Jon.Black
macadmin

How we use Nudge to get our users to update macOS

Jon Black 4 min read

macOS updates can be painful.

[Updated 2023/05/15]

Apple does what Microsoft doesn't: put out updates that are well tested.

Conversely, they don't do what Microsoft (or Linux) does: make deploying updates seamless.

That last bit matters most since users aren't really enthusiastic about rebooting their machines and staring at a black screen with a loading bar to finish.


Enter Nudge: a cool tool that gets users enthusiastic about updating, or else.

GitHub - macadmins/nudge: A tool for encouraging the installation of macOS security updates.

The concept is simple: deploy an agent that notifies the user of an available update, then force them to install it if they ignore it for too long and the deadline lapses.


How have we deployed it?

  • We grab the latest NudgeSuite PKG file from their GitHub repo and deploy it via MDM.
  • We create a .mobileconfig file and deploy that via MDM.

[Update 2023/05/15]

I've gone ahead and thrown my configuration files up on GitHub for anyone to use!

There are two options.

Option One:

Use the full .mobileconfig file that I have configured. You can update it yourself by replacing the strings beneath the requiredInstallationDate and requiredMinimumOSVersion keys.

Pub-Files/nudge-macos.mobileconfig at main · BiosPlus/Pub-Files

Option Two:

Use the web.mobileconfig file that I've configured. If deployed on your Macs, it will source changes from this JSON file in the same GitHub directory. This is good since you don't have to worry about your MDM failing to send a new config policy to your endpoints (really helpful, since MDMs seem to drop off in functionality on endpoints after two weeks of inactivity).

Pub-Files/nudge-macos-web.mobileconfig at main · BiosPlus/Pub-Files

I keep both files up to date and align them with Essential Eight guidelines (two weeks for a standard update, three days for a critical update).
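An added example (not from the original post or the Nudge project): a pre-publish check for the JSON file that Option Two points at, confirming the two values you edit are well formed and the deadline sits inside the update window above. It assumes Nudge's JSON layout with `osVersionRequirements` entries and UTC `YYYY-MM-DDTHH:MM:SSZ` dates; the function name, the `released` parameter and the sample values are constructed for illustration.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of Nudge's JSON config; values are made up.
SAMPLE_JSON = """
{
  "optionalFeatures": {"acceptableCameraUsage": true,
                       "acceptableScreenSharingUsage": true},
  "osVersionRequirements": [
    {"requiredInstallationDate": "2023-05-15T00:00:00Z",
     "requiredMinimumOSVersion": "13.3.1"}
  ]
}
"""

# Update windows the post uses: two weeks standard, three days critical.
WINDOWS = {"standard": timedelta(days=14), "critical": timedelta(days=3)}

def check_nudge_config(raw, released, severity="standard"):
    """Return a list of problems found in a Nudge JSON config (empty = OK).

    `released` (hypothetical parameter) is the timezone-aware UTC datetime
    the update shipped; the deadline must fall inside the policy window.
    """
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    reqs = cfg.get("osVersionRequirements") if isinstance(cfg, dict) else None
    if not isinstance(reqs, list) or not reqs:
        return ["osVersionRequirements missing or empty"]
    problems = []
    for i, req in enumerate(reqs):
        if not isinstance(req, dict):
            problems.append(f"entry {i}: not an object")
            continue
        version = req.get("requiredMinimumOSVersion")
        # Assumption of this example: versions look like 13.4 or 13.3.1.
        if not isinstance(version, str) or not re.fullmatch(r"\d+(\.\d+){1,2}", version):
            problems.append(f"entry {i}: bad requiredMinimumOSVersion {version!r}")
        date = req.get("requiredInstallationDate")
        try:
            deadline = datetime.strptime(date, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            problems.append(f"entry {i}: bad requiredInstallationDate {date!r}")
            continue
        if not released < deadline <= released + WINDOWS[severity]:
            problems.append(f"entry {i}: deadline {date} is outside the "
                            f"{severity} window after release")
    return problems
```

Running this wherever the JSON gets published means a typo in the date or version is caught before every endpoint pulls it.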


Key takeaways if you're going to use my file.

  • "acceptableCameraUsage" and "acceptableScreenSharingUsage" are set to "true", as I don't want users to receive the notification if they're on a video call or meeting.
  • I also deploy custom icons and screenshots because I had free time to style them. If they can't be found because you don't have the files, they'll default to what Nudge uses (shown on their GitHub page).
  • The notification is scheduled to go off every 30 minutes, at the top and bottom of each hour, via the LaunchDaemon file from the PKG deployment. I don't bother changing this; it works well.

Here's how our deployment looks:


Here are the MDM settings we use on Mosyle for deploying either profile/mobileconfig file:

Be sure to hit the checkbox to enable it :) 

The settings for the PKG file deployment:

Notice that we grab the PKG directly from GitHub. It's a good idea to cut down on the amount of work you have to do to maintain a PKG if it's already publicly hosted.

Rules of thumb:

  • Give your users enough time to update; we use two-week periods (or three days if there's a massive bug being actively exploited).
  • Always check code before deploying.
  • Actively communicate the change you're trying to push to your users outside of the notification; people will freak out over random popups.