SUPERMAN 5.1.0-beta3: Unlocking Alternate Configurations for Enhanced macOS Update Control

Explore the power of alternate configs in SUPERMAN’s latest prerelease and how they unlock new workflows for Mac Admins and macOS update compliance.

Posted May 31, 2025 Updated May 31, 2025

By Tony Young

views 8 min read

On Friday, May 30th, 2025, Kevin White, aka Macjutsu, pushed an update to the super 5.1.0 prerelease. As a strong advocate for the tool, I feel like these changes have been directly targeted at myself. super 5.1.0-beta3 adds a superpower (pun intended) that I and other Mac Admins have long wanted: configuration flexibility.

What does configuration flexibility mean in this case? Well, to find out, we can read through via the most recent CHANGELOG.

  
### Specific Changes (5.1.0-beta3)

- New alternate configuration options allow you to maintain multiple different `super` workflow configurations:
	- New `--config-edit-main` option allows you to create and update configuration settings in the main `super` preference file without starting the workflow. Any other workflow options specified at the same time (or in the same command line) are added to the main `/Library/Management/super/com.macjutsu.super.plist`.
	- New `--config-edit=ConfigurationName` option allows you to create and update configuration settings in alternate `super` preference files without starting the workflow. Any other workflow options specified at the same time (or in the same command line) are added to an alterate preference file located at `/Library/Management/super/configs/com.macjutsu.super.ConfigurationName.plist`.
	- New `--config-delete=ConfigurationName` option deletes the specified alternate configuration preference.
	- New `--config-delete-all` option deletes all alternate configuration preferences in the `/Library/Management/super/configs/` folder.
- New `--config-start-default=ConfigurationName` option starts the `super` workflow using the settings from the specified alternate configuration. Workflow settings in the default configuration take priority over the main `super` preferences. Additionally, settings that are only found in the main `super` preferences are also used in the workflow. To disable this option use `--config-start-default=X`.
- New `--config-start-temp=ConfigurationName` option starts the `super` workflow using the settings from the specified alternate configuration. Workflow settings in the temporary configuration take priority over __BOTH__ the default configuration the main `super`. However, once the workflow defined by the temporary configuration has completed, `super` returns to the default configuration or the main `super` preferences (if there is no alternate default configuration). Additionally, settings that are only found in the main `super` preferences are also used in the workflow. To disable this option use `--config-start-temp=X`.
- Significantly improved `--config-status` option now returns a variety of information about the super workflow configuration and also now includes the installation history of macOS system and security updates. The installation history is generated by parsing output from the `system_profiler` command, so this includes all macOS installations, not just those completed by `super`.
- All active super preference files are now evaluated at the start of every workflow to ensure validity. This allows you to use alternate configuration preference files copied from another computer. In other words, you can create multiple `super` workflow configurations on your administrative computer and deploy them directly to the `configs` folder of other computers.
- New `--workflow-require-active-user` option only allows the `super` workflow to continue if there is a logged in user. With this option enabled, if there is no active user when the `super` workflow runs, then an automatic error deferral will restart the workflow for later.
- New `--workflow-reset-super-after-completion-off` option to disable this behavior if it was previously enabled in a super workflow.
- Improved display icon caching to support multiple alternate configurations.
- Resolved an issue of improper handling of an edge-case when IBM Notifier times out after an extremely long delay.
- Updated [spreadsheet (tab separated values) for migrating to `super` v5.1.0 command line options](https://github.com/Macjutsu/super/blob/5.1.0-beta3/Super-Friends/super-migration-options-v5.1.0.tsv).
- Updated [spreadsheet (tab separated values) for migrating to `super` v5.1.0 managed preferences](https://github.com/Macjutsu/super/blob/5.1.0-beta3/Super-Friends/super-migration-managed-preferences-v5.1.0.tsv).
- Updated [example MDM configuration profiles for `super` v5.1.0](https://github.com/Macjutsu/super/tree/5.1.0-beta3/Example-MDM).
- As always, typo fixes and improvements to both regular and verbose log output.

So now, you are a Mac Admin who has been testing v5.1.0 and are asking yourself, what does this new functionality mean for me, and how can I take advantage of it or test within my environment?

Reading your recent blog post about leveraging super in a semi-automatic mode, I have something planned that should help out with more complicated workflows where you have more control over what happens. When [originally] designing super the primary customer is those that would probably prefer to set-it-and-forget-it. This is why the default workflows behave the way they do. As more technical [Admins] have started using super, it’s become clear that I need to offer a “more control” set of options as well, and that’s the plan [going forward] for v5.2.0 – Kevin White [March, 2025]

Why Alternate Configs Matter

In my current semi-automatic configuration of super running in production, our configuration equates to the following workflow:

Initiate a Change Management Request to mandate updates to the latest version of macOS (currently 15.5, 14.7.6, and 13.7.6 as of May 31st, 2025).
During the approved window of deployment, deploy a Jamf Pro Policy to install/activate super, with a --deadline-date-soft and --deadline-date-hard set to enforce updates after a certain date. The deadline dates are deployed as script parameters so that they are temporary settings, and that the organization is not required to regularly deploy updated configuration profiles with a new date.
1. Previously, we’ve had WorkflowDisableRelaunch enabled via a configuration profile so that super would not return after updates are applied, but have opted against this approach due to an issue seen with Sequoia where updates were downloaded and workflow were marked as complete. Now, super is free to run as often as it needs to ensure installation of updates.
Once a system meets the current required version of macOS, a secondary policy is deployed to disable or even uninstall super until the next Change Management Request window is initiated. This is so updates do not attempt to install as Apple releases them, and only when the organization says it’s okay to run.

The downsides to this approach? We are unable to take advantage of patching Safari updates via super so as not to patch to macOS unintentionally. Oftentimes, Apple releases an update during the mid-maintenance window. Software Update Deferral configurations are in place to account for this, but it adds complexity to ensuring compliance with a minimum enforced version of macOS.

With v5.1.0-beta3 and alternate configurations, we can begin to introduce a Safari Only configuration and set keys like --install-safari-update-without-restarting and --install-prioritize-non-restart-updates

Use Case: Zero-Day Exploit Patching

Other scenarios can now be more thoroughly thought out and deployed as well.

I’m trying to deploy critical macOS updates when Apple releases a critical version with a zero day exploit. I’d like this to have more aggressive updates, like a 1 day hard deadline with 1 hour deferrals. However, I don’t want this to continue running after the patch has been sent. What would be the best way to do this? Since super is a LaunchDaemon it runs the next update as soon as it comes out. Is there a way to target a minor OS version? Or should I just use smart group logic in Jamf Pro to deploy a new profile once Jamf recognizes that it’s on the patched version or above? – Christopher Schasse [Rocketman Tech, April 2025]

In this scenario, pre-work can be done using the --config-edit=ConfigurationName to set a Active Exploit configuration to be more aggressive at enforcement.

  
super --config-edit=ActiveExploit --deadline-days-hard=1 --defferal-timer-default=60 --deferral-timer-menu=10,30,60

This will create /Library/Management/super/configs/com.macjutsu.super.ActiveExploit.plist. You may want to avoid naming the configuration “ActiveExploit” to prevent alerting security scanners unnecessarily, but you get the point. So be sure to choose a more neutral name instead. Now, this alternative workflow can be called upon on-demand via a Jamf Pro Policy or other means

super --config-start-temp=ActiveExploit

There is a general best practice when using super; set permanent settings via a configuration profile, and temporary settings via script parameters (if using Jamf Pro). But also, only include the configuration settings/keys that you absolutely need, and to not set every possible option for the sake of setting every possible option. Now with 5.1.0, alternate temporary settings can be saved into a localized .plist file to be called when needed. Once the workflow defined by the temporary configuration has completed, super returns to the default configuration or the main super preferences (if there is no alternate default configuration). Additionally, settings that are only found in the main super preferences are also used in the workflow.

Testing Continues

If you’ve built out a creative use of super previously that doesn’t fit in a set-it-and-forget-it method, I would love to know what you’ve done thus far. How will you adapt and update your setup with the newly supported alternate configurations within super? Consider sharing those here on this post, in GitHub as a discussion or issue, or within the #super channel on the MacAdmins Slack.

Continued Reading

Check out additional posts relating to super on the Patch Notes and Progress blog.

Video Resources

It’s a Script…It’s a Daemon…It’s S.U.P.E.R.M.A.N. – JNUC 2022
S.U.P.E.R.M.A.N. II – JNUC 2023
How to Soar with S.U.P.E.R.M.A.N. – Rocketman Tech LaunchPad (May 2023)
Need S.U.P.E.R.M.A.N. to Save Your Jamf Server? — How to Optimize macOS Software Updates & The Upgrade Experience - S.U.P.E.R.M.A.N version 4. – Rocketman Tech LaunchPad (May 2024)
S.U.P.E.R.M.A.N. 5.1 (Beta) - Q&A Forum with Kevin White – Rocketman Tech LaunchPad (May 2025)

Mac Admin Tip of the Day

MacAD.UK 2025: Mac SysAdmin & Developer Conference was hosted on May 14th to the 16th at the DoubleTree by Hilton Brighton Metropole, Brighton, UK.

The video sessions have recently been uploaded to YouTube, which can be found here.

Mac Management

This post is licensed under CC BY 4.0 by the author.