Automagically Patching Your Fleet of Macs

Andrea Vail
4 min read · Aug 11, 2020


[Photo by Wesson Wang on Unsplash: an Apple laptop on a black background, lid very nearly shut, giving off multicoloured light.]

What We Are Using

We are a Jamf Pro shop. All of the tools we use with Jamf can be used with other MDM solutions.

A note! This article assumes you’re already a bit familiar with Jamf components such as policies, smart groups, and Patch Management.

So, just what are we using to get our patching done via Jamf? Read on…

3rd Party Software Patching

Installomator
https://github.com/scriptingosx/Installomator
Pulls down and installs the latest version of various apps from their source

AutoPKG / AutoPKGr / JSSImporter
https://github.com/lindegroup/autopkgr
Tried and tested, for anything not covered by Installomator

Community Patch
https://beta2.communitypatch.com/
To add apps to Jamf’s built-in Patch Management

Apple System Updates

Script by bp88 to notify users of pending Apple Updates
https://github.com/bp88/JSS-Scripts/blob/master/AppleSoftwareUpdate.sh

The Setup in Jamf

3rd Party Software

Patch Management — we have all of our apps added to Jamf Patch Management, using Community Patch for any apps that Jamf does not provide a title for. We use this purely to gather data on installed versions, which we can then use in…

Smart Groups — we use the Patch Management Software Title attribute to build smart groups named ‘App Name — Out of Date’. Annoyingly, Jamf does not allow ‘Latest Version’ as the value (that can only be used by Jamf Patch Management policies), so we select the latest version number as the value. This has to be managed manually, but it’s pretty easy with Jamf’s email notifications for new software versions.

Policies — ‘App name — Scripted Update PUSH’ or ‘App name — AutoPKG Update PUSH’ denotes which method updates the app, and that the update is being pushed out.

  • Trigger — Check In (Installomator) or Login (AutoPKG)
  • Frequency — Once every day
  • Payloads
      • Installomator in use > Script payload > Installomator > Parameter 4 set to the app label
      • AutoPKG in use > Install Package payload > latest PKG, automatically imported via JSSImporter
      • Maintenance > Update Inventory
  • Scope > Smart group ‘App name — Out of Date’
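As an added example (not code from the article, from Installomator or from Jamf), here is a small wrapper for the Script payload above. Jamf passes script parameters positionally: $1 to $3 are the mount point, computer name and username, and $4 onward are the policy’s custom parameters. The article uses $4 for the Installomator label; $5 (a target version) and $6 (the .app bundle path) are assumptions made for this example, as is the Installomator install path. The wrapper only calls Installomator when the installed app is actually older than the target, which keeps a daily Check In policy from re-downloading an app that is already current if the smart group lags behind.

```shell
#!/bin/sh
# Added example: a wrapper for the Jamf "Script" payload that only runs
# Installomator when the installed app is older than a target version.
# Not code from the article, Installomator or Jamf. $4 = Installomator
# label (as in the article); $5 = target version and $6 = .app path are
# this example's own assumptions.
set -u

INSTALLOMATOR="/usr/local/Installomator/Installomator.sh"   # assumed install path

# Return 0 when dotted version $1 is lower than $2, comparing numeric
# fields one at a time so that 1.10.0 ranks above 1.9.3 (a plain string
# comparison would get that wrong). Missing trailing fields count as 0,
# so 2.0 and 2.0.0 compare equal. Non-numeric fields (e.g. "2.1b") are not handled.
version_lt() {
    vl_a="$1"; vl_b="$2"
    while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
        vl_ai="${vl_a%%.*}"; vl_bi="${vl_b%%.*}"
        if [ "${vl_ai:-0}" -lt "${vl_bi:-0}" ]; then return 0; fi
        if [ "${vl_ai:-0}" -gt "${vl_bi:-0}" ]; then return 1; fi
        case "$vl_a" in *.*) vl_a="${vl_a#*.}";; *) vl_a="";; esac
        case "$vl_b" in *.*) vl_b="${vl_b#*.}";; *) vl_b="";; esac
    done
    return 1
}

# Print the CFBundleShortVersionString of the .app at $1, or nothing if it
# is not installed. defaults(1) exists only on macOS.
installed_version() {
    defaults read "$1/Contents/Info" CFBundleShortVersionString 2>/dev/null || true
}

# Return 0 when an update is needed: app missing, or installed ($1) < target ($2).
needs_update() {
    if [ -z "$1" ]; then return 0; fi
    version_lt "$1" "$2"
}

main() {
    label="$4"; target="$5"; app_path="$6"
    current="$(installed_version "$app_path")"
    if needs_update "$current" "$target"; then
        echo "$label: installed version '${current:-none}' is below '$target'; running Installomator"
        "$INSTALLOMATOR" "$label"
    else
        echo "$label: installed version '$current' is current; nothing to do"
    fi
}

# Jamf always passes at least $1-$3 plus the configured parameters; when the
# file is merely sourced (e.g. for testing) there are no arguments and main is skipped.
if [ $# -ge 6 ]; then main "$@"; fi
```

Installomator itself still handles the running-app check and the Quit and Update prompt described later in the article; the wrapper only decides whether to invoke it at all.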

Apple System Updates

Policy

  • Trigger — Check In
  • Frequency — Once every day
  • Payload > Script ‘AppleSoftwareUpdate.sh’ configured to allow 5 postponements
  • Scope > Smart group ‘Pending Apple Updates’

User Experience

3rd Party Apps

For policies that use Installomator, if the app is not running it is updated in the background and the user gets a Notification Centre pop up saying the software has been updated. If the app is running, they get a pop up window stating that ‘App Name’ needs to be updated, where they can either Postpone or Quit and Update. If they postpone, the policy runs again the next day.

For policies using AutoPKG, the updates run on the Login trigger, so the install happens while the software is not running.

Folks can also use Self Service to install the latest versions of these apps. The Self Service policies are all set up to use Installomator to grab the latest version, and are simply scoped to All Managed Computers.

Apple System Updates

If the pending updates do not require a reboot, they are installed in the background. For updates that require a reboot, the user will see a pop up that tells them they have important OS updates to install.

They can either postpone the update up to 5 times (which works out to 5 days, as the policy runs every day) or choose Update, which opens the System Update pref pane. The pop up also tells them they can update at any time from Apple Menu > System Prefs > System Update.

Once they run out of postponements, they see a different pop up stating that the updates will be installed, with a 15-minute countdown in which to save their work. If the window is closed, the countdown still runs.
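The deferral flow just described, as an added example that is neither the bp88 script the article links nor Jamf’s code: a daily policy run classifies the pending updates, installs quietly when nothing needs a reboot, prompts with a postponement counter otherwise, and forces the install with a 15-minute grace period once the 5 postponements are used up. The counter file location, the osascript dialogs, the System Preferences URL scheme and the sample `softwareupdate -l` output are this example’s assumptions.

```shell
#!/bin/sh
# Added example modelling the Apple update deferral flow the article describes.
# Not the bp88 script the article links, nor Jamf's code. Assumptions: deferrals
# are counted in a plain-text file, dialogs use osascript, and the sample
# softwareupdate output below is constructed for offline checks.
set -u

MAX_DEFERRALS=5                                                  # the article's policy setting
COUNTER_FILE="${COUNTER_FILE:-/var/tmp/apple_update_deferrals}"  # assumed location
GRACE_SECONDS=900                                                # the article's 15-minute countdown

# Constructed sample output in the shape of `softwareupdate -l` (not real update labels).
SAMPLE_RESTART='Software Update found the following new or updated software:
* Label: macOS Example Update-001
    Title: macOS Example Update, Version: 0.0.1, Size: 1K, Recommended: YES, Action: restart,'
SAMPLE_NO_RESTART='Software Update found the following new or updated software:
* Label: Example App Update-002
    Title: Example App Update, Version: 0.0.2, Size: 1K, Recommended: YES,'

# Number of postponements recorded so far (0 if the counter file is missing or malformed).
deferrals_used() {
    du_n=$(cat "$COUNTER_FILE" 2>/dev/null || true)
    case "$du_n" in ''|*[!0-9]*) du_n=0;; esac
    echo "$du_n"
}
record_deferral() {                       # increment the counter and print the new value
    rd_n=$(( $(deferrals_used) + 1 ))
    printf '%s\n' "$rd_n" > "$COUNTER_FILE"
    echo "$rd_n"
}
reset_deferrals() { rm -f "$COUNTER_FILE"; }
deferrals_left() { echo $(( MAX_DEFERRALS - $(deferrals_used) )); }

# Decide what this daily run should do, given `softwareupdate -l` text ($1) and the
# deferrals used so far ($2). Prints one of: none, background, prompt, force.
decide() {
    if ! printf '%s\n' "$1" | grep -q '^[[:space:]]*\* '; then echo none; return 0; fi
    if ! printf '%s\n' "$1" | grep -Eqi 'Action: restart|\[restart\]'; then echo background; return 0; fi
    if [ "$2" -ge "$MAX_DEFERRALS" ]; then echo force; else echo prompt; fi
}

main() {
    su_output=$(softwareupdate -l 2>&1)
    case "$(decide "$su_output" "$(deferrals_used)")" in
        none)
            reset_deferrals ;;
        background)                       # nothing needs a reboot: install quietly
            softwareupdate -i -r ;;
        prompt)
            choice=$(osascript -e "display dialog \"Important OS updates are waiting. You can postpone $(deferrals_left) more time(s), or update any time from Apple Menu > System Prefs > System Update.\" buttons {\"Postpone\", \"Update\"} default button \"Update\"" 2>/dev/null || echo 'button returned:Postpone')
            case "$choice" in
                *Update*) open "x-apple.systempreferences:com.apple.preferences.softwareupdate" ;;  # assumed URL scheme
                *)        record_deferral >/dev/null ;;
            esac ;;
        force)                            # out of postponements: warn, wait, then install and restart
            osascript -e "display dialog \"Updates will be installed in 15 minutes. Save your work now.\" buttons {\"OK\"} giving up after $GRACE_SECONDS" >/dev/null 2>&1 &
            sleep "$GRACE_SECONDS"        # keeps counting even if the user closes the dialog
            reset_deferrals
            softwareupdate -i -r -R ;;
    esac
}

# Jamf passes $1-$3 (mount point, computer name, username) to every script;
# with no arguments (e.g. when sourced for testing) main is skipped.
if [ $# -ge 3 ]; then main; fi
```

Keeping `decide` free of side effects is what makes the policy’s behaviour easy to reason about and test: the counter file is the only state, and it is cleared whenever no updates are pending or the forced install runs, so a user never carries stale postponements into the next update cycle.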

Summary

[Photo by Stephen Phillips — Hostreviews.co.uk on Unsplash: a row of computer application icons, with the mouse cursor pointing at the Mail application.]

A very important step in all of this is communicating it to your users! The pop ups can be a bit jarring for some folks, who may think it’s a dodgy website popping up. Send out comms to everyone before the policies go live explaining what they do and, most importantly, what they look like.

There is quite a bit to set up initially, and a lot of trial and error. It’s great that the Mac Admin community is so sharing and supportive, and provides all the bits for you to put together.

So, other than updating the smart groups for 3rd party apps, our patching is all done automagically!
