Recent changes to the Mac platform, such as the move to Apple silicon and the appearance of macOS Big Sur, have introduced major differences to how IT departments are able to manage macOS software updates. Many admins have never had to enforce updates using mobile device management (MDM) commands before, so they are forced to search for new software update workflows.
Mark Buffington, senior consulting engineer at Jamf, uses this JNUC 2022 session to survey the current state of the field with macOS Ventura expected to drop soon. He explains different Jamf MDM commands and workflows for enforcing and authorizing macOS updates, with an eye to helping admins understand what their options are and what pathway is most likely to be successful for their organization.
What’s in, what’s out?
With macOS Big Sur and later versions of the OS, certain legacy technology stacks and methods are obsolete for managing macOS upgrades. These include:
- Self-hosted update servers
- Standalone update packages
- Catch-all “standard” software update policy options
- Updates on Apple silicon without authorization by a “volume owner”
Instead, admins have access to the following options:
- Profile-based deferrals of up to 90 days
- Manual “softwareupdate -iaR” policies available for Intel Macs
- Full installers can still be deployed
Additionally, MDM updates are required for enforcing and authorizing updates on Apple silicon. If you want to truly enforce an update and have it take place without authentication, authorization or passing a password, you must use an MDM update. This is conducted programmatically by means of a Bootstrap Token, which macOS escrows to Jamf Pro.
Balancing security with the user experience
The real challenge facing IT admins is how to strike the ideal balance between security and a good experience for end users. You must decide whether to allow for different deferral options, or whether you want to cut down on end-user downtime by having Macs download the update before triggering an install. Alternatively, you can set up a workflow for periodically reminding users to perform the update themselves, allowing them to integrate it into their work schedule.
Some methods available to IT admins include:
- Deploying a full installer and using a policy that leverages the “startosinstall” command-line tool
- Directing users to perform the update on their own with the Nudge app
- Employing a hybrid method of directing end users to perform the update but using an MDM command as a backup if enforcement is needed
Even if you choose not to use MDM to perform updates, it is important to understand how MDM updates work and admins can use them.
Build an OS update workflow
Performing a software update via MDM is truly a matter of putting together a workflow, not using a single command to do everything. There are several commands that will be part of any workflow:
- This is a bit different from what you would find if you were performing an update from the Mac’s System Preferences; instead of seeing only the latest available update, you will see all versions that are more recent than the version installed.
- This is where you determine the specific version to update to.
- InstallAction determines what specific behavior is followed.
In Jamf Pro, you can find the following install actions:
- InstallLater + (in macOS Monterey) MaxUserDeferrals
- InstallASAP (aka “Download & Install”)
- InstallForceRestart (This command is available through the Jamf Pro API, but it can cause data loss because end users won’t be prompted to save a file if the application doesn’t auto-save. Needless to say, it’s an option that should be used with caution.)
Using these, you can put together an MDM update pathway that looks like this:
- Choose a macOS version to install
- Determine whether the update is major or minor
- Choose your target group based on the above
- Choose a preferred, compatible install action
- Start the workflow by sending MDM commands
Buffington provides some additional detail in the presentation about how to distinguish major and minor updates and how you need to construct workflows for them.
Where to find workflows and options for managed macOS updates
There are a few different places within Jamf Pro where you can find the commands you need:
- Management Commands in the computer inventory record
- These are one-click commands that will automatically select the latest, non-major update available
- There are two install actions available: DownloadOnly or InstallASAP
- Mass Action Commands
- These are more granular functions that let you choose the target version between “Latest available” or “Specific version”
- Three install actions are available: DownloadOnly, InstallLater or InstallASAP
- API endpoints
- Classic API (limited)
- Jamf Pro API (full-featured)
Final thoughts on managing macOS updates
The session concludes with a look at user experience examples, differentiating between “Download & Install” and “Download & Install Later” policies.
In conclusion, Buffington notes that macOS updates continue to evolve but all roads lead to MDM when it comes to enforcement. Admins should always approach managed updates with the user experience in mind, and it’s advised that you continue to provide feedback to both Apple and Jamf about how you prefer to manage updates.
Have market trends, Apple updates and Jamf news delivered directly to your inbox.