Configuration of patch policies - avogel-mac/Patch-Helper GitHub Wiki

Preparation

First of all, you should activate all the titles for which you want to use Patch Helper.

Follow Jamf's instructions to add more Patch Software Titles.

After you have added the desired titles in Patch Management, you can build Smart Groups from the values in Patch Reporting. Such a group can serve as an exclusion, for example to identify the devices that already have the latest version installed or are already ahead of it.

After the desired smart groups have been created, you can start creating the desired policies.

API User and Privilege Set

When the script is executed, it first reads the policies that have been set up for it. See also: Function of the script

To do this, we need an API role and client. To create an API role and client in Jamf Pro, follow the official documentation provided by Jamf:

Jamf Pro Documentation – API Roles and Clients

This API client needs the following permission in Jamf Pro:

  • Computers read
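Before pointing the script at a new API client, it is worth confirming that the role carries exactly the privilege listed above and nothing else is needed. The following is an added example, not code from the Patch-Helper project: it obtains a bearer token with the client-credentials grant and requests a single computer inventory record, so a 200 confirms "Computers read" is sufficient and a 403 shows the privilege is missing. The environment variable names JAMF_URL, JAMF_CLIENT_ID and JAMF_CLIENT_SECRET and the sample token response are assumptions of this example; the endpoints used are the Jamf Pro API's /api/oauth/token and /api/v1/computers-inventory.

```shell
#!/bin/bash
# Smoke test for the Patch Helper API client (added example, not part of the wiki).
# Assumes JAMF_URL, JAMF_CLIENT_ID and JAMF_CLIENT_SECRET are set in the environment.
set -u

# Constructed sample of what /api/oauth/token returns; used only to show the parsing
# when no live credentials are present.
SAMPLE_TOKEN_RESPONSE='{"access_token":"sample.token.value","scope":"api-role:1","token_type":"Bearer","expires_in":1799}'

# Pull the access_token value out of the JSON returned by /api/oauth/token.
# Done with sed so the check runs on a stock macOS without jq installed.
extract_access_token() {
  printf '%s' "$1" | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Map the HTTP status of the inventory call to a human-readable verdict.
# 200: privilege set is sufficient; 403: the client authenticated but the role
# lacks "Computers read"; 401: the token was rejected; anything else is reported as is.
privilege_verdict() {
  case "$1" in
    200) echo "ok: API client can read computers" ;;
    403) echo "forbidden: add the 'Computers read' privilege to the API role" ;;
    401) echo "unauthorized: token rejected, check client id and secret" ;;
    *)   echo "unexpected HTTP status $1" ;;
  esac
}

# Request a token with the client-credentials grant of the Jamf Pro API.
get_token() {
  response=$(curl -s -X POST "${JAMF_URL}/api/oauth/token" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode "client_id=${JAMF_CLIENT_ID}" \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode "client_secret=${JAMF_CLIENT_SECRET}")
  extract_access_token "$response"
}

# Ask for a single inventory record; only the HTTP status code matters here.
check_computers_read() {
  token="$1"
  curl -s -o /dev/null -w '%{http_code}' \
    -H "Authorization: Bearer ${token}" \
    -H 'Accept: application/json' \
    "${JAMF_URL}/api/v1/computers-inventory?page-size=1"
}

main() {
  token=$(get_token)
  if [ -z "$token" ]; then
    echo "no access token returned; check JAMF_URL and the client credentials" >&2
    return 1
  fi
  status=$(check_computers_read "$token")
  privilege_verdict "$status"
  [ "$status" = "200" ]
}

# Run the live check only when credentials are present; otherwise show the parsing
# step on the constructed sample so the script is safe to run anywhere.
if [ -n "${JAMF_URL:-}" ]; then
  main
else
  echo "parsed sample token: $(extract_access_token "$SAMPLE_TOKEN_RESPONSE")"
fi
```

Run it once with the client's credentials exported; a verdict other than "ok" means the API role needs adjusting before the Patch Helper script will be able to read the policies.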

Patch Policies

Create your policies as you like. To keep a better overview of which policies are offered in Self Service and which are only used to update a MacBook, I have created a category "Patch Management"; only the policies that are meant purely for patching go into this category. This is not required, however, and only serves my own overview.

Follow Jamf's instructions to create Categories

What goes into your policy is then up to you and depends on how you want to update your application. This is the advantage: to update an application, you can use:

  • a script that downloads and installs an application, such as Installomator by Armin Briegel (@scriptingosx)

  • a package you built yourself with Composer, or a package you downloaded from a vendor's admin console, e.g. Adobe

  • or a combination in which both a package and a script have to run.

It doesn't matter what the content of the policy is, the main thing is that you know what the policy should do at the end of the day.

Make sure that each of your patch policies that patches an application has its display name set correctly, because this name is what the Patch Helper script shows to the user.

As the trigger, select "Custom" and enter the value patch_app_updates. You can of course use another value, but then you have to adjust it in the script as well.

Once you have created the desired policies, it might look like this:

As I said, it can look like this, but it doesn't have to. Of course, you can also assign the same custom trigger to the policy you use in Self Service.