macadmins / nudge

A tool for encouraging the installation of macOS security updates.
Apache License 2.0

Non-CVE update does not adhere to standardMinorupdateSLA #633

Closed sjbarkey closed 1 month ago

sjbarkey commented 1 month ago

With the release of macOS 14.6.1 and 13.6.9, which do not contain CVEs, we are seeing Nudge prompts that allow 27 days to update instead of the 3 days configured for standardMinorupdateSLA.

I have tried changing the standardMinorupdateSLA to a different value, which did not work, and confirmed my cached version of the SOFA JSON is showing the new update and a valid releaseDate.

Below is the screenshot of the Nudge window: [image: Screenshot 2024-08-07 at 4 25 46 PM]

Below is our config pushed via Jamf:

<plist version="1.0">
  <dict>
    <key>optionalFeatures</key>
    <dict>
      <key>acceptableCameraUsage</key>
      <true/>
      <key>acceptableScreenSharingUsage</key>
      <true/>
      <key>aggressiveUserFullScreenExperience</key>
      <false/>
      <key>attemptToCheckForSupportedDevice</key>
      <false/>
      <key>attemptToFetchMajorUpgrade</key>
      <false/>
      <key>enforceMinorUpdates</key>
      <true/>
      <key>refreshSOFAFeedTime</key>
      <integer>1800</integer>
    </dict>
    <key>osVersionRequirements</key>
    <array>
      <dict>
        <key>aboutUpdateURL</key>
        <string>https://kb.ucdavis.edu/?id=8509</string>
        <key>activelyExploitedCVEsMinorUpdateSLA</key>
        <integer>3</integer>
        <key>nonActivelyExploitedCVEsMinorUpdateSLA</key>
        <integer>3</integer>
        <key>requiredMinimumOSVersion</key>
        <string>latest-minor</string>
        <key>standardMinorupdateSLA</key>
        <integer>3</integer>
        <key>targetedOSVersionsRule</key>
        <string>12</string>
      </dict>
      <dict>
        <key>aboutUpdateURL</key>
        <string>https://kb.ucdavis.edu/?id=8509</string>
        <key>activelyExploitedCVEsMinorUpdateSLA</key>
        <integer>3</integer>
        <key>nonActivelyExploitedCVEsMinorUpdateSLA</key>
        <integer>3</integer>
        <key>requiredMinimumOSVersion</key>
        <string>latest-minor</string>
        <key>standardMinorupdateSLA</key>
        <integer>3</integer>
        <key>targetedOSVersionsRule</key>
        <string>13</string>
      </dict>
      <dict>
        <key>aboutUpdateURL</key>
        <string>https://kb.ucdavis.edu/?id=8509</string>
        <key>activelyExploitedCVEsMinorUpdateSLA</key>
        <integer>3</integer>
        <key>nonActivelyExploitedCVEsMinorUpdateSLA</key>
        <integer>3</integer>
        <key>requiredMinimumOSVersion</key>
        <string>latest-minor</string>
        <key>standardMinorupdateSLA</key>
        <integer>3</integer>
        <key>targetedOSVersionsRule</key>
        <string>14</string>
      </dict>
    </array>
    <key>userExperience</key>
    <dict>
      <key>allowedDeferrals</key>
      <integer>20</integer>
      <key>allowedDeferralsUntilForcedSecondaryQuitButton</key>
      <integer>10</integer>
      <key>nudgeMinorUpdateEventLaunchDelay</key>
      <integer>0</integer>
      <key>randomDelay</key>
      <false/>
    </dict>
    <key>userInterface</key>
    <dict>
      <key>requiredInstallationDisplayFormat</key>
      <string>yyyy-MM-dd</string>
      <key>showRequiredDate</key>
      <true/>
      <key>updateElements</key>
      <array>
        <dict>
          <key>_language</key>
          <string>en</string>
          <key>mainContentSubHeader</key>
          <string>Updates can take around 15-90 minutes to complete.</string>
          <key>mainContentText</key>
          <string>Apple has released a macOS update for your machine, which includes numerous security improvements and enhancements.\n\nPer UC and UC Davis policies, updates must be applied promptly to quickly reduce risk.\n\nTo update your machine:\n    1) Save all of your work\n    2) Click the 'Update Device' button\n    3) Follow the provided steps\n\nIf you have any questions or concerns, please contact your local IT Department.\n\nFor more information, click the 'More info' link in the lower-left corner.</string>
          <key>mainHeader</key>
          <string>Your device requires a security update</string>
          <key>subHeader</key>
          <string>A friendly reminder from your local IT Department</string>
        </dict>
      </array>
    </dict>
  </dict>
</plist>

klssland commented 1 month ago

Also seeing a similar experience

sjbarkey commented 1 month ago

I noticed that the key is pushed as standardMinorupdateSLA but should be standardMinorUpdateSLA (Note the capital U).

When testing with correct case, the issue appears to be resolved.

sjbarkey commented 1 month ago

My Jamf Schema was pulled from https://github.com/macadmins/nudge/blob/main/Schema/jamf/com.github.macadmins.Nudge.json, which also needs to be updated as well.

erikng commented 1 month ago

PRs welcome. :)

erikng commented 1 month ago

Fixed on main.
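
The cause identified in this thread was a preference key that differed from the expected name only by letter case (standardMinorupdateSLA vs. standardMinorUpdateSLA). The following is an added example, not code from the Nudge project or from anyone in the thread: a small pre-deployment lint that walks a profile plist and flags keys that match a known key only when case is ignored. The `KNOWN_KEYS` set is an assumption built from the key names shown in this thread with the corrected spelling, and `lint_keys` and `SAMPLE` are hypothetical names.

```python
import plistlib

# Assumption: a subset of Nudge osVersionRequirements keys, taken from this
# thread with the corrected spelling; extend it from the schema you deploy.
KNOWN_KEYS = {
    "aboutUpdateURL",
    "activelyExploitedCVEsMinorUpdateSLA",
    "nonActivelyExploitedCVEsMinorUpdateSLA",
    "requiredMinimumOSVersion",
    "standardMinorUpdateSLA",
    "targetedOSVersionsRule",
}
_BY_LOWER = {k.lower(): k for k in KNOWN_KEYS}

def lint_keys(node, path=""):
    """Walk a parsed plist and return (path, found_key, expected_key) for
    every dict key that matches a known key only when case is ignored."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            expected = _BY_LOWER.get(key.lower())
            if expected is not None and expected != key:
                findings.append((here, key, expected))
            findings.extend(lint_keys(value, here))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(lint_keys(item, f"{path}[{index}]"))
    return findings

# Constructed sample: a trimmed version of the profile posted in this thread.
SAMPLE = b"""<plist version="1.0">
<dict>
  <key>osVersionRequirements</key>
  <array>
    <dict>
      <key>standardMinorupdateSLA</key>
      <integer>3</integer>
      <key>targetedOSVersionsRule</key>
      <string>14</string>
    </dict>
  </array>
</dict>
</plist>"""

if __name__ == "__main__":
    for where, found, expected in lint_keys(plistlib.loads(SAMPLE)):
        print(f"{where}: '{found}' should be '{expected}'")
```

Running the same check against the MDM schema file that generates the profile catches the mismatch at its source rather than per deployment.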