Patch Management: Behind the Scenes

Watch this JNUC session in its entirety.

To say it was a packed house was an understatement. Well before Patch Management: Behind the Scenes started, it was standing room only. From the floor of Open Book, Jamf product experts Bram Cohen, Jonathon Robinson and Shawn Eberle dug deep into the world of automating the tedious, repetitive tasks involved in keeping third-party software updated on Macs. By exploring common and advanced use cases with the people who tested, supported and wrote the code, they shared information on creating patches, preparing them for deployment and distributing them.

Building the script

Running 24 hours a day, Jamf Pro (formerly Casper Suite) searches for patch updates based on third-party information. How does Jamf Pro know a new patch is available? The curation process compares vendors’ artifacts to verify that a new version of a piece of software has been released. Once a new version is confirmed, the JSON is updated, which in turn creates a JIRA ticket. The patch curator (Shawn Eberle) is notified, which starts the clock on the 48-hour target response time.
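The curation step above hinges on deciding whether a vendor artifact really is a newer version than the one in the current definition. The following is an added example (not Jamf's code, and not the real patch-definition schema; the `bundleId`/`currentVersion` field names, the definition fragment and the vendor artifact list are all constructed). It compares dotted version strings component by component so that `5.2.10` is correctly treated as newer than `5.2.9`, which a plain string comparison gets wrong, and it ignores artifacts whose bundle identifier belongs to a different product.

```python
import json
import re

# Constructed patch-definition fragment (illustrative field names, not the
# real Jamf Pro patch-definition schema).
CURRENT_DEFINITION = json.loads("""
{
  "id": "ExampleApp",
  "bundleId": "com.example.app",
  "currentVersion": "5.2.1"
}
""")

# Constructed vendor artifact metadata, i.e. what a curation job might read
# from a vendor download page or from a package's Info.plist.
VENDOR_ARTIFACTS = [
    {"bundleId": "com.example.app", "version": "5.2.1"},
    {"bundleId": "com.example.app", "version": "5.2.10"},
    {"bundleId": "com.example.other", "version": "9.0"},
]


def version_key(version):
    """Turn a dotted version into a tuple that compares the way humans expect.

    Numeric components compare numerically (5.2.10 > 5.2.9); components with
    a non-numeric suffix compare the number first, then the suffix as a string;
    trailing ".0" components are dropped so 5.2 and 5.2.0 compare equal.
    """
    parts = []
    for component in re.split(r"[.\-]", version.strip()):
        m = re.match(r"(\d+)(.*)", component)
        if m:
            parts.append((0, int(m.group(1)), m.group(2)))
        else:
            parts.append((1, 0, component))
    while parts and parts[-1] == (0, 0, ""):
        parts.pop()
    return tuple(parts)


def is_newer(candidate, current):
    """True if `candidate` is a strictly newer version than `current`."""
    return version_key(candidate) > version_key(current)


def detect_new_release(definition, artifacts):
    """Return the newest vendor version that is newer than the definition's
    currentVersion for the same bundle identifier, or None if there is none."""
    newest = None
    for artifact in artifacts:
        if artifact["bundleId"] != definition["bundleId"]:
            continue  # a different product, not a new release of this one
        if is_newer(artifact["version"], definition["currentVersion"]):
            if newest is None or is_newer(artifact["version"], newest):
                newest = artifact["version"]
    return newest


if __name__ == "__main__":
    found = detect_new_release(CURRENT_DEFINITION, VENDOR_ARTIFACTS)
    print("new version detected:", found)  # 5.2.10
```

Run as a script it reports `5.2.10`; the `5.2.1` artifact is the version already in the definition and the `com.example.other` artifact is skipped because it is a different bundle.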

Testing the update

There is a specific test process for each patch update. It goes something like this:

  • First, Jamf Pro verifies BundleShortVersionString and BundleIdentifier.
  • Next, the build script verifies the update gets posted and is readable from the S3 buckets.
  • From there, the build script verifies the installation on the required operating systems.
  • Once the reviewer (Jonny Robinson) has completed that work, the update ticket is passed to the release manager (John Miller) and then to your installation of Jamf Pro.
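The first check in the list, verifying the bundle's short version string and bundle identifier, is one any admin can reproduce against a downloaded package before trusting it. The following is an added example, not Jamf's build script: it reads the app's `Info.plist` with the standard `plistlib` module and compares the `CFBundleIdentifier` and `CFBundleShortVersionString` keys (the full key names behind the page's "BundleIdentifier" and "BundleShortVersionString") against an expected definition. The definition, the plist contents and the field names are constructed for the example; the second plist models a download whose vendor page claimed a new version but whose bundle still reports the old one.

```python
import plistlib

# Constructed expected values for the version under test (illustrative field
# names, not the real Jamf Pro patch-definition schema).
EXPECTED = {
    "bundleId": "com.example.app",
    "version": "5.2.10",
}

# Constructed Info.plist, as would be found at
# ExampleApp.app/Contents/Info.plist inside the unpacked vendor package.
GOOD_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.app</string>
    <key>CFBundleShortVersionString</key>
    <string>5.2.10</string>
    <key>CFBundleVersion</key>
    <string>5210</string>
</dict>
</plist>
"""

# Constructed plist for a stale or mislabelled download: the bundle still
# reports the previous version even though it was published as 5.2.10.
STALE_INFO_PLIST = GOOD_INFO_PLIST.replace(
    b"<string>5.2.10</string>", b"<string>5.2.1</string>"
)


def verify_bundle(info_plist_bytes, expected):
    """Return a list of problems; an empty list means the bundle matches.

    Both the identifier and the version are checked, because a matching
    version string on the wrong bundle (or vice versa) must not pass.
    """
    try:
        info = plistlib.loads(info_plist_bytes)
    except Exception as exc:  # plistlib raises expat or plist errors on bad input
        return [f"Info.plist is not a valid property list: {exc}"]

    problems = []
    bundle_id = info.get("CFBundleIdentifier")
    short_version = info.get("CFBundleShortVersionString")
    if bundle_id != expected["bundleId"]:
        problems.append(
            f"CFBundleIdentifier {bundle_id!r} != expected {expected['bundleId']!r}"
        )
    if short_version != expected["version"]:
        problems.append(
            f"CFBundleShortVersionString {short_version!r} != expected {expected['version']!r}"
        )
    return problems


if __name__ == "__main__":
    for label, plist in (("good", GOOD_INFO_PLIST), ("stale", STALE_INFO_PLIST)):
        problems = verify_bundle(plist, EXPECTED)
        print(label, "OK" if not problems else problems)
```

On a real package the bytes would come from `open(".../Contents/Info.plist", "rb").read()`; `plistlib.loads` handles both the XML and binary plist formats, so the same check works whichever the vendor ships.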

Deployment and security

A series of S3 buckets is in place to ensure the quality of the patch. Once the patch update moves from dev to the staging environment, Jamf signs the file with a certificate using OpenSSL. When the release manager approves the update, it goes to a third bucket: this is the URL that Jamf Pro needs to be able to reach on port 443 for patch management.
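The signature applied at the staging step is what gives a downloaded patch definition its integrity: a file that was altered after signing, or signed with some other key, must fail verification before it is used. The following is an added example of that check, not Jamf's pipeline code. The page does not say which OpenSSL signing mode Jamf uses, so the example assumes the common `openssl dgst -sha256 -sign` scheme (RSA PKCS#1 v1.5 over SHA-256); it generates a throwaway key pair so it runs offline, signs a constructed JSON blob, and then shows that the verifier accepts the original and rejects a tampered copy or a corrupted signature. It requires the third-party `cryptography` package.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Constructed release-signing key pair, generated here only so the example
# runs offline. In a real pipeline the private key never leaves the signing
# host; clients ship with just the public key (e.g. taken from the certificate).
_SIGNING_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
PUBLIC_KEY_PEM = _SIGNING_KEY.public_key().public_bytes(
    serialization.Encoding.PEM,
    serialization.PublicFormat.SubjectPublicKeyInfo,
)

# Constructed patch-definition payload standing in for the file that is signed.
PATCH_JSON = b'{"id": "ExampleApp", "currentVersion": "5.2.10"}'


def sign_artifact(artifact, private_key=_SIGNING_KEY):
    """Produce a detached RSA PKCS#1 v1.5 / SHA-256 signature over `artifact`,
    the same scheme `openssl dgst -sha256 -sign key.pem artifact` yields."""
    return private_key.sign(artifact, padding.PKCS1v15(), hashes.SHA256())


def verify_artifact(artifact, signature, public_key_pem=PUBLIC_KEY_PEM):
    """Return True only if `signature` covers exactly these bytes and was made
    by the holder of the private key matching `public_key_pem`.

    Any change to the artifact, even one byte, or to the signature itself
    makes verification fail; the caller should refuse to use the artifact.
    """
    public_key = serialization.load_pem_public_key(public_key_pem)
    try:
        public_key.verify(signature, artifact, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    sig = sign_artifact(PATCH_JSON)
    print("original verifies:", verify_artifact(PATCH_JSON, sig))          # True
    print("tampered verifies:", verify_artifact(PATCH_JSON + b" ", sig))   # False
```

The signature produced by `sign_artifact` is byte-compatible with what `openssl dgst -sha256 -verify pub.pem -signature sig file` accepts, so the same public key can be checked from either side.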

Boom! Patch Management made easy!