Macjutsu/super v4.0.0-beta7

on GitHub

2023-10-19

Highlights

• New option to save the user's password for future automatic macOS updates and upgrades. Literally, "Save Password" but for automatic macOS updates and upgrades.
• New display customization options including unmovable dialogs and hide background mode courtesy of IBM Notifier 3.0.3.
• New macOS installer workflows are now handled by mist-cli integration, thus removing all python dependencies.
• New LaunchDaemon architecture significantly improves automatic launch and deferment reliability for all super workflows.
• New default "always on" behavior automatically checks for Apple software updates on a regular basis.
• Support for Jamf Pro 10.48+ (Beta) Managed Software Updates.
• Support for Jamf Pro 10.49+ API Roles and Clients.
• Please check out the new super v4.0.0-beta Wiki for more details!

Compatibility Notes

• super version 4.x requires macOS 11 or newer (all code supporting macOS 10.x has been removed).
• All super 4.x code has been refactored for style, clarity, and uniformity. As such nearly every single option name has been changed.
• Most super 3.0 command line options and managed preferences are not compatible with super 4.x
• Previously saved super 3.0 Apple silicon authentication credentials are automatically migrated the first time super 4.x runs.
• It is safe to mix super version 3.0 and 4.x managed preferences (except for the DisplaySilently key) in a single configuration profile. However each version only recognizes the managed preference keys that are compatible for that version.
• Refer to this spreadsheet (tab separated values) for migrating super 3.0 command line options to version 4.x.
• Refer to this spreadsheet (tab separated values) for migrating super 3.0 managed preferences to version 4.x.
• Updated Jamf Pro Extension Attribute scripts now supports both super versions 3.0 and 4.x.
• Updated example MDM configuration profiles for super 4.0.0-beta.

Known Issues

• IBM Notifier is currently exhibiting an issue where line wrapped text is clipped when the display icon is set for sizes larger than 60 pixels. Until this issue is resolved you can use the --display-icon-size=60 option to prevent text clipping.
• Since the release of macOS Sonoma 14, the Apple softwareupdate command on macOS 12.3 - 12.7 is no longer able to list, download, or upgrade to any version of macOS 13 (upgrading to macOS 14+ works fine). A future version of super is planned to work around this new unexpected limitation in macOS.

Specific Changes (4.0.0-beta7)

• Resolved (third time's a charm?) issues preventing the last startup date collection from working properly. (Thanks to @ofirgalcon for testing this time!)
• super 4.0.0-beta7 SHA-256: fa3cc35a0224169128b5388fec1c2d09f3627597dd569bcc8e928e8966e0f242

Specific Changes (4.0.0-beta6)

• Resolved issues preventing the last startup date collection from working properly. (Thanks to Michael Z on on MacAdmins Slack for helping on this one!)
• super 4.0.0-beta6 SHA-256: a57710bb200e7bd702be87019b87675c8f1afefcabc284eeff63a966eeaf79ba

Specific Changes (4.0.0-beta5)

• New automatic archival of active super logs to the "logs-archive" folder if any individual super log file grows larger than 1000 KB in size. This new default behavior can be modified by manually editing parameters in the set_defaults() function.
• New automatic archival of any legacy super logs to the "logs-archive" folder.
• New deadline behavior, users are no longer allowed to chose a deferral past a days or date deadline. If a deadline is sooner than any user deferral option then the deferral times are reduced to match the closest deadline.
• New deadline behavior, if a deadline is soon then any dialog timeout option times above 120 seconds (2 minutes) are reduced to 120 seconds.
• New deadline behavior, if the super workflow is running within 120 seconds of a deadline, it waits for the deadline to expire instead of offering any deferral.
• The new --display-notifications-centered option shows non-interactive notifications in the center of the screen (as opposed to the top right) via the following types:
  • ALWAYS - Always show non-interactive notifications in the center of the screen.
  • SOFT - Show non-interactive notifications in the center of the screen during a soft deadline.
  • HARD - Show non-interactive notifications in the center of the screen during a soft deadline.
  • INSTALLNOW - Show non-interactive notifications in the center of the screen during the install now workflow.
• New support for local user account names if they have spaces. (Thanks to Emmanuel Ergand on on MacAdmins Slack for testing this one!)
• New automatic error deferral when the "only download" workflow is enabled, but there is no active user. This is necessary because softwareupdate is unable to "only" download macOS updates (but it can fully install them) if there is no active user.
• Rearchitected last startup date collection to support multiple time formats. (Thanks to @ofirgalcon for helping with this one!)
• Rearchitected Jamf Pro version detection to provide more accurate version numbers.
• Resolved several issues preventing the user's password from being saved or retrieved from Keychain.
• Resolved issues preventing the super-Deadline-Counter-Soft-Jamf-Pro-EA.sh script from working properly.
• super 4.0.0-beta5 SHA-256: ffd6e599a399109e9d2d881ef9f92ffdd96bb6c1bc8d8c80b267f28282f73079

Specific Changes (4.0.0-beta4)

• First draft of the new super v4.0.0-beta Wiki! Please note that this Wiki itself is also a "beta", so expect updates and corrections.
• Rearchitected Jamf Pro API calls to specify the exact macOS update or upgrade version. This change avoids Jamf Pro/macOS product issues that are known to unintentionally upgrade macOS even when an update was requested.
• Rearchitected automatic zero day now also saves the target macOS version along with the zero day date. This prevents the zero day date from unintentionally reseting when the available update caches are rechecked.
• Rearchitected the insufficient storage and power required alerts as dialogs (previously used notification functions). This resolved several issues preventing those dialogs from respecting display timeouts.
• Updated insufficient storage and power required alerts now support optional display customizations including the dialog timeout countdown, the help button, and the warning button.
• Resolved (no really this time?) a permissions issue preventing display of the custom display icon cache. (Thanks to @master-vodawagner for helping with this one.)
• Resolved an issue that prevented super from saving the user password to the keychain when a standard (non-admin) user was active.
• Fixed a few typos and improved variable logging.
• super 4.0.0-beta4 SHA-256: 574fb4822211e1efc136629310ffec89b14a4a5d7dc1477e4dd1e61ce4e3050c

Specific Changes (4.0.0-beta3)

• New automatic installation of mist-cli version 2.0 if required to facilitate macOS installer workflows. (Huge shout out to @ninxsoft)
• If the --auth-delete-all option is used with other authentication options the --auth-delete-all option takes priority and no longer allows for other credential options.
• Further refinements to the saved user authentication workflow.
• Resolved an issue where previously saved authentication credentials were being unintentionally deleted.
• super 4.0.0-beta3 SHA-256: fca929a284893e6019f337acc2993a8b254490981920a8afcb56c69b40b3d399

Specific Changes (4.0.0-beta2)

• New startup behavior now waits for the loginwindow process before continuing. This reduces softwareupdate errors during the restart validation workflow.
• Further refinements of the --auth-ask-user-to-save-password workflow including that the local account name is no longer stored in the super preference file.
• Resolved an issue preventing the identification of last startup date on macOS 14.
• Resolved an issue preventing user authentication failover if the previously saved user password was invalid.
• Resolved an issue preventing macOS major beta upgrades from being properly discovered.
• Resolved an issue causing calculation errors in macOS minor update required installation size.
• Resolved an issue that caused repeated download attempts of macOS major upgrades.
• Resolved issues causing some display behavior options (--display-unmovable, --display-hide-background, and --display-silently) from being applied when multiple dialogs or notifications are shown.
• Resolved an issue preventing the --auth-mdm-failover-to-user option from working. (Thanks to @croaker-1 for suggesting a fix to this one.)
• Resolved a potential permission issue preventing display of the custom display icon cache. (Thanks to @master-vodawagner for suggesting a fix to this one.)
• Updated Jamf Pro config profile external application custom schema for super 4.0.0-beta2. (Thanks to @robjschroeder for updating this!)
• super 4.0.0-beta2 SHA-256: 40824d6425757022af8c78a9942e81c4a9c442f83c808950429efcf71afcfb2e

Specific Changes (4.0.0-beta1)

• New --usage and --help options behavior now no longer requires sudo, or installs super items, or writes anything to the super.log, or interferes with any running super workflow. However, super still installs automatically (if needed) when using any other options.
• New default behavior if no updates/upgrades are available (or allowed), super now automatically checks for new updates/upgrades on a reoccurring basis. Thus, the --recheck-defer option has been replaced by this default behavior.
• New deferral timer behavior, all deferral timer options are now in minutes (dialog timeouts remain in seconds).
• New deferral timer behavior, all deferral timer options now allow you to specify up to 10080 minutes (1 week).
• New --deferral-timer-workflow-relaunch=minutes option allows you to override the default check for new updates/upgrades deferral interval time of six hours (360 minutes).
• New --workflow-disable-relaunch option prevents super from checking for new updates/upgrades on a reoccurring basis.
• New --auth-ask-user-to-save-password option to save the user's password to the user's keychain after a succesfull user authentication dialog.
• New --auth-credential-failover-to-user option enables fail over to user authentication if any new or previously saved authentication option fails. (The --auth-mdm-failover-to-user option remains as is still used to facilitate failover specific to MDM workflows.)
• New saved authentication behavior, only one authentication option can be active at any given time. If multiple authentication options have been specified the priority order is; --auth-ask-user-to-save-password > --auth-local-account > --auth-service-add-via-admin-account > --auth-jamf-client > --auth-jamf-account
• New Apple silicon credential storage mechanism now encodes all keychain items as base64. This allows for storing unicode text strings and further obfuscates the authentication credentials.
• New Apple silicon credential storage mechanism now also stores all saved administrator credential "account names" in the system keychain. The "account names" were previously stored in the super preference file.
• Previously saved super 3 Apple silicon authentication credentials are automatically migrated to this new storage mechanism the first time super 4 runs.
• New support for Jamf Pro 10.48+ (Beta) Managed Software Updates API. super automatically detects if this feature is enabled on your Jamf Pro server
• New permisions requirements for the (Beta) Managed Software Updates API:
  • Jamf Pro Server Objects > Managed Software Updates > Read & Create
  • Jamf Pro Server Objects > Computers > Read
  • Jamf Pro Server Objects > Mobile Devices > Read
  • Jamf Pro Server Actions > Send Computer Remote Command to Download and Install macOS Update
  • Jamf Pro Server Actions > Send Mobile Device Remote Command to Download and Install iOS Update
• New support for Jamf Pro 10.49+ API roles and clients authentication. The new --auth-jamf-client=ClientID and --auth-jamf-secret=ClientSecret options allow you to specify credentials for this new authentication mechanism.
• New Jamf Pro API computer ID discovery method leverages the Jamf binary if no Jamf Pro ID is provided via super MDM configuration profile. (The Jamf Pro API privilege for "Computers Read" is no longer used to resolve the Jamf Pro ID.)
• New --jamf-custom-url=URL option allows you to override the default Jamf Pro management URL for a custom Jamf Pro API URL.
• New IBM Notifier 3.0.3 is automatically installed.
• New dialog and notification behavior now automatically re-opens if the user attempts to quit via Command-Q keyboard shortcut.
• Updated --display-silently option now allows for selectable display type behavior, see below for the available types.
• New --display-unmovable option prevents the user from moving dialogs and notifications. Thus, the --display-redraw option has been removed.
• New --display-hide-background option hides (via translucent blur) the background when displaying dialogs and notifications.
• The new --display-silently, --display-hide-background, --display-hide-background options modify display behavior via the following types:
  • ALWAYS - Modify display behavior for all dialogs and notifications.
  • SOFT - Modify display behavior for Dialogs and notifications during a soft deadline.
  • HARD - Modify display behavior for Dialogs and notifications during a soft deadline.
  • INSTALLNOW - Modify display behavior for Dialogs and notifications during the install now workflow.
  • DEFER - Modify display behavior for the defer or restart dialog.
  • USERAUTH - Modify display behavior for the user authentication dialog.
  • POWER - Modify display behavior for the power required notification.
  • STORAGE - Modify display behavior for the insufficient storage notification.
• New default behavior, no super dialog ever times out unless you use the --dialog-timeout-default=seconds option. This option sets the default timeout for any dialog that doesn't have a specific timeout setting.
• New individual dialog timeout options now includes the following options:
  • --dialog-timeout-restart-or-defer=seconds
  • --dialog-timeout-soft-deadline=seconds
  • --dialog-timeout-user-auth=seconds
  • --dialog-timeout-insufficient-storage=seconds
  • --dialog-timeout-power-required=seconds
• The user authentication dialog now shows the dialog timeout countdown (only when no custom display accessory is enabled).
• New (renamed) --workflow-install-now option behavior now works when there is no active users.
• New (renamed) --workflow-install-now option behavior is now a temporary option that is not saved for future runs of super. As such the InstallNow managed preference has been removed.
• New rearchitected macOS installer workflows leverage mist-cli instead of erase-install.sh for installer listings and downloads. (Thanks for your service @grahampugh)
• New automatic installation of mist-cli version 1.15 if required to facilitate macOS installer workflows. (Huge shout out to @ninxsoft)
• New internal mechanisms to validate downloaded macOS installers. (Thanks to @grahampugh code inspiration!)
• Upgrade workflows using the macOS installer now use more accurate storage space requirements courtesy of mist-cli (previously this was statically set to 13GB for all macOS installers).
• Systems with macOS 13 and newer no longer check for macOS installers (as they should be able to perform a macOS major upgrade via softwareupdate for all workflows).
• jamfHelper is no loger supported, as such the following options have been removed: --icon-size-jamf=pixels --prefer-jamf-helper --prefer-jamf-helper-off
• jamfHelper is no longer a display option (all code supporting jamfHelper has been removed). Thus, the --icon-size-jamf and --prefer-jamf-helper options have been removed.
• The default battery level required percentage for Mac computers with Apple Silicon is now 20% (Intel remains at 50%).
• Improved --reset-super clears local preferences for all versions of super including legacy preferences.
• Improved temporary file methods for helper installation are now more secure. (Thanks to @giantwombat and @paragonsec for recommending this one!)
• All super logs are now stored in the "logs" folder inside the super working folder. At this time legacy super logs are not moved to this new location.
• Removed python dependency for Jamf Pro API token extraction. (Thanks to @jelockwood for this one!)
• Resolved an issue where MacBook computers with M2 chips were not being properly identified as portables.
• Resolved an issue where the patch version number (11.7.10 <- this last number) of macOS minor updates were not being properly identified.
• Countless improvements to both regular and verbose log output.
• super 4.0.0-beta1 SHA-256: f179ef824b128510f8867388d6d0252044cd2b4b36036181293a7601873c9ee3