Software Updates, Part 3 - Remediation
There are a lot of different approaches you can take to remediating software update availability errors on your fleet, and many tools at your disposal.
Now that we've spent all this time and energy collecting information about the software update status of your Macs, it's time to decide what to do about it. There are a lot of different approaches you can take, and a lot of tools at your disposal.
First, should you find your devices in a state where the Software Update preference pane is misbehaving or your devices aren't detecting the newest available patches, we must start by getting the softwareupdate binary behaving again.
Don't forget that you can press Command-R while the Software Update preference pane is loaded to refresh its status - sometimes that's enough. This is also a fun tip for users to encourage dabbling in self-remediation.
There seem to be a million reasons why the softwareupdate binary/service can become unresponsive or stop delivering good results. Consider setting parts of this script to run on a regular basis as a recurring maintenance item and/or making the whole thing available to your users via Self Service. One quick note - Apple has recommended against running the kickstart command excessively, as it can cause problems during a reboot following a software update, so tread carefully:
As is tradition, for best results you should prompt the user to reboot before checking again. You can communicate this to the users in your documentation or via a popup when the script is run. Many users with older Macs may have reservations about rebooting regularly - best to break that taboo and build a culture where "turn it off and back on again" is the first thing folks do before reaching out for assistance.
Reset the receipts log
If the kickstart doesn't work, we've seen some positive results from flushing the receipts log. Given the valuable information in this file, we've opted to keep this remediation step separate from the recurring maintenance version of the kickstart. To play it safe, instead of removing the file, we can just rename it - this will create a new log file for the future, but you can still retain the previous information for forensic purposes:
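Both remediation steps above, the kickstart that should not run too often and the rename that keeps the old log, are shown here as an added example rather than the original post's script. The stamp-file path, the one-day interval and the function names are assumptions, the launchd target `system/com.apple.softwareupdated` does not come from this page, and the log path is passed in as an argument rather than assumed.

```shell
#!/bin/bash
# Added example, not the original post's script. Run as root on macOS.
# Assumed values: stamp path, interval, function names (all hypothetical).
STAMP="${STAMP:-/var/db/.swu_kickstart_last}"   # root-owned dir, not /tmp
MIN_INTERVAL="${MIN_INTERVAL:-86400}"           # at most one kickstart a day
# launchd service target of the software update daemon; overridable for testing
KICKSTART_CMD="${KICKSTART_CMD:-launchctl kickstart -k system/com.apple.softwareupdated}"

# Restart softwareupdated unless that already happened within MIN_INTERVAL
# seconds. Returns 0 = kickstarted, 2 = skipped (too soon), 1 = command failed.
guarded_kickstart() {
  local now last
  now=$(date +%s)
  last=$(cat "$STAMP" 2>/dev/null || echo 0)
  case "$last" in ''|*[!0-9]*) last=0 ;; esac   # ignore a corrupt stamp
  if [ $((now - last)) -lt "$MIN_INTERVAL" ]; then
    echo "kickstart skipped: last run $((now - last))s ago" >&2
    return 2
  fi
  $KICKSTART_CMD || return 1
  echo "$now" > "$STAMP"
}

# Rename a log instead of deleting it so the old entries stay available for
# forensics. Prints the new name; returns 1 if nothing was renamed.
preserve_and_reset_log() {
  local log="$1" kept
  if [ ! -f "$log" ]; then
    echo "no such file: $log" >&2
    return 1
  fi
  kept="${log}.$(date +%Y%m%d-%H%M%S).bak"
  if [ -e "$kept" ]; then                       # never overwrite evidence
    echo "refusing to overwrite $kept" >&2
    return 1
  fi
  mv "$log" "$kept" || return 1
  echo "$kept"
}

# Usage (path is a placeholder; pass the log file you intend to reset):
#   guarded_kickstart && softwareupdate -l
#   preserve_and_reset_log /path/to/receipts.log
```

The stamp file lives in a root-owned directory so that an unprivileged user cannot pre-create it as a symlink or reset the rate limit.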
MDM Software Update Management
The above remediation steps tend to have a decent success rate for getting your users' Macs in a place where they can run the update themselves. You can always leverage your MDM platform's capabilities to push the software updates out using MDM commands if you'd like to approach the situation in a more proactive fashion. Each platform will have different methods of deploying these (JAMF, Addigy, Kandji), but the restrictions/limitations are the same:
- Devices must be supervised via ADE, or...
- Manually-enrolled devices must have Boot Security set to "Reduced", with the checkbox "Allow remote management of kernel extensions and automatic software updates" checked
So long as either of the above is true, your Macs should be able to receive software update MDM commands.
Just serve the full installer
(╯ಠ_ಠ ）╯︵ ┻━┻
If you don't want to get involved with the softwareupdate binary or MDM services at all, you can always go with full installers. By offering the full macOS installer to your users via a Self Service application, you can give them a simple, reliable, one-click method to get the Mac upgraded and done. It may not be sexy, it takes a little longer and requires a certain amount of free space (I usually recommend 50GB to be safe), but you can't argue with simplicity.
If you're reading this, chances are you're familiar with how long software updates have been a problem for Mac administration. All technical tools aside, educating your user base about updates and how to resolve these quandaries should be a top priority. You'll be improving the quality of their time with their devices while minimizing support desk traffic. How you approach this will look different for your company culture, but here are a few places to begin:
- Employee-facing knowledge base articles, including screenshots, gifs, and/or video
- Company-wide email notifications or campaigns (not too frequent)
- Customized notifications via your MDM platform, or something like Nudge
- Webinars or drop-in Zoom meetings where users can connect with technical contacts or other support desk leadership
Never underestimate how good it can feel for users to know they're supported but still be able to fix something themselves. Your users will come from many different backgrounds, and we've all worked with folks who consider themselves "non-technical". Being an ally to them and giving them the resources to start building up their own confidence can be life-changing, as corny as it may sound. Time and energy spent effectively educating your users will be worth it.