Deploy macOS Updates with JAMF Bootstrap Token MDM

Deploy macOS OS updates through the JAMF API using an escrowed Bootstrap Token to drive MDM-triggered installs

Worklet Details

What the JAMF macOS update deployer does

This Automox Worklet™ deploys macOS OS updates to Mac endpoints through the JAMF API, using the endpoint's escrowed Bootstrap Token to authorize the MDM install command. The Worklet reads the JAMF API credentials from policy parameters, looks up the target endpoint by serial number, retrieves its Bootstrap Token escrow status, and posts an InstallOSUpdate command to the JAMF MDM channel. JAMF then forwards the command to the endpoint, which downloads and installs the update under the user account that owns the secure token.

On Apple Silicon and recent Intel Macs, system updates require MDM-issued authorization via the Bootstrap Token. The Worklet does not bypass that requirement; it uses it. If the Bootstrap Token is missing or has not been escrowed to JAMF, the Worklet reports the endpoint as non-actionable and skips the install attempt instead of failing silently. This makes the Bootstrap Token escrow state visible at fleet scale as a precondition the operations team can fix before the next patching window.

Because the evaluation phase checks both the JAMF API reachability and the per-endpoint Bootstrap Token state before any MDM command is posted, the policy can sit on a daily cadence during a feature update wave. Endpoints with no available updates are reported compliant and skipped. Endpoints that are missing the Bootstrap Token are flagged in the activity log so the operations team can re-enroll them or coordinate a Bootstrap Token push from JAMF separately.

Why deploy macOS updates through JAMF MDM

macOS updates on managed Mac fleets have become the hardest patch motion in IT. The OS now blocks shell-driven softwareupdate runs on Apple Silicon unless they originate from an MDM-issued command authenticated by the device's Bootstrap Token. Operations teams that previously scripted softwareupdate -i -a now see installs hang at the reboot phase or fail outright with an MDM-required error. Days turn into weeks of patch latency between a published macOS release and the install landing on every Mac in inventory.

The Worklet sits between two systems that already speak the right languages. Automox holds the schedule, the inventory, and the activity log; JAMF holds the MDM channel and the Bootstrap Token escrow. The Worklet authenticates to the JAMF API on every run, looks up each target endpoint by serial number, posts the InstallOSUpdate command, and polls for the Acknowledged status before reporting back to the Automox console. The Automox policy schedule defines when the update should land, JAMF carries the MDM command to the endpoint, and the Worklet is the script that triggers the install at the scheduled time.

How JAMF-driven macOS update deployment works

  1. Evaluation phase: The Worklet authenticates to the JAMF API using the supplied client credentials and looks up the local endpoint by serial number via GET /JSSResource/computers/serialnumber/{sn}. It reads the bootstrap_token_allowed and bootstrap_token_escrowed_date fields from the returned record. If the Bootstrap Token is not escrowed, the endpoint is reported non-actionable. If available updates exist for the endpoint's macOS version, the endpoint is flagged for the install.

  2. Remediation phase: The remediation script posts an InstallOSUpdate MDM command via the JAMF API endpoint POST /api/v1/macos-managed-software-updates/send-updates with the target serial number, the install action (DOWNLOAD_ONLY or DOWNLOAD_AND_INSTALL), and optional max_deferrals. The script polls the JAMF command status for up to a configurable timeout (default 60 minutes) and exits 0 when the command reports Acknowledged, or non-zero with the JAMF error code if the command fails or times out.
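The evaluation-phase verdict described above, as an added Bash example rather than the Worklet's own code: it runs against constructed, trimmed JAMF computer records so it executes offline. The field names come from the page, but their nesting in the record, the sample serials and dates, and the use of exit code 2 for a non-actionable endpoint are assumptions made here.

```bash
#!/bin/bash
# Added example (not the Worklet's own code): the evaluation-phase decision the
# page describes, run offline against constructed JAMF records. Field nesting,
# sample values and the exit code 2 for "non-actionable" are assumptions.

# Constructed, trimmed stand-ins for GET /JSSResource/computers/serialnumber/{sn}
RECORD_ESCROWED='{"computer":{"general":{"serial_number":"C02EXAMPLE01","os_version":"14.4"},"security":{"bootstrap_token_allowed":true,"bootstrap_token_escrowed_date":"2024-03-10T12:00:00Z"}}}'
RECORD_NOT_ESCROWED='{"computer":{"general":{"serial_number":"C02EXAMPLE02","os_version":"14.4"},"security":{"bootstrap_token_allowed":true,"bootstrap_token_escrowed_date":""}}}'
RECORD_CURRENT='{"computer":{"general":{"serial_number":"C02EXAMPLE03","os_version":"14.5"},"security":{"bootstrap_token_allowed":true,"bootstrap_token_escrowed_date":"2024-01-02T08:30:00Z"}}}'

# Pull one scalar field out of the JSON record with sed (first match wins);
# avoids depending on jq, which stock macOS does not ship.
json_field() {
  printf '%s' "$1" | sed -n 's/.*"'"$2"'" *: *"\{0,1\}\([^",}]*\)"\{0,1\}.*/\1/p'
}

# True when $1 is an older dotted version than $2. Components compare
# numerically, so 14.10 is newer than 14.9 despite sorting lower as a string.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Verdict for one record against the target macOS version.
# 0 = compliant, 1 = flag for remediation, 2 = non-actionable (no escrowed
# Bootstrap Token, so an InstallOSUpdate command would not be authorized).
evaluate_record() {
  record=$1; target=$2
  serial=$(json_field "$record" serial_number)
  installed=$(json_field "$record" os_version)
  allowed=$(json_field "$record" bootstrap_token_allowed)
  escrowed=$(json_field "$record" bootstrap_token_escrowed_date)
  if ! version_lt "$installed" "$target"; then
    echo "$serial: on $installed, no update pending; compliant"
    return 0
  fi
  if [ "$allowed" != "true" ] || [ -z "$escrowed" ]; then
    echo "$serial: Bootstrap Token not escrowed to JAMF; non-actionable, skipping InstallOSUpdate" >&2
    return 2
  fi
  echo "$serial: $installed -> $target, Bootstrap Token escrowed $escrowed; flag for remediation"
  return 1
}

# Stand-alone run over the constructed records
for rec in "$RECORD_ESCROWED" "$RECORD_NOT_ESCROWED" "$RECORD_CURRENT"; do
  evaluate_record "$rec" "14.5" || true
done
```

In a real policy the records would come from the JAMF API call the page names, and the non-actionable branch is what keeps a missing escrow from looking like a silent install failure in the activity log.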

JAMF macOS update deployment requirements

  • Mac endpoint enrolled in JAMF Pro with an escrowed Bootstrap Token (visible in the endpoint's JAMF record under Local User Accounts)

  • JAMF API client credentials (API role with Send Software Update Settings Command and Read Computers permissions) supplied as policy parameters

  • Automox agent able to reach the JAMF tenant URL from the endpoint (or from a designated coordinator endpoint that proxies API calls on behalf of the fleet)

  • macOS 11 Big Sur or later on the target endpoint; Apple Silicon Macs always require the Bootstrap Token path

  • End user awareness that a reboot may follow update install; pair the policy with a maintenance-window reboot Worklet if your runbook requires staged reboots after the install lands

Expected macOS state after the JAMF update lands

After successful remediation, the JAMF API reports the InstallOSUpdate command as Acknowledged for the target endpoint, the endpoint downloads the update through the App Store update channel, and the install completes at the next reboot or immediately if DOWNLOAD_AND_INSTALL was selected. The endpoint's macOS version in JAMF inventory updates on the next check-in. Subsequent policy runs report the endpoint as compliant unless a new macOS update has been published since the last run.

Validate by running the Worklet against a single Mac endpoint with a known pending update and confirming the JAMF API command log shows the Acknowledged status. For audit evidence, export the JAMF command record and pair it with the Automox activity log entry from the same policy run. Endpoints that remain at the old macOS version after the policy timeout window expires usually have a stale Bootstrap Token, an enrollment status of Unmanaged, or an end user who has deferred the update past the max_deferrals cap; investigate those before rerunning the Worklet.

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.