/super

S.U.P.E.R.M.A.N. optimizes the macOS software update experience.

Primary LanguageShellApache License 2.0Apache-2.0

S.U.P.E.R.M.A.N.

Software Update Policy Enforcement (with) Recursive Messaging And Notification

S.U.P.E.R.M.A.N. optimizes the macOS software update experience.

by Kevin M. White

Introduction

S.U.P.E.R.M.A.N. (or just super) is an open source script that provides administrators with a comprehensive workflow to encourage and enforce macOS software updates for both Intel and Apple Silicon computers. Deployed via a single script, super creates a background agent (aka LaunchDaemon) that ensures macOS software updates are applied with the least user interference possible. Further, super can also enforce macOS software updates with options for customizable deferrals and deadlines. In other words, super makes the macOS update experience better for both users and administrators alike.

Version 2.x Compatibility

There are so many new features in super 2.x that any existing scripts, Configuration Profiles, or other workflows designed for super 1.x are not compatible with super 2.x. Plese review the change log and sudo super --help!

Features and Options

  • Fully automated (no user authentication required) macOS software update workflow for both Intel and Apple Silicon computers.
  • Customizable software update dialogs and notifications via IBM Notifier.
  • Minimizes user downtime by automatically installing non-restart Apple software updates (Safari, Xcode, etc.) without prompting the user.
  • Minimizes user downtime by automatically downloading and preparing system updates before interrupting the user to restart.
  • Automatic deferral option for user Focus, Do Not Disturb, and screen sleep assertions (presentations, meetings, etc).
  • A variety of enforcement options including maximum deferral counts, maximum deferral days, and date deadlines.
  • Background agent (LaunchDaemon) works independently of management (MDM) service.
  • Automatic installation of all required items and dependencies.
  • Configurable via interactive command line super or MDM managed preference.
  • Substantial validation and logging including both testing and verbose modes.
  • For computers managed via Jamf Pro, automatic inventory and policy check-in as soon as possible after computer restarts.
  • For computers managed via Jamf Pro, option to run policies prior to system update restart.
  • For computers managed via Jamf Pro, option to run policies without Apple software updates and still take advantage of dialogs, notifications, deferrals, and deadline workflows.

Screenshots

Update dialog with multiple deadlines and pop-up deferral choice

Example update dialog

Restart notification

Example restart notification

Requirements

Mac computers with Intel:

Validated on macOS 10.14 and later. Earlier versions of macOS may work, but have not been validated.

Mac computers with Apple Silicon:

Mac computers with Apple Silicon require additional authorization (beyond root privileges) to update automatically without user interaction. Without this additional authorization, S.U.P.E.R.M.A.N. can not enforce macOS software updates on Apple Silicon! This authorization is possible via three methods:

  • An existing local account
  • An automatically created local service account
  • A Jamf Pro API account

macOS Monterey Notification Fix:

On macOS Monterey all super workflows leveraging softwareupdate (the default for Intel, and optional for Apple Silicon) hangs during downloads due to an issue where the softwareupdate process fails to generate a system notification when it's run via a LaunchDaemon. The workaround is to deploy a Configuration Profile that disables the built-in alerts and notifications for softwareupdate via the Bundle ID: _system_center_:com.apple.softwareupdatenotification. This has the dual benefit of also preventing system notification collisions with super generated notifications.

Example Configuration Profile to disable softwareupdate alerts and notifications

Apple Silicon Authorization Requirement Details

Apple Silicon softwareupdate via an existing local account:

  • Any version of macOS for Apple Silicon (macOS 11.0 or later).
  • You must provide credentials for an existing local (standard or admin) user account who already has volume ownership permissions. User accounts created during Setup Assistant that have logged in at least once have volume ownership permissions. For more information see the Apple Platform Deployment guide.
  • The provided credentials are used to authenticate the softwareupdate command.
  • The provided credentials are stored in the System Keychain and can be viewed by other admin users.

Apple Silicon softwareupdate via an automatically created local service account:

  • Any version of macOS for Apple Silicon (macOS 11.0 or later).
  • You must provide credentials for an existing local admin user account who already has volume ownership permissions. User accounts created during Setup Assistant that have logged in at least once have volume ownership permissions. For more information see the Apple Platform Deployment guide.
  • The provided admin credentials are used to automatically generate a new local service account. This service account provides authentication for the softwareupdate command.
  • The creation of the service account triggers a system security dialog unless you also deploy a PPPC Configuration Profile granting "SystemPolicySysAdminFiles" to either com.apple.Terminal or /usr/local/jamf/bin/jamf and com.jamf.management.Jamf.
  • The admin credentials you provide are never saved to disk, but the local service account credentials are stored in the System Keychain and can be viewed by other admin users.
  • The local service account is not an admin and can not log into the Mac, but if FileVault is enabled, this account is visible at startup and can unlock the drive.

Apple Silicon MDM update command via Jamf Pro API:

  • macOS 11.5 or later and Jamf Pro 10.35 or later.
  • Jamf Pro must have the bootstrap token escrowed for the computer. This is the default behavior for Jamf Pro via any enrollment method for Apple Silicon computers.
  • You must provide credentials that can authorize macOS software update MDM commands via the Jamf Pro API.
  • The Jamf Pro API credentials you provide are stored in the System Keychain and can be viewed by other admin users.
  • The default Jamf Pro privileges required for this account are "Jamf Pro Server Objects > Computers > Create & Read" and "Jamf Pro Server Actions > Send Computer Remote Command to Download and Install macOS Update".
  • You can significantly reduce the security risk of this account by removing the "Computers > Read" privilege requirement. However, this requires deploying a custom Configuration Profile for the preference domain com.macjutsu.super containing the following: <key>JamfProID</key> <string>$JSSID</string>

If multiple valid authorization methods are provided, the priority order is as follows: an existing local account, the local service account, and finally the Jamf Pro API credentials.

Installation

Version 2.x Compatibility

There are so many new features in super 2.x that any existing scripts, Configuration Profiles, or other workflows designed for super 1.x are not compatible with super 2.x. Plese review the change log and sudo super --help!

To install and run locally:

  1. Make sure the S.U.P.E.R.M.A.N. script (named just super) has appropriate execute permissions and then run it like any other local management script: sudo /wherever/the/heck/you/downloaded/super --usage
  2. The super script automatically installs itself (and various other accoutrements) anytime it's ran from outside its working folder, which is defaulted to /Library/Management/super.
  3. There's no step three. After self-installation, super automatically restarts itself using your previously specified options. Further, depending on your options, super may create a LaunchDeamon to keep itself running.

To deploy via Jamf Pro:

  1. Create a new Policy adding the super script as-is, you don't need to modify it for most workflows.
  2. If you only want to install super for testing, then use a single script Parameter Value of --usage. Alternately, you can specify multiple super options in the script Parameter Value fields, but only one option per field. Thus, you are limited to a total of 8 options with this method. Consider using a Configuration Profile for setting more options.
  3. There's "basically" no step three (besides running the Policy). When run via Jamf Pro super automatically installs itself (and various other accoutrements) and then restarts itself using the options from the Parameter Values. Further, depending on your options, super may create a LaunchDeamon to keep itself running.

General Usage

Wiki coming soon! No, really! I was just waiting to finalize super 2.x... Until then use: sudo super --help

You can also join the conversation at the Mac Admins Foundation Slack in channel super.