Script: macOS Update Engine

What is the macOS Updates Engine?

The macOS Updates Engine consists of two separate shell script workflows supporting both Major and Minor macOS updates. Both update engines incorporate Mac-friendly open source projects: IBM Notifier, which is used for user-facing notifications and alerts, and Nudge, which is used for final enforcement.

The update scripts are uploaded to the customer's MDM and run via policy on a set daily schedule. The icon assets are also installed by MDM from a .pkg file, and the files it installs are referenced and called from the scripts. Both scripts have settings that can be customized within the script itself for different runtime options and corporate branding.

  1. Minor Update Script:
    Set an automated number of days after a minor "dot" macOS update is released to enforce its installation. A separate Amazon Lambda function checks for the latest macOS versions every hour and saves them to a DynamoDB database. The minor script is stored and run in the customer MDM on a daily schedule as a policy or command for targeted Macs. When the minor script runs, it performs an API call to the Black Glove database to retrieve the latest macOS version numbers and release dates. While running, the minor script performs date calculations and provides a daily countdown notification to the user starting five days out from the set enforcement date. The minor script then initiates full-screen Nudge with configurable settings on or after the enforcement date. The minor script additionally supports an optional enrollment period of a set number of days (intended for new enrollments or refreshed Macs), during which pending macOS updates are not enforced.

  2. Major Update Script:
    Set a future date by which a major macOS release upgrade is enforced. The Major script supports upgrading a Mac to macOS 11 Big Sur, 12 Monterey, 13 Ventura, or 14 Sonoma. The major script is stored and run in the customer MDM on a daily schedule as a policy or command for targeted Macs. The script provides daily countdown notifications and reminders to the user, and initiates full-screen Nudge on or after the enforcement date.

    For older 10.14 and 10.15 Macs, IBM Notifier will be used for final enforcement instead of Nudge. IBM Notifier enforcement is a pop-up that can be closed by the user, but will reappear every 24 hours when the major script runs again. IBM Notifier enforcement has a 30-minute timer countdown until automatic activation. If the optional startosinstall setting is configured, the major upgrade can be initiated automatically and silently. The timer can be reduced to a short time combined with startosinstall to perform enforced automated upgrades.

Super Enforce Feature (Jamf Pro only):

Both the Major and Minor Update Engines also support a feature called Super Enforce, available when the Major and Minor scripts are configured in Jamf Pro with a minimally credentialed Jamf Pro username and password. Super Enforce allows a set number of days, separate from regular enforcement, after which Jamf sends the force update MDM command, which automatically restarts and updates a Mac without user intervention. This feature is recommended for unresponsive users or unattended Macs.

Amazon Lambda Function:

A Python Amazon Lambda function runs every hour and checks the official Apple GDMF page at https://gdmf.apple.com/v2/pmv for new macOS versions. If a newer macOS version is found, it is written to a DynamoDB record that the Minor Engine shell script reads. The three latest macOS release versions are stored and processed.
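The following is an added illustration, not code from the macOS Update Engine itself, of the two calculations the Minor Update Script and the Lambda function perform: reducing the GDMF version feed to the latest release per major version, and deciding on each daily run whether a Mac is compliant, in its enrollment grace period, counting down, or due for Nudge enforcement. The feed is a constructed sample in the shape of the GDMF pmv JSON (only ProductVersion and PostingDate are read), and "three latest releases" is interpreted here as the newest build of each of the three newest major versions; all function names are hypothetical.

```python
from datetime import date, timedelta
# Constructed sample in the shape of Apple's GDMF "pmv" feed (not fetched live);
# only the keys this example reads are included.
SAMPLE_PMV = {
    "PublicAssetSets": {
        "macOS": [
            {"ProductVersion": "14.4.1", "PostingDate": "2024-03-25"},
            {"ProductVersion": "13.6.6", "PostingDate": "2024-03-25"},
            {"ProductVersion": "14.4", "PostingDate": "2024-03-07"},
            {"ProductVersion": "12.7.4", "PostingDate": "2024-03-07"},
        ]
    }
}

def version_key(v):
    # Compare numerically: "14.10" must sort after "14.4", which string order gets wrong
    return tuple(int(p) for p in v.split("."))

def latest_per_major(pmv, majors=3):
    # Lambda side (assumed interpretation): newest build of each of the three newest
    # major versions, keyed by major -> (version, posting date)
    newest = {}
    for r in pmv["PublicAssetSets"]["macOS"]:
        key = version_key(r["ProductVersion"])
        if key[0] not in newest or key > version_key(newest[key[0]]["ProductVersion"]):
            newest[key[0]] = r
    return {m: (newest[m]["ProductVersion"], date.fromisoformat(newest[m]["PostingDate"]))
            for m in sorted(newest, reverse=True)[:majors]}

def minor_update_state(installed, catalog, today, enforce_days,
                       enrolled_on=None, enrollment_days=0, countdown_days=5):
    """One daily run of the minor engine; dates are ISO strings. Returns ("compliant",),
    ("enrollment", days), ("waiting", days), ("countdown", days) or ("enforce", version)."""
    today = date.fromisoformat(today)
    major = version_key(installed)[0]
    if major not in catalog:
        return ("unsupported_major",)      # nothing the minor engine can target
    target, posted = catalog[major]
    if version_key(installed) >= version_key(target):
        return ("compliant",)
    if enrolled_on is not None:            # optional grace period for new enrollments
        enrollment_ends = date.fromisoformat(enrolled_on) + timedelta(days=enrollment_days)
        if today < enrollment_ends:
            return ("enrollment", (enrollment_ends - today).days)
    enforce_on = posted + timedelta(days=enforce_days)
    if today >= enforce_on:
        return ("enforce", target)         # hand off to full-screen Nudge
    days_left = (enforce_on - today).days
    return ("countdown" if days_left <= countdown_days else "waiting", days_left)
```

A Mac on 13.6.5 is measured against 13.6.6, not 14.4.1, since moving between major versions is the Major script's job.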

macOS Update Engine Code Examples:

[screenshots]

macOS Update Engine Minor and Major .plist configuration files, incorporating third-party Nudge settings as well:

[screenshots]

Minor macOS Update Engine enrollment notification upon device deployment:

[screenshots]

Daily countdown notifications:

[screenshots]

Final enforcement with full-screen Nudge:

[screenshot]

Countdown notifications for Major macOS versions begin 30 days before final enforcement:

[screenshots]

Final enforcement for Major macOS Upgrades:

[screenshot]

For macOS versions prior to 11.0 Big Sur, IBM Notifier is used for Final Enforcement with a 30-minute countdown to an automated "startosinstall" command:

[screenshot]

Sample runtime log, stored in MDM:

[screenshot]

Full Confluence technical documentation:

[screenshots]

Composer .pkg composition:

[screenshot]

Simplicity is prerequisite for reliability.

Edsger Dijkstra

Description

A simple and powerful automated macOS Update Engine to ensure a homogeneous and secure macOS fleet.