Select third-party software updates are automatically downloaded, packaged, and added to Jamf Pro for easy deployment. These packages are found under the EPM-Apps category and are available for all departments to use.
The following third-party programs are available for automated patching in Jamf Pro:
- Adobe Acrobat Reader
- Citrix Receiver
- Citrix Workspace
- Google Chrome
- Microsoft Excel
- Microsoft OneDrive
- Microsoft OneNote
- Microsoft Outlook
- Microsoft PowerPoint
- Microsoft Word
- Oracle Java 8
- Spirion (formerly known as Identity Finder)
- VMware Fusion
You can find the latest packages for these programs in the JSS under the EPM-Apps group. Version numbers are included in the package name, and at least the last 3 versions (usually more) are kept available in case bugs are discovered in newer versions.
If there is any other third-party software you'd like to include in automatic updates, contact email@example.com.
There are three main options to deploy patches to machines in your environment. Which option is best for you depends on how much control you want versus how much you want to be automated. The three main methods are EUC-managed patching, calling EUC's custom triggers, and setting up your own patching policies from scratch. These three methods are all detailed below.
The EUC (End User Computing) team maintains policies to update software to the latest supported version. If a user has installed an even newer version (for example, a beta of a future release), it will be left alone. Applications will not be patched while they are running, to prevent interrupting the user's work.
Machines opted into EUC-managed patching will check for updates once per day. By default, all of the supported applications listed above will be patched. However, if you would prefer not to patch an individual application, it can be excluded for your site.
Any site can opt into using the EUC patching policies; please contact firstname.lastname@example.org if you'd like them to manage your site's patching.
For more information, see Jamf Pro - EUC managed third-party patching.
You can run the same patching policies explained above from the command line, or from your own Jamf policies, by entering sudo jamf policy -event euc-patch. This trigger will patch applications just like the EUC-managed method detailed above. These policies will check if the software is installed and outdated, and update it if it is not currently running.
The advantage to calling this trigger yourself is that you can choose to call it on any schedule you like, instead of (or in addition to) the default once per day of EUC-managed patching.
Here is an example of a custom policy you can create to call the euc-patch trigger to update all supported apps at startup:
- Create a new policy. Under the General payload, set the trigger to Startup, and the frequency to "Ongoing".
- Scroll down to the Files and Process payload, click Configure, and enter "sudo jamf policy -event euc-patch" in the Execute Command field.
- Under the Scope tab, set the scope to All Computers (or whatever subset of computers you prefer).
Once configured, you never need to update this policy! It will always update to the latest versions approved by the EUC team. You can safely scope this to All Computers, because it will only install each update on machines that already have the application installed. So, for example, it won't install Skype on computers that don't already have Skype.
Both Firefox ESR and mainline Firefox are supported. Computers that have mainline installed will get the latest mainline version, while computers that have ESR installed will get the latest ESR.
Similarly, both Office 2016 and Office 2019 are supported. Machines with Office 2016 will be updated to the latest versions of the 2016 apps, and will not be upgraded to 2019 automatically. If you'd like to upgrade to Office 2019, see http://kb.mit.edu/confluence/display/istcontrib/Jamf+Pro+-+Installing+and+updating+Microsoft+Office
If you'd like to patch only certain applications, you can use these per-application custom triggers:
Just like the main euc-patch trigger, these per-application patch triggers will check if an application is installed, outdated, and not currently running before installing the latest approved version.
If you prefer to maintain full control of patching, you can create your own policies leveraging the same scripts and packages as the EUC team. Here is an example of two policies you could create to patch Outlook to the latest version:
First, create a policy to install the latest version.
- Create a new policy.
- In the General section, set the trigger to Custom, and enter a unique custom event name, e.g. <your site>-install-outlook.
- Set the execution frequency to Ongoing.
- Go to the Packages payload at the left and click Configure.
- Add the latest version of Outlook you want to deploy.
- Go to the Scope tab and select All Computers.
Second, create a patching policy. This will run a script to determine if a machine should install your latest Outlook version, and then call the custom trigger you specified in the last policy.
- Create a new policy.
- Set the trigger to e.g. Startup (or whatever you prefer).
- Set the execution frequency to Ongoing.
- Go to the Scripts payload and click Configure.
- Add the script "EPM-Thirdparty-Patch".
- Under Parameter Values, set the custom event to the one you specified above, e.g. <your site>-install-outlook.
- Set the app version number to the version you added to your first policy, e.g. 16.16.7.
Microsoft's package names do not contain the same version number as the applications. Be sure you enter the version number as it appears in the Finder's Get Info window when the application is installed.
- Set the application path to /Applications/Microsoft Outlook.app.
- Go to the Scope tab and select All Computers (or whatever subset you prefer).
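The checks a patching script like this makes before calling the install trigger (installed, outdated, not running) can be sketched as follows. This is an added example, not the EUC team's EPM-Thirdparty-Patch script; the parameter order ($4 event, $5 version, $6 application path), the function names and the event-name allow-list are assumptions.

```shell
#!/bin/sh
# Added example; NOT the EUC team's EPM-Thirdparty-Patch script.

# version_lt A B: succeeds only when dotted version A is strictly older than B.
version_lt() {
    local a="$1" b="$2" x y
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=$(printf '%s' "${a%%.*}" | tr -cd '0-9')   # leading component, digits only
        y=$(printf '%s' "${b%%.*}" | tr -cd '0-9')
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac    # drop the consumed component
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1   # equal versions are not "older"
}

# patch_decision INSTALLED TARGET RUNNING(yes|no): prints the action to take.
patch_decision() {
    [ -n "$1" ] || { echo not-installed; return; }              # app absent: never install it
    version_lt "$1" "$2" || { echo current-or-newer; return; }  # leave newer builds alone
    [ "$3" = yes ] && { echo running; return; }                 # do not interrupt the user
    echo install
}

main() {
    # Assumed parameter order: Jamf passes custom script parameters from $4 on.
    local event="$4" target="$5" app="$6" installed="" running=no
    # Assumed allow-list: only a plain event name is handed to the jamf binary.
    case $event in ''|*[!A-Za-z0-9_-]*) echo "invalid event name" >&2; return 2 ;; esac
    if [ -d "$app" ]; then
        # Same version string the Finder's Get Info window shows.
        installed=$(defaults read "$app/Contents/Info" CFBundleShortVersionString 2>/dev/null)
    fi
    pgrep -f "$app/Contents/MacOS/" >/dev/null 2>&1 && running=yes
    case $(patch_decision "$installed" "$target" "$running") in
        install) jamf policy -event "$event" ;;
        *) echo "no action for $app" ;;
    esac
}

# Runs only when Jamf supplies the parameters.
if [ $# -ge 6 ]; then main "$@"; fi
```

The component-wise comparison matters here: a plain string comparison would rank 16.16.10 below 16.16.7 and skip a needed update.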
If you want to install the latest version of one of these programs on new machines, instead of only updating existing installations, you can use custom triggers to install individual packages. These will always install the latest version supported by the EUC team, regardless of whether the software is already installed or running. The following triggers are available:
euc-install-crashplan (note: only available for installation, not patching, since it updates itself)
euc-install-crowdstrike (note: only available for installation, not patching, since it updates itself)
euc-install-firefox (note: installs Firefox ESR)
euc-install-globalprotect (note: only available for installation, not patching, since it updates itself)
euc-install-sophoscentral (note: only available for installation, not patching, since it updates itself)
For convenience, there are additional triggers to install the entire Office suite along with serialization and the Microsoft AutoUpdate app. These are suitable for upgrading from 2016 to 2019 or downgrading from 2019 to 2016, or performing clean installs of either.
There is a similar set of policies and triggers for testing new application versions before they are approved for general deployment. New releases will be in the testing track for at least a week before being approved for general deployment. If you'd like to have some of your computers set to install updates from the testing track, please contact email@example.com.
Custom triggers for testing:
|Patch Policies (for updating existing installs)||Install Policies (for installing on new machines)|
If you have any questions, please contact firstname.lastname@example.org.