Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add option to be more forceful with overly outdated devices #612

Closed
securitygeneration opened this issue Jul 23, 2024 · 2 comments
Closed

Add option to be more forceful with overly outdated devices #612

securitygeneration opened this issue Jul 23, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@securitygeneration
Copy link
Contributor

securitygeneration commented Jul 23, 2024
edited
Loading

If a device has been offline for some time, it may be quite out of date. But if the latest macOS release is relatively recent, Nudge would only require the device to comply with the current SLA, meaning it could stay significantly out-of-date and noncompliant for as long as 28 days (going by the default standard SLA).

For example, if 14.6 just came out, but I boot up a device on 14.0, it may still have 27 days to update to 14.6. In reality, if a device is older than N-1 (i.e. in this example <14.5), there is an argument that it should be treated as an elapsedRefreshCycle and the user would need to update immediately. This is particularly true if there are CVEs (but checking for this would require excessive additional logic).

One potential 'catch-all' solution would be to have an option to enforce the following logic:

if <systemVersion> is less than <currentVersion-1>; then elapsedRefreshCycle

For example if the device's current macOS version is 14.0, and the latest release of macOS is 14.6:

if 14.0 is less than 14.5; then elapsedRefreshCycle

One option may also be to treat the device somewhat similarly to a fresh device, and respect any configured grace periods.

One caveat to this logic is if, for some reason, Apple releases 14.6, and then a day after (due to an issue) quickly releases 14.6.1, then that would potentially trigger this logic and devices would instantly be pushed to elapsedRefreshCycle (where they would normally have <currentSLA> number of days left to comply. If this logic is implemented, it may make sense to have an option to disable it (or alternatively, make it opt-in).
@erikng erikng added the enhancement New feature or request label Jul 23, 2024
@erikng
Copy link
Member

erikng commented Jul 24, 2024

This may be accidentally addressed with #613.

can you try out this test build with some simulated OS version? Particularly 14.3 against "latest" https://github.com/macadmins/nudge/actions/runs/10076593379
go to Packages (you must be signed in) and then unzip it and run manually
7:29
You'll see the behavior is much more aggressive on 14.3 vs 14.4 and 14.4.1

@erikng erikng mentioned this issue Jul 25, 2024
Merged
@erikng
Copy link
Member

erikng commented Jul 25, 2024

To artificially change the requredInstallationDate to honor a previous macOS minor version, set minorVersionRecalculationThreshold under osVersionRequirement in amount of minor versions.

  • Ex: minorVersionRecalculationThreshold is set to 1 and SOFA feed has macOS 14.5 available
    • macOS device is 14.3: Target macOS 14.4.1 requiredInstallationDate of 2024-04-15 00:00:00 +0000
    • macOS device is 14.4: Target macOS 14.4.1 requiredInstallationDate of 2024-04-15 00:00:00 +0000
    • macOS device is 14.4.1: Target macOS 14.5 requiredInstallationDate of 2024-06-03 00:00:00 +0000

Addressed with 0d53821

@erikng erikng closed this as completed Jul 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@securitygeneration @erikng