With Addigy's new implementation of System Updates via MDM, update functionality now relies heavily on the MDM connectivity of devices. The MDM connection can sometimes be interrupted, preventing the update from proceeding. This article aims to provide useful pieces of information and troubleshooting steps to help smooth out your updates.
Generally speaking, our MDM Watchdog will always try to remediate a few issues discussed in this article, but there may be times when manual intervention is required.
Devices are not Updating / Updates are not Showing As Available for a Device:
Macs:
When it comes to macOS, we have an abundance of facts and scripts to help detect and remediate devices that are having issues with updating.
The first step would be to verify that the device is eligible for MDM updates by referencing our "MDM Update Eligibility" device fact. As the name implies, it checks to make sure a device is able to perform updates via MDM based on the requirements defined here.
Once you have verified the device is eligible for this feature, the next step would be to ensure the device is successfully communicating with MDM. The following article goes over how to leverage a couple of device facts and commands to ensure a proper MDM connection:
MDM Client Is Unresponsive and Remediation - Addigy MDM Watchdog
Outside of the "kickstart softwareupdates" command in the above article, the following command has also been seen to remediate the behavior of updates not showing as available:
mv /Library/Receipts/InstallHistory.plist /Library/Receipts/InstallHistory.plist.old
If the devices certainly have an active MDM Connection and deferrals are being leveraged, it is possible that an application is blocking the update from restarting the device to apply an update.
Side note, make sure to also check out the general troubleshooting checklist at the bottom of this article.
iPhones and iPads:
If a device is incapable of checking in with MDM even when it is physically unlocked, currently, the only known remediation steps are to restart or re-enroll the device.
An update occurred when it was not supposed to:
When this happens, there are a few important things to account for:
- Did the device update or upgrade?
- There are conditions for upgrades where it will not leverage the deferral prompts configured, they will instead use the "default" install option as highlighted in the Policy > Updates tab. Thus, if a device was upgraded and it did not leverage the deferral prompts for permission, that would be expected.
- Was the update/upgrade initiated by Addigy?
- To check if an update/upgrade was initiated by Addigy, simply check out the GoLive > Events page and search for any
Schedulecommand around the time of the update. Alternatively, you can view the update history in GoLive > (OS version text):OSUpdate
- To check if an update/upgrade was initiated by Addigy, simply check out the GoLive > Events page and search for any
- Were there any update restrictions via the "Restrictions" MDM profile or the macOS upgrade blocker?
- If a Restrictions MDM profile is in place with settings to ignore updates, is the update older or newer than the deferral days configured? This profile only allows for a maximum of 90 days to ignore an update, and if an update/upgrade is older than 90 days, the profile will not be able to hide it any longer.
- If neither were present and a device was updated, it's possible the device updated itself or the end user initiated the update.
If you are having trouble with pinpointing the cause, please, do not hesitate to submit a ticket with us and share all relevant information.
Available Update Status: "There are currently no updates available":
You may see this message in the update status even though the device is on an outdated OS version. This may be because the built-in macOS software update utility is not working as expected. This mechanism is responsible for identifying, downloading, and installing all updates.
As a remediation step, leverage our Kickstart Software Updates community script. This should kickstart the "softwareupdate" process, allowing the device to poll for updates.
Another cause could be that the OS version is not compatible with the machine.
"Undetermined" Message in the "Status" box of GoLive > Updates:
Sometimes the status of an MDM Software Update can be "Undetermined" if the device has not queried for updates in a while or if a product code varies slightly between commands. In most situations, performing the task will function normally and the Undetermined status will change once an update is in process. To get additional information from the device about updates, our API can be used to gather additional information about the updates and install them.
General Troubleshooting Checklist:
Does your deployment window allow the update to download and install within a reasonable timeframe?
Depending on the update and network speed/stability, the download and installation process can take longer than expected. This is particularly relevant for schedules with a deployment window of 2 hours or less.
Was the device online for an extended period during the deployment window?
This requires some scanning through the Apple Install log to see the times when the device was executing processes.
Is the device still within the deferral count?
The deferral amount configured in the policy does not equal the maximum amount of days an update will take to install. Deferrals serve as a function of how many chances a device is given to update, assuming it successfully initiates a prompt. If a device is in a state where the update cannot be received, it will not prompt and thus will not count as a deferral.
Does the device have an Apple Silicon processor and was it enrolled manually via Device Enrollment? If so, does the device have the proper Secure Boot settings?
Manually-enrolled Apple Silicon devices require "Reduced Security Mode" and "Allow remote management of kernel extensions and automatic software updates" to be enabled for MDM updates.