11 UEX Integration With msupdate

Ayla Abbott edited this page Feb 16, 2020 · 2 revisions

Update Microsoft applications for Mac by using msupdate & UEX

Be sure to read the full Wiki and the Important Considerations section before testing.

Microsoft AutoUpdate already has powerful native features for keeping apps up to date, such as setting a deadline or, as an alternative, deploying from the App Store.

The key things it lacks are Presentation Delay and Custom Branding. Thus, msupdate integration with UEX was born!

Thankfully, Microsoft AutoUpdate supports msupdate, a CLI for checking for and managing updates.

Requirements

  • Microsoft AutoUpdate 3.18 and later
  • UEX v5.0 and later

How does it work?

  1. Using the msupdate application in Microsoft AutoUpdate.app, UEX checks which updates are available
  2. msupdate -f p gives the CDN URL for the PKG
  3. The PKG is downloaded, then moved to /Library/Application Support/JAMF/Waiting Room/
  4. If that application is running, UEX is set to block that app and then presents the appropriate UEX window.
  5. Once the user runs it, the normal PKG install process occurs and the 00-uexblockagent-jss keeps the app from running

How to set it up?

  • Set up a basic UEX Recipe for each application:
    • Microsoft Word (check=word)
    • Microsoft Excel (check=excel)
    • Microsoft PowerPoint (check=powerpoint)
    • Microsoft Outlook (check=outlook)
    • Microsoft OneNote (check=onenote)
    • Microsoft OneDrive (check=onedrive)
    • Company Portal (check=companyportal)
    • Microsoft Teams (check=teams)
    • Skype for Business (check=sfb)
    • Microsoft Edge (check=edge)
  • Scope to all computers
  • Set it to trigger by custom event
    • The custom event name could be something like word_update, excel_update, powerpoint_update... you get the point
  • Use the 00-UEX-Jamf-Interaction-no-grep script
    • Vendor;AppName;Version=Microsoft;Microsoft Updates;1.0
    • Checks=msupdate $associatedCheckForApp
      • Examples: msupdate word, msupdate excel, or msupdate powerpoint
      • If you also add ssavail then check out the Self Service Use case below
      • You can also add compliance to force updates for pesky/busy/non-compliant people. 😜 Check out 05-Compliance-Policies
    • Apps to Quit or Block= leave blank
    • InstallDuration - Must be integer=5
      • This is set automatically to 10 if there's an update found
    • MaxDefer=1
    • Packages separated by ;= leave blank
    • Trigger Names separated by ;= set this to the custom event name for this policy

Other Apps

  • Microsoft AutoUpdate
    • This updates automatically, whenever there is an update, every time an msupdate UEX policy runs.

Not supported...Yet

  • Microsoft Remote Desktop
  • Microsoft Defender ATP

Deploying Microsoft updates

  • Use a separate policy with the 00-UEX-Deploy-via-Trigger script to trigger them.
    • Note: you can string all the custom event names together in the parameter Trigger names, separated by semi-colons
    • Example: word_update;excel_update;powerpoint_update
  • Run this policy at check-in, once every week
  • Scope to all computers

Check out the section [03-How-to-Deploy-UEX-Policies](https://github.com/green-philodendron/Jamf-Interaction-Toolkit/wiki/03-How-to-Deploy-UEX-Policies)

Self Service Use Case

No admin rights are required to use the Microsoft AutoUpdate.app. So rather than using individual Self Service policies, you can create a single Self Service policy that just opens /Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app.

This is the script I use to open things with policies. jamf-open-file-with-parameter

Important Considerations

Do not manage the HowToCheck setting with a Configuration Profile

If you decide to deploy updates by using your software distribution tools, you should configure Microsoft AutoUpdate to manually check for software updates. Reference

Microsoft AutoUpdate takes full control if set to Automatic, which means that checking for updates using the msupdate CLI is limited. For this reason, UEX sets this setting to manual with defaults write com.microsoft.autoupdate2 HowToCheck Manual, then sets it back to your preferred setting when done.

You can set your preferred setting in defaultMsauSetting, found in the Jamf Interaction Configuration section in 00-UEX-Jamf-Interaction-no-grep.sh
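
If the switch to Manual is not undone when a run fails or is cancelled, the Mac stops checking for updates on its own. The following shell functions are an added example, not code from UEX or 00-UEX-Jamf-Interaction-no-grep.sh, showing one way to make the restore unconditional; the function names and the fallback argument are assumptions, and AutomaticDownload in the usage comment stands in for your preferred setting.

```shell
#!/bin/sh
# Added example (not UEX code): force HowToCheck to Manual for one command,
# then restore the earlier value even when that command fails.

MAU_DOMAIN="com.microsoft.autoupdate2"   # preference domain named on the page
MAU_KEY="HowToCheck"
_MAU_PREVIOUS=""                         # hypothetical helper state

# Print the current HowToCheck value, or $1 when the key has never been set.
current_how_to_check() {
    if _v=$(defaults read "$MAU_DOMAIN" "$MAU_KEY" 2>/dev/null) && [ -n "$_v" ]; then
        printf '%s\n' "$_v"
    else
        printf '%s\n' "$1"
    fi
}

_mau_restore() {
    defaults write "$MAU_DOMAIN" "$MAU_KEY" "$_MAU_PREVIOUS"
}

# Usage: run_with_manual_check <fallback-setting> <command> [args...]
# Returns the command's exit status, or 70 if a defaults write failed.
run_with_manual_check() {
    _MAU_PREVIOUS=$(current_how_to_check "$1")
    shift
    # Restore on interruption too, so a cancelled policy run does not
    # leave the Mac on Manual (no automatic update checks).
    trap '_mau_restore; exit 1' INT TERM HUP
    defaults write "$MAU_DOMAIN" "$MAU_KEY" Manual || { trap - INT TERM HUP; return 70; }
    # Subshell plus if/else: an `exit` or a failure inside the command,
    # or `set -e` in the caller, cannot skip the restore below.
    if ( "$@" ); then _status=0; else _status=$?; fi
    if ! _mau_restore; then
        echo "WARNING: $MAU_KEY not restored to $_MAU_PREVIOUS" >&2
        _status=70
    fi
    trap - INT TERM HUP
    return "$_status"
}

# Example call on a managed Mac (path under the MAU app named on the page):
# run_with_manual_check AutomaticDownload \
#   "/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate" --list
```

A non-zero return from the wrapper is worth logging in the policy output, since 70 means the preference may not match what you intended.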

Why can't I just do them all in one Policy or with msupdate natively?

UEX was written to handle things granularly, on a per-application basis, so having each application update in a separate UEX policy makes sense. The native msupdate also uses a queuing feature to make the updates run as seamlessly as possible in the background and with the Notification Center, but that doesn't play nicely when you want the update to happen right away. This is why using the PKG is still the best current option.