Nudge for macOS Software Updates (macOS Script)
What
Nudge is a tool designed for macOS Big Sur 11 and later. It is a multi-linguistic application offering custom user deferrals, strongly encouraging macOSusers updates.to self update macOS.
This macOS application helps users stay up-to-date with software updates and security patches installed.patches. It is a lightweight and simple application that runs in the background andtask which periodically checks for updates. OnceBased itupon detectsa pre-defined, minimum update configuration, on detection the administrative’s configured settings for a minimum update, it displays a notification to the user, urging them to update the software package. Ituser is availablenotified, here:requesting they update.
Nudge Download: GitHub - macadmins/nudge: A tool for encouraging the installation of macOS security updates.
When/Why
Keeping software up-to-date is essential for any system's security and smooth functioning. However, it can be a daunting task to manually track software updates, especially when multiple software packages are installed on the device. That's where Nudge comes into the picture. It automates the software update checking and notification process, making it easier for users to stay on top of updates.
Nudge also helps to address security vulnerabilities in software packages, which malicious actors can exploit to gain unauthorized access to the device or steal sensitive data. By promptly updating software packages, users can significantly reduce the risk of such security incidents.
Moreover, Nudge helps improve the system's overall performance by updating software packages with bug fixes and other improvements. Outdated software can be a major cause of system crashes, lagging, and other performance issues, which can be avoided by updating software packages regularly.
How
Note,
Nudgefor willmajor onlysoftware workupdates, onan macOSAdministrator Bigpassword Sur 11 and later. Nudge has two main objects that mustmay be configuredrequired. In this case, an alternate approach to beupgrade useful in production: a LaunchAgent and a Configuration. Nudge configurationdevices could be achievedconsidered, usingas eitherhighlighted ofin the followingKB: two primary methods:
Configuration Profile
OR
JSON file
Nudge functionality: Rather than trying to install updates via the macOS built-inUpgrades softwareupdatebinary, Nudge prompts users to install updates via Apple approved/tested methods: System Preferences > Software Update and major application upgrades via the standalone macOS installer (Ex: Install macOS Monterey.app). This method does require the use of admin password. If your end users have administrative access Nudge is an excellent alternative approved by Apple’s methods.
Erasing
Prior to macOS 11, Software Updates werecould pulledbe frominstalled either through Apple's catalogue (not MDM App Store) through FileWave. To achieve this, the client will overwrite the currentlegacy Software Update plistcatalogues whilstor runningusing andMDM. thenConsider revertusing the legacy updates for these devices; Nudge should not be required.
How
Nudge has two main components for installation;
- Installation PKG
- Configuration file
In Thisthis example, configuration will likelybe conflictdefined withusing anya NudgeJSON process, causing Nudge to fail if the two occur at the same time. You can however get around this.file.
ThereThe isprovided aFileset clientincludes:
- Example
couldConfiguration - Scripted
pushed with Superpref to disable non MDM updates, but easier still, if you disable Legacy Apple Software Updates entirely from the FileWave Central > Preferences > Software Updates tab. This will allow clients not request to attempt non-MDM checks anymore.
Worth noting, that every Model Update, Inventory, Verify, the fwcld client process overwrites this file, since it needs to report which updates are appropriate, so this isn't a casemethod oftheyinstallation - Scripted
onlyuninstallation
you
associated
Setting Up Nudge with FileWave
Installing Nudge
Nudge has provided a script that can be used to install the latest Nudge suite package. Below is the script contents, also included is logging for the FileWave client:
Install Nudge script
#!/bin/bash
# Writing details to the FileWave Client Log
exec 1>>/var/log/fwcld.log
exec 2>>/var/log/fwcld.log
# Variables
nudgeLatestURL="https://github.com/macadmins/nudge/releases/latest/"
versionUrl=$(curl "${nudgeLatestURL}" -s -L -I -o /dev/null -w '%{url_effective}')
versionNumber=$(printf "%s" "${versionUrl[@]}" | sed 's@.*/@@' | sed 's/%20/-/g')
versionNumber=${versionNumber:1}
downloadUrl="https://github.com/macadmins/nudge/releases/download/v$versionNumber/Nudge_Suite-$versionNumber.pkg"
header="$(curl -sI "$downloadUrl" | tr -d '\r')"
pkgName=$(printf "%s" "${downloadUrl[@]}" | sed 's@.*/@@' | sed 's/%20/-/g')
pkgPath="/tmp/$pkgName"
# Download files
/usr/bin/curl -L -o "$pkgPath" "$downloadUrl"
# Install PKGs
sudo installer -pkg $pkgPath -target /
# Delete PKGs
sudo /bin/rm "$pkgPath"
exit 0
You may download the Nudge Installation Fileset here: Nudge Installation.fileset.zip
The Fileset contents should be similar as shown below. This Fileset includes both the installation and uninstallation scripts.
Custom Field
Checking the version of Nudge you have installed on your devices can be helpful as newer features are added. Download the Custom Field Nudge below and import into Assistants > Custom Fields > Import. This will display the version installed on your devices.
FileWave Custom Fieldsm Nudge.customfields.zip
Configuration Profile
You may copy the complete example default config profile from GitHub Nudge - Getting Started: Configuration Profile. For this KB article, we have copied and removed the extra configuration settings to include only the basic items needed for Nudge to function.
Configuration Profile metadata
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configures all Nudge preferences</string>
<key>PayloadDisplayName</key>
<string>Nudge Preferences</string>
<key>PayloadIdentifier</key>
<string>com.github.macadmins.Nudge.preferences</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadType</key>
<string>com.github.macadmins.Nudge</string>
<key>PayloadUUID</key>
<string>CA02957C-7472-446B-9F77-3E0414405556</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>osVersionRequirements</key>
<array>
<dict>
<key>requiredInstallationDate</key>
<date>2023-05-30T04:00:00Z</date>
<key>requiredMinimumOSVersion</key>
<string>13.3.1</string>
</dict>
</array>
</dict>
</array>
<key>PayloadDescription</key>
<string>Configures Nudge application</string>
<key>PayloadDisplayName</key>
<string>Nudge Preferences</string>
<key>PayloadIdentifier</key>
<string>com.github.macadmins.Nudge.FileWave</string>
<key>PayloadOrganization</key>
<string>Nudge</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>2F54F734-132D-4539-B583-F1DCF23DB5EB</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
You may copy the above for the basic functions for Nudge and paste into a text editor, such as Atom, Notepad ++, etc. To configure, please note lines 26 and 28. These need to be modified based on your desired:
-
requiredInstallationDate:
2023-05-30T04:00:00Z, May, 30 2023 at 12:00AM EST -
requiredMinimumVersion:
13.3.1, i.e. macOS 13.3.1 (Ventura)
Save the file, any name desired, as long as you save with the extension, .mobileconfig. Next import into FileWave Admin; drag and drop the .mobileconfig into FileWave Central Admin.
When you open the profile within FileWave, there will be no payload regarding the Nudge configurations displayed.
JSON File
You may copy the complete example JSON configuration file from GitHub Nudge - Getting Started: JSON Configuration File. Below is the JSON config file that we will use.
JSON File metadata
{
"optionalFeatures": {
"acceptableApplicationBundleIDs": [],
"acceptableAssertionUsage": false,
"acceptableCameraUsage": false,
"acceptableScreenSharingUsage": false,
"aggressiveUserExperience": true,
"aggressiveUserFullScreenExperience": true,
"asynchronousSoftwareUpdate": true,
"attemptToBlockApplicationLaunches": false,
"attemptToFetchMajorUpgrade": true,
"blockedApplicationBundleIDs": [],
"enforceMinorUpdates": true,
"terminateApplicationsOnLaunch": false
},
"osVersionRequirements": [
{
"aboutUpdateURL_disabled": "https://support.apple.com/en-us/HT211896#macos1121",
"aboutUpdateURLs": [
{
"_language": "en",
"aboutUpdateURL": "https://support.apple.com/en-us/HT211896#macos1121"
},
{
"_language": "es",
"aboutUpdateURL": "https://support.apple.com/es-es/HT211896"
},
{
"_language": "fr",
"aboutUpdateURL": "https://support.apple.com/fr-fr/HT211896"
},
{
"_language": "de",
"aboutUpdateURL": "https://support.apple.com/de-de/HT211896"
}
],
"actionButtonPath": "munki://updates",
"majorUpgradeAppPath": "/Applications/Install macOS Big Sur.app",
"requiredInstallationDate": "2021-08-28T00:00:00Z",
"requiredMinimumOSVersion": "11.5.2",
"targetedOSVersionsRule": "default"
}
],
"userExperience": {
"allowGracePeriods": false,
"allowLaterDeferralButton": true,
"allowUserQuitDeferrals": true,
"allowedDeferrals": 1000000,
"allowedDeferralsUntilForcedSecondaryQuitButton": 14,
"approachingRefreshCycle": 6000,
"approachingWindowTime": 72,
"calendarDeferralUnit": "imminentWindowTime",
"elapsedRefreshCycle": 300,
"gracePeriodInstallDelay": 23,
"gracePeriodLaunchDelay": 1,
"gracePeriodPath": "/private/var/db/.AppleSetupDone",
"imminentRefreshCycle": 600,
"imminentWindowTime": 24,
"initialRefreshCycle": 18000,
"launchAgentIdentifier": "com.github.macadmins.Nudge",
"loadLaunchAgent": false,
"maxRandomDelayInSeconds": 1200,
"noTimers": false,
"nudgeRefreshCycle": 60,
"randomDelay": false
},
"userInterface": {
"actionButtonPath": "munki://updates",
"fallbackLanguage": "en",
"forceFallbackLanguage": false,
"forceScreenShotIcon": false,
"iconDarkPath": "/somewhere/logoDark.png",
"iconLightPath": "/somewhere/logoLight.png",
"screenShotDarkPath": "/somewhere/screenShotDark.png",
"screenShotLightPath": "/somewhere/screenShotLight.png",
"showDeferralCount": true,
"simpleMode": false,
"singleQuitButton": false,
"updateElements": [
{
"_language": "en",
"actionButtonText": "Update Device",
"customDeferralButtonText": "Custom",
"customDeferralDropdownText": "Defer",
"informationButtonText": "More Info",
"mainContentHeader": "Your device will restart during this update",
"mainContentNote": "Important Notes",
"mainContentSubHeader": "Updates can take around 30 minutes to complete",
"mainContentText": "A fully up-to-date device is required to ensure that IT can accurately protect your device.\n\nIf you do not update your device, you may lose access to some items necessary for your day-to-day tasks.\n\nTo begin the update, simply click on the Update Device button and follow the provided steps.",
"mainHeader": "Your device requires a security update",
"oneDayDeferralButtonText": "One Day",
"oneHourDeferralButtonText": "One Hour",
"primaryQuitButtonText": "Later",
"secondaryQuitButtonText": "I understand",
"subHeader": "A friendly reminder from your local IT team"
},
{
"_language": "es",
"actionButtonText": "Actualizar dispositivo",
"informationButtonText": "Más información",
"mainContentHeader": "Su dispositivo se reiniciará durante esta actualización",
"mainContentNote": "Notas importantes",
"mainContentSubHeader": "Las actualizaciones pueden tardar unos 30 minutos en completarse",
"mainContentText": "Se requiere un dispositivo completamente actualizado para garantizar que IT pueda proteger su dispositivo con precisión.\n\nSi no actualiza su dispositivo, es posible que pierda el acceso a algunos elementos necesarios para sus tareas diarias.\n\nPara comenzar la actualización, simplemente haga clic en el botón Actualizar dispositivo y siga los pasos proporcionados.",
"mainHeader": "Tu dispositivo requiere una actualización de seguridad",
"primaryQuitButtonText": "Más tarde",
"secondaryQuitButtonText": "Entiendo",
"subHeader": "Un recordatorio amistoso de su equipo de IT local"
},
{
"_language": "fr",
"actionButtonText": "Mettre à jour l'appareil",
"informationButtonText": "Plus d'informations",
"mainContentHeader": "Votre appareil redémarrera pendant cette mise à jour",
"mainContentNote": "Notes Importantes",
"mainContentSubHeader": "Les mises à jour peuvent prendre environ 30 minutes.",
"mainContentText": "Un appareil entièrement à jour est nécessaire pour garantir que le service informatique puisse protéger votre appareil efficacement.\n\n Si vous ne mettez pas à jour votre appareil, vous risquez de perdre l'accès à certains outils nécessaires à vos tâches quotidiennes.\n\nPour commencer la mise à jour, cliquez simplement sur le bouton Mettre à jour le périphérique et suivez les étapes fournies.",
"mainHeader": "Votre appareil nécessite une mise à jour de sécurité.",
"primaryQuitButtonText": "Plus tard",
"secondaryQuitButtonText": "Je comprends",
"subHeader": "Un rappel amical de votre équipe informatique locale"
},
{
"_language": "de",
"actionButtonText": "Gerät aktualisieren",
"informationButtonText": "Mehr Informationen",
"mainContentHeader": "Ihr Gerät wird während dieses Updates neu gestartet",
"mainContentNote": "Wichtige Hinweise",
"mainContentSubHeader": "Aktualisierungen können ca. 30 Minuten dauern.",
"mainContentText": "Ein vollständig aktualisiertes Gerät ist erforderlich, um sicherzustellen, dass die IT-Abteilung Ihr Gerät effektiv schützen kann.\n\nWenn Sie Ihr Gerät nicht aktualisieren, verlieren Sie möglicherweise den Zugriff auf einige Werkzeuge, die Sie für Ihre täglichen Aufgaben benötigen.\n\nUm das Update zu starten, klicken Sie auf die Schaltfläche Gerät aktualisieren und befolgen Sie die angegebenen Schritte.",
"mainHeader": "Ihr Gerät benötigt ein Sicherheitsupdate",
"primaryQuitButtonText": "Später",
"secondaryQuitButtonText": "Ich verstehe",
"subHeader": "Eine freundliche Erinnerung von Ihrem IT-Team"
}
]
}
}
You may copy the above for the optional languages and feature functions for Nudge and paste into a text editor, such as Atom, Notepad ++, etc. This is the example tester JSON file from the example assets page. To configure, please note lines 39 and 40. These need to be modified based on your desired:
-
requiredInstallationDate:
2023-05-30T04:00:00Z, May, 30 2023 at 12:00AM EST -
requiredMinimumVersion:
13.3.1, i.e. macOS 13.3.1 (Ventura)
Deployment
Once you have the Install Nudge Fileset and .mobileconifg profile uploaded into FileWave Admin, you are ready for deployment. As always, grab a few macOS devices and assign them for testing. This will confirm the installation and settings are properly configured for your production environment. After testing has been completed, you are ready for mass deployment.
For the JSON file you will move the JSON file into the /Library/Preferences folder. The LaunchAgent is looking for the domain "com.github.macadmins.Nudge.json", confirm that no misspellings are made for the default run times, every 30 minutes.
User End Experience
After installing both Nudge and the profile with your configurations, the end user will be prompted with a dialogue window with information regarding the update for the device. This includes:
-
Your configured Required OS Version
-
The devices' Current OS Version
-
Days Remaining To Update
-
How many Deferred Counts
-
Important Notes explaining the process and any other details.
Example Fileset with logo
Here is an example fileset with customized logo and wording for your company/organization. Always test to a few devices before mass deployment.
Related Content
Digging Deeper
Customizing Nudge to meet your needs:
With Nudge, there are many more optional features and configurations that may be applied to meet your production environment. You may review these features here: optionalFeatures · macadmins/nudge Wiki · GitHub.
Apple’s Rapid Security Responses:
Nudge has placed a feature-request to be added. For more information regarding, you may review the progress here: Add support for Rapid Security Response updates.