Fortunately, it’s also possible to configure additional sources of patch definitions, either local or from third parties. JAMF (the company behind JAMF Pro) offers a web service with a basic set of titles, but of course, that doesn’t cover all our core applications. The first thing the system needs is the so-called definition of the title, including dates, versions, OS requirements, etc. The Mac Management Platform in use in Zalando, called JAMF Pro, provides Patch Management functionalities that are great at detecting the patch level of devices and deploying the appropriate versions; however, getting this functionality to work properly has the following requirements.

- Automate, as much as possible, all these tasks.
- Keep detailed information about the patch levels of key applications.
- Test them and then deploy to our users as soon as possible after their release.
- Procure patches and updates in a proactive way.

The report and the patch were not a challenge in themselves - this was already part of what we were doing with core applications such as Google Chrome, or Chat - but the process was nothing more than a set of manual and repetitive chores that could be streamlined. However, in July 2019, when a vulnerability was discovered in Zoom (long before becoming the mainstream video conference app during the COVID-19 pandemic), Information Security requested the immediate deployment of the latest patch to every device that had the app installed and a report of the progress of this task. If the window is closed, the countdown still runs.

At the time of this writing, we have a universe of Mac applications - that are identified and version-inventoried - within the fleet of a little over 3,000 Mac devices in Zalando, from which a subset - selected either by their importance, frequency of updates or size of the install base - are part of a so-called software lifecycle.
Once they run out of days/postpones, they will see a different pop up stating that the updates will be installed, which gives them a countdown of 15 minutes to save their work. The pop up also tells them they can update any time from the Apple Menu > System Prefs > System Update. They can either postpone the update up to 5 times (which works out to 5 days as the policy runs every day), or choose Update - which opens the System Update pref pane. For updates that require a reboot, the user will see a pop up that tells them they have important OS updates to install. If the pending updates do not require a reboot, they are installed in the background. These policies are simply scoped to All Managed Computers.

The Self Service policies are all set up to leverage Installomator to grab the latest version. If they postpone, the policy will run again the next day.

For policies using AutoPKG, the updates are done with the log in trigger, so the install is done when the software is not running.

Folks can also use Self Service to install the latest versions of these apps as well. Here they can either postpone, or Quit and Update. If the app is running, they get a pop up window stating ‘App Name’ needs to be updated. The user gets a Notification Centre pop up that the software has been updated.

- Scope > Smart group ‘Pending Apple Updates’

For policies that use Installomator, if the app is not running it is updated in the background.

- Payload > Script ‘AppleSoftwareUpdate.sh’ configured to allow 5 postponements.
- Scope > Smart group ‘App name - Out of Date’.
- AutoPKG in use > Install Package payload > Latest PKG automatically imported via JSS Importer.
- Installomator in use > Script Payload > Installomator > Parameter 4 set as the app label.
- Trigger - Check In (Installomator) or Login (AutoPKG).
- Policies - ‘App name - Scripted Update PUSH’ or ‘App name - AutoPKG Update PUSH’ denotes what method the app is being updated by, and that it is being pushed out.
This needs to be manually managed, but it’s pretty easy with Jamf and email notifications for new versions of software. Annoyingly, Jamf does not allow you to use ‘Latest Version’ as the value (it can only be used by Jamf Patch Management policies), so we just select the latest version number as the value.

Smart Groups - we use the Patch Management Software Title attribute to build smart groups for ‘App Name - Out of Date’. We use this just to gather data on installed versions.

Patch Management - we have all of our apps added to Jamf Patch Management, using Community Patch for any apps that are not provided by Jamf.