Jamf Pro - Installing and patching third-party software

Select third-party software updates are automatically downloaded, packaged, and added to Jamf Pro for easy deployment. These packages are found under the EPM-Apps category and are available for all departments to use.

Supported Software

The following third-party programs are available for automated patching in Jamf Pro:

  • Adobe Acrobat Reader
  • Citrix Receiver
  • Citrix Workspace
  • Dropbox
  • Firefox
  • Google Chrome
  • Microsoft Excel
  • Microsoft OneDrive
  • Microsoft OneNote
  • Microsoft Outlook
  • Microsoft PowerPoint
  • Microsoft Word
  • Oracle Java 8
  • Skype
  • Slack
  • Spirion (formerly known as Identity Finder)
  • VLC
  • VMware Fusion
  • Zoom

You can find the latest packages for these programs in the JSS under the EPM-Apps group. Version numbers are included in the package name, and at least the last 3 versions (usually more) are kept available in case bugs are discovered in newer versions.

If there is any other third-party software you'd like to include in automatic updates, contact

Deploying updates to existing software on machines

There are three main options to deploy patches to machines in your environment. Which option is best for you depends on how much control you want versus how much you want to be automated. The three main methods are EUC-managed patching, calling EUC's custom triggers, and setting up your own patching policies from scratch. All three are detailed below.

EUC-managed patching

The EUC (End User Computing) team maintains policies to update software to the latest supported version. If a user has installed an even newer version (for example, a beta of a future release), it will be left alone. Applications will not be patched while they are running, to prevent interrupting the user's work.

Machines opted into EUC-managed patching will check for updates once per day. By default, all of the supported applications listed above will be patched. However, if you would prefer not to patch an individual application, it can be excluded for your site.

Any site can opt into using the EUC patching policies; please contact if you'd like them to manage your site's patching.

For more information, see Jamf Pro - EUC managed third-party patching.

Deploying updates with EUC's custom triggers

You can run the same patching policies explained above from the command line, or from your own Jamf policies, by running sudo jamf policy -event euc-patch. This trigger will patch applications just like the EUC-managed method detailed above. These policies will check if the software is installed and outdated, and update it if it is not currently running.

The advantage to calling this trigger yourself is that you can choose to call it on any schedule you like, instead of (or in addition to) the default once per day of EUC-managed patching.

Here is an example of a custom policy you can create to call the euc-patch trigger to update all supported apps at startup:

  1. Create a new policy. Under the General payload, set the trigger to Startup, and the frequency to "Ongoing".
  2. Scroll down to the Files and Process payload, click Configure, and enter "sudo jamf policy -event euc-patch" in the Execute Command field.
  3. Under the Scope tab, set the scope to All Computers (or whatever subset of computers you prefer).

Once configured, you never need to update this policy! It will always update to the latest versions approved by the EUC team. You can safely scope this to All Computers, because it will only install each update on machines that already have the application installed. So, for example, it won't install Skype on computers that don't already have Skype.

Both Firefox ESR and mainline Firefox are supported. Computers that have mainline installed will get the latest mainline version, while computers that have ESR installed will get the latest ESR.

Similarly, both Office 2016 and Office 2019 are supported. Machines with Office 2016 will be updated to the latest versions of the 2016 apps, and will not be upgraded to 2019 automatically. If you'd like to upgrade to Office 2019, see

If you'd like to patch only certain applications, you can use these per-application custom triggers:


Just like the main euc-patch trigger, these per-application patch triggers will check if an application is installed, outdated, and not currently running before installing the latest approved version.

Creating your own set of patching policies

If you prefer to maintain full control of patching, you can create your own policies leveraging the same scripts and packages as the EUC team. Here is an example of two policies you could create to patch Outlook to the latest version:

First, create a policy to install the latest version.

  1. Create a new policy.
  2. In the General section, set the trigger to Custom, and enter a unique custom event name, e.g. <your site>-install-outlook.
  3. Set the execution frequency to Ongoing.
  4. Go to the Packages payload at the left and click Configure.
  5. Add the latest version of Outlook you want to deploy.
  6. Go to the Scope tab and select All Computers.

Second, create a patching policy. This will run a script to determine if a machine should install your latest Outlook version, and then call the custom trigger you specified in the last policy.

  1. Create a new policy.
  2. Set the trigger to e.g. Startup (or whatever you prefer).
  3. Set the execution frequency to Ongoing.
  4. Go to the Scripts payload and click Configure.
  5. Add the script "EPM-Thirdparty-Patch".
  6. Under Parameter Values, set the custom event to the one you specified above, e.g. <your site>-install-outlook.
  7. Set the app version number to the version you added to your first policy. e.g. 16.16.7
    Microsoft's package names do not contain the same version number as the applications. Be sure you enter the version number as it appears in the Finder's Get Info window when the application is installed.
  8. Set the application path to /Applications/Microsoft
  9. Go to the Scope tab and select All Computers (or whatever subset you prefer).
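
The check that the patch policies on this page are described as making (installed, outdated, not running, then call the custom trigger), as an added sketch. It is not the EPM-Thirdparty-Patch script; the parameter order ($4 event, $5 version, $6 path), the function names and the jamf binary path are assumptions.

```shell
#!/bin/sh
# Added illustration only; this is NOT the EPM-Thirdparty-Patch script.
# Jamf passes script parameters starting at $4 ($1-$3 are reserved).
# Assumed order: $4 = custom event, $5 = target version, $6 = application path.

# version_lt A B: succeeds when dotted version A is older than B.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # keep leading digits only
        x=${x:-0}; y=${y:-0}               # missing component counts as 0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1   # equal versions are not "older"
}

# patch_decision INSTALLED TARGET RUNNING(yes|no): prints the action to take.
patch_decision() {
    if [ -z "$1" ]; then echo skip-not-installed
    elif ! version_lt "$1" "$2"; then echo skip-current   # same or newer: leave alone
    elif [ "$3" = yes ]; then echo skip-running           # never interrupt the user
    else echo patch
    fi
}

main() {
    event=$4; target=$5; app=$6
    # Only pass a plain trigger name to jamf; reject anything else.
    case $event in
        ''|*[!A-Za-z0-9_-]*) echo "invalid event name" >&2; return 2 ;;
    esac
    installed=
    if [ -d "$app" ]; then
        installed=$(defaults read "$app/Contents/Info" CFBundleShortVersionString 2>/dev/null)
    fi
    running=no
    if pgrep -f "$app/Contents/MacOS/" >/dev/null 2>&1; then running=yes; fi
    decision=$(patch_decision "$installed" "$target" "$running")
    echo "$app: installed=${installed:-none} target=$target decision=$decision"
    if [ "$decision" = patch ]; then
        /usr/local/bin/jamf policy -event "$event"   # assumed default binary path
    fi
}

# Run only when Jamf supplies parameters, so the functions can be sourced and tested.
if [ -n "${4:-}" ]; then main "$@"; fi
```

Comparing components numerically matters here: a plain string comparison would rank 16.9 above 16.16.7 and skip a needed update.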

Installing on new machines

If you want to install the latest version of one of these programs on new machines, instead of only updating existing installations, you can use custom triggers to install individual packages. These will always install the latest version supported by the EUC team, regardless of whether the software is already installed or running. The following triggers are available:

euc-install-crashplan (note: only available for installation, not patching, since it updates itself)
euc-install-crowdstrike (note: only available for installation, not patching, since it updates itself)
euc-install-firefox (note: installs Firefox ESR)
euc-install-globalprotect (note: only available for installation, not patching, since it updates itself)
euc-install-sophoscentral (note: only available for installation, not patching, since it updates itself)

For convenience, there are additional triggers to install the entire Office suite along with serialization and the Microsoft AutoUpdate app. These are suitable for upgrading from 2016 to 2019 or downgrading from 2019 to 2016, or performing clean installs of either.


Testing track

There is a similar set of policies and triggers for testing new application versions before they are approved for general deployment. New releases will be in the testing track for at least a week before being approved for general deployment. If you'd like to have some of your computers set to install updates from the testing track, please contact

Custom triggers for testing:

Patch Policies (for updating existing installs)   Install Policies (for installing on new machines)
euc-test-patch-acrobatreader                      euc-test-install-acrobatreader
euc-test-patch-chrome                             euc-test-install-chrome
euc-test-patch-citrixreceiver                     euc-test-install-citrixreceiver
euc-test-patch-citrix                             euc-test-install-citrix
euc-test-patch-dropbox                            euc-test-install-dropbox
euc-test-patch-excel                              euc-test-install-excel-2016
euc-test-patch-firefox                            euc-test-install-firefox
euc-test-patch-java                               euc-test-install-java
euc-test-patch-onedrive                           euc-test-install-onedrive
euc-test-patch-onenote                            euc-test-install-onenote-2016
euc-test-patch-outlook                            euc-test-install-outlook-2016
euc-test-patch-powerpoint                         euc-test-install-powerpoint-2016
euc-test-patch-skype                              euc-test-install-skype
euc-test-patch-vlc                                euc-test-install-vlc
euc-test-patch-word                               euc-test-install-word-2016
euc-test-install-slack                            euc-test-install-slack
euc-test-install-vmware                           euc-test-install-vmware
euc-test-install-zoom                             euc-test-install-zoom

Have Questions or Still Need Help?

If you have any questions, please contact

IS&T Contributions

Documentation and information provided by IS&T staff members

Last Modified:

October 16, 2023
