macOS updates / ScheduleOSUpdate command

edward
New Contributor II

Hello,

I would like to get all of our Macs up to date and create a plan to maintain this.    I would like to use the ScheduleOSUpdate command with the InstallLater command as described in Use MDM to deploy software updates to Apple devices - Apple Support

 

My questions are:

  1. Can these apple commands be used in a configuration profile that gets deployed via Jamf Pro? I am having trouble finding an example or specific guidelines.
  2. Or are these commands intended only for a Mass Action Command as indicated Introduction - Technical Paper: Deploying macOS Upgrades and Updates with Jamf Pro 10.34.0 or Later ... ?
  3. How can I see the status of a Mass Action Command after I send it to multiple computers?
  4. I would love to hear your experiences if you have tried the ScheduleOSUpdate or if you have other suggestions.

 

One more question on a similar topic.  I created a Configuration Profile (in Jamf) for software updates.  Does the Software Update Server need to be filled in if we expect the clients to download the software from Apple?

Thank you in advance for your responses.

Eddie

1 ACCEPTED SOLUTION

AJPinto
Honored Contributor III
  1. Softwareupdates cannot be deployed with a configuration profile. You would use a configuration profile to set softwareupdate deferrals or configure automatic updates.
  2. JAMF Splits the MDM Commands for Software Updates. Some like installASAP are available in the inventory record, others like MaxUserDeferrals (InstallForceRestart) and come only from mass action's. 
    1. Softwareupdate Scan, Softwareupdate status and some of the others happen automatically without you needing to do anything when you issue the other MDM commands.
  3. Unfortunately you cant, JAMF does not have any method to see issued and completed MDM commands other chan checking each device individually.
  4. I exclusively use the MDM commands to issue software updates now. Other use superman or nudge, but since those tools actually cannot do anything other than pester the user to do the thing I dont bother with them. 
    1. My work flow
      • A policy runs a script on my devices every day. If there are OS updates available it prompts the user with JAMF Helper and opens System Settings > Software Update. If there are no updates it just exits, we have a 7 day defer. This usually gets about 50% of my users to update
      • 21 days after the OS updates release I push a MaxUserDeferrals mass action with 2 deferrals. Unfortunately MDM commands have about a 30% fail rate, and there is no logging or reporting you can really use. We will usually be around 90% at this point which is compliant for my organization, they want above 95% but 90% will keep you off reports.
      • At 30 days I will send notifications to the stragglers advising if their device is not updated it will start to receive software restrictions due to being out of compliance. 
      • at 35 days I target all devices not running the OS we want with software restrictions and force quit all the core apps with notifications to run OS updates. This is usually online devices, and maybe less than 10 devices with actual issues. Make the users come to me.

 

Your last question. Software Update Servers are depreciated as of 4 years ago or so. The best you can to is configure content caching which is where Macs will cache the OS updates for other Macs, this is literally just a check box and you have no control beyond that. All OS updates must come directly from Apple, you cannot house them on an internal OS update server anymore.

 

 

some literature if you are interested. 

macOS Upgrades and Updates Using a Mass Action Command - Technical Paper: Deploying macOS Upgrades a...

ScheduleOSUpdateCommand.Command.UpdatesItem | Apple Developer Documentation

Get the OS Update Status | Apple Developer Documentation

View solution in original post

7 REPLIES 7

AJPinto
Honored Contributor III
  1. Softwareupdates cannot be deployed with a configuration profile. You would use a configuration profile to set softwareupdate deferrals or configure automatic updates.
  2. JAMF Splits the MDM Commands for Software Updates. Some like installASAP are available in the inventory record, others like MaxUserDeferrals (InstallForceRestart) and come only from mass action's. 
    1. Softwareupdate Scan, Softwareupdate status and some of the others happen automatically without you needing to do anything when you issue the other MDM commands.
  3. Unfortunately you cant, JAMF does not have any method to see issued and completed MDM commands other chan checking each device individually.
  4. I exclusively use the MDM commands to issue software updates now. Other use superman or nudge, but since those tools actually cannot do anything other than pester the user to do the thing I dont bother with them. 
    1. My work flow
      • A policy runs a script on my devices every day. If there are OS updates available it prompts the user with JAMF Helper and opens System Settings > Software Update. If there are no updates it just exits, we have a 7 day defer. This usually gets about 50% of my users to update
      • 21 days after the OS updates release I push a MaxUserDeferrals mass action with 2 deferrals. Unfortunately MDM commands have about a 30% fail rate, and there is no logging or reporting you can really use. We will usually be around 90% at this point which is compliant for my organization, they want above 95% but 90% will keep you off reports.
      • At 30 days I will send notifications to the stragglers advising if their device is not updated it will start to receive software restrictions due to being out of compliance. 
      • at 35 days I target all devices not running the OS we want with software restrictions and force quit all the core apps with notifications to run OS updates. This is usually online devices, and maybe less than 10 devices with actual issues. Make the users come to me.

 

Your last question. Software Update Servers are depreciated as of 4 years ago or so. The best you can to is configure content caching which is where Macs will cache the OS updates for other Macs, this is literally just a check box and you have no control beyond that. All OS updates must come directly from Apple, you cannot house them on an internal OS update server anymore.

 

 

some literature if you are interested. 

macOS Upgrades and Updates Using a Mass Action Command - Technical Paper: Deploying macOS Upgrades a...

ScheduleOSUpdateCommand.Command.UpdatesItem | Apple Developer Documentation

Get the OS Update Status | Apple Developer Documentation

edward
New Contributor II

Thank you so much @AJPinto . I really appreciate your response and shared workflow.  I will give those ideas a try.

JustDeWon83
New Contributor II

@edward and @AJPinto 

Actually for #3.. Beginning in Jamf 10.44.0, you can now report on MDM commands. Jamf added that feature for iOS and macOS... See release notes below.

https://learn.jamf.com/bundle/jamf-pro-release-notes-10.44.0/page/New_Features_and_Enhancements.html

mline
New Contributor

Hello,

Do you have any examples of your script you run for "

  • A policy runs a script on my devices every day. If there are OS updates available it prompts the user with JAMF Helper and opens System Settings > Software Update. If there are no updates it just exits, we have a 7 day defer. This usually gets about 50% of my users to update"

@AJPinto , also curious if you'd be willing to share your script that you mentioned in your reply.

rcole
Contributor II

Would it be possible to obtain a copy of this script and to see more of this workflow? I think this is a great idea. I'm very interested in the 1st (would love to create this or utilize this) and 3rd and 4th bullet points.

Lessardrp
Contributor

Not an exact status summary of the mass action command, but I roughly track the progress by creating a smart group with the criteria being below my desired IOS version. I pin that smart group to the Jamf dashboard and can see at a glance the progress as the membership number declines.