Mac Admin: How we use Nudge to get our users to update macOS

macOS updates can be painful.

Apple does what Microsoft doesn’t: put out updates that are well tested.

Conversely, they don’t do what Microsoft (or Linux) does: make deploying updates seamless.

That last bit matters most, since users aren’t really enthusiastic about rebooting their machines and staring at a black screen with a loading bar until it finishes.


Enter Nudge: a cool tool that gets users enthusiastic about updating, or else.

The concept is simple: deploy an agent that notifies the user of an available update, then forces them to install it if they ignore it for too long and the deadline lapses.


How have we deployed it?

  • We grab the latest NudgeSuite PKG file from their GitHub repo and deploy it via MDM.
  • We create a .mobileconfig file and deploy that via MDM.

[Update 2023/05/15]

I’ve gone ahead and thrown my configuration files up on GitHub for anyone to use!

Option One:

Use the full .mobileconfig file that I have configured. You can update it yourself by replacing the strings beneath the requiredInstallationDate and requiredMinimumOSVersion keys.

Link to config file

Option Two:

Use the web.mobileconfig file that I’ve configured. If deployed on your Macs, it will source changes from this JSON file in the same GitHub directory. This is good since you don’t have to worry about your MDM failing to send a new config policy to your endpoints (really helpful, since it seems MDMs drop off in functionality on endpoints after two weeks of inactivity).

Link to config file

I keep both files up to date and align them with Essential Eight guidelines (two weeks for a standard update, three days for a critical update).
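A pre-publish check for the remotely sourced JSON from Option Two, added here as an example and not taken from the author's repository or the Nudge project: it rejects a malformed file or a deadline outside the two-week and three-day windows before every endpoint picks it up. It assumes the two keys named above sit in an `osVersionRequirements` array with UTC timestamps; `lint_nudge_config`, the release date and the sample config are constructed for illustration.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Deadlines stated in the post: two weeks standard, three days critical.
WINDOWS = {"standard": timedelta(days=14), "critical": timedelta(days=3)}
VERSION_RE = re.compile(r"^\d+(\.\d+){1,2}$")  # assumption: plain dotted versions only
DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumption: UTC timestamp strings


def lint_nudge_config(raw_json, released, severity="standard"):
    """Return a list of findings; an empty list means the file is fit to publish."""
    findings = []
    try:
        config = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    rules = config.get("osVersionRequirements") if isinstance(config, dict) else None
    if not isinstance(rules, list) or not rules:
        return ["osVersionRequirements is missing or empty"]
    for i, rule in enumerate(rules):
        rule = rule if isinstance(rule, dict) else {}
        version = str(rule.get("requiredMinimumOSVersion", ""))
        if not VERSION_RE.match(version):
            findings.append(f"rule {i}: bad requiredMinimumOSVersion {version!r}")
        date_str = str(rule.get("requiredInstallationDate", ""))
        try:
            deadline = datetime.strptime(date_str, DATE_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            findings.append(f"rule {i}: bad requiredInstallationDate {date_str!r}")
            continue
        if deadline <= released:
            findings.append(f"rule {i}: deadline is not after the release date")
        elif deadline - released > WINDOWS[severity]:
            findings.append(f"rule {i}: deadline exceeds the {severity} window")
    return findings


# Constructed sample, not the author's published file.
SAMPLE = json.dumps({"osVersionRequirements": [{
    "requiredInstallationDate": "2023-05-29T00:00:00Z",
    "requiredMinimumOSVersion": "13.4",
}]})
RELEASED = datetime(2023, 5, 15, tzinfo=timezone.utc)  # admin-supplied release date

if __name__ == "__main__":
    for severity in WINDOWS:
        print(severity, lint_nudge_config(SAMPLE, RELEASED, severity) or "OK")
```

Running this as a required check on the repository that hosts the JSON keeps a typo in one edit from becoming the enforced deadline on every Mac that reads the file.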


Key takeaways if you’re going to use my file:

  • “acceptableCameraUsage” and “acceptableScreenSharingUsage” are set to “true”, as I don’t want users to receive the notification if they’re on a video call or meeting.
  • I also deploy custom icons and screenshots because I had free time to style them. If they can’t be found because you don’t have the files, they’ll default to what Nudge uses (shown on their GitHub page).
  • The notification is scheduled to go off every 30 minutes at the top and bottom of each hour via the LaunchDaemon file from the PKG deployment. I don’t bother changing this; it works well.

Here’s how our deployment looks:

[Screenshot]


Here are the MDM settings we use on Mosyle for deploying either profile/mobileconfig file:

[Screenshot]

The settings for the PKG file deployment:

[Screenshots]

Note that we grab the PKG directly from GitHub. It’s a good idea to cut down on the amount of work you have to do to maintain a PKG if it’s already publicly hosted.


Rules of thumb:

  • Give your users enough time to update; we use two-week periods (or three days if there’s a massive bug being actively exploited).
  • Always check code before deploying.
  • Actively communicate the change you’re trying to push to your users outside of the notification; people will freak out over random popups.