Set & Forget managed software updates blueprints now available in Jamf Pro

A look at managed software update blueprint enhancements in Jamf Pro.

Now that "set and forget" managed software updates blueprints are available in Jamf Pro, I thought I'd throw something together to show what it looks like and discuss some of the high-level logic behind how the calculations and deployments happen once configured.

Previously, the Software Updates blueprint contained specific date and time targets for enforcing software updates, and required a specific Target OS version to apply to the device or computer.

With the new "set and forget" managed software update feature a new "Enforcement type" toggle appears. The toggle has two options:

  • Latest OS version 🆕
  • Specific OS version and time

Specific OS version and time contains the previous configuration options shown above, where an admin can select a target date and time to enforce and apply a software update. Latest OS version is the new option, shown below, that sets up deadlines on a rolling cadence based on days after release and a set time to enforce after the deferral period expires.

With this new option admins can set an ongoing enforcement model with a specific number of days and a time of day to enforce the update at the end of the deadline. This is a convenient alternative to manually updating and redeploying the blueprint for each target OS version.

Because some organizations will require more granular controls, the option to set a target OS version and specific date is still available in the Specific OS version and time toggle.

Watch the Jamf Pro Blueprints Release Notes page on the Jamf Learning Hub to stay informed of new Blueprint and related functionality in Jamf Pro.

How the logic works behind this new feature

I'll keep this very high level, but here is what I know about how this feature works at the time of release.

The current iteration of this feature uses LATEST_ANY for determining the target OS version for a given computer or device.

Eligible OS versions per model type are sourced from Apple’s GDMF service. Once a new version is released and the feed is updated it takes approximately four hours for the management server (Jamf Pro in this example) to calculate and re/deploy the declaration for the new deadline.

The deadline logic based on the release date and model eligibility in Apple's software update feed works something like this:

enforcement_date = $PostingDate + blueprint_configured_delay

If a computer or device receives a deadline declaration after the number of days specified for the deadline has already passed, based on the above logic, that update will be enforced immediately: on the day the declaration is delivered, at the time specified in the blueprint.

If a new version of an OS is released before the arrival of a previous deadline the management service (Jamf Pro in this example) will recalculate and redeploy the new deadline even if the previous one has yet to be enforced.
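
The deadline rules described above, worked through as an added Python example (not Jamf Pro's own code). The feed entries are constructed, and the field names other than PostingDate, the function names, and the "newest version that lists the model" stand-in for LATEST_ANY are assumptions made for illustration.

```python
from datetime import date, datetime, time, timedelta

# Constructed sample shaped like software update feed entries; the versions,
# dates and model identifiers are made up for this example.
SAMPLE_FEED = [
    {"ProductVersion": "15.1", "PostingDate": "2025-03-03",
     "SupportedDevices": ["Mac15,3", "Mac14,2"]},
    {"ProductVersion": "15.2", "PostingDate": "2025-03-10",
     "SupportedDevices": ["Mac15,3"]},
]


def version_key(version):
    """Turn '15.10' into (15, 10) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def latest_for_model(feed, model):
    """Assumed stand-in for LATEST_ANY: newest release that lists this model."""
    eligible = [r for r in feed if model in r["SupportedDevices"]]
    if not eligible:
        return None
    return max(eligible, key=lambda r: version_key(r["ProductVersion"]))


def enforcement_deadline(release, delay_days, enforce_at, delivered_on):
    """enforcement_date = PostingDate + configured delay.

    If that day has already passed when the declaration is delivered, the
    update is enforced on the delivery day at the configured time instead.
    """
    posting = date.fromisoformat(release["PostingDate"])
    target_day = max(posting + timedelta(days=delay_days), delivered_on)
    return datetime.combine(target_day, enforce_at)


def plan(feed, model, delay_days, enforce_at, delivered_on):
    """Return the target version and deadline, or None if nothing is eligible."""
    release = latest_for_model(feed, model)
    if release is None:
        return None  # no eligible update, so no declaration to deploy
    when = enforcement_deadline(release, delay_days, enforce_at, delivered_on)
    return {"version": release["ProductVersion"], "deadline": when.isoformat()}


if __name__ == "__main__":
    # 15.2 is posted before the 15.1 deadline arrives, so the deadline is recalculated.
    print(plan(SAMPLE_FEED[:1], "Mac15,3", 14, time(18, 0), date(2025, 3, 4)))
    print(plan(SAMPLE_FEED, "Mac15,3", 14, time(18, 0), date(2025, 3, 10)))
    # Declaration delivered after the delay has already elapsed.
    print(plan(SAMPLE_FEED, "Mac14,2", 14, time(18, 0), date(2025, 4, 1)))
```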

User experience & notification frequency

On a computer in scope of a managed software update declaration the details of the required OS version and deadline are visible by navigating to System Settings > Device Management > MDM Profile and checking the Device Declarations.

It's helpful to note that the computer will only show a declaration for a required software update when the device is eligible for an update and has yet to reach the deadline or install the required update. Once the computer has updated and is no longer eligible for an update the declaration will clear from the management settings. The next time Apple releases an update Jamf Pro will calculate the new requirements and deploy a new required software update declaration with the new deadline.

Once the OS update is staged on the computer notifications will appear in Notification Center.


Depending on the set deadline in the blueprint settings the frequency of notifications may vary. Apple has this documented in the Apple Platform Deployment guide.

Source: Apple

Hovering over the notification will display an Options button where the end user can decide to Install (now) or Install Tonight.


Simply clicking on the notification will pull up System Settings to the Software Update pane where more details about the required update and the deadline are visible.


The Organization Help URL is defined in the Details URL field in the blueprint.

iOS has a comparable flow but the notifications look slightly different.

Resources

🔗 Use declarative device management to manage Apple devices
🔗 Jamf Pro Blueprints Release Notes
🔗 Blueprint Builder
🔗 Blueprints Management
