mpanighetti / install-or-defer

A framework for prompting users of Jamf Pro-managed Macs to install Apple software updates.
Apache License 2.0

check_for_updates Function, if deferred skip? #67

Closed master-vodawagner closed 2 years ago

master-vodawagner commented 2 years ago

Question: If a user defers the prompt, it appears the LD will run through the check_for_updates function during its interval run.

Is there any way to skip the check_for_updates function if the user deferment is still active? I just don't see the need to query softwareupdate if the prompt was deferred.

LOGGING

```
Tue Nov 2 15:27:26 GMT 2021: Start of preinstall script...
Tue Nov 2 15:27:26 GMT 2021: Killing any active jamfHelper notifications...
Tue Nov 2 15:27:26 GMT 2021: End of preinstall script...
Tue Nov 2 15:27:27 GMT 2021: Starting install-or-defer.sh. Performing validation and error checking...
Tue Nov 2 15:27:27 GMT 2021: Validation and error checking passed. Starting main process...
Tue Nov 2 15:27:27 GMT 2021: Max deferral time undefined, or not set to a positive integer. Using default value.
Tue Nov 2 15:27:27 GMT 2021: Maximum deferral time: 03d:00h:00m:00s
Tue Nov 2 15:27:27 GMT 2021: Checking for pending system updates...
Tue Nov 2 15:31:44 GMT 2021: Update requires a restart / shutdown...
Tue Nov 2 15:31:44 GMT 2021: Deferral deadline: 2021-11-05 15:31:44
Tue Nov 2 15:31:44 GMT 2021: Time remaining: 03d:00h:00m:00s
Tue Nov 2 15:31:44 GMT 2021: Prompting to install updates now or defer...
Tue Nov 2 15:31:48 GMT 2021: User clicked Defer after 00d:00h:00m:04s.
Tue Nov 2 15:31:48 GMT 2021: Next prompt will appear after 2021-11-02 18:31:48.
Tue Nov 2 15:51:48 GMT 2021: Starting install-or-defer.sh. Performing validation and error checking...
Tue Nov 2 15:51:49 GMT 2021: Validation and error checking passed. Starting main process...
Tue Nov 2 15:51:49 GMT 2021: Max deferral time undefined, or not set to a positive integer. Using default value.
Tue Nov 2 15:51:49 GMT 2021: Maximum deferral time: 03d:00h:00m:00s
Tue Nov 2 15:51:49 GMT 2021: Checking for pending system updates...
Tue Nov 2 15:56:13 GMT 2021: Update requires a restart / shutdown...
Tue Nov 2 15:56:13 GMT 2021: Deferral deadline: 2021-11-05 15:31:44
Tue Nov 2 15:56:13 GMT 2021: Time remaining: 02d:23h:35m:31s
Tue Nov 2 15:56:13 GMT 2021: The next prompt is deferred until after 2021-11-02 18:31:48.
```

mpanighetti commented 2 years ago

The script is set up to perform an update check every time it runs, ahead of user alerting. This was added a while back to allow the script to exit and self-destruct if the user ran updates between deferrals, so that they wouldn't get a false-positive alert. My intent was to exit as early as possible to minimize script functions and to get the script and LaunchDaemon off the system the moment it's no longer needed, but it wouldn't be difficult to move the check_for_updates function run later in the script, like right after the deferral interval check. Just need to make sure it happens ahead of user-facing popups, since those use the update check output to list the pending updates.

Feel free to give that change a try in your own script, and if you think it would be beneficial, I'd be happy to review it in a pull request. Thanks for the feedback!

master-vodawagner commented 2 years ago

Valid point, and it's best to keep that. Trying to determine how to prevent the caching of the same update every time the script is run by the LD when it's deferred.

master-vodawagner commented 2 years ago

Created a fork for you, been running that code for a week and looks to be working fine. I have run into issues raised in ID68 but I believe that is unrelated to the fork of code.

mpanighetti commented 2 years ago

Thanks for testing that out! It just occurred to me that I specifically moved check_for_updates before deadline calculation to avoid an issue where the caching step was taking so long that it would run down the deferral clock a bit (noted here). For that reason I'd probably prefer not to shift check_for_updates back down again.

It actually might be better to just take out the caching step entirely. It probably doesn't save the user a great deal of time in the long run, and it's not doable on Apple Silicon anyway so it would standardize the script workflow a bit across multiple architectures.

master-vodawagner commented 2 years ago

That is another valid option

pmac789 commented 2 years ago

Hey @mpanighetti, I tried your script today in my Jamf environment. If I'm correct, the script is supposed to give a pop-up every 4 hours as a reminder; not sure if I'm doing it wrong, but it seems to not work for me. Btw, I'm not a script guru or anything, but I found another script that would authenticate a pop-up for the user to enter their password for software update if the machine is an M1. Would be cool if you could incorporate that into your current defer script. Also, do you have a working script for major OS update deferral? I know that moving from Big Sur to Monterey now requires authentication from the user.

```bash
# Pulls the current logged in user and their UID
currUser=$(ls -l /dev/console | awk '{print $3}')
currUserUID=$(id -u "$currUser")

fvPass=$(
# Prompts the user to input their FileVault password using Applescript.
# This password is used for a SecureToken into the startosinstall.
/bin/launchctl asuser "$currUserUID" sudo -iu "$currUser" /usr/bin/osascript <<APPLESCRIPT
set validatedPass to false
repeat while (validatedPass = false)
    -- Prompt the user to enter their filevault password
    display dialog "Enter your macOS password to start the macOS upgrade" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns" default answer "" buttons {"Continue"} with text and hidden answer default button "Continue"
    set fvPass to (text returned of result)
    display dialog "Re-enter your macOS password to verify it was entered correctly" with text and hidden answer buttons {"Continue"} with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns" default answer "" default button "Continue"
    if text returned of result is equal to fvPass then
        set validatedPass to true
        fvPass
    else
        display dialog "The passwords you have entered do not match. Please enter matching passwords." with title "FileVault Password Validation Failed" buttons {"Re-Enter Password"} default button "Re-Enter Password" with icon file messageIcon
    end if
end repeat
APPLESCRIPT
)

# Quoted so the password reaches startosinstall unchanged (no word splitting or globbing)
printf '%s\n' "$fvPass" | /Applications/Install\ macOS\ Monterey.app/Contents/Resources/startosinstall --agreetolicense --forcequitapps --nointeraction --user "$currUser" --stdinpass
exit 0
# The opening "if" that this "fi" closes is not included in the post
fi
```

mpanighetti commented 2 years ago

> I tried your script today in my Jamf environment. If I'm correct, the script is supposed to give a pop-up every 4 hours as a reminder; not sure if I'm doing it wrong, but it seems to not work for me. Btw, I'm not a script guru or anything, but I found another script that would authenticate a pop-up for the user to enter their password for software update if the machine is an M1. Would be cool if you could incorporate that into your current defer script.

Hey @pmac789! I'd suggest submitting a separate issue if your feature request is unrelated to the current issue. I'll also point out that your example is for an authenticated major macOS upgrade using startosinstall, which is outside of the scope of this script; Install or Defer specifically enforces security updates for the current installed version of macOS.

> Also, do you have a working script for major OS update deferral? I know that moving from Big Sur to Monterey now requires authentication from the user.

This functionality is natively supported via MDM profiles and is also outside of the scope of Install or Defer. Jamf wrote an article on this topic, and Apple's support for update deferral is documented here.

mpanighetti commented 2 years ago

@master-vodawagner This removal was pretty straightforward, apologies for not getting to it sooner. Change is in #69 pending merge.

mpanighetti commented 2 years ago

Caching has been removed in #69, which will speed up script reruns while checking for updates.

pmac789 commented 2 years ago

Thank you for getting back. I do have a script that I currently use now for minor OS upgrades that would prompt the user to authenticate. Maybe this can help add in to your current script for the Monterey upgrade.

```bash
# Pulls the current logged in user and their UID
currUser=$(ls -l /dev/console | awk '{print $3}')
currUserUID=$(id -u "$currUser")

fvPass=$(
# Prompts the user to input their FileVault password using Applescript.
# This password is used for a SecureToken into the startosinstall.
/bin/launchctl asuser "$currUserUID" sudo -iu "$currUser" /usr/bin/osascript <<APPLESCRIPT
set validatedPass to false
repeat while (validatedPass = false)
    -- Prompt the user to enter their filevault password
    display dialog "Enter your macOS password to start the macOS upgrade" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns" default answer "" buttons {"Continue"} with text and hidden answer default button "Continue"
    set fvPass to (text returned of result)
    display dialog "Re-enter your macOS password to verify it was entered correctly" with text and hidden answer buttons {"Continue"} with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns" default answer "" default button "Continue"
    if text returned of result is equal to fvPass then
        set validatedPass to true
        fvPass
    else
        display dialog "The passwords you have entered do not match. Please enter matching passwords." with title "FileVault Password Validation Failed" buttons {"Re-Enter Password"} default button "Re-Enter Password" with icon file messageIcon
    end if
end repeat
APPLESCRIPT
)

# Quoted so the password is piped unchanged (no word splitting or globbing)
printf '%s\n' "$fvPass" | sudo /usr/sbin/softwareupdate -iaR
exit 0
# The opening "if" that this "fi" closes is not included in the post
fi
```

On Thu, Jan 13, 2022 at 4:05 PM Mario Panighetti @.***> wrote:

Caching has been removed in #69 https://github.com/mpanighetti/install-or-defer/pull/69, which will speed up script reruns while checking for updates.

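Both scripts posted in this thread collect a password into a shell variable and pipe it to a command's stdin, and whether the password arrives unchanged depends on how that variable is expanded. The following is an added example, not code from the thread or from Install or Defer: it compares unquoted expansion through `echo` with quoted expansion through `printf`, using constructed sample passwords, hypothetical helper names, and a `read_secret` function standing in for the consumer that reads one line from stdin.

```bash
#!/bin/bash
# Added illustration; sample passwords and helper names are constructed.

# Unquoted expansion through echo: the shell word-splits and glob-expands
# the value, and echo may parse it as an option.
pipe_unquoted() {
    # shellcheck disable=SC2086
    echo $1
}

# Quoted expansion through printf: the value is passed as data only.
pipe_quoted() {
    printf '%s\n' "$1"
}

# Stand-in for a consumer that reads one line from stdin.
read_secret() {
    IFS= read -r line || true    # EOF without a newline still leaves $line set
    printf '%s' "$line"
}

# survives SENDER SECRET: succeeds if SECRET arrives unchanged.
survives() {
    sender=$1
    secret=$2
    workdir=$(mktemp -d) || return 2
    : > "$workdir/pw.txt"        # constructed file so a glob has a match
    received=$(cd "$workdir" && "$sender" "$secret" | read_secret)
    rm -rf "$workdir"
    [ "$received" = "$secret" ]
}

# Constructed passwords: plain, double space, glob character, echo option.
for pw in 'correcthorse' 'two  spaces' 'p*' '-n'; do
    for sender in pipe_unquoted pipe_quoted; do
        if survives "$sender" "$pw"; then result=intact; else result=ALTERED; fi
        printf '%-14s %-14s %s\n' "$sender" "[$pw]" "$result"
    done
done
```

Only the plain password survives the unquoted form; a password that is altered in transit shows up to the user as a failed authentication rather than as a script error.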