Closes: #12611

Changes:
- Added three new documentation sections `/docs/get-started/`, `/docs/configuration` and `/docs/rest api/`
- Updated folder names: `/docs/Using-Fleet/` » `/docs/Using Fleet` and `/docs/deploying` » `/docs/deploy/`
- Moved `/docs/using-fleet/process-events.md` to `/articles` and updated the meta tags to change it into a guide.
- Added support for a new meta tag: `navSection`. This meta tag is used to organize pages in the sidebar navigation on fleetdm.com/docs
- Moved `docs/using-fleet/application-security.md` and `docs/using-fleet/security-audits.md` to the security handbook.
- Moved `docs/deploying/load-testing.md` and `docs/deploying/debugging.md` to the engineering handbook.
- Moved the following files/folders:
  - `docs/using-fleet/configuration-files/` » `docs/configuration/configuration-files/`
  - `docs/deploying/configuration.md` » `docs/configuration/fleet-server-configuration.md`
  - `docs/using-fleet/rest-api.md` » `docs/rest-api/rest-api.md`
  - `docs/using-fleet/monitoring-fleet.md` » `docs/deploy/rest-api.md`
- Updated filenames:
  - `docs/using-fleet/permissions.md` » `docs/using-fleet/manage-access.md`
  - `docs/using-fleet/adding-hosts.md` » `docs/using-fleet/enroll-hosts.md`
  - `docs/using-fleet/teams.md` » `docs/using-fleet/segment-hosts.md`
  - `docs/using-fleet/fleet-ctl-agent-updates.md` » `docs/using-fleet/update-agents.md`
  - `docs/using-fleet/chromeos.md` » `docs/using-fleet/enroll-chromebooks.md`
- Updated the generated markdown in `server/fleet/gen_activity_doc.go` and `server/service/osquery_utils/gen_queries_doc.go`
- Updated the navigation sidebar and mobile dropdown links on docs pages to group pages by their `navSection` meta tag.
- Updated fleetdm.com/docs not to show pages in the `docs/contributing/` folder in the sidebar navigation
- Added redirects for docs pages that have moved.

---------

Co-authored-by: Mike Thomas <mthomas@fleetdm.com>
Co-authored-by: Rachael Shaw <r@rachael.wtf>
macOS updates
End user macOS update reminders via Nudge
Available in Fleet Premium
End users can be reminded and encouraged to update macOS (via Nudge).
A Fleet admin can set a minimum version and deadline for Fleet-enrolled hosts. If an end user's machine is below the minimum version, the Nudge window above will periodically appear to encourage them to upgrade. The end user has the option to defer the update, but as the deadline approaches, the Nudge window appears more frequently.
When the end user machine is below the minimum version, Nudge applies the following behavior:
| | > 1 day before deadline | < 1 day before deadline | past deadline |
|---|---|---|---|
| Nudge window frequency | Once a day at 8pm GMT | Once every 2 hours | Immediately on login |
| End user can defer | ✅ | ✅ | ❌ |
| Nudge window is dismissable | ✅ | ✅ | ❌ |
How to set up
To set the macOS updates settings in the UI, visit the Controls section and then select the macOS updates tab.
To set the macOS updates settings via CLI, use the configurations listed here.
Requirements
- Fleet Premium or Ultimate
- Fleetd with Fleet Desktop enabled
End user experience
After the user clicks "update" in the Nudge window, they will be taken to the standard Apple software update screen:
Here, the user would follow Apple's standard two-step process for macOS updates:
- Download the macOS update. This occurs in the background and does not interrupt the end user's work.
- Initiate the update, which does prevent the end user from using the host for a time.
On Intel Macs, Fleet triggers step 1 (downloading the macOS update) programmatically when a new version is available. This way, when the user arrives on the software update screen, they only need to initiate step 2.
On Macs with Apple silicon (e.g. M1), downloading the macOS update may require end user action. Apple doesn't support downloading the update programmatically on Macs with Apple silicon.
Step 2 (installing the update) always requires end user action.
Known issues
Apple Rapid Security Responses (RSRs)
Currently, end user macOS update reminders via Nudge don't support RSR versions (ex. "13.4.1 (a)").
You can use custom MDM commands in Fleet to trigger built-in macOS update reminders for RSRs. Learn how here.
Mac is up to date
Sometimes after the end user clicks "update" on the Nudge window, the end user's Mac will say that macOS is up to date when it isn't. This known issue can create a frustrating experience for the end user. Ask the end user to follow the steps below to troubleshoot:
- From the Apple menu in the top left corner of your screen, select System Settings or System Preferences.
- In the search bar, type "Software Update." Select Software Update.
- Type "Command (⌘)-R" to check for updates. If you see an available update, select Restart Now to update.
- If you still don't see an available update, from the Apple menu in the top left corner of your screen, select Restart... to restart your Mac.
- After your Mac restarts, from the Apple menu in the top left corner of your screen, select System Settings or System Preferences.
- In the search bar, type "Software Update." Select Software Update and select Restart Now to update.
End user macOS update via built-in macOS notifications
Built-in macOS update reminders are available in Fleet Free and Fleet Premium.
To trigger these reminders, we will do the following steps:
- Force a macOS update scan
- List available macOS updates
- Trigger macOS update reminder
Step 1: force a macOS update scan
Use the request payload below when running a custom MDM command with Fleet. Documentation on how to run a custom command is here.
Request payload:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Command</key>
    <dict>
        <key>ForceUpdateScan</key>
        <true/>
        <key>RequestType</key>
        <string>ScheduleOSUpdateScan</string>
    </dict>
</dict>
</plist>
```
Step 2: list available macOS updates
- Run another custom MDM command using the request payload below.
Request payload:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Command</key>
    <dict>
        <key>RequestType</key>
        <string>AvailableOSUpdates</string>
    </dict>
</dict>
</plist>
```
- Copy the `ProductKey` from the command's results. Documentation on how to view a command's results is here.
Example product key: MSU_UPDATE_22F770820d_patch_13.4.1_rsr
Step 3: trigger macOS update reminder
Run another custom MDM command using the request payload below. Replace the product key with your product key.
This payload will trigger the "Install ASAP" behavior, which displays a macOS notification with a 60-second timer before the Mac automatically restarts. The end user can dismiss the timer. To trigger different behavior, update the `InstallAction`. Options are documented by Apple here.
Request payload:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Command</key>
    <dict>
        <key>RequestType</key>
        <string>ScheduleOSUpdate</string>
        <key>Updates</key>
        <array>
            <dict>
                <key>InstallAction</key>
                <string>InstallASAP</string>
                <key>ProductKey</key>
                <string>MSU_UPDATE_22F770820d_patch_13.4.1_rsr</string>
            </dict>
        </array>
    </dict>
</dict>
</plist>
```
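
The three steps above can be scripted so that the step 3 payload is only ever built from a `ProductKey` the host actually reported in step 2. The following is an added example, not part of the Fleet documentation or code: the function names are hypothetical, the sample result is constructed, and its shape (`Status`, an `AvailableOSUpdates` array carrying `ProductKey` and `Version`) and the `InstallAction` values other than `InstallASAP` are assumed from Apple's MDM documentation rather than taken from this page.

```python
import plistlib

# InstallAction values per Apple's ScheduleOSUpdate documentation; only
# InstallASAP appears on this page, the rest are listed from Apple's docs.
INSTALL_ACTIONS = {"Default", "DownloadOnly", "InstallASAP",
                   "NotifyOnly", "InstallLater", "InstallForceRestart"}

def build_command(request_type, **fields):
    """Serialize a custom MDM command as an XML plist (bytes)."""
    command = {"RequestType": request_type, **fields}
    return plistlib.dumps({"Command": command}, fmt=plistlib.FMT_XML)

def product_keys(result_plist):
    """Return {ProductKey: Version} from an AvailableOSUpdates result."""
    result = plistlib.loads(result_plist)
    if result.get("Status") != "Acknowledged":
        raise ValueError("host did not acknowledge AvailableOSUpdates")
    return {u["ProductKey"]: u.get("Version", "")
            for u in result.get("AvailableOSUpdates", [])}

def schedule_update(result_plist, product_key, install_action="InstallASAP"):
    """Build the step 3 payload, refusing keys the host never reported."""
    if install_action not in INSTALL_ACTIONS:
        raise ValueError(f"unknown InstallAction: {install_action!r}")
    if product_key not in product_keys(result_plist):
        raise ValueError(f"{product_key!r} is not in the host's update list")
    update = {"InstallAction": install_action, "ProductKey": product_key}
    return build_command("ScheduleOSUpdate", Updates=[update])

# Constructed sample of a step 2 result (shape assumed, not captured from a host).
SAMPLE_RESULT = plistlib.dumps({
    "Status": "Acknowledged",
    "AvailableOSUpdates": [{
        "ProductKey": "MSU_UPDATE_22F770820d_patch_13.4.1_rsr",
        "Version": "13.4.1",
        "HumanReadableName": "macOS Security Response 13.4.1 (a)",
    }],
})

if __name__ == "__main__":
    print(build_command("ScheduleOSUpdateScan", ForceUpdateScan=True).decode())
    print(build_command("AvailableOSUpdates").decode())
    for key in product_keys(SAMPLE_RESULT):
        print(schedule_update(SAMPLE_RESULT, key).decode())
```

Each function returns the plist bytes to paste in as the request payload of a custom MDM command; a mistyped or stale product key, or an unrecognized `InstallAction`, raises `ValueError` before anything is sent.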