
Keeping Macs up to date in a Jamf Pro environment can be a challenge—especially when dealing with complex OS versioning, smart group-based rollouts, and risk-aware decisions based on security vulnerabilities. This blog post walks through how I automated the entire process using PowerShell, Jamf Pro’s API, the SOFA feed, and an Azure Automation Runbook.
Overview
Using the SOFA feed, CVE data from NVD, and the Jamf Pro API, these scripts:
- Parse available software updates for iOS/iPadOS or macOS
- Evaluate CVE severity and assign custom deadlines
- Scope updates by Smart Group, with deferral logic and override support
- Prevent unintended major OS upgrades
- Automatically create Declarative Device Management Software Update Plans via the Jamf Pro API
Prerequisites
Before using the scripts, make sure you have:
- A Jamf Pro environment
- Jamf API Client ID and Secret with appropriate permissions
- Azure Automation Account
- Devices enrolled with membership to smart groups in Jamf Pro for testing
Key Features
- ProcessGroup – Handles devices in Smart Groups, applies version logic and deadlines
- Create-UpdatePlan – Calls the Jamf Pro API to create a plan for a device
- Check-CVESeverity – Assigns deadline days based on CVE severity data (critical, high, etc.)
- Azure Runbook Ready – Designed for unattended, scheduled runs
Example Workflow
- Jamf Pro Smart Groups are used to define deployment rings (Alpha, Beta, Release)
- Runbook triggers at scheduled intervals (e.g., daily or weekly)
- Script:
  - Pulls the latest SOFA JSON feed
  - Matches the applicable version for devices in Smart Groups
  - Skips devices whose deferral dates haven't passed
  - Evaluates security severity
  - Creates Software Update Plans only if needed
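The version-matching and severity steps above, as an added example (not the project's scripts): the feed and the NVD severities are constructed hashtables shaped like the SOFA macOS feed, the CVE IDs are placeholders, and the deadline-day values stand in for the ones in Check-CVESeverity.

```powershell
# Added example, not the project's scripts. Constructed data shaped like the SOFA
# macOS feed (OSVersions[].Latest with ProductVersion/ReleaseDate/CVEs); a real run
# fetches the feed and looks CVE severities up in NVD instead of these hashtables.
$sofaFeed = @{ OSVersions = @(
    @{ OSVersion = 'Sequoia 15'; Latest = @{ ProductVersion = '15.4.1'; ReleaseDate = '2025-04-16T00:00:00Z'
        CVEs = @{ 'CVE-0000-0001' = $true; 'CVE-0000-0002' = $false } } }   # $true = actively exploited
    @{ OSVersion = 'Sonoma 14';  Latest = @{ ProductVersion = '14.7.5'; ReleaseDate = '2025-03-31T00:00:00Z'
        CVEs = @{ 'CVE-0000-0002' = $false } } }
) }
$nvdSeverity = @{ 'CVE-0000-0001' = 'CRITICAL'; 'CVE-0000-0002' = 'MEDIUM' }  # placeholder IDs
$deadlineDaysBySeverity = @{ CRITICAL = 3; HIGH = 7; MEDIUM = 14; LOW = 21 }   # constructed; tune like Check-CVESeverity

function Select-UpdateTarget {
    param(
        [Parameter(Mandatory)][string]$DeviceVersion,   # OS version Jamf Pro reports for the device
        [ValidateSet('Minor', 'Latest')][string]$VersionType = 'Minor',
        [hashtable]$Feed = $sofaFeed, [hashtable]$Severity = $nvdSeverity,
        [hashtable]$DaysBySeverity = $deadlineDaysBySeverity
    )
    $current    = [version]$DeviceVersion
    $candidates = $Feed.OSVersions | ForEach-Object { $_.Latest }
    if ($VersionType -eq 'Minor') {
        # Guard against an unintended major upgrade: only consider the device's current major.
        $candidates = $candidates | Where-Object { ([version]$_.ProductVersion).Major -eq $current.Major }
    }
    $best = $candidates | Sort-Object { [version]$_.ProductVersion } -Descending | Select-Object -First 1
    if (-not $best -or [version]$best.ProductVersion -le $current) { return $null }   # already up to date

    # Deadline follows the worst severity among the CVEs the update addresses.
    $rank  = @{ LOW = 0; MEDIUM = 1; HIGH = 2; CRITICAL = 3 }
    $worst = 'LOW'
    foreach ($id in $best.CVEs.Keys) {
        $s = $Severity[$id]
        if ($s -and $rank[$s] -gt $rank[$worst]) { $worst = $s }
    }
    $exploited = [bool]($best.CVEs.Values -contains $true)
    $days = $DaysBySeverity[$worst]
    if ($exploited) { $days = [Math]::Min($days, 1) }   # in-the-wild exploitation: next-day deadline (constructed policy)
    [pscustomobject]@{
        TargetVersion = $best.ProductVersion; ReleaseDate = $best.ReleaseDate
        WorstSeverity = $worst; ActivelyExploited = $exploited; DeadlineDays = $days
    }
}

Select-UpdateTarget -DeviceVersion '14.7.2' -VersionType 'Minor'    # stays on 14.x, medium severity
Select-UpdateTarget -DeviceVersion '14.7.2' -VersionType 'Latest'   # allows the major upgrade, exploited CVE
Select-UpdateTarget -DeviceVersion '15.4.1'                         # nothing to do for a current device
```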
Getting Started
Create an Automation Account
- Sign in to the Azure Portal
- From the top menu, select + Create a resource
- Under Categories, select IT & Management Tools, and then select Automation (If Automation is not listed, you can search for it in the Search Services and Marketplace bar)
- On the Basics tab, provide the essential information for your Automation account. After completing this tab, you can choose to further customize your Automation account by setting options on the other tabs, or you can select Review + create to accept the default options and proceed with creating the account. (For more information: https://learn.microsoft.com/en-us/azure/automation/quickstarts/create-azure-automation-account-portal)
Create a Runbook
- Within your Automation account page, under Process Automation, select Runbooks
- Select + Create a runbook
- Give your runbook a name
- From the Runbook type drop-down menu, select PowerShell
- From the Runtime version drop-down, select 7.2
- (Optional) Add a description for your runbook
- Select Review + create

Create a Jamf Pro API Role and Client
Since we are going to utilize the Jamf Pro API, it may be useful to create a dedicated API Role and Client for our purpose here. To create an API Role and Client, within Jamf Pro:
- Navigate to Settings > System > API Roles and clients
- Select + New in the top-right corner to create a new API Role
- Give your API Role a name and assign the following privileges:
  - For macOS:
    - Read Smart Computer Groups
    - Update Managed Software Updates
    - Read Computers
    - Delete Managed Software Updates
    - Send Computer Remote Command to Download and Install OS X Update
    - Read Managed Software Updates
    - Create Managed Software Updates
  - For iOS:
    - Send Mobile Device Remote Command to Download and Install iOS Update
    - Read Smart Mobile Device Groups
    - Update Managed Software Updates
    - Read Mobile Devices
    - Delete Managed Software Updates
    - Read Managed Software Updates
    - Create Managed Software Updates
- Save the API Role
- Next, click on the API Clients tab and select + New in the top-right corner to create a new API Client
- Give your API Client a name
- Assign the API Role you just created and enable the API Client. Take note of your API client ID and secret; you will not be able to retrieve the secret again.
Scripts
The scripts can be found in GitHub: Apple Auto-Patch and Azure Runbooks
Setting up variables
Some important variables that should be set up include:
- Jamf Pro API Variables
  - client_id, secret, and URI
- NVD API Variables (a request for an NVD API key is free)
  - apiKey
- Jamf Pro Smart Group IDs and Software Update Deferral Days
  - Add the Smart Group IDs of the groups you want to target for DDM software updates
  - For Deferral Days, the names of the deferral-day entries should match the group names defined in the Group IDs variables section
- Jamf Pro Group Version Type Overrides
  - If you want to override the version type for a specific group, define that group and version type here
- Software Update Variables
  - updateAction
  - versionType
- (Optional) Deadline Days
  - In the Check-CVESeverity function, you can change the values for adding deadline days based on the severity of the CVEs addressed in the updates.
- $targetDeadline
  - In the default configuration, the script sets the deadline time to 06:00 PM for the user (to avoid normal business hours). Change this to fit your needs. Pro tip: $targetDeadline appears twice in the iOS/iPadOS script and once in the macOS script.

$targetDeadline = (Get-Date $bestMatch.ReleaseDate).AddDays($SWUDeferralDays + $bestMatch.DeadlineDays).Date.AddHours(18).ToUniversalTime()

Once the script is uploaded into your Runbook, you can link it to a schedule and you'll be on your way to a more secure and automated environment!
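The deferral check and $targetDeadline computation, as an added example that is not the project's code. The one-liner above takes 18:00 from the clock of the host running the script, and Azure Automation sandboxes run in UTC, so the deadline lands at 18:00 UTC rather than 18:00 where the users are; this version pins an assumed fleet time zone (America/New_York) and builds the plan body for the Jamf Pro API endpoint that Create-UpdatePlan calls, using field names from the Jamf Pro API documentation as I know them.

```powershell
# Added example, not the project's code. Azure Automation sandboxes run in UTC, so
# .Date.AddHours(18).ToUniversalTime() on that host is 18:00 UTC, not 18:00 for the
# user. Pinning the fleet's time zone (assumed here) keeps the deadline after hours.
function Get-InstallDeadline {
    param(
        [Parameter(Mandatory)][string]$ReleaseDate,     # SOFA ReleaseDate (ISO 8601)
        [int]$DeferralDays,                             # ring deferral (Alpha/Beta/Release)
        [int]$DeadlineDays,                             # from the CVE-severity logic
        [string]$FleetTimeZoneId = 'America/New_York',  # assumption: the zone your users sit in
        [datetime]$Now = [datetime]::UtcNow
    )
    $released = ([datetimeoffset]::Parse($ReleaseDate)).UtcDateTime
    # Deferral window still open: the caller skips this device and retries on the next run.
    if ($Now -lt $released.AddDays($DeferralDays)) { return $null }
    $tz   = [TimeZoneInfo]::FindSystemTimeZoneById($FleetTimeZoneId)
    $wall = [datetime]::SpecifyKind($released.AddDays($DeferralDays + $DeadlineDays).Date.AddHours(18), 'Unspecified')
    return [TimeZoneInfo]::ConvertTimeToUtc($wall, $tz)   # 18:00 wall clock in $tz, expressed in UTC
}

# Body for POST /api/v1/managed-software-updates/plans. Field names follow the Jamf Pro API
# documentation as I know it; check them against the API schema of your Jamf Pro version.
# objectType is MOBILE_DEVICE for iOS/iPadOS plans.
function New-UpdatePlanBody {
    param([int]$DeviceId, [string]$UpdateAction, [string]$VersionType, [string]$SpecificVersion, [datetime]$DeadlineUtc)
    @{
        devices = @(@{ objectType = 'COMPUTER'; deviceId = "$DeviceId" })
        config  = @{
            updateAction    = $UpdateAction                 # the page's updateAction variable
            versionType     = $VersionType                  # the page's versionType variable
            specificVersion = $SpecificVersion              # the version picked from the SOFA feed
            forceInstallLocalDateTime = $DeadlineUtc.ToString('yyyy-MM-ddTHH:mm:ss')
        }
    } | ConvertTo-Json -Depth 4
}

# Constructed inputs: a feed release date, a 7-day Beta ring deferral, a 3-day CRITICAL deadline.
$deadline = Get-InstallDeadline -ReleaseDate '2025-04-16T00:00:00Z' -DeferralDays 7 -DeadlineDays 3
if ($deadline) {
    New-UpdatePlanBody -DeviceId 42 -UpdateAction 'DOWNLOAD_INSTALL_SCHEDULE' -VersionType 'SPECIFIC_VERSION' `
        -SpecificVersion '15.4.1' -DeadlineUtc $deadline
}
```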
One response to “Automating Apple OS DDM Software Updates in Jamf Pro Using Azure Runbooks”