Versions Compared

Old Version 4

changes.mady.by.user Don Loflin

Saved on

compared with

New Version 5

changes.mady.by.user Don Loflin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

SUPER aka S.U.P.E.R.M.A.N is a script for fully-automating macOS updates. It provides uses IBM Notifier 3.x (which it auto-installs) to provide customizable popup notices similar to like Nudge, and automates the macOS update procedure similar to using Nudge with NudgeHelper.
 

 
 
SUPER has some advantages over Nudge+NudgeHelper - for instance, the user never sees the macOS Updates dialog, and , by default it is configured so that once they've entered their password oncefor updating one time, they won't have to enter it again.  
 
It has some disadvantages as well - for instance, it's not possible to have SUPER only come up if macOS is not a specific minor version, unlike Nudge.  If a new minor version of macOS is released, SUPER will detect it and prompt for updates.

SUPER can limit updates to the major version number (ie 13) but not a specific minor version (ie 13.2.1).  S
 
 be configured with different types of deadlines for installing updates:

  • Date deferral - the user may defer updates until the date is reached
  • Days deferral - the user may defer updates for N days
  • Count deferral - the user may defer N times, no matter how many days that takes 

It minimizes user downtime by downloading and preparing macOS updates before prompting the user to update.

When it first prompts it will look like this:
 
Image Added
 
(If the deadline is close, the "Defer" time will be the time until the deadline, otherwise it will be the number of minutes configured in the "Default Deferral Timer" option)
 
 
If you click on Restart, on an Apple Silicon Mac you'll get the user auth dialog:
 
Image Added
 
NOTE: the password will get saved in the user's keychain - next time the Mac needs updates, the user will not be prompted!
 
 
IF you enter the wrong password twice it will abort, and you'll get the error dialog:
 
Image Added
 
 
Once you've entered your password (or immediately on an Intel Mac) you'll see the restart message:
 
Image Added


...


For testing SUPER you will need several configuration profiles in your site (where "SITE" below should be your sitename, e.g ENGR, MECH, COFA, etc)
 

...

 
You should create a smart group for your test systems:
 
SITE - SUPER macos update targets
 
Create two polices to add the 'accessory' files to be displayed, and to run SUPER itself:
 
SITE - Add SUPER Accessory Files

  • This uses script ENGR GLOBAL - Add Accessory HTML for SUPER which takes 2 parameters for the HTML to use for the 'macosupdate' and 'macosuserauth' accessory displays used by SUPER
  • Give it a custom trigger such as SITE-add-super-files

SITE - Run SUPER for macos updates

  • This used uses script ENGR GLOBAL - SUPER v4 macOS UpdatesUpdates which is SUPER v4.0.3 from https://github.com/Macjutsu/super
  • Scope both polices to your SITE - SUPER macos update targets group
  • Add a custom trigger SITE-run-super

 
Create a policy to remote remove both Nudge & NudgeHelper from your target systems:
 
SITE - Remove Nudge & NudgeHelper

  • Scope this to your SITE - SUPER macos update targets group
  • Add a custom trigger SITE-remove-nudge-for-super 


To switch a Mac to SUPER for macOS updates, create a policy using the script "GLOBAL - Run Policy Triggers" 

SITE -  Switch to SUPER for MacOS Updates

  • This will run SITE-remove-nudge-for-super, SITE-add-super-files, and SITE-add-super
  • Scope it your SITE - SUPER macos update targets group


 
To start testing,

  1. Add your SITE - SUPER macos update targets group to your SITE - Exceptions - Nudge group - to ensure they don't also run Nudge.
    • If you don't have such a group, ask EPM to create it - OR, set the Exception - Nudge EA for each computer.
  2. Set your SITE - Remove Nudge & NudgeHelper policy to Enabled, Run Once Per ComputerOngoing (do not set Recurring Check-in)
  3. Set your SITE - Add SUPER Accessory Files policy to Enabled, Run Once Per ComputerOngoing (do not set Recurring Check-in)
  4. Set your SITE - Run SUPER for macOS updates policies to Enabled, Recurring Check-in, Run Once Per WeekWait for
  5. SUPER to open - or run Set your SITE - Switch to SUPER for MacOS Updates policy to Enabled, Recurring Check-in, Run Once Per Computer
  6. Run "sudo jamf policy" if you want to kick things off or just wait for the policies to run.

 
 
Once the polices run, Nudge & NudgeHelper will be removed, then SUPER will be installed, and the dialog accessory html files used by SUPER will be copied to /usr/local/epm
 
After the policies have run, you can wait for SUPER to prompt, or run "sudo super" in Terminal to have it come up. You could also change your "SITE - Run SUPER for macos updates" policy to be available from Self Service and run it that waySUPER might take a while before it prompts - it will check for any minor updates and pre-download them before it prompts.
 
SUPER auto-installs a LaunchDaemon to run itself at the interval you specify in the configuration file - running the policy weekly just ensures that it gets reinstalled if the user removes it - or if a new version of SUPER is uploaded to Jamf (script ENGR - SUPER v4 macOS Updates)
 
When it first prompts it will look like this:
 
Image Removed
 
(If the deadline is close, the "Defer" time will be the time until the deadline)
 
 
If you click on Restart, on an Apple Silicon Mac you'll get the user auth dialog:
 
Image Removed
 
NOTE: the password will get saved in the user's keychain - next time the Mac needs updates, the user will not be prompted!
 
 
You can enter the wrong password twice to abort if you want to keep testing, and you'll get the error dialog:
 
Image Removed
 
 
Once you've entered your password (or immediately on an Intel Mac) you'll see the restart message:
 
Image Removed
 
 

...


The Configuration Profile for SUPER has a schema loaded to make it pretty easy to adjust settings:
 

 
 
You will need to Add Properties if you want to try a count-deferral or date-deferral instead of a number-of-days-deferral.
 
There may still be some options that need to be added to the schema - if you find one missing let me know. I've extended it already quite a bit & plan to submit it to the SUPER github.
 
It's also possible to turn off updates, or set a "Zero Date" for the # days, if you want it to happen sooner, or want to put off updates for a long time.
 
That may be important, e.g in the case of updates that turn out to break things. Because of that possibility it will be best to create separate config profiles for each major MacOS version, like we do with Nudge - so we can turn off the particular version's upgrades if needed.