Sierra Updates

llitz123
Contributor III

I realized that Sierra forces clients to update incremental system updates which can take a while.
I'm trying to find the best way to run said updates using a policy.
Our users don't use Self Service so it needs to be automated.
I've seen a lot of great suggestions in the forum, I'm just having some issues.
In testing I can force the Management Action to show up with the wording I want. Yet the entire install happens in the background so I'm concerned users will open apps and try and do work during the longer updates - screwing up the updates. Is there a way to lock the screen or put a progress bar on the screen during updates?
Once the management action is complete, the Restart message is at default "This computer will reboot in 5 minutes...". Is there a place to set this? I have delay set to 1 in the Restart Options payload with a description set in the User Interaction Restart Message field.

It looks like I have to monitor Apple Updates for updates and manually run the policy when I want the updates to run - removing any updates I don't need/want to push. How do you get informed when an update is available to enable the policy?
Thanks for any assistance.


kendalljjohnson
Contributor II

Check out this script.

I used most of it, including the jamfhelper pop up while updates are running, to get really close to my end goal of allowing user deferments and a pop up that appears while the updates are occurring.

jyergatian
Contributor

We use a bash script to check (and install) software updates via policy which runs weekly. Feel free to take a peek using the link below and I'm happy to answer questions should you have any.

https://github.com/macfanatic-ca/macOS_scripts/blob/master/install_SoftwareUpdates_AlwaysRestart.sh

thoule
Valued Contributor II

Here's a tool I wrote to enforce updates on users' computers nicely. Apple OS updates are 'required' at 11:30PM of the day after they were first seen by the computer. https://github.com/tmhoule/AppUpdates

marklamont
Contributor III

We have a fully managed change controlled system that allows us to deploy patches, both Apple and other vendors, to our machines with all the patches cached prior to any user interaction. It is based upon patchoo which may be suitable for your environment.
Unfortunately it didn't fit ours because of several reasons, both technical and political, but with a bit of tinkering you can control both which updates are applied and when to suit your own environment and requirements.

llitz123
Contributor III

I appreciate all the replies. Some of this is above my knowledge level so I'll have to invest some time in researching and testing which will work best in our environment.
I'll post back when I need help or when done.
Thank you.

llitz123
Contributor III

@kendalljjohnson I'm testing the script you suggested. Not sure if you can help or if I should post in the script thread you linked, yet I'll try here first.
What I would like is to have the Managed Software Update window pre-filled with no user interaction, yet the ability to still defer.
So far in my testing I have been unable to make this happen by editing this section:

##  Set the forceEnableUpdates flag below to 'yes' (or any value) to enable it. This option will change the
##  checkbox display to show updates as enabled and non-selectable to the user, meaning they will be forced to
##  an "on" state for all. Leaving this value blank will retain the original functionality, allowing the end
##  user to select the updates they would like to install.

if [[ "$deferralsLeft" -eq 0 ]]; then
    echo "0 deferrals remaining. Updates will be installed now"
    forceEnableUpdates="Yes"
else
    echo "You have $deferralsLeft deferrals remaining"
    forceEnableUpdates=""
fi

I can get the Managed Software Update window pre-filled yet there is no option for defer.
Also even without the "defer" button, if I quit the Managed Software Update window the deferralCount drops by one.
Any help is greatly appreciated.

kendalljjohnson
Contributor II

@llitz123 I actually adapted the script that was marked as the solution, by acdesigntech, not mm2270's script that is discussed more towards the bottom of the thread.

I looked into using his for a while but didn't want the check box options for my users to pick and choose, and we currently don't deploy CocoaDialog.

mm2270 has his script posted on his GitHub and is a pretty active user on JAMF Nation so you might get a direct response from him if you reach out.

llitz123
Contributor III

@kendalljjohnson Ah. I'll take another look and/or reach out to mm2270.
Thanks.

llitz123
Contributor III

The options I'm testing seem to be a bit above my tech level and will take some time to test.
I'll try and find something more basic for my needs.
Thanks everyone for your input.

llitz123
Contributor III

@kendalljjohnson Would it be possible to get a copy of your script to play around with? I'm not great at scripting yet would like to contrast my options. If that's an option and it's easier, you can send to my email: llitz at hlcommission dot org
Thanks.

kendalljjohnson
Contributor II

Definitely. Credit to @acdesigntech for providing the original script in the previously linked post, to which I simply adapted specifics for our desired use case.

#!/bin/bash

# Function to call when software updates require a restart
fRunUpdates ()
{

    ## Once the user OKs the updates or they run automatically, reset the timer to 2
    echo "2" > "/Library/Application Support/JAMF/.SoftwareUpdateTimer.txt"

    ## jamfHelper window that stays open until the update process completes
    "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -windowPosition ur -lockhud -heading 'Updates in Progress' -description 'Apple Software updates are running in the background. Please do not shut down or put your computer to sleep at this time. You will soon be prompted to restart.' -icon "/System/Library/CoreServices/Software Update.app/Contents/Resources/SoftwareUpdate.icns" > /dev/null 2>&1 &

    /usr/sbin/softwareupdate -ia

    # kill the jamfHelper
    sleep 5

    kill -9 $(ps axc | awk '/jamfHelper$/{print $1}')

    # prompt for reboot with 3hr timer
    PROMPT=`"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -lockhud -heading "Restart Required" -description "Updates have installed that require a restart. Please save your work and click restart or you will be forced to restart when the timer runs out." -icon "/System/Library/CoreServices/Software Update.app/Contents/Resources/SoftwareUpdate.icns" -timeout 10800 -countdown -button1 "Restart Now"`
    echo "result $PROMPT"
    if [ "$PROMPT" == "0" ];
        then
        # continue script after restart command so the exit 0 command is still sent and captured by JAMF
        /sbin/shutdown -r now &

        exit 0
    fi

    exit 0
}



######### Set variables for the script ############

## Set up the software update timer if it does not exist already
if [ ! -e "/Library/Application Support/JAMF/.SoftwareUpdateTimer.txt" ]; then
    echo "2" > "/Library/Application Support/JAMF/.SoftwareUpdateTimer.txt"
fi

## Get the timer value
Timer=`cat "/Library/Application Support/JAMF/.SoftwareUpdateTimer.txt"`

## Get the currently logged in user, if any. Also check for updates that require a restart and ones that do not.
UpdatesNoRestart=`softwareupdate -l | grep recommended | grep -v restart`
RestartRequired=`softwareupdate -l | grep restart | grep -v '*' | cut -d , -f 1`
LoggedInUser=`who | grep console | awk '{print $1}'`

################ End Variable Set ################

## If there are no system updates, quit
if [ "$UpdatesNoRestart" == "" -a "$RestartRequired" == "" ]; then
    echo "No updates at this time"
    exit 0
fi

## If we get to this point and beyond, there are updates.

## if there is no one logged in, just run the updates
if [ "$LoggedInUser" == "" ]; then
    echo "Installing updates since no one is logged in."

    /usr/sbin/softwareupdate -ia

# continue script after restart command so the exit 0 command is still sent and captured by JAMF
    /sbin/shutdown -r now &


    exit 0
else
    ## someone is logged in. prompt if any updates require a restart ONLY IF the update timer has not reached zero
    if [ "$RestartRequired" != "" ]; then

        ## If someone is logged in and they have not canceled 2 times already, prompt them to install updates that require a restart and state how many more times they can press 'cancel' before updates run automatically.
        if [ "$Timer" -gt 0 ]; then

            HELPER=`"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -icon "/System/Library/CoreServices/Software Update.app/Contents/Resources/SoftwareUpdate.icns" -heading "Software Updates Available" -description "Apple Software Updates are available that require a restart. You are able to defer this process $Timer more times before this computer will automatically install them." -button1 "Update Now" -button2 "Defer ($Timer)" -cancelButton 2`
            echo "jamf helper result was $HELPER";
            ## If they click Install Updates then run the updates
            if [ "$HELPER" == "0" ]; then
                echo "User chose to install now"
                fRunUpdates


            else
            ## If no, then reduce the timer by 1. The script will run again the next day
                let CurrTimer=$Timer-1
                echo "User chose to defer"
                echo "$CurrTimer" > "/Library/Application Support/JAMF/.SoftwareUpdateTimer.txt"
                exit 0
            fi
        else

            ## If Timer is already 0, run the updates automatically, the user has been warned!
            echo "User has run out of deferrals and will be forced to update and restart"
            fRunUpdates
        fi
    fi
fi

## Install updates that do not require a restart
if [ "$UpdatesNoRestart" != "" ]; then

  if [ "$Timer" -gt 0 ]; then

      HELPER=`"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -icon "/System/Library/CoreServices/Software Update.app/Contents/Resources/SoftwareUpdate.icns" -heading "Software Updates Available" -description "Apple Software Updates are available that do not require a restart. You are able to defer this process $Timer more times before this computer will automatically install them." -button1 "Update Now" -button2 "Defer ($Timer)" -cancelButton 2`
      echo "jamf helper result was $HELPER";
      ## If they click Install Updates then run the updates
      if [ "$HELPER" == "0" ]; then
          echo "User chose to install now"
              "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -windowPosition ur -lockhud -heading 'Updates in Progress' -description 'Apple Software updates are running in the background. Please do not shut down or put your computer to sleep until this window disappears.' -icon "/System/Library/CoreServices/Software Update.app/Contents/Resources/SoftwareUpdate.icns" > /dev/null 2>&1 &

              /usr/sbin/softwareupdate -ia

              kill -9 $(ps axc | awk '/jamfHelper$/{print $1}')

              exit 0

      else
      ## If no, then reduce the timer by 1. The script will run again the next day
          let CurrTimer=$Timer-1
          echo "User chose to defer"
          echo "$CurrTimer" > "/Library/Application Support/JAMF/.SoftwareUpdateTimer.txt"
          exit 0
      fi
  else

      ## If Timer is already 0, run the updates automatically, the user has been warned!
      echo "Updates available that do not require restart and will be performed"
          "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -windowPosition ur -lockhud -heading 'Updates in Progress' -description 'Apple Software updates are running in the background. Please do not shut down or put your computer to sleep until this window disappears.' -icon "/System/Library/CoreServices/Software Update.app/Contents/Resources/SoftwareUpdate.icns" > /dev/null 2>&1 &

          /usr/sbin/softwareupdate -ia

          kill -9 $(ps axc | awk '/jamfHelper$/{print $1}')

          exit 0
  fi
fi

llitz123
Contributor III

Thank you! Perpetual testing resumes!

nberanger
Contributor

Hi @llitz123

Did you ever get this working? I'm also trying to find some way to automate updates within the current OS. I don't want to automate updates to a new OS, i.e. 10.12 to 10.13. I am more wanting to just be able to force security updates and such.

Thanks!

allanmedina
New Contributor

@kendalljjohnson
Thanks so much for posting the script you shared above. It is very helpful and easier to understand even for a newbie in scripting like me. One more question, though. Where do you adjust the waiting time for the next "Software Update Reminder" to re-appear once the user chose to "defer"?

TIA. Cheers!

Allan

kendalljjohnson
Contributor II

@allanmedina, glad you found it helpful!

The waiting time is dependent on when you have the script run within your Jamf policy (ongoing, once every day, once a week, once a month). I use the once a day option, meaning if their computer checks in every day the update is forced to run within three days. Hope that helps!
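
The deferral counter and the `softwareupdate -l` classification that the script and the answer above rely on, as an added example that is not part of the thread or of anyone's posted script: counter contents that are not a valid number fail closed to 0, so the install is enforced rather than postponed. `MAX_DEFERRALS`, the function names and the sample listing are assumptions constructed for illustration; the state file path is passed in as an argument.

```shell
#!/bin/sh
# Added example (not from the thread): fail-closed deferral state for a
# root-run update policy. MAX_DEFERRALS and function names are assumptions.
MAX_DEFERRALS=2

# Print the deferrals left. A missing file means first run (full allowance).
# Content that is not an integer 0..MAX_DEFERRALS counts as 0, so a corrupt
# or edited state file forces the install instead of postponing it.
read_deferrals() {
    [ -e "$1" ] || { echo "$MAX_DEFERRALS"; return 0; }
    value=$(head -n 1 "$1" | tr -d ' \t\r')
    case $value in
        '' | *[!0-9]* | ????*) echo 0; return 0 ;;  # empty, non-digit, 4+ chars
    esac
    if [ "$value" -gt "$MAX_DEFERRALS" ]; then echo 0; else echo "$value"; fi
}

# Use up one deferral, never going below zero, and print the new count.
record_deferral() {
    left=$(read_deferrals "$1")
    if [ "$left" -gt 0 ]; then left=$((left - 1)); fi
    echo "$left" > "$1"
    echo "$left"
}

# Read `softwareupdate -l` output on stdin; print "restart<TAB>label" or
# "norestart<TAB>label" for each recommended update (the two-line entry
# format that the grep pipeline in the posted script also depends on).
classify_updates() {
    awk '
        /^[ \t]*\* / { sub(/^[ \t]*\* /, ""); label = $0; next }
        label != "" && /\[recommended\]/ {
            kind = ($0 ~ /\[restart\]/) ? "restart" : "norestart"
            print kind "\t" label
            label = ""
        }'
}

# Constructed sample listing, not captured from a real machine.
SAMPLE_LIST='Software Update Tool

Finding available software
Software Update found the following new or updated software:
   * ExampleSecurityUpdate-1.0
        Example Security Update (1.0), 1000K [recommended] [restart]
   * ExampleApp-2.3
        Example App (2.3), 2000K [recommended]'

printf '%s\n' "$SAMPLE_LIST" | classify_updates
```

With `MAX_DEFERRALS=2` and a policy that runs once a day, the counter reaches 0 on the third run, which matches the three-day window described in the answer above.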