Update Inventory (Immediately) After macOS Update

This is related to my previous post, "Re-enabling Jamf Connect Login after an in-place macOS Upgrade", but without the Jamf Connect part.

When a macOS update or upgrade is performed, Jamf Pro often will not recognize the update until up to 24 hours later. Depending on how often computers are set to update inventory, it could be even longer.

If you have policies or configuration profiles scoped to devices based on their OS version, this delay in inventory information also delays those actions. Or perhaps a security update has come out and you want to know which devices remain vulnerable. A delay in reporting means you do not have timely information to ensure your Mac fleet is protected.

Ensuring Jamf Pro updates inventory immediately after a macOS update can be done rather simply by having Jamf Pro run a script on startup.

The first requirement is to ensure you have the Jamf startup script enabled. Navigate to Settings > Computer Management > Check-In and ensure that the boxes for Create startup script and Check for policies triggered by startup are checked. This ensures our script will run each time the computer boots. (If not using Jamf Pro, consider creating your own LaunchDaemon here.)

Next we upload our script to Jamf Pro. The script below performs the following actions:

  1. Gets the current local operating system build.
  2. Checks if there is an existing local plist file for the macOS build version, and creates it if needed.
  3. If the current OS version matches the local plist, we assume the OS was not updated and exit with status 0.
  4. If the current OS version does not match the local plist, we assume the OS was updated and perform an inventory update.
  5. Update the macOS build in the local plist with the new build version.

#!/bin/bash
# bash rather than sh: the script uses [[ ]] and &> redirection

# Location of macOS Build plist for comparison
# Substitute your org name for anyOrg, or place in another location
buildPlist="/usr/local/anyOrg/macOSBuild.plist"

# Get the local OS build version
# Using build version accounts for supplemental updates as well as dot updates and OS upgrades
localOS=$( /usr/bin/sw_vers | awk '/BuildVersion/{print $2}' )

# If the macOS Build plist key does not exist, create it and write the local OS into it
if ! /usr/libexec/PlistBuddy -c 'print "macOSBuild"' "$buildPlist" &> /dev/null; then
    echo "macOS Build plist does not exist. Creating now…"
    # Make sure the parent directory exists before writing the plist
    mkdir -p "$( dirname "$buildPlist" )"
    defaults write "$buildPlist" macOSBuild "$localOS"
else
    echo "macOS Build plist already exists. Skipping creation…"
fi

# Get the OS from the macOS build plist now that we have ensured it exists
plistOS=$( defaults read "$buildPlist" macOSBuild )

# If the local OS does not match the plist OS, do some maintenance
if [[ "$localOS" != "$plistOS" ]]; then
    echo "macOS was updated. Performing maintenance now…"
    # Update inventory
    echo "Updating inventory…"
    /usr/local/bin/jamf recon
    # Update the local plist file
    echo "Updating plist with new OS build version…"
    defaults write "$buildPlist" macOSBuild "$localOS"
else
    echo "macOS was not updated. Nothing to do here."
fi

With this script uploaded to Jamf Pro, the last step is to create a policy that runs it. Note that I have named the policy and the script “macOS Update Maintenance”; feel free to name them as you see fit.

  • General
      • Name: macOS Update Maintenance
      • Trigger: Startup
      • Frequency: Ongoing
  • Scripts
      • Select script uploaded previously.
  • Scope
      • Targets: All Managed Clients or All Computers

Now each time one of our Jamf Pro managed Macs boots, it will run this script. The script will determine if the macOS build version has changed and, if it has, perform a recon so that our inventory records are updated immediately!
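
A variant of the check above, added here as an example and not part of the original script: the stored build is advanced only after the inventory command succeeds, so a recon that fails at startup (for instance before the network is up) is retried on the next boot instead of being lost. The one-line text state file, the function names, the return codes and the `macOSBuild.txt` path are assumptions for illustration, and the inventory command is passed in as arguments so the logic is not tied to one tool.

```shell
#!/bin/sh
# Added example (not the post's script): same build-change check, but the
# stored build only advances after the inventory command succeeds.
# State is a one-line text file (an assumption; the post uses a plist).

RC_UNCHANGED=0   # build matches stored value, or baseline just recorded
RC_UPDATED=10    # build changed, inventory succeeded, state advanced
RC_RETRY=20      # build changed, inventory failed, state kept for next boot

# Write the build to the state file atomically (temp file, then rename).
record_build() {
    state_file=$1 build=$2
    mkdir -p "$(dirname "$state_file")" || return 1
    tmp="${state_file}.$$"
    printf '%s\n' "$build" > "$tmp" && mv -f "$tmp" "$state_file"
}

# Usage: check_build STATE_FILE CURRENT_BUILD INVENTORY_CMD [ARGS...]
check_build() {
    state_file=$1 current=$2
    shift 2
    # First run: record a baseline and do nothing else, as the post does.
    if [ ! -s "$state_file" ]; then
        record_build "$state_file" "$current" || return 1
        return "$RC_UNCHANGED"
    fi
    IFS= read -r stored < "$state_file"
    if [ "$current" = "$stored" ]; then
        return "$RC_UNCHANGED"
    fi
    # Build changed: run inventory, advance the state only on success.
    if "$@"; then
        record_build "$state_file" "$current" || return 1
        return "$RC_UPDATED"
    fi
    return "$RC_RETRY"
}

# On a managed Mac the call could look like this (state path is hypothetical):
#   check_build /usr/local/anyOrg/macOSBuild.txt \
#       "$(/usr/bin/sw_vers -buildVersion)" /usr/local/bin/jamf recon
```

A return code of 20 leaves the old build in the state file, which is what makes the next startup run try the inventory update again.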
