macadmins / nudge

A tool for encouraging the installation of macOS security updates.
Apache License 2.0

Feature request: Relative time (or Grace time) #438

Closed llauren closed 4 months ago

llauren commented 1 year ago

If a computer comes online after having been on vacation for a long time, passing an OS update deadline, Nudge would go crazy and pester the poor user to install that OS update now.

This is rather unkind. In the spirit of how Jumpcloud handles updates, I propose Nudge to have an additional way of specifying when an update needs to be applied, namely "X amount of time after you see this message", e.g. "in two weeks' time".

Failing that, I propose the feature of a Grace time, which might also solve the problem. If a computer is already past deadline when it first encounters the Nudge-imposed deadline, allow for a configurable span of time until the update must be applied. So, two weeks ago, but since you weren't here at that time, do it within a week from now.

flammable commented 1 year ago

I think what you're describing could be solved with Nudge's grace periods - see the userExperience section, specifically the allowGracePeriods, gracePeriodInstallDelay, gracePeriodLaunchDelay, and gracePeriodPath keys.

llauren commented 1 year ago

Thank you. I shall study the scrolls.

llauren commented 1 year ago

As I see it, the grace options outlined above will be relevant to newly installed (DEP'd) computers, but not for people who come back from a vacation, unless we can identify a gracePeriodPath which can point to when the computer was last online before now.

flammable commented 1 year ago

Sorry, I missed the "vacation" part in your initial message - I think you're correct. Handling users who return from vacation has come up in the MacAdmins Slack channel, but I think the reasoning for continuing to nudge those users is that you'd want the computer up to date anyway.

Like, a user receiving a brand new machine (with an outdated OS) is a different situation than a user taking vacation for a couple of weeks.

As you mentioned, I'm not sure if there's a good way to tell if a user has been on vacation, either. If they shut down the computer vs. put it to sleep, is there a way Nudge can tell it hasn't been used? What if it's a desktop Mac, and was left powered on and awake the whole time?

llauren commented 1 year ago

There is no way to solve all the problems at the same time, but we can try to solve some of the problems, a few at a time.

If we think about this from Nudge's perspective, Nudge might wake up and realise we're past an update window. If so, have a look back in history to see whether it's been a while since we last bothered the user. If so, give the user a configurable amount of grace time. This could be possible by examining the /var/log/Nudge.log log file or some other persistent mechanism (I'm freewheeling here, but for the sake of the discussion, let's call it /Library/Nudge/lastrun.log). If there's no log of any kind, we can assume Nudge hasn't run, so grace time can be given if needed (and we feel particularly graceful).

Sure, the enterprising user may delete the log file and be given another day or three of update time, but that's probably not the end of the world. That user could just as easily edit the Nudge config file, if it's local.

jamesfkane commented 1 year ago

Just commenting to +1 a desire for this functionality. Currently we're working on ingesting leave/sabbatical info from our HRIS to use as exclusions for a given Nudge campaign, but something like @llauren mentioned would greatly simplify this and we wouldn't have to wait for the next macOS update/Nudge campaign to get those excluded devices compliant.

bradtchapman commented 8 months ago

+1 for this. It would be nice to give users a grace period.

Can't Nudge determine its own previous launch time? If it was more than X number of days ago, and a new set of update criteria is found, then give the user more time.

erikng commented 4 months ago

I've been giving this some thought off and on for a bit and I am ultimately deciding against developing this feature.

> Can't Nudge determine its own previous launch time?

It possibly could if I start writing this type of information in a plist, but since Nudge is a user-run process, by proxy, the user can always use this against the organization to get unlimited delays in nudge events. I am broadly against designing this type of mechanism and since Nudge doesn't have a PrivilegedHelper (and may never unless I can make time to learn how to do it securely), I would have to build another tool on top of Nudge to facilitate this.

Beyond this, my organization has a hard stance that even people on vacation must update their devices prior to regaining access to critical services.

For companies wanting to do something like this, I too would recommend you implement some logic within the gracePeriodPath and a custom script. Prior to Nudge installing, you can check to see if this is a new device (similar to how I do it with the out-of-box path of /private/var/db/.AppleSetupDone) and write a different path, that your company owns - most importantly protected via root to require explicit user intent - you can choose when to update it and on what conditions. You can periodically recreate this file every x days with a script that utilizes your custom SLA for people on vacation. When they get back, this script will recreate the file and Nudge will honor it.

It sounds somewhat complex, but this is what you all are effectively asking me to build but without root access to protect this against abuse.
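As an added example (not code from the Nudge project) of the root-owned gracePeriodPath approach erikng describes, combined with the "last run" record llauren proposed: a helper meant to run as root from a LaunchDaemon, which records when it last ran and recreates the grace file only when the gap reaches the vacation SLA. The paths are hypothetical, and it assumes Nudge derives the grace window from the file's creation time, so the file is removed and recreated rather than touched.

```shell
#!/bin/sh
# Added example, not Nudge's own code. Run as root (e.g. hourly via LaunchDaemon).
# Assumptions: paths below are hypothetical; Nudge keys the grace window off the
# gracePeriodPath file's creation timestamp; "absence" is inferred from the gap
# between two runs of this script. Root ownership keeps the logged-in user from
# deleting the file to obtain repeated grace windows (the abuse erikng raises).

GRACE_FILE="${GRACE_FILE:-/Library/ExampleOrg/.nudge_grace}"      # hypothetical gracePeriodPath
STAMP_FILE="${STAMP_FILE:-/Library/ExampleOrg/.nudge_last_seen}"  # hypothetical epoch of last run
VACATION_SLA_DAYS="${VACATION_SLA_DAYS:-14}"                      # company SLA for returning users

# days_between FROM_EPOCH TO_EPOCH -> whole days elapsed
days_between() {
  echo $(( ($2 - $1) / 86400 ))
}

# grace_due LAST_SEEN_EPOCH NOW_EPOCH SLA_DAYS -> exit 0 if the gap reached the SLA
grace_due() {
  [ "$(days_between "$1" "$2")" -ge "$3" ]
}

# recreate_file PATH -> delete and create again so the creation time becomes "now";
# owned by root:wheel when run as root, world-readable so Nudge can stat it.
recreate_file() {
  mkdir -p "$(dirname "$1")"
  rm -f "$1"
  : > "$1"
  chmod 644 "$1"
  if [ "$(id -u)" -eq 0 ]; then chown root:wheel "$1"; fi
}

# run_once NOW_EPOCH [GRACE_FILE] [STAMP_FILE] [SLA_DAYS] -> prints "grace" or "none"
run_once() {
  now=$1; grace=${2:-$GRACE_FILE}; stamp=${3:-$STAMP_FILE}; sla=${4:-$VACATION_SLA_DAYS}
  result=none
  if [ ! -f "$grace" ]; then
    recreate_file "$grace"; result=grace          # first run: treat like a new device
  elif [ -f "$stamp" ] && grace_due "$(cat "$stamp")" "$now" "$sla"; then
    recreate_file "$grace"; result=grace          # machine was away for at least SLA days
  fi
  mkdir -p "$(dirname "$stamp")"
  echo "$now" > "$stamp"                          # record this run for the next comparison
  echo "$result"
}

case "${1:-}" in --run) run_once "$(date +%s)" ;; esac
```

Invoke with `--run` from the LaunchDaemon; point Nudge's gracePeriodPath at GRACE_FILE and set gracePeriodInstallDelay to the number of hours the returning user should get.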