Nudge for macOS Software Updates
What
Nudge is a tool designed for macOS Big Sur 11 and later. It is a multi-linguistic application offering custom user deferrals, strongly encouraging users to self update macOS.
This macOS application helps users stay up-to-date with software updates and security patches. It is a lightweight and simple background task which periodically checks for updates. Based upon a pre-defined, minimum update configuration, on detectiondetection, the user is notified, requesting they update.
Nudge Download:can be downloaded from the following link, however this KB includes a Fileset to handle the installation of Nudge:
GitHub - macadmins/nudge: A tool for encouraging the installation of macOS security updates.
When/Why
Keeping software up-to-date is essential for any system's security and smooth functioning. However, it can be a daunting task to manually track software updates, especially when multiple software packages are installed on the device. That's where Nudge comes into the picture. It automatescombines the automation of software update checking andwith notificationmanual process,user making it easier for usersintervention to stayensure ondevices topremain of updates.up-to-date.
With OS versions being kept current, Nudge also helps to addressavoid security vulnerabilities inand softwaremalicious, packages,unauthorised whichactivity maliciousall actorswhilst can exploit to gain unauthorized access to the device or steal sensitive data. By promptly updating software packages, users can significantly reduce the risk of such security incidents.
Moreover, Nudge helps improveimproving the system's overall performance by updating software packagesperformance, with bugOS fixesfeatures and otherbug improvements.fixes. OutdatedAll softwareof canwhich beshould maintain a majorbetter causeuser ofexperience systemwith crashes,greater lagging,productivity. and other performance issues, which can be avoided by updating software packages regularly.
Note, for major software updates, an Administrator password may be required. In this case, an alternate approach to upgrade devices could be considered, as highlighted in the KB: macOS Upgrades or Erasing
Prior to macOS 11, Software Updates could be installed either through Apple's legacy Software Update catalogues or using MDM. Consider using the legacy updates for these devices; Nudge should not be required.required in this instance.
How
Nudge has two main components for installation;
- Installation PKG
- Configuration file
In this example, configuration will be defined using a JSON file.
The provided Fileset includes:
- Example Configuration
- Scripted method of installation
- Scripted
uninstallationremoval when disassociated
Nudge Notifications.fileset.zip
Scripts
This example Fileset does not contain the installer. Instead, a script pulls the latest version from GitHub and instals that version. If a new version exists, the Fileset could be re-triggered with a reinstall Fileset, causing the software to update.
The uninstaller contains the necessary lines of code to remove each item installed when disassociated
Configuration
As suggested above, in this example Fileset is a JSON for Nudge configuration. There are two lines to immediately consider:
"requiredInstallationDate": "2023-12-28T00:00:00Z",
"requiredMinimumOSVersion": "12.7.1",| requiredInstallationDate | When reached the conditions of user notification are altered |
| requiredMinimumOSversion | If OS version is below this set value, the user will begin to receive notifications |
The frequency and handling of notifications both before and after the requiredInstallationDate are handled elsewhere with the JSON file. Unless otherwise noted, all other values are set as default.
Setting Up Nudge with FileWave
Installing Nudge
Nudge has provided a script that can be used to install the latest Nudge suite package. Below is the scriptcontents contents,of alsothe included is logging for the FileWave client:
Install Nudge script
#!/bin/bash
# Writing details to the FileWave Client Log
exec 1>>/var/log/fwcld.log
exec 2>>/var/log/fwcld.log
# Variables
nudgeLatestURL="https://github.com/macadmins/nudge/releases/latest/"
versionUrl=$(curl "${nudgeLatestURL}" -s -L -I -o /dev/null -w '%{url_effective}')
versionNumber=$(printf "%s" "${versionUrl[@]}" | sed 's@.*/@@' | sed 's/%20/-/g')
versionNumber=${versionNumber:1}
downloadUrl="https://github.com/macadmins/nudge/releases/download/v$versionNumber/Nudge_Suite-$versionNumber.pkg"
header="$(curl -sI "$downloadUrl" | tr -d '\r')"
pkgName=$(printf "%s" "${downloadUrl[@]}" | sed 's@.*/@@' | sed 's/%20/-/g')
pkgPath="/tmp/$pkgName"
# Download files
/usr/bin/curl -L -o "$pkgPath" "$downloadUrl"
# Install PKGs
sudo installer -pkg $pkgPath -target /
# Delete PKGs
sudo /bin/rm "$pkgPath"
exit 0
You may download the Nudge Installation Fileset here: Nudge Installation.fileset.zip
The Fileset contents should be similar as shown below. This Fileset includes both the installation and uninstallation scripts.
Custom Field
Checking the version of Nudge you have installed on your devices can be helpful as newer features are added. Download the Custom Field Nudge below and import into Assistants > Custom Fields > Import. This will display the version installed on your devices.
FileWave Custom Fieldsm Nudge.customfields.zip
Configuration Profile
You may copy the complete example default config profile from GitHub Nudge - Getting Started: Configuration Profile. For this KB article, we have copied and removed the extra configuration settings to include only the basic items needed for Nudge to function.
Configuration Profile metadata
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configures all Nudge preferences</string>
<key>PayloadDisplayName</key>
<string>Nudge Preferences</string>
<key>PayloadIdentifier</key>
<string>com.github.macadmins.Nudge.preferences</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadType</key>
<string>com.github.macadmins.Nudge</string>
<key>PayloadUUID</key>
<string>CA02957C-7472-446B-9F77-3E0414405556</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>osVersionRequirements</key>
<array>
<dict>
<key>requiredInstallationDate</key>
<date>2023-05-30T04:00:00Z</date>
<key>requiredMinimumOSVersion</key>
<string>13.3.1</string>
</dict>
</array>
</dict>
</array>
<key>PayloadDescription</key>
<string>Configures Nudge application</string>
<key>PayloadDisplayName</key>
<string>Nudge Preferences</string>
<key>PayloadIdentifier</key>
<string>com.github.macadmins.Nudge.FileWave</string>
<key>PayloadOrganization</key>
<string>Nudge</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>2F54F734-132D-4539-B583-F1DCF23DB5EB</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
You may copy the above for the basic functions for Nudge and paste into a text editor, such as Atom, Notepad ++, etc. To configure, please note lines 26 and 28. These need to be modified based on your desired:
requiredInstallationDate:2023-05-30T04:00:00Z, May, 30 2023 at 12:00AM ESTrequiredMinimumVersion:13.3.1, i.e. macOS 13.3.1 (Ventura)
Save the file, any name desired, as long as you save with the extension, .mobileconfig. Next import into FileWave Admin; drag and drop the .mobileconfig into FileWave Central Admin.
When you open the profile within FileWave, there will be no payload regarding the Nudge configurations displayed.
JSON File
You may copy the complete example JSON configuration file from GitHub Nudge - Getting Started: JSON Configuration File. Below is the JSON config file that we will use.
JSON File metadata
{
"optionalFeatures": {
"acceptableApplicationBundleIDs": [],
"acceptableAssertionUsage": false,
"acceptableCameraUsage": false,
"acceptableScreenSharingUsage": false,
"aggressiveUserExperience": true,
"aggressiveUserFullScreenExperience": true,
"asynchronousSoftwareUpdate": true,
"attemptToBlockApplicationLaunches": false,
"attemptToFetchMajorUpgrade": true,
"blockedApplicationBundleIDs": [],
"enforceMinorUpdates": true,
"terminateApplicationsOnLaunch": false
},
"osVersionRequirements": [
{
"aboutUpdateURL_disabled": "https://support.apple.com/en-us/HT211896#macos1121",
"aboutUpdateURLs": [
{
"_language": "en",
"aboutUpdateURL": "https://support.apple.com/en-us/HT211896#macos1121"
},
{
"_language": "es",
"aboutUpdateURL": "https://support.apple.com/es-es/HT211896"
},
{
"_language": "fr",
"aboutUpdateURL": "https://support.apple.com/fr-fr/HT211896"
},
{
"_language": "de",
"aboutUpdateURL": "https://support.apple.com/de-de/HT211896"
}
],
"actionButtonPath": "munki://updates",
"majorUpgradeAppPath": "/Applications/Install macOS Big Sur.app",
"requiredInstallationDate": "2021-08-2023-12-28T00:00:00Z",
"requiredMinimumOSVersion": "11.5.2"12.7.1",
"targetedOSVersionsRule": "default"
}
],
"userExperience": {
"allowGracePeriods": false,
"allowLaterDeferralButton": true,
"allowUserQuitDeferrals": true,
"allowedDeferrals": 1000000,
"allowedDeferralsUntilForcedSecondaryQuitButton": 14,
"approachingRefreshCycle": 6000,
"approachingWindowTime": 72,
"calendarDeferralUnit": "imminentWindowTime",
"elapsedRefreshCycle": 300,
"gracePeriodInstallDelay": 23,
"gracePeriodLaunchDelay": 1,
"gracePeriodPath": "/private/var/db/.AppleSetupDone",
"imminentRefreshCycle": 600,
"imminentWindowTime": 24,
"initialRefreshCycle": 18000,
"launchAgentIdentifier": "com.github.macadmins.Nudge",
"loadLaunchAgent": false,
"maxRandomDelayInSeconds": 1200,
"noTimers": false,
"nudgeRefreshCycle": 60,
"randomDelay": false
},
"userInterface": {
"actionButtonPath": "munki://updates",
"fallbackLanguage": "en",
"forceFallbackLanguage": false,
"forceScreenShotIcon": false,
"iconDarkPath": "/somewhere/logoDark.usr/local/etc/Nudge.logo.png",
"iconLightPath": "/somewhere/logoLight.usr/local/etc/Nudge.logo.png",
"screenShotDarkPath": "/somewhere/screenShotDark.png",
"screenShotLightPath": "/somewhere/screenShotLight.png",
"showDeferralCount": true,
"simpleMode": false,
"singleQuitButton": false,
"updateElements": [
{
"_language": "en",
"actionButtonText": "Update Device",
"customDeferralButtonText": "Custom",
"customDeferralDropdownText": "Defer",
"informationButtonText": "More Info",
"mainContentHeader": "Your device will restart during this update",
"mainContentNote": "Important Notes",
"mainContentSubHeader": "Updates can take around 30 minutes to complete",
"mainContentText": "A fully up-to-date device is required to ensure that IT can accurately protect your device.\n\nIf you do not update your device, you may lose access to some items necessary for your day-to-day tasks.\n\nTo begin the update, simply click on the Update Device button and follow the provided steps.",
"mainHeader": "Your device requires a security update",
"oneDayDeferralButtonText": "One Day",
"oneHourDeferralButtonText": "One Hour",
"primaryQuitButtonText": "Later",
"secondaryQuitButtonText": "I understand",
"subHeader": "A friendly reminder from your local IT team"
},
{
"_language": "es",
"actionButtonText": "Actualizar dispositivo",
"informationButtonText": "Más información",
"mainContentHeader": "Su dispositivo se reiniciará durante esta actualización",
"mainContentNote": "Notas importantes",
"mainContentSubHeader": "Las actualizaciones pueden tardar unos 30 minutos en completarse",
"mainContentText": "Se requiere un dispositivo completamente actualizado para garantizar que IT pueda proteger su dispositivo con precisión.\n\nSi no actualiza su dispositivo, es posible que pierda el acceso a algunos elementos necesarios para sus tareas diarias.\n\nPara comenzar la actualización, simplemente haga clic en el botón Actualizar dispositivo y siga los pasos proporcionados.",
"mainHeader": "Tu dispositivo requiere una actualización de seguridad",
"primaryQuitButtonText": "Más tarde",
"secondaryQuitButtonText": "Entiendo",
"subHeader": "Un recordatorio amistoso de su equipo de IT local"
},
{
"_language": "fr",
"actionButtonText": "Mettre à jour l'appareil",
"informationButtonText": "Plus d'informations",
"mainContentHeader": "Votre appareil redémarrera pendant cette mise à jour",
"mainContentNote": "Notes Importantes",
"mainContentSubHeader": "Les mises à jour peuvent prendre environ 30 minutes.",
"mainContentText": "Un appareil entièrement à jour est nécessaire pour garantir que le service informatique puisse protéger votre appareil efficacement.\n\n Si vous ne mettez pas à jour votre appareil, vous risquez de perdre l'accès à certains outils nécessaires à vos tâches quotidiennes.\n\nPour commencer la mise à jour, cliquez simplement sur le bouton Mettre à jour le périphérique et suivez les étapes fournies.",
"mainHeader": "Votre appareil nécessite une mise à jour de sécurité.",
"primaryQuitButtonText": "Plus tard",
"secondaryQuitButtonText": "Je comprends",
"subHeader": "Un rappel amical de votre équipe informatique locale"
},
{
"_language": "de",
"actionButtonText": "Gerät aktualisieren",
"informationButtonText": "Mehr Informationen",
"mainContentHeader": "Ihr Gerät wird während dieses Updates neu gestartet",
"mainContentNote": "Wichtige Hinweise",
"mainContentSubHeader": "Aktualisierungen können ca. 30 Minuten dauern.",
"mainContentText": "Ein vollständig aktualisiertes Gerät ist erforderlich, um sicherzustellen, dass die IT-Abteilung Ihr Gerät effektiv schützen kann.\n\nWenn Sie Ihr Gerät nicht aktualisieren, verlieren Sie möglicherweise den Zugriff auf einige Werkzeuge, die Sie für Ihre täglichen Aufgaben benötigen.\n\nUm das Update zu starten, klicken Sie auf die Schaltfläche Gerät aktualisieren und befolgen Sie die angegebenen Schritte.",
"mainHeader": "Ihr Gerät benötigt ein Sicherheitsupdate",
"primaryQuitButtonText": "Später",
"secondaryQuitButtonText": "Ich verstehe",
"subHeader": "Eine freundliche Erinnerung von Ihrem IT-Team"
}
]
}
}
Logo
YouAdditionally maywith copythe Fileset is a logo file: logo.png. This file is also being referenced by the above forJSON and will be seen by the optionaluser languageswhen andprompted. featureThe functionslogo forincluded Nudgein andthe pasteexample into a text editor, such as Atom, Notepad ++, etc. ThisFileset is the exampleFileWave testerLogo:
The fromlines defining the examplesourced assetslogo page.are:
configure,"iconDarkPath": please"/usr/local/etc/Nudge/logo.png",
note"iconLightPath": lines"/usr/local/etc/Nudge/logo.png",For a great understanding of the user experience and 40.configuration, Theseconsider needviewing the following:
MacAdmins Nudge by Neil Martin
There are more resources shown below in the Related Content and Digger Deeper section.
Deployment
After importing the above Fileset, associate with a test device. If the device is running a lower version than that defined within the JSON, a logged in users should be prompted immediately with the option to beupdate modifiedor based on your desired:defer.
requiredInstallationDate:2023-05-30T04:00:00Z, May, 30 2023 at 12:00AM ESTrequiredMinimumVersion:13.3.1, i.e. macOS 13.3.1 (Ventura)
Deployment
Once youhappy, haveconsider expanding deployment until all necessary devices are included.
Reconfiguring
Over time it will become necessary to alter the Installconfiguration Nudgefile, Filesetsuch andthat .mobileconifgnew profilemacOS uploaded into FileWave Admin, youversions are readyset for deployment. As always, grab a few macOS devices and assign them for testing. This will confirmas the minimum level, with new required installation anddates. settingsDue areto properlyself-healing, configuredthis foris youreasily productionhandled environment.within AfterFileWave. testingSimply haschange beenthose completed,lines you are ready for mass deployment.
Forinside the JSON file youas desired and Update Model.
Removal
If Nudge is no longer considered a requirement, disassociation of the Fileset will moveaction the JSONuninstaller filescript, intowhich should remove all elements of Nudge from the /Library/Preferencesdevice.
Nudge TheVersion
As will all Applications, the version installed on devices is lookingreported forback as standard inventory. Inventory Queries could be built to observe the domaincurrent "com.github.macadmins.Nudge.json", confirm that no misspellings are made for the default run times, every 30 minutes.version:
User End Experience
After installing both Nudge and the profile with your configurations, the end user will be prompted with a dialogue window with information regarding the update for the device. This includes:
Your configured Required OS VersionThe devices' Current OS VersionDays Remaining To UpdateHow many Deferred CountsImportant Notes explaining the process and any other details.
Example Fileset with logo
Here is an example fileset with customized logo and wording for your company/organization. Always test to a few devices before mass deployment.
Related Content
Digging Deeper
Customizing Nudge to meet your needs:
With Nudge, there are many more optional features and configurations that may be applied to meet your production environment. You may review these features here: optionalFeatures · macadmins/nudge Wiki · GitHub.
Apple’s Rapid Security Responses:
Nudge has placed a feature-request to be added. For more information regarding, you may review the progress here: Add support for Rapid Security Response updates.