Macjutsu / super

S.U.P.E.R.M.A.N. optimizes the macOS software update experience.
Apache License 2.0

Super 3.0-b6 Enhancement Request #62

Closed DarthMJH closed 1 year ago

DarthMJH commented 1 year ago

Thank you for the previous update with the deferment typo.

I have a couple more questions

When installing Super via Unix executable script natively in JAMF, we get the error "Startup validation failed", however if we copy the contents locally and run push and install a script from JAMF to run the same super.unix command, it installs successfully.

I have noticed on the Software update failed dialog it shows "The system will not restart right now, but you will be no later when the software ........

I believe the "no" has truncated "notified".

We have a requirement to update Macs in a BETA, UAT and Prod method, so the BETA hosts are updated first, then UAT and lastly Prod. We cannot think of a way of doing this as there is no scheduled start date option. We only want BETA to see the notification on Day 1, UAT on Day 3 and Prod on Day 5. Is there any way to schedule the binary in this manner, or can you recommend a way of implementing this?

Many thanks

wakco commented 1 year ago

This is actually a duplicate request to "#23 Ignore updates for a period of time".

You might be able to use different config profiles on the 2 delayed groups to delay updates for the 3 and 5 days respectively, as mentioned in #23.

DarthMJH commented 1 year ago

Thanks for the prompt response and idea of trying to use the ignore updates for a period of time.

I have tried that and found the following:

I've set the ignore updates for 90 days for everything. I have a Mac running 12.6.2 that needs the latest Safari Update. Once I apply the ignore updates I cannot see it available at all in software updates.


But when running Super I get prompted to update and the title in the notifier just says: MacOS Requires Restart

In the super log file it shows:

Deferred Yes but no Date is shown

=== OS Update Item ===
Product Key: 012-74032
Title: Safari
Version: 16.2 ((null))
Deferred: YES (Date: )
Tags:
Mac OS update: no
Major OS Update: no

Whereas on Ventura it gives a date

=== OS Update Item ===
Product Key: 012-92138
Title: macOS Ventura
Version: 13.0 ((null))
Deferred: YES (Date: 22 Jan 2023 at 07:00)

This is the download location.

{ AllowsInstallLater = 1; AppIdentifiersToClose = ( "com.apple.Safari.SafariQuickLookPreview", "com.apple.Safari" ); DownloadSize = 134051519; HumanReadableName = Safari; HumanReadableNameLocale = "en-GB"; IsConfigDataUpdate = 0; IsCritical = 0; IsFirmwareUpdate = 0; MetadataURL = "https://swcdn.apple.com/content/downloads/56/51/012-74032-A_9J5DGEGRED/y2js2pclu7syop1z68wtptdnaddeog4u7f/Safari16.2MontereyAuto.smd"; ProductKey = "012-74032"; RequiresBootstrapToken = 0; RestartRequired = 0; Version = "16.2"; },

It doesn't seem to download and prep like I have seen before with other updates; super just prompts immediately to restart or defer.

Blocking Major updates works as it does not try to update to Ventura which is great.

And thought I would give you another typo, but this time in the verbose logging. Error: Download of software udpates failed to start after....... updates is spelt wrong.

Macjutsu commented 1 year ago

@wakco is correct that the scheduling of updates is a feature request.

As for the issues you are seeing where the installer is failing or the update isn't behaving as expected... you need to examine the super.log. This is the only way anyone can start to troubleshoot super, myself included.

wakco commented 1 year ago

@DarthMJH "We only want BETA to see the notification on Day 1, UAT on Day 3 and Prod on Day 5."

So why would you then set both ignore updates to 90 days, when you only want 3 or 5 days? (Well actually 2 and 4 days).

DarthMJH commented 1 year ago

> @DarthMJH "We only want BETA to see the notification on Day 1, UAT on Day 3 and Prod on Day 5."
>
> So why would you then set both ignore updates to 90 days, when you only want 3 or 5 days? (Well actually 2 and 4 days).

It was only a test to see if the updates would download via Super. If it worked I would have created two config profiles for the correct days.

DarthMJH commented 1 year ago

super.log attached as requested.

Macjutsu commented 1 year ago

You have force restart enabled. You probably don't actually want that setting...

Per the Wiki: https://github.com/Macjutsu/super/wiki/Update-Options#force-system-restart

DarthMJH commented 1 year ago

Thanks for the advice. I have turned off force update. I have managed to get the delay software updates working on the Mac; it is a little flaky (not super), not sure what Apple are doing. However, when the Mac decides to apply the policy, super then only applies what is allowed on that device. So it does work. Unfortunately we are beholden to Apple in getting deferred updates working 100% all the time.

Any thoughts on this: "When installing Super via Unix executable script natively in JAMF, we get the error "Startup validation failed", however if we copy the contents locally and run push and install a script from JAMF to run the same super.unix command, it installs successfully"? I assume you will need a log file to see what is happening? If so I will see what I can do. Thanks again for your assistance.

Macjutsu commented 1 year ago

Yes... there will be a specific error in the super.log

DarthMJH commented 1 year ago

We are so close now. The install script via JAMF is now working for both Intel and M1. On an M1, when we start super with this command:

super --jamf-account='superapi' --jamf-password='password'

it downloads the update and displays the deferral window. When we defer (for 2 minutes as a test) we can see in the logs everything is fine, no errors shown. The last line of the verbose log says:

FunctiondeleteJamfProServerToken: JAMF Pro API token successfully invalidated.

We wait 2 minutes and the pop-up does not appear. In the log file it says:

credential Error: Can not use MDM workflow because this computers Bootstrap is not escrowed
credentialERROR: TRUE
Warning: MacOS update/upgrade enforcement on Apple Silicon computers requires authentication credentials

I have looked in keychain and the Super MDM account has the correct password.

I have also run:

sudo profiles status -type bootstraptoken

And get the response:

profiles: Bootstrap Token is supported on server: YES
profiles: Bootstrap Token escrowed on server: NO

I believe the install and initial run works as we are passing the password, however after the deferral the password is cleared, so super cannot rerun.

Intels are fine as the password is not required.

wakco commented 1 year ago

To fix the Bootstrap Token: while recent versions of Jamf Pro are supposed to escrow the Bootstrap Token automatically, it's not always perfect, so I've always used the profiles install -type bootstraptoken command to make sure of it (I use an expect script and a temporary admin account during setup to make sure a few things like this are properly handled as part of the enrolment process).

Macjutsu commented 1 year ago

And there it is... bootstrap token...

So there is a legitimate super bug you found... it should actually error out sooner so you get it in the Jamf Pro Policy log.

However, @wakco is correct... this is an issue between macOS and the MDM. There isn't anything super can do to resolve this problem. Even the solution @wakco uses is only possible due to his custom enrollment workflow that includes a temporary admin account.
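The bootstrap token check discussed in the comments above, as an added example that is not part of the thread or of super: a pre-flight step for a Jamf policy script that parses the `profiles status -type bootstraptoken` response and stops early on Apple Silicon when the token is not escrowed. The function names `bootstrap_token_state` and `preflight` are hypothetical; the sample input is the response quoted in the thread.

```shell
#!/bin/sh
# Added example (not part of super): stop a Jamf policy early on Apple Silicon
# when the bootstrap token is not escrowed, so the failure lands in the policy log.

# Response quoted in this thread, used as sample input.
SAMPLE_OUTPUT='profiles: Bootstrap Token is supported on server: YES
profiles: Bootstrap Token escrowed on server: NO'

# Read `profiles status -type bootstraptoken` output on stdin and print one of:
# escrowed | not-escrowed | unsupported | unknown
bootstrap_token_state() {
    awk '
        /Bootstrap Token.*supported/ { supported = $NF }
        /Bootstrap Token.*escrowed/  { escrowed = $NF }
        END {
            if (supported == "NO")      print "unsupported"
            else if (escrowed == "YES") print "escrowed"
            else if (escrowed == "NO")  print "not-escrowed"
            else                        print "unknown"
        }'
}

# $1 = CPU architecture from `uname -m`, $2 = state from bootstrap_token_state.
# Returns 0 when the update workflow may continue, 1 when it should stop.
preflight() {
    arch=$1
    state=$2
    if [ "$arch" != "arm64" ]; then
        echo "Intel Mac: continuing without a bootstrap token check"
        return 0
    fi
    if [ "$state" = "escrowed" ]; then
        echo "Apple Silicon: bootstrap token is escrowed"
        return 0
    fi
    echo "ERROR: Apple Silicon and bootstrap token state is '$state'; fix escrow before running the update workflow" >&2
    return 1
}

# Only query the real system where the macOS `profiles` tool exists (run as root).
if command -v profiles >/dev/null 2>&1; then
    state=$(profiles status -type bootstraptoken 2>&1 | bootstrap_token_state)
    preflight "$(uname -m)" "$state" || exit 1
fi
```
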

DarthMJH commented 1 year ago

Thank you @wakco and @Macjutsu, your help has been invaluable. We will look into creating a script like you have created. Have you created a blog about this by any chance? Also, last thing about Super: on the M1s when running Verbose mode, the password is visible, but it says not logged. However we can see it in the log file and in JAMF. Where is it not logged?

Macjutsu commented 1 year ago

It will not be logged to the local super.log... but... it is written to standard out (aka "echo"), so if Jamf runs the script it will be collected by Jamf.

The assumption is that you only use --verbose-mode when testing locally on the computer.
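One way to keep a known secret out of output that a management tool collects from standard out, as an added example that is not part of the thread or of super: a filter that masks every literal occurrence of the secret before the output leaves the script. The function `mask_secret`, the variable `SUPER_SECRET` and the sample lines are hypothetical and constructed; they are not real super output.

```shell
#!/bin/sh
# Added example (not part of super): mask a known secret in a command's output
# before a management tool that collects stdout can record it.

# Read stdin and replace every literal occurrence of the exported variable
# SUPER_SECRET (hypothetical name) with "********". index()/substr() are used
# instead of a regex so characters such as . * & in a password match literally.
mask_secret() {
    awk '
        BEGIN { s = ENVIRON["SUPER_SECRET"]; n = length(s) }
        {
            line = $0; out = ""
            while (n > 0 && (i = index(line, s)) > 0) {
                out = out substr(line, 1, i - 1) "********"
                line = substr(line, i + n)
            }
            print out line
        }'
}

# Constructed sample lines run through the filter (not real super output).
demo() {
    SUPER_SECRET='p@ss.w*rd&1'
    export SUPER_SECRET
    printf '%s\n' \
        "verbose: jamf password is p@ss.w*rd&1" \
        "p@ssXw*rd&1 is a different string and is left alone" | mask_secret
}

# Usage inside a policy script (some_command stands for whatever prints the secret):
#   export SUPER_SECRET="$password"
#   some_command 2>&1 | mask_secret
# The pipeline's exit status is then that of mask_secret, not of some_command.
```
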

wakco commented 1 year ago

@DarthMJH A blog, no, hadn't thought about it, but as I am in the process of re-vamping my work's entire approach, I'll consider it. There are some things we are still doing that are kinda dated, such as still binding to AD, and preferring the latest macOS version -1 (so 12 Monterey for this year), due to software that doesn't keep up to date with the latest version. This however is going off topic for Super, so if I create one, I'll let you know.

Macjutsu commented 1 year ago

Please test the latest beta: https://github.com/Macjutsu/super/releases/tag/v3.0-b7

Macjutsu commented 1 year ago

This bug I noted earlier about reporting the bootstrap token earlier is resolved in the latest beta: https://github.com/Macjutsu/super/releases/tag/v3.0-b8