Deep Dive Into Declarative OS Updates & Upgrades
Got me, Kai. I’m the head of product at Addigy. We’ve got Tom Bridge. He is the amazing face of founder of the MacAdmins Foundation. And we’ve got Bryce, who is one of our amazing senior product managers and the person that I think knows the most about this topic that I’ve ever met. So he is a tremendous resource and a guy to go to with questions. So I’ll let you guys take, you know, a couple seconds as we’re waiting for people and just say a quick hi.

Sure. Hello. It’s great to be with everybody today. So I’m Tom Bridge. I’m the chair emeritus of the MacAdmins Foundation, one of the founding co-chairs, but not the founder. There were a whole bunch of us who were working on this project together at the time. But it’s a great pleasure to be here with Addigy, who’s a major sponsor of the MacAdmins Foundation. And, you know, we’re here today to talk about a subject near and dear to every MacAdmin’s heart, and that is operating system updates. There is nothing that’s a big, that’s a better party than a good operating system update except for bad operating system updates, which we all know about. So, Bryce.

Yeah. Yeah. Thanks for being here. And, I know my favorite thing about MacAdmins Foundation is little stickers about OS updates and all the little swag around it and how it’s just so much fun because it really is. It’s everybody’s favorite topic.

Absolutely.

Awesome. Well, with that, we’ll go ahead and get started. So today, what are we going to be talking about? Well, declarative and operating system updates. But, specifically, we’re gonna be going through a brief history of updates through the ages. I’ll be taking us through that super speed because, you know, we firmly believe that understanding the evolution of how we got to where we are today and how Apple has changed over the years is important to knowing how things might change in the future and why things are the way they are. Then we’ll be going into the updating experience.
Again, from the admin and end user perspective, there’s a bunch of different ways that we can do different things, and we’ll kinda talk about some of the pros and cons and why you might choose one or the other or why everyone should use automated actions. Then we’ll dig into a little bit of debugging. This is where Bryce really gets to shine for if any of you have any questions because when things go sideways, and they always inevitably do with this topic, unfortunately, troubleshooting can sometimes be tricky. So we definitely want to make sure that you have all the tools you need. And then we’ll talk about giving feedback to both MDM providers and Apple. So with that, let’s go ahead and jump in.

As promised, I’m going to speedrun through a history of operating system updates through the ages with macOS. So we step way back in time to when my family had their first Mac running Cheetah. It was macOS 10.0. Personally, without explicitly telling everyone how old I am, I was in middle school and did not care at all about OS updates over it. Now I do, and the history is worth knowing. So there were a couple different ways at this point in time where you could do updates in these early versions. You could use, like, System Preferences, the software update command line, or combo update packages. And for those of you who may not have used those, what those would do is if you wanted to jump from, like, 10.4.2 or whatever you happen to have on a disk to, say, 10.4.11 as your final updated version, you could use that combo updater to do everything kind of over the top for you.

So then we’ll jump ahead, and we’ll go to Snow Leopard, which was the last version that was shipped on a disc, which honestly doesn’t feel that long ago, but it was a long time ago. And then we have Lion. And this was the version that was out when I personally started as an admin.
But more importantly, it’s the first version where the only way that you could get it was from the App Store with that full installer. You could still use the system update pane to update. You still have the combo updaters, and then there’s still the software update binary. Now, though, through the App Store, you could get the whole versions for each of the major and minor versions, and you could use that startosinstall binary within it and do the updates that way, which is what a lot of people chose to do.

Now we’ll jump forward to 2015 with El Capitan. And with it, we have our first MDM updates using the Schedule OS Update, Available OS Update, and the OS Update Status commands. From there, we go into having the System Preferences pane or the App Store or the software update command line installers, and you could still use the combo update packages. So, basically, we’re just adding more and more and more ways to do these OS updates.

Well, that’s helpful. Right? Because we wanna get people through those updates for the most part. Okay. But, you know, as the operating system gets more complicated, what happens?

Yeah. So as they start to get more complicated, we wind up running into issues where you have to start kind of getting rid of some of the old ones. Otherwise, you’re gonna run into bad times. So this happens really with Catalina, and this is where we have the end of the road for those combo updaters. Now there’s a good reason for that, though. Fun fact with ten eleven, the Big Sur release, those installers functioned entirely differently. So big reason for this is they only changed what was needed for the actual update and eliminated a lot of those extra, like, read write cycles because we saw the SSDs getting rolled out on those Macs. Anyone remember their first SSD Mac? I remember it being so fast.

I think that was a big day. Right?
Like, I mean, because I was gonna say it’s like getting a new computer.

Yeah. That was also when Retina came out too.

Oh, massive steps forward. Flashback. Oh, that does not feel like ten years ago. That’s depressing. Anyway, so another fun thing with Big Sur. This is a great one for Mac sysadmins. Big Sur also caused some confusion in the updates world because it’s the first version that required local authentication for those updates or upgrades from the volume owner. So you needed an authenticated reboot using the Bootstrap via an MDM command, and people were like, wait. What? No. No. I just do that. It took away some functionality of it, but there are reasons behind it.

I mean, all of that kinda goes back to Secure Enclave and, I mean, laying the groundwork for Secure Enclave and secure boot that we got then on Silicon. Like, you know? They’re thinking further down the road, but, obviously, there’s an inflection point where it causes some management pain in between there.

Absolutely. Cool. So we’ll keep heading along. Skip a few until we hit the next big shift, which will be Sonoma. And this is where, fun fact, we start to add in those enforcement-specific declarations. It’s also when Apple added the 403 response within MDM and ADE enrollment. So you could have a device update before enrolling in the MDM, making those zero touch, like, onboarding experiences really start to shine. Then with macOS 15, we got the Pro Plus Max trademark, which I love saying the whole thing because it just feels extra, is like that’s like another iteration on top of those enforcement-specific declarations. And it gave us a new declaration object with more granular controls around your update settings. So this really helps us modernize the configuration profiles where you had deferrals in the past, and this is the declaration version of that with some additional controls for the admin. And now...

Go ahead.

Oh, go ahead.
I was gonna say having those kind of granular controls was a big request of the community. Hey. I really wanna make sure that I’m on this specific build or this specific build of this specific version and being able to do that even during testing cycles so that you could actually make sure that you had a great experience and the most secure experience for your environment.

Absolutely. I think every time admins are talking to Apple, it’s the, can I have more control? And this was a big win for that.

Oh, yes.

Cool. So now, I think only fourteen slides in. We’re finally at current era. And with WWDC of 2025, still this year, we’re not in ’26 yet, Apple stated that software update management using the mobile device management command restrictions and the aforementioned profile payloads and its queries is deprecated. So Apple’s going to remove it next year. They did not specifically say when or if it’ll be a major or minor version. So going forward, organizations will be able to manage and enforce software updates only using declarative management. So this is pretty big news and something we definitely wanna start taking into consideration as we’re looking at our environments.

Yeah. And one thing to point out about the nuance of reading between the lines, like, we were talking kinda when we were doing the run-through of this, tvOS changed midstream. tvOS 18.4, well, 18.2, 18.3, then 18.4, as they’re doing release cycles on that, that got declarative updates. Now, obviously, you can still do it through MDM, but next year, that’s not a version. That’s just next year. Now granted, OS versions are now tied to the calendar year in which they’re, you know, kind of targeted to, like, a car model year. But, you know, and we’re on Tahoe now, Yukon, Denali, Escalade are next. We’re going to the GM full-size body-on-frame platform.
But, like, it’s within reason that this might be something that we as MDM vendors and as the admin community need to respond to in the year that it’s happening. But, hopefully, that’s not the case, but better be safe than sorry just to make sure that you’re testing it and then getting on that release cycle early.

Hundred percent. Doing that kind of preparation work is all about, you know, making sure that you’re ready to leave behind the old mechanism in favor of the new one if it’s ready to go. And, you know, I was gonna say, someone who worked a lot with those MDM deployment commands, they’re persnickety. Right? Like, they’re not a great experience for the end user because maybe you get a sixty second countdown, and maybe you get a second sixty second countdown an hour after your admin sent that command because it’s gotta download all of the bits to disk, prepare that operating system version, and then it just gives you sixty seconds. There’s no indication to the end user, by the way, your admin has sent down a command that’s about to make the operating system up to date, update, and you should definitely save out all of your work before that happens. Otherwise, you might get interrupted in the middle of your cycle. Or worse, if you’ve got a blocking application and you block that update with a, hey. I’ve got a Word doc that I’m pounding away on, and I’m really in the groove. Maybe that update never completes. And so your admin has a bad time and the user has a bad time. I think it’s time to put that thing to bed.

Yeah. And it’s time to turn that into a, cool. We used to do this, but now we have better greener pastures forever.

Tools now.

Yes. I love it. So what are those tools? So today, we have three types of managed updates and upgrades. So thank you for the nice transition time, Tom.
So the MDM updates, the enforcement-specific declarations, and the software update settings, global settings, automated, automatic actions declaration, and a lot of nuance with that. We’re gonna go through kind of what are the differences. Like, we kinda talked a little bit about love the MDM updates experience with the overall admin and end user, but what do the other things look like? So I’m gonna hand it over to Bryce to walk us through the admin and end user experience for each of these.

Yeah. And we’ll touch on each of those three and then go into examples of kinda how that functions. So to the point that Tom was making there, we have the looping animated video there in the bottom with that sixty second countdown. And those MDM updates, there were a few different ways you could send it. Within that command, there was default, install later, and install force restart, my favorite, the end user’s least favorite.

Yep.

But install force restart would just go at sixty seconds. Like, we’re going. You can’t, like, it’s happening. Default would give you that sixty second countdown where if you did click on that, like I’m actually doing in that video clip there, it would pull you to System Settings and kinda break you out of that cycle if the end user had the, you know, cognition to go and do that versus click restart or just dismiss it. There was also an install later where you could give the end user a deferral number of times. Now this is one thing, and one thing we’ll talk about after we go through the logging examples of submitting to Apple. This would be a great feedback. Right now, you actually have, as we’ll talk about with enforcement specifics, the cycles it goes through, but there’s no countdown of a deferral where you’d give a specific number of times they could defer it. This is one thing that we lost moving away from MDM updates.
However, frankly, it never really worked quite right because what would happen is you defer it, and then sometimes it would uncache it from disk and then recache it. There was a bunch of different things that took place around that, especially if they were low on free space. So it just wasn’t the most reliable, but on paper, the best user experience.

You were there on paper.

Yeah. On paper, it looked great, but, yeah, better ways to do it. Speaking of enforcement specific. So this was the big breath of fresh air that we got at WWDC 2023, going into that macOS 14 release cycle where we could send a specific build, a specific version, a specific time that that’s gonna take place, and then it’s gonna go and do that. Now to Tom’s point, you’re working on a Word document, and somehow you ignored, you know, thirty whole days of notifications. It is still gonna go, because...

That’s the word enforcement. They’re kind of, you know, they’re saying we’re going to enforce this like a law. It’s going to happen at this specific time. So something to keep in mind that, you know, when it happens, it’s gonna happen.

Absolutely. And we always called it the hammer. Right? Like, I mean, there’s the hammer and then there’s the velvet glove. And you really wanna make sure that your users have a good experience. And, honestly, if we take them down the right path, they’re gonna have a great experience. But there are a few users who are, shall we say, a little bit less interested in participating in IT shenanigans, and I think that’s most of them, if I’m honest. But, you know, they’re gonna have to still get updated if you wanna stay compliant as an organization. And so, you know, having that enforcement-specific deadline gives you the ability to trigger those thirty days of alerts like Bryce was talking about.
And if they’ve really honestly ignored that many alerts, they probably, you know, need to get that kind of, you know, specific...

They were never gonna update to begin with.

That’s exactly right. They weren’t gonna play that game, and now they don’t have to.

So what that looks like, oh, I went backwards. What that looks like on device too, there is one thing. If you may have noticed, when we’re in here, this is within Addigy. If your vendor has it a little bit differently, you can also provide a KB link. Now, again, is the end user gonna know to click on that and go to System Settings? Maybe, maybe not. But it’s a nice, at least, one way of giving at least some personalization, some customization that you can then point the end user to a KB article or something explaining it. If they drill down and click on more info, they would see, oh, you know, that update’s there. With the new automatic actions, they can go and see the same thing. It’s not gonna have that personalization, but they would see that this update is scheduled. And we’ll talk more about what that actually means and what that looks like on device when it works and when it doesn’t work in the logging examples in a couple slides here. But, effectively, that same update would get downloaded, and it’s gonna get scheduled for the following day. It uses on-device machine learning, which I think that was before they got into the AI craze. They called it machine learning before that branding kinda thing became a thing. But it’s figuring out based off of state of charge, if it’s a portable, obviously. What do you have for battery life? Can I go and do that? What do you have for free space? Can I go and do this? And then also, when is your device, like the one sitting next to me, plugged into power, and in my case, plugged into Ethernet, which is even better because it’s gonna always have that network, or it’d be looking for the AirPort wireless state saying, I have all of these things that are met.
The end user doesn’t have any Word document, although Word’s a bad example because it does have restore states, so it can pause it.

Yep.

But some older applications that don’t have that, right, there’s nothing that’s blocking me. I’m gonna do it at three AM tonight, and it would just go and magically do that update. No. There’s no. Look. Everything is not foolproof. There needs to be a last saved password state. Like we talked about before in that phasing out of the old binary-based OS updates going into the new MDM updates several years ago, 2015, 2016 time frame, there is that, again, authenticated reboot, that need for that Bootstrap Token. In the automatic actions, if the end user hasn’t re-auth stored, it doesn’t have that hashed and stored for some reason, it is gonna prompt for that. So that is one thing. However, I will say from when this launched, and we’ve been running it in production here internally as have a number of customers, it’s gotten substantially better at knowing that and holding on to that state, specifically when they’re using Touch ID. For some reason, Touch ID seems, when that’s enabled and in use, is much, much better at storing that and going for the authenticated reboot then. Then, you know, the device is gonna go ahead, do that update. You’re gonna get a response back. And the most important thing here, in my terms of being an MDM vendor, but also making sure that we’re utilizing what Apple’s giving us, is using the status channel to know why did it do that. This is something that we haven’t really had until we had declarative with macOS 14 and macOS 15, is what is that install reason, and Apple has been adding things to that and has been listening to feedback of let’s get more information in that status channel.
So us as MDM vendors and you guys as admins, anybody in the community can know this is the state the device is in without having to drill down and check logging via the unified system logs on the device itself.

That status channel is so clutch. It’s such an important part of declarative device management that, you know, the MDM gets all, excuse me, the device management service gets so much more information over that mechanism directly from the device when it’s current, not just on a polling basis, but on...

Correct.

As that information changes, they’re like, right. I’ve made this change. I’m going to tell the supervisor that I have made this change. And, you know, it’s a little bit like keeping things in touch when they need to be and not just, you know, your boss checking on you every thirty minutes. Hey. Did you do the thing? Did you do the thing yet? Have you done the thing? Now we just rely on, you know, we just rely on getting that result back. I think a lot about it is I have a middle schooler at home. And, you know, we’re trying to stay a little bit lighter touch this year with, have you done your homework? And so, you know, what we’d end up doing is asking that, you know, at the and once a day, like a status channel, hey. How did school go today? Did you get any sign-offs at school? And that’s where we get those kind of things. And sometimes he’s excited about that, and he comes home and tells us all about those things ahead of time. That’s the behavior that we wanna encourage. And so that tends to be how we tend to think of these things. You’re not having to nag somebody. You’re getting a proactive status report, and that’s a much better experience for device management and a much better experience for admins writ large.

Thousand percent. And I love thinking about devices just excitedly being like, I wanna tell you about my day like a middle schooler.

I wish it was like that. It’s usually not that I need.

No. No. That’s awesome.
And it’s really, it’s also so nice that we’re getting this proactivity from, like, the actual device management vendor side, like, speaking from the strategy path. Like, we are able to build and design things in a way that actually allows admins to know things in real time in a way that is really not feasible with a lot of other check-in methodologies or actually having to be reactive to, hey. Did you do your homework? Like, okay. Answer me, please. Like, if they’re actively going out and telling you these things, it allows us to build better experiences for the admins and the end users because we know that in real time, which is amazing.

Yeah. And as you’ll see in some of the logging ones, like, it’s pretty immediate. Like, once we get to, oh, it’s prepared, it’s ready, it lets the Apple device management system vendor know that. So kinda with that, to kinda talk about, since we’re talking, is actually good transition, talking timelines and when do you know things. The MDM updates, you know, okay. You’re saying the command is sent. I’m acknowledging it. Good. The update runs. But to, like, Tom’s point, okay, you send it. The device takes, you know, let’s say you got a caching server. It takes ten minutes. It pulls it. Okay. It’s doing it right then and there, assuming that it actually triggers, launches, runs the software update, it doesn’t get stuck. A million other things. But, like, it’s just a point in time of boom. Go. It does that. Enforcement specific, like we talked about, is you’re saying, do this, this, and this version at this date and time machine side, and then it’s kind of a, you know, countdown of when you get to that point, and then it’s gonna go. The automatic actions using the new stuff with settings declaration, it’s basically saying, okay. These are the things that you should do as an independent middle schooler, child, declarative child management. It’s saying, basically, you know, hey. You know, this is what we’re, we’re giving you a cell phone.
You know? This is what you need to do. You need to call us and let us know when you need to be picked up from band practice. You’re putting that control in their hands. This is a good analogy. I’m gonna use this again. But, like, you’re basically saying, we trust you to do this, get this task done, and then the device is doing that on its own basis, and it’s happening the instant it happens, not when you are saying, you know, calling or texting saying, hey. Like, are you done? Oh, yeah. Forgot. I was talking to my friends. Like, the device is doing that on your behalf to let you know when it’s ready to go and when it’s done that then.

The other component of that is this is also replacing the software update restrictions profile. This is combining those things into one. So most importantly is obviously the automatic actions and enforcing that and the new logic on the back end within the software update daemon, which is purely just OS side. But it’s also, are you gonna allow the standard users or the admin users to do updates? How many notifications do you wanna see? What’s the cadence you wanna see those in for iOS and iPadOS? Because up until, as we were just talking about before this, literally, like, yesterday or maybe it was Tuesday this week, that macOS or iOS 26 was not being advertised if you were on 18.7.1 and had automatic updates turned off. Now that cycle has changed because we’re looking at December fifteenth as the first business day in the US calendar. I think it’s actually gonna be Friday or, yeah. It’d be a day earlier in EMEA. But you’d have these updates that are the next version of that release cycle train that would be being shown and then the rapid security response, which has actually been now renamed to supplemental security update stuff on the back end, and it’s controlling all of those. And do you wanna stop the update?
And do you wanna automatically do it then after that deferral’s up, after that one to ninety days? And, like we’ll talk about, also beta updates. So it’s a lot of things that they’re trying to cram into there to get all of that functionality, and it makes for a better user experience. But as we’ll talk about, there’s still some points for feedback there.

So criteria to make this happen. There’s a whole talk that I gave at Penn State. I’ll put the link in the chat when we get to Q&A, that I’ve got more of stuff in there from the AppleSeed program and different things about what are the exact, you know, it’s like state of charge. Intel needs to be fifty percent or more, basically. Silicon, you can have thirty percent or more. iOS and iPadOS are slightly different. But what it really boils down to is you wanna be charged over fifty percent. You wanna have a network, and you wanna have that end user not having anything that’s not restorable open, is what it really boils down to. And then that will take place on there.

Same scenario for the enforcement specific. You know, obviously, it’s still gonna go when it’s gonna go. But at the same time, if the device doesn’t, like, let’s say you got ten percent battery, yeah, it’s not gonna go when it’s supposed to go. It’s gonna get delayed. And that means that when that end user then comes back online and they’re fully charged again, then it’s gonna go, which changes the expected behavior of what the user was looking for. So, like, in a normal, let’s say you set thirty days out, they’re gonna get a prompt as soon as it gets the declaration. It’s gonna say, hey. There’s an update. You wanna do it? And, of course, they’re gonna say no, or they won’t see it because they’re in a Zoom call. They have Do Not Disturb on because it doesn’t blow through Do Not Disturb yet at that point. Then after cutting that value in half, so fourteen days in this example, it’s gonna say, hey. You know, once a day.
You got an update coming up in two weeks. You wanna do it? Oh, they’re not gonna. So then we get to more of, okay. You got twenty four hours. This is when it starts blowing through Do Not Disturb, and it’s gonna say, hey. You have an update available. We’re gonna do it. You wanna do it? And they’re gonna say no, or they’re not on their device. Maybe it comes up that so happens you put it at end of business, possible that maybe they just had shut the lid on their MacBook for the day. They took off at a dentist appointment, whatever it is. Then the next time they come online, they’re gonna start getting hourly notifications saying, hey. There’s gonna be an update. It’s gonna happen. It’s gonna happen. It’s gonna happen. Then when you get to one hour is when it really starts prompting you where it’s gonna say, hey. You get sixty minutes, thirty minutes, ten minutes, sixty seconds, and then that’s when it’s gonna go.

The point of, let’s say, you were at the dentist and you were off that day, if the device comes back online the following day, it’s gonna go and say, hey. I missed that install by date. Is the update downloaded? Yeah. Yeah. Yeah. Okay. Cool. You got sixty minutes, then we’re gonna do it. If it’s not downloaded, then you kinda go into that loop. Basically, it’s just gonna keep trying to do that in that loop over and over. It’s a better experience than just it not updating and you’re not meeting compliance from an admin perspective, but there are some pitfalls of that from the end user side. I know we’ve gotten reports. And like you said, Tom, you know, back in your vendor days calling it the hammer of, like, when it’s gonna go, it’s gonna go. And we’ve had a number of people that they’re on a Zoom meeting, and it’s gonna go. Fun fact is actually Zoom will keep running in the background. We’ve had a couple reports of this as it gets to the Apple loading bar when it goes for the reboot before it goes to the restore partition to finish the install.
So you can stay on your call with no video. They can hear you. You can’t see them. It’s kinda fun.

Yeah. It’s great because you don’t necessarily know that you’re still on the call. It’s just like, oh, crap.

Yeah. There’s definitely been times where that’s not the ideal experience. So to that point, what’s better than that? Well, as admins, we’re relinquishing a little bit of that. You must do this at this date. But from an end user side, this is where the magic, this is where it kinda comes to that it just works. Obviously, I’m showing you screenshots of where it just doesn’t work, but that is more of the narrow band of exceptions to the rule. So these are things that we’ve actually seen in our production. This is actually from one of our support engineers on his device because he’s got, like, five hundred gigabytes of system logs from all the support update tickets. And so, basically, it was like, hey. You need to do an update, but you don’t have enough free space. So he got a pop-up the following morning after we had run out the deferral window saying, hey. I wanna do an update, but you gotta give me some free space, which, again, you know, open to interpretation if the end user will actually take action on that. The points for feedback for Apple, we’ll talk about. Or it could be something where it would say, hey. You need to close these apps. Like, I’m talking about applications that don’t have that save restore state where it comes back after a reboot. It’s gonna let you know, hey. You know, close some stuff out. When you’re done for the day, we’re gonna do the update then. And what that really means is it’s figured out that time window when it’s usually plugged into power, and looking for that then. But something that is late breaking, as we’ve now gone into release candidate in the public beta, this can kinda be more discussed.
This is actually from our friend Selena’s production device here within Addigy, where she was going from beta two to beta three, and it was basically saying, hey. You know, you didn’t get that. They’ve changed the prompt to make it be nice and big on the screen. This is for scale. This is real scale size on a fourteen inch MacBook Pro screen, and it’s right in the center, and it’s not movable or dismissible until you hit cancel or try it again tonight. And then, obviously, the end user would go through. It would try and do it again later that night, again, if they have everything closed and quit out then. So this is kind of the nirvana we wanna get to of, we want it like this, but maybe with a deadline. And after that, like, we’re smooth sailing compared to where we’ve been over the last ten years, really. Anything to add on end user experience, or should I go into debugging?

I think we can start. I think the steps, the move forward here is so substantial. And, also, the, you know, the environment as a whole, you know, gets to be a lot more pleasant for the end user at this point. I mean, Apple’s really tried to file down a lot of the rough edges, not just for admins but for end users as well on these software updates. I mean, I think we’re down to, like, you know, it’s maybe a ten minute operation where it used to be thirty or more. And getting to a place where we can clearly set the expectations on this is really important.

Yeah. An unattributed quote that I’ll give here is don’t swim upstream, kinda like the quote of don’t fight the Fed. The Fed’s always gonna win. In this scenario, the end user’s expecting that experience. And if you wanna meet them where they are, you have to give them that experience. And, obviously, that’s not to say just accept it at face value. We’re gonna talk about giving feedback to Apple because there is definitely an opportunity here with that.
But as a community working together to I mean, us, other people I know at different MDM vendors, we’re trying to get Apple in a better state for this and give them the information they need to make that business case to make this better because it benefits all of us. Because all of us have the same pain point. Alright. Absolutely. Let’s jump into the debugging, though. I mean, I think the part that I think is so cool. Hundred percent. This is where I think most of I’m personally most excited by all of this because this is a tricky subject for a lot of people, we get a lot of questions on it. And, again, we’ve got the expert among experts on this, so let’s leverage that. Bryce, you wanna take it not me. I’ll say this. It’s this is my my my segue of telling Apple where we need to make improvements and where to make this better for all of us. This is how we can tell that story. Knowing what the device is doing and when and why is where you can then figure out this is where we need to put some time and effort in making that experience better. So we’ve got four examples here. Declaration blank pending where, like, there’s just, hey. Why is it not doing anything? A declaration completing an update. What does that look like? And then the new automatic actions machine learning failing on an overnight, update on an iOS device, a little bit different for a change versus macOS. And then a new one, using that screenshot we just talked about from Selena’s device saying, why did this fail overnight, and and what did it do to prompt the user then? So the blank pending, we are doing a update for macOS fourteen fifteen dot four to fifteen dot five. And when we were looking within Atigee, because we are using the status channel and manifesting that right on the, device page. So if you’re another vendor, of any other type, you know, you’re just clicking on a device record. 
This is kinda what that that GoLive page looks like, and you’re clicking on that pending update, you know, saying, okay. Fifteen five is pending. What’s the deal here? This is on a VirtualBuddy VM on a wired network. Pop open the logs, and we’ll start looking for software update dot install, just doing a wildcard search. And we’ll see, oh, here’s this, the software update subscriber, and software update daemon’s gonna be coming up around that. Why is that? Well, if we change that and and look at specifically software update dot install in that filter and we look into the software update subscriber update status, so this is that status channel that we were talking about with the middle schooler with the cell phone calling you after band practice, you’re saying, okay. This is the device basically saying, hey. You know, it’s June third at three in the morning. I was I was gonna go and do this update, but it didn’t go. Why is that? Well, here we can see software dot failure reason, and it’s gonna tell you, hey. This is why that failed. And then more importantly, the thing that was kinda interesting with this and that we had then wound up reporting to Apple is the dot install reason here is blank, but we know we sent a declaration. So without that information being present, it’s not something that we, as a vendor, as device management, can tell you what’s going on because we just know, I don’t know. It failed here. But it is prepared, and it is, you know, pending still. If we drill down in further then, we can see oh, and this is just I’m putting it side by side. That’s the same log we were just looking at. We can see, oh, well, you know, it’s showing that reason is blank. And on the Addigy back end, when we’re actually inspecting the page there, we got, well, we know it’s prepared. But, again, without that data there, I can’t really tell you anything about that. So that was filed as a feedback, and Apple has since resolved and fixed that. 
On a side note, these are all the different things you could see in that install dot reason, and this is something that we’re showing on that device page within Atigee. System settings would be just like if you took any other, you know, personally owned device, popped in there, and said, yep. I wanna go and do this update. That’s how you triggered it. System settings was the point that you had done that from. Install tonight would be like an automatic action install tonight where it’s sitting there and pending with it. Automatic update would also be where it’s saying, hey. I wanna do this on an automatic basis using that machine learning, or if you have the just checkbox set in the settings too. Notification would be they got something in notification center like we were looking at those examples of, and they went, yeah. I don’t have anything going on. I’m going to lunch. Do the update right now, and it’s gonna go and do that then. Setup assistant would be like we talked about, way back in the timeline where with Mac OS fourteen, there is the ability and also iOS and iPadOS seventeen, where if you’re doing that setup assistant, kick off the update before you enroll it. Still haven’t seen one come through like this because it doesn’t make sense to me how we would see it in this status because the device isn’t enrolled yet, but it’s it’s here in the documentation. Command line would be obviously if they use the tool. MDM would be if it was triggered by one of the legacy MDM commands, and then declaration would be if it was specifically triggered by that enforcement specific and we’re saying, this date and time, go and do this. So this is an example where this update is completing on a past due, update here. So I was just going from fifteen four as a minor version to the patch version of fifteen four dot one, and I purposely made it happen, after the fact because the device was, powered off. And this is my live production Mac that I was using. 
Again, we’ll hop in the logs, and we’ll look at software update dot install reason. If we go and look in here, we can see, you know, the device you know, this is it hasn’t gotten anything. There’s no there’s no declaration at this point. I had our director of operations go and push that to my device. We can see it picks up that declaration and activates it on device. And so what that is then doing is, basically, this is the update subscriber status saying, I have this set of instructions from Addigy as my device management, I, as the device, as a responsible middle schooler, am going to call them and do this update. And it’s gonna go ahead, download that update, and go and do that. Then, you’d see here the install reason, declaration, the install state. Right now, none because it hasn’t done anything yet. This is only seconds after we’ve received it, but that’s the pending version, and that’s when I wanna go and do it. Then my device will kick off. It’ll start downloading. And then in a pretty short order because I have a caching server, it’ll be downloaded and prepared. And so then, you know, actually, here. Yeah. Fifteen twenty five to fifteen thirty seven. So less than twenty minutes later, the device has it prepared, and it’s ready to go. And so then it’s gonna say, hey. I’m gonna start the install process for that. Once the install completes, that’s gonna blank back out. There’s no failure. The device is updated. That’s how that past due would work. It’s also how it would work on a longer time scale. If it wasn’t past due, it just would have taken a longer time. Automatic actions on iOS. This is an update for iOS eighteen dot six beta three, part of the Appleseed beta. I had a one day deferral set, and I just let it pass that one day. The device then said, hey. There’s an update. Do you wanna install it now or later? I said, yeah. Yeah. Later. I don’t care. I don’t wanna do this right now, as an end user would. 
If we look into the sub subscriber status, what we saw was that it’s looking for that Appleseed beta, and there’s no install state because it hasn’t really done anything yet. It goes through. It’s going to cache it. It is now prepared. I think I missed getting the downloading on there. And it pulled it down. It’s got the correct version, that seven seventy three b, which is one of the beta builds for that. And then what happened? It didn’t update. Well, that’s because this device, I was purposely leaving plugged into power and not doing anything, but I hadn’t locked and unlocked it since it received that, which means it did not get a passcode to give it that bootstrap for the authenticated reboot. What do we see in the status? We see, well, we have a failure reason. What? We have a count of one. There’s one entry about it. And what it’s saying is that the keybag required for that passcode unlock, it’s not escrow. We don’t have that. So I’m prepared, but I can’t do it. So on device then, I got an alert when I came back to it. Actually, this is when I at Penn State MacAdmins. I came back to the device. It was sitting there plugged into power, on the PSU Wi-Fi, and it said, hey. I I couldn’t do it, and it asked for my my passcode. And then immediately, it was saying, hey. You wanna agree to the terms and condition for Appleseed beta? And I said, yeah. Yeah. Sure. Great. Then it will start unpacking and verifying it because I’ve put that in, and I’ve agreed to the terms. Great. Now the update is prepared. Update installs. Notification center on the device shows me, hey. You’re on eighteen dot six. And so the end user had some idea of, like, hey. I need to take this action because it’s it’s it’s routing them to that, and then magically, it just did the update after that took place then, which is a much better experience. Absolutely. 
I think, Bryce, just to kinda jump in here, one of the things that I find really, you know, interesting from a troubleshooting perspective on this one too, like, this example is great because it was due to the being locked that it was blocked initially, but it would have been blocked by terms and conditions. But because it hadn’t reached that point yet, you actually didn’t see that in the log. So if someone had, you know, unlocked it, but then not accepted terms and condition, turned it off, that’s the only way you’re going to see that necessarily. But it’s a great example of how, like, Apple oftentimes can have multiple failure reasons in a row, and the admin only has a small viewpoint of it of what’s failing first. Yep. It’s like a Rube Goldberg machine. If the next domino doesn’t topple, it’s not gonna topple the next thing. Great Yep. Great example. Yes. Hundred percent. Like the opening of flover. Just trying to make toast here. Oh, then. Now that’s a pro book. Yeah. Throwback. Right there. Wow. Hey. That was also a Mac. That was a Mac, I think it was a fat Mac, a five twelve Mac, if I remember correctly, in the opening scene of that. I’ll have look that up later. Okay. Our last example of the day. So this is on Selena, our our our friend’s device here in Atagy production. Appleseed beta for IT where she’s getting the releases there, and the automatic actions are unable to go to the update on this device. Well, what happened? Well, we can see here at midnight thirty, basically, on the device that the update status was there. I’ve got the update. It’s prepared. Great. Cool. Whatever. Selena must be a night owl because then at about three forty two AM, it finally was like, yeah. Yeah. Yeah. Okay. I’m good. She’s not gonna be touching the device anytime soon. We can update. That machine learning element where it figures out where your machines are and are not being in use is so clutch. You know, my day job works in nightclubs now. 
And so most of our staff are on their machines until midnight, one AM, some cases later. And so, you know, most of the time, our machines update between five and seven AM. Interesting. So, like, they are much, much later. It does give you a much broader window, to work with that. And, you know, for our staff who are, you know, night owls, they prefer not having to worry about that. Yeah. Well, if you were doing enforcement specific and you said, yeah. Do it at eight PM. It’s after the business day after dinner. They should have plugged it into power if they work from home. But what if that’s when they’re logging back on to to, like, finish stuff up for the day? That’s right. They go, well, I’m just gonna go watch Netflix now because you just interrupted their workflow. And so in this example, software update daemon, we can see this, you know, basically looking at the parameters of it, the properties, and saying, okay. Install tonight is enabled. Great. Let’s go do that. So software update daemon goes off to the races. It says, okay. I’ve got the recovery partition all set. We have that local authentication. It’s present. That that escrow of of her last auth is good. And then we can see, okay. Well, what’s this? A little bit later, it says, well, actually, we’re gonna set this for for due later. And if we drill down in, we can see, well, what’s this? It looks like that there’s an app blocking the restart. Well, why is that? What did it do? Well, let’s take a look. What’s the bundle identifier? Oh, it looks like com dot addigy dot mac manage, which is our self-service app, was still open or the menu bar app was still open. Inside baseball, I did a bunch of looking into it. She also uses a VNC app that then continues to wake the device up when it’s in sleep mode, yada yada. One thing led to another. It’s one of those things of again, we only know the first point of this app can’t close, but it’s because the device can’t go to sleep. 
So the menu bar app is trying to redraw. Bottom line is having this information when we filter it through in the logging will let us know, hey. This is a great point of failure. We know why that is. That’s new as twenty six dot two. And as we’ll talk about, this is one thing I will be submitting as a feedback of the status channel tells me that it’s an automatic action, but it’s not manifesting the failure description from in here. So this is a point where looking to the debugging and putting together of, hey. Why don’t we pull that failure description from the automatic actions and put that in the status channel? That could be really helpful to us as admins. So if you find examples of your own, you should definitely file that too. So then after that, eight forty eight AM, Selena logs in for the day central time US. His device basically goes, hey. I’ve actually queued that up for tonight again. Basically, that’s what it’s saying up in the upper corner there. It’s gonna install tonight. We’re gonna try again tonight. And it’s just gonna keep doing that cycle over and over until it updates and and when it can actually get that update done. Now like I just talked about, final thing, providing feedback. So, like, in those examples there where I broke down, the status channel’s not gonna tell you that Selena had MacManage open and the menu bar app running and all that. It’s just gonna know, yeah, update’s prepared, but it’s not gonna know that because at this point, that’s not being sent back through. That’s an excellent point of feedback. If you’re not in Appleseed for IT or education, if you’re an EDU customer, highly recommend it. If you’re using Apple Business Manager for your device enrollments, you can sign up for the program for free. You just need to agree to the terms and conditions on it. There is an NDA if you’re not supposed to talk about it publicly. 
Like, for example, like, we’re not talking about anything that’s gonna be in any future OS that that’s not already out there. The release candidate’s out there publicly in the public beta now. But there is different components that you can get, not only those beta OSs, but also you have access to submitting enterprise feedback, goes to a specific channel for that team, which is very helpful for them to get that, because it’s just more curated, of these are the enterprise use cases around that. When you’re submitting those feedbacks, it’s also helpful to let your MDM vendor know. In this scenario where, you know, com dot addigy dot mac manage, the bundle ID is the one that’s being stuck there. That’s something that we’re looking into of why would that get stuck around that. So sending that in as a ticket with logs and screenshots and explaining that, super helpful. And that goes for any vendor, not just us. Any we’ve been at other vendors before. It’s always nice to know, where that is because it saves you a lot of the legwork. And, also, when you have hundreds of devices or thousands or tens of thousands or hundreds of thousands, that’s a lot different use case than just the one that sits next to me on my desk that I do stuff on occasionally. It’s, great to get that feedback. When you’re sending it into Apple, if you’re part of the regular beta program, beta dot apple dot com, otherwise, or Appleseed. And like I said, hugely helpful to be using the enterprise and the business program, to get that feedback for them. And then this is one point of, information that we’ve been directed from Apple about is submit the logs from the affected device first. 
When it opens the ticket, it’s just cataloged, and it’s much more clear to them versus you can grab logs and examples from a device after the fact, but submitting it on device runs the analytics and gets them everything that they need versus, well, maybe you missed a file or you didn’t grab the full archive or whatever it may be. Yeah. We we’ve also seen on that, though. Like, it’s not just that it gets them the information, but the response time is different in terms of, like, something on the tagging on their end also changes from if you’re actually filing from the impacted device versus if you do it on your production machine. Like, we’ve actually seen the responsiveness vary quite a bit. And so what happens after response? Yeah. The inside baseball on it is because you’re launching setup the feedback assistant app on device. It’s actually it’s kinda like when you go into a browser. That’s this is this is my summarization from looking at it. When you’re, like, in a browser and it goes, oh, your user agent, you’re on Safari in this version. But if you’re making a report from a version that’s not that like, it doesn’t even though the logs are one thing, that’s that’s different of how that that that session comes in. Absolutely. Awesome. Well, we just went through a ton. Thank you. Thank you, Bryce, for going through all those examples. They’re always amazing no matter how many times I hear it. We’ve got some time for, you know, q and a. We’re also going to be doing a Zoom poll on if you want to learn about even more beyond this one hour webinar. Happy to, you know, talk with you guys. Our product team is very passionate about this. Bryce, more than anyone else I’ve ever met, seriously, on this topic, he loves it and could talk about it a ton. So we are happy to help no matter, you know, what your vendor is, whether or not it is or isn’t Atagy. We wanna make this better for all admins. So let us know. But let’s open up for questions. Yeah. 
And I the first one I see here, q and a from Patrick, that is not the install dot log. I did another session, which I’ll make I’ll I’ll grab that at Penn State about unified system logging. Was a couple years ago now. Starting with oh, it’s kinda really I don’t remember off top of my head, but right around the Big Sur era, twenty fifteen, twenty sixteen I think it was twenty sixteen. macOS went to using fully unified system logs, which are actually compressed binary files that are proprietary to the unified system logging, and that’s actually where all of these things live. Or, like, our self-service, Addigy MacManage, that logs to that internal unified system versus just dumping it to a text file. And what that allows you to do is you can have filters and tags and different things to figure out what’s actually going on there. So when we’re checking that, we’re actually checking the system logs dot log archive, which is something that you get when you run a sysdiagnose, which is actually what Feedback Assistant is doing when you go and report an issue. And then you can uncompress it, pull it out, open it in the Console app, or you can use the logging binary. So it basically, I’m checking that and then cross referencing it against what we as the MDM vendor are getting. Now in a scenario, if your vendor isn’t showing you that on the device record, you’re gonna have a little bit more of a needle in the haystack. But if you filter by that install status like we talked about, you’ll be able to get that message pretty quickly. When I’m looking at it, I’m pulling it from, okay. I know in Addigy, I can see on GoLive that this device had an entry at three forty AM, whatever it was, when the device couldn’t go and do that. So I know I can kinda zero in on that time frame versus looking at millions of entries in there. It just helps to narrow it down when you’re looking at those local files. 
Unified logging is such an amazing tool, and it works more with just with than with just the operating system. You can have your binaries logged there. You can have all these things. And, of course, it goes back now almost a decade. Twenty sixteen was the initiation of Decade. Of unified logging. And so, you know, I was gonna say it’s if your vendors aren’t using unified logging, you know, maybe this is a good time for you to put in that feature request to them as well. You know, everybody needs feedback. Right? Like, we all need feedback to do our jobs better and, you know, providing that clear feedback with the business case that goes with it. Hey. I wanna track what’s going on with our applications. We’re having this weird problem, and it would be so much easier for us to resolve if you just log to the unified logging system instead of an individual feed. So I think that that’s a that’s a big part of it. That, you know, now that we have all of these controls over, the environment, it’s so important. Hundred percent. And I just put that logging session. Because what in that session, I go through how can you use the command line tools because there are a number of admins that I’ve worked with in the past that they will do different custom extension attributes within, like, Jamf or a custom device fact within Addigy. Do I always recommend it? No. Because it’s it takes a little bit of time for to do the query, but you could make it pull down, filter for something specific and then pipe that back into that device inventory. So there is a couple powerful ways you can do that. Or if you just SSH the device and look for it specifically, you could do it that way too without having to put hands on the device physically or grab that archive. And I’m also gonna put this in the chat here too. Do you wanna hear me yell about updates more, there’s there’s a longer format of this too. Yes. 
I I like to call it the, if you look if you’ve watched the one that I give at MacSysAdmin in Sweden, it’s like the quick super speed version. And then if you want the full fat milk version, you watch Bryce’s PSU session because it’s, like, an hour and twenty minutes. And it’s it’s great. So it’s just like, how much how much are you looking to get into this? And if you still have questions, like, I always love to end things with, like, product at Addigy dot com. All the PMs and myself, check that. It comes straight to our inbox. We love getting questions even if you’re not an active customer on pretty much anything because we’re all in seat because we’re nerds about this stuff. So, yeah, we’ll give it a second in case anyone has any other questions. So please feel free to put them in. I I I I have one while we’re waiting to see if anybody has another one. So this is kind of just like a learned life experience. Do you guys have any mem like, what’s your earliest memory of an OS update ticket that you took when you’re working at a help desk or in your career? Because I I I know mine specifically, but I’ll I’ll see if you guys have two of them. Say it again? So, like, either your earliest experience with an OS update going wrong, like, your career or in in your life god. I I know mine. Oh gosh. Mine, I think, would have been at University of Wisconsin Eau Claire. We had rolled them out, and one of the graphic design professors I have this was before MDM updates. And I had gone, and I had physically installed things. And they were, you know, admins on their devices. And this professor called me at, like, six AM as he was getting ready because I don’t know how he’d gotten it, but he had somehow, like, completely bricked his device over the process of an update because he was trying to do it himself, but did it wrong and tried to, like he basically wiped his whole device trying to update it even though I had just updated it. And I was just like, okay. Cool. 
I’ll come into the I’ll come into the university early. And I wound up spending, like, thirty five minutes while he talked about how he needed all this specialty software, we had to completely do everything from scratch. I still am not sure how he managed it. That’s a painful one that comes to mind from over I had a ten six eight server to ten seven server. Just garbage fire. Just relentless garbage fire migration. It took an office of ours offline for the better part of a couple of days. It was so bad. Yeah. So it and that was also the part of server kind of not like, that was, like, a more of, we’re gonna let vendors kinda take over from here. It’s kinda where that that really started with work group manager going more away, and and and there were there’s a big transition with a lot of that too. Yeah. Yeah. Mine, I have I have two of them. One of them is personal. One of them is is work related. My personal one, I think I told the story out at the Penn State one of Mac OS ten dot three. I was like, erase and install because I was, like, eleven or ten. I don’t know how old I was at that point. I was like, erase and die. That sounds cool. I’m gonna do that, which probably what that professor had done somehow on nearest Catherine. I’m like, I’ll do that, and everything was gone. It was like like that South Park meme of, like, oh, and it’s gone. Everything was just gone on the family computer, which I I thought was kinda fun. I had to rebuild everything, but you live and you learn. You live and you learn. Favorite My favorite work one iron ironically, also a professor and also somehow got the update. This is, when Mac OS I think it was ten seven also. So maybe we have that in common, Tom. Ten seven came out. It was the first one you could get through the App Store. And everybody was trying to figure out how do I how do I block it? How do I not have them do the App Store? Because in EDU, it always comes out at the worst time of the year. 
It comes out at the start of semester. So you at an EDU, you either run n minus one the whole year, or you get to the point that you’re doing updates over winter term or j term, and then they come back and have the new OS starting in January. And he somehow, I do not know, blew through everything I had done, all the defaults writes. It was locked down. The app couldn’t launch. He somehow maybe he got the dot app on his in in Flash Drive. I don’t know. But he installed it, and he could not print because and, also, the directory binding was broken because we were still using mobile accounts then. So yeah. But he’s also the same professor. He was actually a professor I had when I was going to school there because I went to school at the same time. Danger. Yeah. Nice guy, though. He also is the professor that played civ civ five for a a number of hours on his production university Mac. Okay. But great game. Cool guy. Yeah. Cool guy. Great game. I I do have to give one thing that just came to mind on the the good old Windows side of the house because, you know, you go through the trenches and become an Apple admin, and you’re like, oh, why was I like this? But you said, oh, and it’s gone. Fun story to kind of end my my PTSD of when I was an admin. We had a student employee at the university, and we had SCCM two thousand seven. And they clicked the wrong button and managed to delete every single installation file on our distribution point, and it took us three days to update from back from all the backups because they had deleted over two thousand carefully scripted, put together installers, and wiped everything for the whole university. So just don’t don’t do that. Yeah. You’re good. That’s a resume generating event. Yeah. That one was that’s that’s what you made me think of thinking back that far away, Bryce. And I don’t like thinking about my SCCM days, so thanks for that. Well, it’s all over now. I’ll answer the the two questions in chat, and we can wrap up here. 
Perfect. To the anonymous attendee question here, I’m having trouble with updates not progressing after turning back on declarative and doing the keep devices updated to latest that they don’t get declared. Is there an easy way on the endpoint to see why the declaration happens in the event? So, like I was talking about with that status channel let me go back here a few slides. If you’re doing that within Addigy, you could look in the events on device here where that that device is gonna have what you know, was the sender and the receiver of that, what was the reason for it, and did it actually get that. If you’re not using, that or you don’t have that in events or it happened a while ago because those are retained for ninety days, you could look within the logging. And, specifically, what you’re gonna wanna look at and filter for would be the software update subscriber like we were talking about because that’s gonna tell you the dot failure reason, the dot install reason, and what state is that in. I would also add, if you’re on macOS fourteen, they probably need to be rebooted. There’s a whole another sidebar about macOS fourteen dot four and how Apple removed the ability to run the kickstart command for the software update daemon, which we were using with an internal agent tool to cycle that when we saw it stuck, where after twenty four hours, if the status hadn’t changed, the update probably stuck. Well, that got removed with macOS fourteen dot four and has not come back since. Now the service has gotten much more reliable since then, and, obviously, that was also part of the point. Apple kinda there was a dialogue of, well, you can’t just keep killing it because, yeah, it works then, but we’ll never get the logging to that point of sending Apple that feedback. So that’s now been adjusted to send logs in and grab logs that we can send in when we have that happen. 
But to that point, if we’re on fourteen or even really early fifteen, I’ll need to physically reboot the device. I would bet not money, but some pride that it’s probably a, a reboot needs to take place. Last question here from dRucker about, one of the strongest features in the status channel. I agree. How can we leverage that in real time for conditional access and zero trust? So that is something that Bob Gendler and the team at NIST is looking at, that has not been put on the GitHub repo. They’re still looking into that because declarative has not been enforced with that yet. But when we get into requiring declarations for those, compliance benchmarks, that status channel, I believe, is gonna be a way that vendors are gonna have to do some development work, us included, because right now, we just forced that or we just force that we just surface that on the the the status. But we don’t actually take action on that currently, because there’s also like, let’s say you’re using the passcode declaration. You could say, well, not only has it been installed, they haven’t set their passcode yet. There’s a big difference between I’ve installed the profile or declaration in this case, and I’ve actually made them change their password yet. So that’s something that’s definitely gonna be coming on the road as, you know, NIST, obviously, they’re they’re on the forefront of that. And I know the team at the UK Center for Cyber Essentials, couple members are in the community that I’ve I talked with on that. They’re also looking into that too. Absolutely. And on the vendor front, like, from from our standpoint, building out the product, like, it is how the vendor leverages it, like, to your question of, like, how do you do it without over architecting it or just blowing through it, that should ideally be handled on the vendor side, and we’d be building in the logic for that. So you’re not having to worry about it. 
Right now, we’re waiting for the ability to kinda connect the pieces so that if we see that it’s, you know, not compliant, we’re able to then route it as long as you have everything set up. So, ideally, in the very near future, you won’t actually have to worry about it because it’ll be infrastructure on the vendor side rather than having you do it locally.
So, yeah. That said, if you really wanted to, you could write a custom rule within a benchmark. I mean, I’m speaking to the Addigy side of it, although I know the Jamf compliance project is very similar in it. You could write a custom fact that does go through. And like I had then that Penn State session where you run a login command, you pull it back, you pipe it through grep, you trim it down, and you could put that in there. You could get something back that you then make a rule of if this, then that. You could do that.
Last question here we had that just came in, from Anonymous again. Do you need to enable the enable all automatic updates MDM profile if the DDM updates are configured? No. The new declarative, it takes precedence. I think, actually, I said this when I talked with you, Tom, about the humans and fish can coexist peacefully. Yes. MDM and declarative can coexist peacefully together. It’s just that declarative is gonna take precedence. So you could deploy both of them, but using the settings declaration will automatically overrule whatever’s there for that.
Awesome. And it looks like we don’t have any other open questions. Again, if you guys think of some and you want to know more, you can reach us at product at addigy dot com. We’re happy to help out. Thanks, everybody, for dialing in. This recording will be available if you wanna share it out. And huge thanks to you, Tom, for joining us. This is great. Always a pleasure to have you.
Catherine and Bryce, thank you so much.
And for your continued support of the MacAdmins Foundation as a whole, we couldn’t do this without our partners like Addigy. And, you know, doing these kinds of events is a great way for us all to kinda give back to that community of support out there. So thank you both so much.
Absolutely. Thank you. Thank you. Awesome. Well, thanks, everyone. Have a good rest of your Thursday.