Software Update Policy Enforcement (with) Recursive Messaging And Notification — just in case you wanted to know what the acronym meant.
Huge shoutout to Kevin M. White (https://github.com/Macjutsu) for his application super. Super allows Mac Admins to have a workflow to both encourage and enforce macOS software updates for both Intel and Silicon Macs. In my experience with super, it is a perfect balance between straight up MDM commands to send updates to computers and Nudge (used to annoy the end-user into processing software updates).
super was designed to handle multiple different workflows depending on the administrator’s needs. Kevin’s 5400+ line bash script has multiple workflows for processing the updates whether your computers are Intel or Silicon, whether you want to use API authentication or local authentication, whether you want to immediately scan and run updates or wait to install updates at a separate time, whether you want to upgrade to the latest OS or upgrade to the latest version of the current OS, superman has you covered. I will be going through how to get a basic S.U.P.E.R.M.A.N. implementation with Jamf Pro that will start to update/upgrade your computers.
The first thing you need is to look over the super wiki, located here: https://github.com/Macjutsu/super/wiki
Familiarize yourself with the different options that super provides and get a feel for what you will want to implement in your environment. This will be helpful when you start to create your configuration profiles and policies within Jamf Pro.
You will also need to grab the latest super script from: Macjutsu Github – Super. Click ‘Raw’, copy the contents of the script and add it to your Jamf Pro server (Jamf Pro > Settings > Computer Management > Scripts > +New).
In this write up, we will be utilizing the Jamf Pro API workflow for super. We will need to create a limited service account to make our API calls. Create a new Jamf Pro user with the following privileges:
- Jamf Pro Server Objects > Computers > Create
- Jamf Pro Server Actions > Send Computer Remote Command to Download and Install macOS Update
Next you will want to have a configuration profile that will manage your baseline settings for super. When parameters are passed to super through a policy, those parameters do not reset until the script is called again with –reset-super, any settings that are considered baseline, should be deployed with your configuration profile. Navigate to Jamf Pro > Computers > Configuration Profiles > New.
For the configuration profile, you will be adding a Application & Custom Settings payload and selecting the ‘upload’ option, configuring as:
- Preference Domain: com.macjutsu.super
- Property List:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>JamfProID</key> <string>$JSSID</string> <key>DisplayIcon</key> <string>/Library/TechItOut/TIOLogo.png</string> <key>DefaultDefer</key> <string>3600</string> <key>DisplayRedraw</key> <string>20</string> <key>DisplayTimeout</key> <string>300</string> <key>FocusCount</key> <string>3</string> <key>FocusDefer</key> <string>3600</string> <key>HardCount</key> <string>5</string> <key>MenuDefer</key> <string>300,1800,3600,86400</string> <key>RecheckDefer</key> <string>120</string> </dict> </plist>
Go ahead and scope this profile to the computers you want to target. Note: If you want your computers to upgrade to the latest OS supported by the hardware, include the following in your plist:
<key>AllowUpgrade</key> <true/>
Next we will create a new policy by going to Jamf Pro > Computers > Policies > New. I currently have this configured:
- General
- Display Name: Software Updates – S.U.P.E.R.M.A.N.
- Enabled = True
- Category: Software Updates
- Trigger: Recurring Check-in & Custom
- Execution Frequency: Once per computer
- Scripts
- Add the super script to your scripts payload
- Priority: After
- Parameter Values:
Parameter 4: --jamf-account=superapi Parameter 5: --jamf-password=secureP@ssword Parameter 6: --reset-super
It is a good idea to make sure that the scope of this policy includes computers that have a bootstrap token escrowed in Jamf Pro, this will ensure that super and utilize the API to send managed macOS software update commands without prompting the user for credentials.
Once you have all this in place, you are ready to test your workflow. To recap:
- S.U.P.E.R.M.A.N. configuration profile will set managed settings for super on your computer
- S.U.P.E.R.M.A.N. policy will run the super script to install all dependancies and start looking for updates.
Lastly, get familiar with the logs for super. The logs will be found in /Library/Management/super. The logs are written well and you should be able to follow the process of what is happening on the computer. Start with super.log and install.log, and mdmCommand.log.
Thanks for checking it out and happy updating! Note: This is not the only workflow for super, but this will get you started, look over the wiki and other documentation to find options/workflows that will work in your environment.
Additional resources: