
Hello, fellow Mac Systems Administrators,



I imagine a lot of you are here to maybe see if this solution will work with possible issues you've been having on your AutoUpdating for Mac 2019. We've spent quite some time on it on and off, and I think we've come up with a solution that works well (at least in our environment).



First off I'd like to start by giving credit to the people who've contributed to this project:




  • @pbowden for creating resources and utilities and providing the tools and scripts to make this work - And the countless hours of endless support given to the community.


  • Duper51 a fellow co-worker of mine who helped immensely with the debugging and solution of this.


  • Carl Ashley for providing some useful documentation on viewing the MacOS TCC log to solve the PPPC violations that no one really knew were happening.




GitHub repo to our modified @pbowden script and MobileConfigs: https://github.com/GN/Microsoft-AutoUpdate-for-Mac-Jamf-Deployment



The problems:




  • With the release of macOS 10.14 (Mojave), there were a lot of security changes, namely PPPC restrictions, that caused the command-line MSUpdate tool to not be able to communicate with the Microsoft AutoUpdate Daemon, and JAMF not having the correct PPPC permissions to run and interact with everything that it needed to. @pbowden's MobileConfig seems to not be updated to the latest security settings that we've determined JAMF and the AutoUpdate tools need. This is where we think most of the issues are occurring with people's deployments.


  • The old script MSUpdateHelper4JamfPro.sh provided by @pbowden (which is what we're currently using - we haven't tried the new one. We didn't realize there was a new one released, but what we have now works) calls to update the Microsoft AutoUpdater. For whatever reason this function was not working as intended/expected for us, so we shimmed in a function called "downloadMAU()". This downloads and installs the latest release of MAU into its standard location. This mitigates the issue(s) of not having the latest version of MAU and applications not updating because of it.




Please note: Every time the script runs it will download and install the package. With a little bit of work it's definitely possible to check the currently installed version and compare it to the one that will be downloaded.



Update: We've updated it with some logic that will check the current version installed vs. the latest release from Microsoft, and if they don't match it'll download and install the latest release (we got un-lazy and made it work)!



We've created an updated script and a new PPPC MobileConfig which provides JAMF and the Microsoft AutoUpdate tools the permissions they need to run the AutoUpdate cycle. Everything we've made has been published in the provided GitHub repository. It should be a relatively simple plug-n-play solution. We've also added Microsoft ATP as a supported application for this script.



Installation Instructions:




  1. At a minimum, you will need the "PPPCPermissions.mobileconfig" imported to JAMF and scoped to your environment.


  2. To prevent users from updating and/or changing update settings, the "MSUpdateFullyManaged.mobileconfig" disables front-end users from interacting directly with the Microsoft AutoUpdater Application.


  3. The "MSUpdateHelper4JamfPro.sh" must be placed in a policy and scoped to the machines you wish to push automatic updates to.


  4. (Optional) - Change the "UPDATE_*" variables using "true" or "false" to determine which software(s) you'd like to update.




Note(s):




  • We've tested this on an outdated version of Microsoft Office back to 16.29

  • We've tested this on High Sierra, Mojave, and Catalina.



Lastly, I would like to say: Your mileage may vary, this is just a solution that we've come up with that works in our environment. Be sure to test any and everything in a non-production area to be sure nothing breaks.



I hope this helped someone or everyone!

Can this MSUpdateFullyManaged config profile replace the straightforward one I have been using below?


Answered my own question by picking apart the profile. Looks like it has what I need to replace mine.


Will it be able to update while Office apps are currently open? Thanks


Hi,



Has anyone had a problem with the policy not executing the script?



I have it scoped to a few test machines, and it just sits on pending. I can manually trigger it via the terminal on any of the Macs, but it just doesn't start.



Trigger is recurring check-in and every day for the sake of testing.



UPDATE: Managed to resolve it. Looked most likely like a delay. All is well.


I have 2 questions. With all of the different names MS has for all of their products, does this work for O365 subscriptions? Secondly, will the Office packages still need to be available through the Jamf Pro server, or will it grab the packages from the O365 portal?


@fredrik.virding same issue here. Seems to sit at "Pending" until the user logs out or restarts, then flips to Completed. When I ran a tail on the Jamf log, it looked like it was just sitting on running the policy.



Might need to make this a startup policy instead of recurring.


I'd like to make mention that in Jamf Pro version 10.18, Jamf added native support for Microsoft preferences:






Some further documentation can be found here: Managing Microsoft Office Using Jamf Pro.



With Microsoft AutoUpdate, you can set a deadline for your apps to be updated: Set a deadline for updates from Microsoft AutoUpdate



You can configure Microsoft AutoUpdate so the apps will automatically be updated when they are closed. Users will be prompted to restart the app when it is downloaded and ready. If they exceeded the deadline, users will see a prompt similar to the below image.


@danlaw777 This script installs updates to Office 2019 apps, either perpetual or O365 licensed, and it downloads the updates from the Microsoft CDN or your local MAU cache if you have one set up. The initial app installer download would need to come from your Jamf Pro distribution point (you could write a script to download from the Microsoft CDN and then install, but not recommended).


The apps are already on the machine, so if it's just the updates that are pulled from the MS CDN I should be all set.


@robb1068 More than likely you're running into the problem with the MAU daemon being perpetually busy so the script never finishes and hangs any policy calling it. This is why @pbowden wrote the MSUpdateTrigger.sh script which, among other things, will kill the MAU daemon before issuing a single msupdate command to update all Office 2019 apps at one shot.


@sdagley yes, I use the MSUpdateTrigger script for new enrollments and monthly updates, but set as a startup policy. Even with the line to kill the MAU daemon, the policy still hangs until restart if I have it set to recurring.



And I'm actually good with it being a startup process. I've never liked poking at Outlook, Word, etc. while the user was logged in and had them open. Our security group recently rolled out Defender ATP and wants that updated on an ongoing basis, so I'm trying to use some of the suggestions on this thread to just update Defender.


Did get it all to work eventually.



Got a question, would it be possible to include Microsoft Teams in this script?


I am getting this error when trying to install the PPPCPermissions.mobileconfig:



    Script result: /Library/Application Support/JAMF/tmp/MS Office Autoupdate: line 1: syntax error near unexpected token `<'
    /Library/Application Support/JAMF/tmp/MS Office Autoupdate: line 1: `<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'



Any ideas? Or am I just a moron?


@danlaw I think it's telling you that `<' shouldn't be there


Hi! Pinging this thread again!



Anyone got a solution for getting Microsoft Teams into this script?


@shaquir Hey Bud!! Can you give me some insight on how you are accomplishing that?
Thank you!! Need some help!!


@sdagley or anyone, can you tell me how to use that MSUpdateTrigger.sh script to download and install specific builds of the apps?
I'm usually always a few versions behind in our environment due to testing. I see the older script has the ability baked in to change to the specific build. Can it be done with the new script? Or am I completely missing something?


@LovelessinSEA You can specify a target version by adding --version xx.yy.YYMMDDXX to the call to the msupdate tool on line 113 of MSUpdateTrigger.sh (that's line 113 of the 2020-06-03 version of the script).



So if you wanted to install version 16.40.20081000 the line would be:



    ${CMD_PREFIX}/Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app/Contents/MacOS/msupdate --install --apps $1 --version 16.40.20081000 --wait 600 2>/dev/null


(You could change the script to accept an optional parameter with a desired version)
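
One way to add the optional version parameter suggested above, as an added example that is not code from MSUpdateTrigger.sh or from any poster in this thread. The function names are hypothetical, `MSWD2019` is a sample app ID, and the version is assumed to arrive as Jamf Pro script parameter `$4`; the value is validated before it reaches a command that the policy runs as root.

```sh
#!/bin/sh
# Added example, not part of MSUpdateTrigger.sh: optional target version for msupdate.
MSUPDATE="/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate"

# Accept only versions shaped like xx.yy.YYMMDDXX (e.g. 16.40.20081000).
is_valid_version() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;   # empty, or anything but digits and dots
    esac
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{8}$'
}

# Print the msupdate arguments for one app ID and an optional version.
# Assumption: a single alphanumeric app ID per call.
msupdate_args() {
    app="$1"
    version="${2:-}"
    case "$app" in
        ''|*[!A-Za-z0-9]*) echo "invalid app id: $app" >&2; return 1 ;;
    esac
    if [ -z "$version" ]; then
        # No version given: behave like the unmodified call.
        printf '%s\n' "--install --apps $app --wait 600"
    elif is_valid_version "$version"; then
        printf '%s\n' "--install --apps $app --version $version --wait 600"
    else
        # Refuse rather than pass a malformed value through to msupdate.
        echo "invalid version: $version" >&2
        return 1
    fi
}

# Run msupdate; CMD_PREFIX is the prefix variable from the line quoted above.
perform_update() {
    args=$(msupdate_args "$1" "${2:-}") || return 1
    # args holds only validated tokens without spaces, so splitting is safe.
    # shellcheck disable=SC2086
    ${CMD_PREFIX:-} "$MSUPDATE" $args 2>/dev/null
}

# Dry run on constructed inputs (prints arguments, does not call msupdate).
msupdate_args "MSWD2019" "16.40.20081000"
msupdate_args "MSWD2019" ""
# In a Jamf Pro policy: perform_update "MSWD2019" "$4"
```

Leaving the parameter empty in the policy keeps the default behaviour of installing the latest available build.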


Hi all,



Anyone seen this lately?



ERROR: Cannot send Apple Events to MAU. Check privacy settings


@fredrik.virding I saw that today in my environment but I haven't dug deep to find out the root cause of that message.


@dng2000 & @fredrik.virding take a look at Microsoft Autoupdate Script and 10.14 Mojave at what Paul Bowden points to. There was a change in the PPPC.


@fneidhardt Thanks for your tip. PPPC was applied via config profile in my environment and I still get that message. To be honest, I've never used this method but just starting to explore it to see if it is a better option than using BigFix to push and run individual PKG's outside of MAU in my environment.


Hi @Gennaro, @pbowden and the others included in this.
First of all, thank you very much for all the work you did there and for sharing it with us, amazing.
This script (and pppt and so on) is looking very promising and I'm going to test it.
I would just have one question: I'm not sure how to implement MS Teams in the script. As far as I can see I cannot just add some copied lines (and change to Teams for sure) and that's it.
Would you be so kind to tell me what I have to do to add Teams as well (or even better 😉 , could you add MS Teams?)
Thank you
BR
Daniel


@dpratl Teams isn't updated by MAU, it self updates. Until Teams is brought into the MAU fold, this won't work to update it. 😕


Hey Guys,



Just thought I would add this to the mix: to fix any issues running the trigger script you must allow /usr/local/jamf/bin/jamf AppleEvents access to /Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate



Kamal