Using patch title policies + installers for different architectures

Two patch title policies to rule one app...

Here's a fun one. Let's say you have an application you need to patch in your environment (likely more than one, but stick with me here) and the vendor supplies two installer packages for its app depending on what architecture the device is running. So instead of having one universal build app and installer you can deploy to your entire fleet you have to find a way to deploy two and maintain two patch cycles for one app.

Let's also say you use patch title policies to patch apps like the hypothetical one above. As things currently stand a patch title definition list is one-for-one, meaning each version definition only supports one installer package. You manage a fleet of a few thousand devices with a split of Macs with Apple silicon and Intel-based Mac computers, and you need to patch the app on both types of macOS computers. Maybe that app is, I don't know, GitHub Desktop.

GitHub Desktop patch title in Jamf Pro, with definitions.

Each definition can only have one package associated with it, so you have to decide:

  • Should I pick one architecture to patch and leave the rest untouched?
  • Do I come up with multiple patching processes depending on architecture?
  • Should I build a custom meta package that includes each build and a way to determine which one to install on the target computers?
  • What about a way to make a second patch title in Jamf Pro so each architecture has its own deployment?

As it turns out, if you have access to a Title Editor instance (check the link for requirements) there's an easy way to copy/subscribe to a Jamf-provided patch title in the Title Editor service to make yourself an easy-to-use (and automatically updated) duplicate patch title. With two patch titles you can then make a patch title for Macs with Apple silicon and Intel-based Mac computers.

The rundown is: add one patch title direct from the Jamf definitions, then add a second that is a subscription of the same patch title but added to your Title Editor instance. Make one patch title with a scope for Macs on Apple silicon, and the other patch title with a scope for Intel-based Mac computers. You'll still need to add a package to the definitions in each patch title, but you'll at least have a consistent way to patch both architectures without writing out a bespoke package, artisanal script/policy, or some other thing that will just create tech debt for you later.

Before I start I'll make sure I have two smart groups in Jamf Pro, one for each architecture. If these groups don't already exist, make one with the criteria of Architecture Type | is | arm64 for Macs with Apple silicon and Architecture Type | is | amd64 for Intel-based Mac computers.

Smart group for arm64/Macs with Apple silicon.

Smart group for amd64/Intel-based Mac computers.

Make sure the Title Editor you want to use for the secondary subscription is configured in Settings : Computer Management > Patch Management.

Adding a Title Editor server to Patch management settings in Jamf Pro.

With those groups defined, the patch titles can now be scoped appropriately based on architecture. To create the first patch title, navigate to the Patch Management page of a Jamf Pro server and click the + New button. From there, find the title you want to set up (in this example, Postman). Click the + button to add the patch title to the server.

Postman patch title from the Jamf patch title service.

Click Edit and change the Display Name in Software Title Settings to something like Postman [Apple silicon] (or whatever will help you tell at a glance which architecture the patch title is configured for). Under Definition add the package for the architecture you want in scope of this particular patch title policy (in this example, a package built for arm64/Macs with Apple silicon).

Adding a package to a definition in a patch title.

Once those pieces are in place click Save, then create your patch policy by clicking the + New button on the Patch Policies tab.

You can configure your policy in a way that best fits your organization's requirements. In this example we'll publish the update in Self Service and scope it to our arm64 smart group.

Adding a new patch title for Postman using the definition just created.

Note that the patch policy scoping will automatically calculate what computers need the patch within the group you select, so the general smart group we made based on architecture type will automatically limit the deployment to only computers that need the update.

Patch policy scope set to the arm64 architecture smart group configured above.

Set the User Interaction (notification) settings to whatever you need (no screenshot for that here). Don't miss the Deadline and Grace Period settings at the bottom of this page if you have SLAs to maintain.

Now to rinse and repeat, but with another copy of the Postman patch title configured in a Title Editor instance. So pop over to your Title Editor, sign in, and click the New button. In the menu that appears select Subscribe.

Adding a new patch title in Title Editor.

Search the Global Patch Feed for the app you want to add (our example, Postman) and check the box to add the subscription to that title to the Title Editor.

Enabling a subscription to a Global Patch Feed patch title in Title Editor.

Head back to Jamf Pro : Computers > Patch Management and click the + New button again. You should now be able to filter and find the same app in a new patch title from the Global Patch Feed that was just added to Title Editor.

A second Postman patch title in the Title Editor server, listed in Jamf Pro.

Add this second patch title for the app to your list. Set this one up comparably to the first patch title, but change the name and scope for (in this instance) Intel-based Mac computers. Once you do you'll see two entries in your patch title list for the app, and the source will show that one is from the built-in Global Patch Feed and the other is a subscription to the Global Patch Feed in Title Editor.

Two patch titles for the same app, with naming and scoping based on architecture.

It's a bit Spider-Man pointing, but it works! This does require maintaining the definitions for each patch title, but chances are you are doing something along those lines anyway. Or maybe you're not and you're pretending Intel-based Mac computers are no longer in your fleet. But maybe you shouldn't?
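Since both titles now need their definitions kept in step, here is a small audit script for that caveat. It is an added example, not code from the original post or from Jamf; the input shape is an assumption modelled on the Classic API's GET /JSSResource/patchsoftwaretitles/id/{id} JSON, and the sample data is constructed. It reports any version that has a package in one architecture's title but not in the other.

```python
"""Audit two Jamf Pro patch titles for the same app (one per architecture)
and report versions whose package is missing from one of the titles.

Added example, not from the original post. The input shape is an assumption
modelled on the Classic API's GET /JSSResource/patchsoftwaretitles/id/{id}
JSON ("patch_software_title" with a "versions" list); the data is constructed.
"""
from typing import Dict, List

# Constructed sample: the Apple silicon title has packages for 10.21.0 and
# 10.20.0; the Intel title is one release behind (no package for 10.21.0).
SAMPLE_TITLES = [
    {"patch_software_title": {"name": "Postman [Apple silicon]", "versions": [
        {"software_version": "10.21.0", "package": {"id": 41, "name": "Postman-10.21.0-arm64.pkg"}},
        {"software_version": "10.20.0", "package": {"id": 37, "name": "Postman-10.20.0-arm64.pkg"}},
        {"software_version": "10.19.0", "package": {}},
    ]}},
    {"patch_software_title": {"name": "Postman [Intel]", "versions": [
        {"software_version": "10.21.0", "package": {}},
        {"software_version": "10.20.0", "package": {"id": 38, "name": "Postman-10.20.0-x86_64.pkg"}},
        {"software_version": "10.19.0", "package": {}},
    ]}},
]


def packaged_versions(title: dict) -> Dict[str, str]:
    """Map software_version -> package name for definitions that have a package."""
    out: Dict[str, str] = {}
    for v in title["patch_software_title"]["versions"]:
        pkg = v.get("package") or {}          # an empty dict means "no package yet"
        if pkg.get("name"):
            out[v["software_version"]] = pkg["name"]
    return out


def find_drift(titles: List[dict]) -> Dict[str, List[str]]:
    """Return {version: [titles lacking a package]} for every version that is
    packaged in at least one title but not in all of them. Versions with no
    package anywhere are old releases nobody deploys, so they are ignored."""
    packaged = {t["patch_software_title"]["name"]: packaged_versions(t) for t in titles}
    every_version = set().union(*packaged.values())
    drift: Dict[str, List[str]] = {}
    for ver in sorted(every_version, reverse=True):   # string sort; fine for a report
        missing = [name for name, pv in packaged.items() if ver not in pv]
        if missing:
            drift[ver] = missing
    return drift


if __name__ == "__main__":
    for ver, names in find_drift(SAMPLE_TITLES).items():
        print(f"{ver}: no package in {', '.join(names)}")
```

Point the script at the JSON of your two real titles (for example, fetched with curl and an API token) and an empty result means the architectures are in step.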

Anyway, I hope someone finds this helpful! And then someday when everything is universal build or Intel-based Mac computers are entirely phased out we won't have as much to worry about. But until then intrepid Mac admins… good luck and have fun.
