Archive
Deploying Apple software update deferrals using Blueprints in Jamf Pro
As part of the software testing cycle, Mac admins may choose to delay making Apple’s macOS updates generally available to their fleet while they’re testing to make sure all the software used on their organization’s Macs works correctly on new versions of macOS. To assist with this, Apple has made available deferral settings for Apple’s Software Update on macOS, where you can choose to defer the following for up to 90 days:
- Major OS upgrades: An upgrade is a major macOS release with a new name (for example, macOS Sequoia 15 to macOS Tahoe 26).
- Minor OS updates: An update is a minor release within the same macOS version, such as Tahoe 26.0 to 26.2.
- Non-OS updates: These are software updates provided by Apple that are not covered by the prior two categories.
For those who need to know when deferral periods end, Apple has them available for the current shipping OS via the link below:
https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a/web (see the Software release dates section.)
One example of a deferral choice is delaying the release of a new major version of macOS. In this scenario, a Mac admin may want to delay release because mandatory security software for their environment has not yet been certified by the software vendor as being compatible with the new version of macOS. You can use Blueprints in Jamf Pro to distribute these tokens, using the Software Update Settings component in Blueprints.
Let’s take a look on how to deploy deferral settings using using the following software update configuration as an example:
- What’s deferred: Major OS upgrades
- How long: 90 days
For more details, please see below the jump.
Enabling a standard user account to access the unified system log on macOS using the log command line tool
As part of my work, I occasionally need to pull information from the unified system log, either directly on a Mac or from a sysdiagnose file, using the log command line tool. However, I also prefer to run as a standard user account most of the time and use privilege elevation tools like SAP’s Privileges or the privilege elevation functionality built into Jamf’s Self Service+ tool to get admin privileges when needed.
The combination of the two sometimes means I get halted while working because the log command line tool needs an account with admin privileges to run when it is getting log information from the unified system log on the Mac I’m using. Using the log command line tool doesn’t require root privileges or require admin authorization, but it needs to be run by a user with admin rights.
Note: This requirement for admin privileges does not appear to be coming from the log command line tool itself, but instead is coming from the unified system log. The reason I’m saying this is that accessing logs using the log tool from a sysdiagnose file does not require admin privileges. If any readers have more information about this topic, please let me know in the comments.
This has been an occasional annoyance because I get pulled briefly out of my focus while working in order to elevate my account’s privileges and then go back to my work. However, I was able to develop a solution for this issue using the sudo command line tool. For more details, please see below the jump.
Additional roles in Apple Business Manager or Apple School Manager with option to administer AppleSeed for IT program
As a follow-up to my previous post on using Apple Business Manager to enroll in the AppleSeed for IT program, my colleague Mark let me know that in addition to the Administrator role, it appears there are two other roles which can administer the AppleSeed for IT program for an organization.
Note: One of those roles is exclusive to Apple School Manager, so for Apple Business Manager there is only one other role in addition to the Administrator role which can administer the AppleSeed for IT program.
- People Manager role (available in Apple Business Manager and Apple School Manager):
If you look in the People Manager role in either Apple Business Manager and Apple School Manager, there is an Administer AppleSeed for IT checkbox option.
This option is disabled by default, but it is the same checkbox option which is checked for the Administrator role, which in turn allows the Administrator role to administer the AppleSeed for IT program for an organization.
- Site Manager role (available only in Apple School Manager):
If you look in the Site Manager role in Apple School Manager, there likewise is an Administer AppleSeed for IT checkbox option. This option is enabled by default, so it looks like the Site Manager role in Apple School Manager by default has the same ability as the Administrator role to administer the AppleSeed for IT program for an organization.
Deploying Apple beta program tokens using Blueprints in Jamf Pro
As discussed in a previous post, Apple provides tokens which allow devices to be enrolled in Apple’s beta programs without the need for the user to sign in with an Apple Account on the device.
You can use Blueprints in Jamf Pro to distribute these tokens, using the Software Update Settings component in Blueprints. Let’s see how this works using the following software update configuration as an example:
- Macs are enrolled in the macOS Tahoe beta program.
- Macs cannot opt out of participating in the macOS Tahoe beta program.
For more details, please see below the jump.
Obtaining Apple beta program tokens
As discussed in an earlier post, you can sign up for Apple’s AppleSeed for IT program using a user with the Administrator role in Apple Business Manager or Apple School Manager and subsequently obtain tokens which allow devices to be enrolled in Apple’s beta programs without the need for the user to sign in with an Apple Account on the device.
Apple has documentation available on how to obtain these tokens using an API call to the following endpoint:
https://mdmenrollment.apple.com/os-beta-enrollment/tokens
However, the documentation does not include the specifics on how to set up the API call or the necessary OAuth authentication for it. Fortunately, the folks at HCS Technology Group have published a technical article showing how to obtain the necessary tokens using the following:
- An ADE token from your organization’s Apple Business Manager or Apple School Manager instance.
- The getBetaTokens script written by the folks from Microsoft.
For more details, please see below the jump.
Signing up for AppleSeed for IT using Apple Business Manager
Apple’s AppleSeed for IT program is designed to help enterprise and education customers test beta versions of Apple’s software.
To assist with making it easier to test these beta versions on devices, it’s possible for a user with the Administrator role in Apple Business Manager or Apple School Manager to accept the AppleSeed program’s terms and conditions on behalf of their organization. In turn, this will enable devices to be enrolled in Apple’s beta programs without the need for the user to sign in with an Apple Account on the device. For more details on how to do this, please see below the jump.
Der Flounder 
Recent Comments