🔒 Patreon Special

IT Pros: exclusive shows await you on Patreon, focusing on the more challenging aspects of running your practice and working with clients and employees.

548: Interview With Chad Swarthout and Ryan Ball of Alectrona - Patch Management

/

Thank you to our VIP sponsors!

Topics:

-We are pleased to welcome back Chad Swarthout, founder & CEO of Alectrona. We also have the pleasure of welcoming Ryan Ball, Director of Engineering at Alectrona.

-Chad was on the show back in 2019

-We discuss the road Alectrona has taken since back in 2019.

-Chad had the insight to go fully remote and close his office prior to the pandemic of 2020.

-A majority of their clients have offsite employees as well.

-All of the clients Alectrona has taken on since the pandemic have been all over the country.

-Jerry wants to know more about how they acquire clients outside of their local area.

-They tend to try and meet with customers on a regular basis to keep in contact and be aware of what needs changes.

-Chad talks about how they found a need for patch management in many of their Jamf engagements.

-From there, Alectrona Patch was born

-Ryan gets into the details of how Alectrona Patch works, mainly by the use of a configuration profile.

-Multiple times a day, they system polls for product updates to have them ready for update deployment.

-They account for a variety of installer formats like DMGs, PKGs, and zip files.

-Alectrona Patch is meant to by deployed via MDM.

-Learn more at https://www.alectrona.com/patch

-Alectrona Patch is on a monthly consumption model. $2.50/Mac per month up to 199 Mac computers. For larger needs, reach out to their team for pricing.

-Monthly pricing is based on how many unique devices are reaching out to their content server.

-Ryan & Chad talks about the back end details of how the tool works.

-Joe wants to know if Dolly Drive is supported.

-Another tool that Alectrona offers is called Migrator

-Migration Assistant has caused issues in business environments so the Alectrona team wanted to create a replacement for offsite users to seamlessly migrate to a new computer.

-This also sped up the return rate for previous computers.

-Jerry wants to know about white labeling, which the Alectrona products can support.

-You can reach out to the team about Alectrona Patch by visiting their MacAdmins Slack channel.

Thank you to our Patron sponsors!

Configure Down Alerts for UniFi networks

/

UniFi has become an industry standard network platform and a popular choice among Apple Consultants. Surely you’ve heard us discuss our UniFi experiences on the podcast. In fact, we discussed the topic of down alerts for UniFi networks on episode #538: Welcome All Pings.

Why is this necessary?

UniFi offers solid options for built-in push notifications delivered to your mobile device or email, including for important events like when your network switches to backup internet or backup power, hits an LTE Data Limit, or detects a rogue client or access point for example.

But one very obvious omission is the ability to alert an admin when the network goes down. This prompts an equally obvious question: how is the network supposed to alert you when it’s down – when it’s down? That’s a fair question for a locally-hosted controller, but with Remote Access enabled, this shouldn’t be an issue since the UniFi controller shows in the UniFi Site Manager at unifi.ui.com. In fact, the Site Manager will indicate if a network is down and when last reported online. So why doesn’t it have an option to alert the admin?

In this post, I’ll provide instructions on how to configure down alerts to be sent by push notification and/or email when your UniFi network goes offline, using NameCheap for Dynamic DNS and UptimeRobot for monitoring.

Read on for the full instructions…

Read More

546: No Thyme for Reindeer Games

/

-Command Control Power has created an anonymous rates and plans survey. You can also learn more at our MacAdmins Slack channel. This will be a great way to better understand where your current rates, plans, and software stack stand in comparison with your fellow consultants. The survey can be filled out anonymously by anyone, regardless of Patreon status. We will discuss the results of this survey on an upcoming Patreon show. However, if you decide to participate in the survey, you can provide a contact email to receive results as well. We look forward to hearing from you!

Topics:

-Sam received an unprompted positive email from a customer.

-Jerry talks about a recent client loss.

-Joe is growing tired of clients that don’t engage on a regular basis and then need immediate help.

-Legacy clients that have personal contact information is still a danger zone. We need to learn to set boundaries.

-AirTags are on sale for the holidays.

-Joe recommends the KeySmart Smart Card as an AirTag alternative.

-He has also been dealing with bad or faulty ThunderBolt cables.

-We talk Instagram hacks and security processes of Meta

-Jerry has a client with an internal IT department that was a little too eager about Apple security updates that were not relevant to them.

-Dealing with the latest model specific macOS updates is a challenge with tools like Nudge.

Scheduled macOS software updates using MDM with good user communication

/

Skip to the end if you want to see the Instructions and Code…

Background

Apple’s Startup Disk security policy control for a Mac with Apple silicon article states that “remote management of […] automatic software updates” requires setting Security Policy to Reduced Security in Startup Security Utility using recoveryOS.

Addigy’s System Updates via MDM and DDM article explicitly states that Apple Silicon Macs require either ADE or Reduced Security Mode to allow System Updates via MDM or DDM.

Therefore, I haven’t relied on System Updates via MDM and DDM because most of my client Macs are user-enrolled (non-ADE), and I don’t want to walk individual users through booting to Recovery mode – which would be onerous at scale. And asking users to choose an option clearly labeled “Reduced Security” would prompt a nuanced discussion with certain clients about why we’re asking them to “reduce” their security when in fact our intention is to increase their security.

However, in my experience, MDM software updates seem to work fine – even for Macs that were not enrolled using ADE, and where you don’t need to have the client reboot into Recovery mode and change to Reduced Security.

The old method

I recently decided to learn more about System Updates via MDM and thoroughly test these workflows since my usual method relying on Nudge and the openToMoreInfo GUI scripting AppleScript app stopped working reliably. The first issue is that Nudge relies on the user navigating the Software Update window, skipping past the Sonoma Upgrade to find the “More Info” button under “Other updates available” subheading, then clicking Install Now, and Agree. Too many steps!

openToMoreInfo solved this fairly elegantly for awhile, but in Ventura and Sonoma, Apple made a change to the underlying GUI elements making the More Info “button” into a static text element which doesn’t respond to a GUI scripting “click” command, and appears to be specifically blocked from any kind of “synthetic click”. So we’re back to only being able to provide guidance to the user, telling them where to look and what to click. Not ideal.

That was less of an issue when we were able to defer the major upgrade using an MDM configuration profile. This would hide Sonoma from appearing in Software Update, so the only updates listed would be the minor updates we wanted the user to install. However, the maximum deferral is 90 days – which, based on the Sonoma release date, happens to be Christmas Day.

Since we can’t programmatically guide the user past the tempting Sonoma Upgrade with its pretty icon, and since Nudge inherently relies on using the Software Update window, this began to cause more problems than it solved. We were actively directing users into Software Update, making it more likely that they would begin an upgrade to Sonoma before we were ready to support it.

The new method

The new method leverages scheduled MDM software updates rather than using Nudge to guide the user to the Software Update window and seems to work well despite Apple’s guidance noted above.

I tested this on several user-enrolled (non-ADE) Macs with Full Security, and I was able to successfully push updates via MDM using GoLive > Updates > Download and/or Install:

  • Ventura 13.2 (VM): Updated to 13.6.3.

  • Ventura 13.6.1 (iMac 24-inch M1): Updated to 13.6.3. First prompt was awaiting user confirmation of Restart. Declined first restart prompt as a test, sent Download and/or Install again, saw countdown, let it restart on its own.

I also tested a few using using Policy > Updates > System Updates > Enable macOS Updates > Schedule Updates:

  • Monterey 12.6.3 (VM): Updated to 12.7.2.

  • Monterey 12.7.1 (iMac Retina 4K, 21.5-inch, 2019) – Mac at login window, no user logged in: Updated to 12.7.2.

  • Ventura 13.6.1 (iMac 24-inch M1) - Mac at Lock Screen with user logged in: Updated to 13.6.3.

  • Ventura 13.6.1 (MacBook Pro 13-inch M1) - MacBook Pro with user logged in, lid closed, with power adapter connected: Updated to 13.6.3.

So we have a functional workflow using scheduled macOS software updates via MDM, allowing Macs to update with minimal user interaction.

How to use the new method

Simply enable macOS Updates, set a maximum version, and schedule accordingly. See Addigy’s System Updates via MDM and DDM article for more instruction about how to enable and schedule this method.

User communication

What are some reasons that a Mac could fail to update using this method?

A couple of issues we can foresee would be when a laptop isn’t connected to power during the scheduled update window, or when a Mac doesn’t have enough space available to update.

We can handle those potential issues with good user communication:

Instructions:

  1. Create a Flex Policy, e.g. “macOS Software Updates Tuesday 7pm” and follow Addigy’s guidance to enable Scheduled System Updates via MDM and DDM. Specify a long enough scheduled update window, e.g. 4 hours.

  2. Create a Custom Fact in Addigy > Catalog called “Software Update Needed” of type Boolean. This reports TRUE if the current macOS version is less than the latest macOS update e.g. running 13.6.1 when 13.6.3 is released, and also saves the value (TRUE/FALSE) to a file on the Mac which the Scripts below can reference.

  3. Create a Script in Devices > Scripts > Manage called “Laptop on Battery Update Prompt”. This checks if Software Update Needed, and if so, checks if laptop is on battery, and prompts the user.

  4. Create a Script in Devices > Scripts > Manage called “Low Space Update Prompt”. This checks if Software Update Needed, and if so, checks if free space > 25GB, otherwise prompts the user.

  5. Create a Maintenance Item in Addigy > Catalog called “Update Checks 5pm Tuesday”, include both scripts above, and schedule accordingly.

  6. Add your Software Update Needed Custom Fact and Update Checks 5pm Tuesday Maintenance Item to your “macOS Software Updates Tuesday 7pm” Flex Policy.

  7. Optional: enable Microsoft Office updates scheduled for 5:15pm in the same Flex Policy – might as well prompt the user to quit Office apps if needed.

  8. Assign your Flex Policy to some test Macs, or use auto-assignment to add your Flex Policy to some of your existing test policies. Deploy the policy to ensure the Macs check in and run the Software Update Needed Custom Fact before the Maintenance Item runs your scripts ahead of the scheduled Software Update window. Adjust the schedules accordingly for testing purposes.

Code for Custom Fact & Scripts

Software Update Needed – Custom Fact
Based on work by Ross Matsuda | Sudoade 2023

#!/bin/bash

# by Joe Saponare, CommandControlPower.com: https://commandcontrolpower.com/podcast/2023/12/16/scheduled-macos-software-updates-using-mdm-with-good-user-communication

software_update_needed_file="/Library/Addigy/software_update_needed.txt"

### Define latest macOS versions
# Get list of OS versions
softwareupdatelist="$(curl -m 5 -sfL 'https://gdmf.apple.com/v2/pmv')"
# echo "$softwareupdatelist"

### Truncate list - leaving comments to explain function of each section
macOSonly=${softwareupdatelist#*macOS} #Strip out all content before first mention of "macOS"
  # macOStruncated="$(echo "$macOSonly" | tr , '\n' | grep "ProductVersion")" # Use commas for line breaks, remove all lines other than ProductVersion entries
  # macOStruncated1="$(echo "$macOStruncated" | sed '/iOS/q' | sed '$d')" #Remove all content after macOS versions listed
  # macOStruncated2="$(echo "$macOStruncated1" | awk -FProductVersion '{print $2}')" #Remove extraneous text
  # macOStruncated3="$(echo "$macOStruncated2" | sed 's/"//g' | sed 's/://g')" #Remove extraneous punctuation
speedTruncation="$(echo "$macOSonly" | tr , '\n' | grep "ProductVersion" | sed '/iOS/q' | sed '$d' | awk -FProductVersion '{print $2}' | sed 's/"//g' | sed 's/://g')"
 #echo " speed truncation output: $speedTruncation"

### Version Extractions
latest11="$(echo $speedTruncation | tr ' ' '\n' | grep 11)"
#echo "Big Sur: $latest11"
latest12="$(echo $speedTruncation | tr ' ' '\n' | grep 12)"
#echo "Monterey: $latest12"
latest13="$(echo $speedTruncation | tr ' ' '\n' | grep 13)"
#echo "Ventura: $latest13"
latest14="$(echo $speedTruncation | tr ' ' '\n' | grep 14)"
#echo "Ventura: $latest14"

# Get current OS
currentOS=$(sw_vers -productVersion)
currentOSMajor=$(echo $currentOS | awk -F. '{print $1}') # outputs 10, 11, 12, 13, 14

software_update_needed=""

if [[ $currentOSMajor = 14 ]]; then
  # macOS Sonoma (14) detected
  if [[ $currentOS = $latest14 ]]; then
    software_update_needed="FALSE"
  else
      software_update_needed="TRUE"
  fi
elif [[ $currentOSMajor = 13 ]]; then
  # macOS Ventura (13) detected
  if [[ $currentOS = $latest13 ]]; then
    software_update_needed="FALSE"
  else
      software_update_needed="TRUE"
  fi
elif [[ $currentOSMajor = 12 ]]; then
  # macOS Monterey (12) detected
  if [[ $currentOS = $latest12 ]]; then
    software_update_needed="FALSE"
  else
      software_update_needed="TRUE"
  fi
elif [[ $currentOSMajor = 11 ]]; then
  # macOS Monterey (11) detected
  if [[ $currentOS = $latest11 ]]; then
    software_update_needed="FALSE"
  else
      software_update_needed="TRUE"
  fi
else
  # if the system is not running macOS 11, 12, 13, or 14, then we assume no updates are needed
  software_update_needed="FALSE"
fi

echo $software_update_needed
echo $software_update_needed > $software_update_needed_file
exit 0

Laptop on Battery Update Prompt – Device Script

#!/bin/bash

# by Joe Saponare, CommandControlPower.com: https://commandcontrolpower.com/podcast/2023/12/16/scheduled-macos-software-updates-using-mdm-with-good-user-communication
# Known Limitations: no known limitations
# Requires Custom Fact "Software Update Needed" as noted in link above.

software_update_needed_file="/Library/Addigy/software_update_needed.txt"
software_update_needed=$(cat $software_update_needed_file)

#for testing:
#software_update_needed="TRUE"

[[ $(pmset -g ps|grep "AC Power") ]] && state="AC" || state="BATT"

model=$(sh /Library/Addigy/auditor-facts/scripts/device_model_name)

forefront="True"
title=$"🪫 Please connect to power"
description=$"Your ${model} needs to be connected to power to install scheduled updates.

Please connect your power adapter (charger) and leave your ${model} screen open."

# Get logged in user.
username=$(stat -f %Su /dev/console)

if [[ $software_update_needed == "TRUE" ]]; then
  echo "Software update needed: $software_update_needed."
    
    if [ "$state" == "BATT" ]; then
        echo "$model is on battery."

        if [ "$username" != "root" ]; then
        echo "User $username is logged in. Prompting user."

    if /Library/Addigy/macmanage/MacManage.app/Contents/MacOS/MacManage action=notify title="${title}" description="${description}" forefront="$forefront"; then
    echo "User $username clicked OK."
    exit 0
    fi
        else
        echo "No user is logged in. Unable to display prompt."
        fi
    elif [ "$state" == "AC" ]; then
        echo "$model is on AC power."
    fi
else
    echo "Software update needed: $software_update_needed."
fi

Low Space Update Prompt – Device Script

#!/bin/bash

# by Joe Saponare, CommandControlPower.com: https://commandcontrolpower.com/podcast/2023/12/16/scheduled-macos-software-updates-using-mdm-with-good-user-communication
# Known Limitations: no known limitations
# Requires Custom Fact "Software Update Needed" as noted in link above.

software_update_needed_file="/Library/Addigy/software_update_needed.txt"
software_update_needed=$(cat $software_update_needed_file)

#for testing:
#software_update_needed="TRUE"

model=$(sh /Library/Addigy/auditor-facts/scripts/device_model_name)
free_space=$(sh /Library/Addigy/auditor-facts/scripts/free_disk_space_gb)

#for testing:
#free_space=15

space_needed="30"

forefront="True"
title=$"🔻 Need more space to update"
description=$"Your ${model} needs more space to install scheduled updates.

Please free up at least ${space_needed} GB or contact us for help."

# Get logged in user.
username=$(stat -f %Su /dev/console)

if [[ $software_update_needed == "TRUE" ]]; then
    echo "Software update needed: $software_update_needed."
    if [ "$free_space" -le "$space_needed" ]; then
        echo "$model has $free_space GB which is less than $space_needed GB space needed."

        if [ "$username" != "root" ]; then
            echo "User $username is logged in. Prompting user."
            if /Library/Addigy/macmanage/MacManage.app/Contents/MacOS/MacManage action=notify title="${title}" description="${description}" forefront="$forefront"; then
                echo "User $username clicked OK."
                exit 0
            fi
        else
            echo "No user is logged in. Unable to display prompt."
        fi
    else
        echo "$model has $free_space GB free space. (Minimum $space_needed GB needed.)"
    fi
else
    echo "Software update needed: $software_update_needed."
fi