Deployment Rings….in Jamf Pro

, ,

If you have any experience as a Sys Admin and the image above gives you PTSD, don’t worry, me too! The implementation of deployment rings though is a great model to copy.

Deployment Rings allow an administrator to separate computers into groups for the purpose of deploying software at different intervals in a deployment timeframe. Deployment rings reduce the risk of issues derived from the deployment of new software or updates by implementing a gradual deployment to specific groups of Admins, Power Users, Standard Users, or similar groups. 

Workflow for implementing Deployment Rings in Jamf Pro will include:

-Creating a computer extension attribute to identify and assign computers to different deployment rings

-Creating Smart Computer Groups to gather our computers into their respective deployment rings

-Create base configuration profiles for handling Apple Software Updates in a deployment ring model 

Create Extension Attribute:

To manually create this extension attribute, navigate to: Jamf Pro > Settings > Computer Management – Management Framework > Extension Attributes

-Click +New
-Set display name: Deployment Ring
-Set description: Used to move computers into different software deployment update rings.
-Data Type: String
-Inventory Display: General
-Input Type: Pop-up Menu
-Recon Display: Extension Attributes
-Pop-Up Menu Choices: 1, 2, and 3
Save.

The EA can also be found, downloaded, and uploaded into Jamf Pro from here: Software Deployment Update Ring.xml

Creating Smart Computer Groups:

We will need a Smart Computer Group for each ring implemented in our Jamf Pro. To create a new Smart Computer for Ring 1, navigate to Jamf Pro > Computers > Smart Computer Groups > +New

-Set display name: Deployment Rings – Ring 1
-Criteria: Deployment Ring
-Operator: Is
-Value: 1

For Ring 2, the same steps will be needed, but the value will be 2. 

For Ring 3, we will need to add an additional criterion to the Smart Group. For Ring 3, we will need to the following criteria: 

Criteria: Deployment Ring
Operator: Is
Value: 3
AND/OR: or
Criteria: Deployment Ring
Operator: is
Value: 

This will ensure that any computer with a “3” value or a blank value will be added to the Ring 3 group. 

I would also suggest creating an additional Smart Group for each Deployment Ring group that has an additional criterion for ‘Number of Software Updates’ > 0 and naming these groups like ‘Deployment Rings – Ring 1 – Apple Updates Available’. 

Also, these Smart Computer groups can be found in XML format here: Jamf Pro Smart Groups

Creating Base Configuration Profiles for Apple Software Updates:

A configuration profile will be created for and scoped to each of our deployment rings. This configuration profile will hand the deferment of Apple Software Updates. For this example, these configuration profiles will handle updates with the following deferments:

Ring 1 – 1 day
Ring 2 – 14 days
Ring 3 – 21 days

This means that the Apple Updates will not show up on the client computer until the deferment period is past, e.g. Apple released macOS 12.4 on 5.16.2022 and it will not be available to ring 3 until 6.6.2022. 

To create each configuration profile, navigate to: Jamf Pro > Configuration Profiles > +New

Set Display Name: Apple Software Updates – Ring 1
Description: Configuration profile used for setting deferral period of Apple software updates for Deployment Ring 1
Category: Software Updates
Level: Computer Level
Distribution Method: Install Automatically
Software Update payload:
           -Automatically install macOS updates
            -Automatically install app updates from the App Store
            -Automatically check for updates
Automatically download new updates when available
-Automatically install configuration data
-Automatically install system data files and security updates
Application & Custom Settings payload:
Choose to upload and click +Add
Preference Domain: com.apple.applicationaccess
Copy and paste the following Property List:

<plist>
	<dict>
		<key>enforcedSoftwareUpdateDelay</key>
		<integer>1</integer>
		<key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key>
		<integer>1</integer>
		<key>enforcedSoftwareUpdateMinorOSDeferredInstallDelay</key>
		<integer>1</integer>
		<key>enforcedSoftwareUpdateNonOSDeferredInstallDelay</key>
		<integer>1</integer>
		<key>forceDelayedAppSoftwareUpdates</key>
		<false/>
		<key>forceDelayedMajorSoftwareUpdates</key>
		<false/>
		<key>forceDelayedSoftwareUpdates</key>
		<false/>
	</dict>
</plist>

This will need to be repeated for Ring 2 and 3, changing the values in the property list to set the appropriate values. 

Each profile will also need to be scoped to the appropriate Smart Group. When a computer’s extension attribute value is changed for Deployment Ring, it will gain membership to the appropriate Smart Group and will receive the appropriate Configuration Profile for handling Apple Software Updates. 

Below is a quick video demo of the deferment of software updates with the use of configuration profiles:

Thanks for checking it out!

Leave a Reply

Blog at WordPress.com.

Discover more from Tech IT Out

Subscribe now to keep reading and get access to the full archive.

Continue reading