

Matt
Valued Contributor

I use this tool https://github.com/grahampugh/erase-install mixed with smart groups and the JAMF built in popup window with a custom message and standard deferral options. We really don't have anything else at this point but this at least makes it look professional.

Erase-install is a great tool, given that users are cooperating. With your user base, where users seem to cooperate, this is probably a great option. You mentioned 90% adoption rate. However, ours is more like 20%, so we need a bigger sledgehammer that the users can't dodge. ;) I have high hopes for the update deadlines in macOS 14 as a consequence.

infrase2020
New Contributor III

Thanks both for the responses.

So am I correct in saying at the moment we cannot put any deadlines on security updates? For example I have one pending but in the ideal scenario I would create a policy that says these updates must be installed within x number of days?

sdagley
Esteemed Contributor II

@infrase2020 The closest you can come to an enforced deadline at the moment is using a tool like Nudge which will "encourage" users to initiate an update. You can send an MDM command that prompts the user to update with a limited number of deferrals, but the odds of that actually working are very low.

Matt
Valued Contributor

The method I used was pretty successful the times we used it. Around 90% adoption rate with the rest being stragglers or people who ignored our comms and did the updates themselves.

There's nothing similar to it, as others have already pointed out currently. However, in macOS 14, they have added that functionality, given that the MDM implements support for it. So in order to get Windows Update for Business-like behavior, we'll have to wait until macOS 14 and JAMF Pro support for that. And yes, it's appalling that this hasn't been implemented by Apple a long time ago. Pure Mac admins probably don't know what world of hurt they're in compared to WUFB. ;)

AJPinto
Honored Contributor II

Unfortunately no. OS update management is one of the many areas Apple is still operating a decade behind standards.

What I use is software restrictions. I have a smart group that defines what a compliant OS is not, and target software restrictions at all devices on that list. You would be amazed how compliant people become when you block all their applications and they get constant pop-ups to run OS updates. I also use JAMF Helper to notify people when OS updates are available (others prefer Nudge); my users are well trained by this point. I typically have 80% patching compliance before I ever attempt to push OS updates, which is 2 weeks after public release. In Mac land you get the best results when working with your users.

jtrant
Valued Contributor

Nudge is a great tool, but is not "set and forget" in that it requires a target version to be set. For my needs, this is too much management as there are constantly updates being released, so I went with Install or Defer.

It can enforce updates but doing so via command line is basically broken, so I set the following key to ensure that users are prompted but need to take action by installing the updates from Software Update:

<key>ManualUpdates</key>
<true/>

SCCM
Contributor III

In short, no.
I raised a feature request for this:
https://community.jamf.com/t5/jamf-pro/macos-updates-policy-vs-remote-command/m-p/293646#M260773

But there doesn't seem to be much demand for it besides from Windows admins. The Jamf beta software update stuff doesn't really work in the way you would want software rings to work.