Super Release Candidate 1

super 5.1.0‑rc1 for Mac Admins: precise targeting, Tahoe support, and sturdier installer flows

Kevin White has shipped a new pre-release of super: v5.1.0-rc1 (Oct 2, 2025). It builds on the 5.1.0 beta series and adds exact‑version targets, Tahoe 26 support, temp‑override for crisis workflows, and automatic mist‑cli + build validation. This closes gaps where softwareupdate output stalled upgrades and reduces pre‑staging toil.

Below, I’ll recap what’s new since beta3, call out administration impacts, and share ready‑to‑use workflows.


What’s new since 5.1.0‑beta3

You can review the full changelog on GitHub.

  1. Tahoe (26) support: super recognizes macOS 26 for policy and enforcement parity.
  2. Pinpoint version targeting: target an exact minor or a specific major upgrade.
    • --install-macos-minor-version-target=15.6.1
    • --install-macos-major-version-target=15.7.1
  3. Temporary configs can override MDM keys (optional). When enabled, temporary alternate configs (started with --config-start-temp=Name) can supersede conflicting managed prefs—ideal for crisis workflows—then fall back afterward.
     <key>ConfigTempOverride</key>
     <true/>
  4. Sturdier mist-cli installer workflows.
    • Auto‑install mist‑cli 2.2 on macOS 15.6+ when needed.
    • Validate installer version and build before proceeding.
  5. Faster, smarter status and discovery.
    • Tunable cache age (SOFTWARE_STATUS_CACHE_AGE_MINUTES).
    • Improved Jamf Pro version parsing (versions like 11.20.1).
    • Clearer logging for alternate workflows and super-audit.log for audits.
  6. Migration documentation updated.
    • Migration TSVs for CLI and managed prefs, plus example MDM profiles.

Reminder: super 5.x requires macOS 11+


Why it matters operationally

  • Exact‑version enforcement for CVE playbooks. Pin, for example, 15.7.1 across Sequoia while validating later dot releases.
  • Alternate configuration overrides allow a temporary, more aggressive workflow to supersede standard MDM‑pushed prefs, then disappear when complete.
  • Lower toil on full‑installer paths—mist‑cli and build checks are handled for you.
  • Cleaner reporting with super-audit.log and accurate Jamf Pro version parsing to keep EA‑based dashboards honest.

Community findings: Struggles going from Sonoma/Ventura to Sequoia (pre‑rc1)

Within the Mac Admins community, many organizations found issues upgrading macOS Sonoma 14 and earlier devices to macOS Sequoia 15.x since Tahoe became available.

  • softwareupdate --list on 14.x often exposed only Tahoe and Safari updates while the GUI offered Sequoia, stalling CLI‑driven upgrades.
  • Major‑upgrade deferrals could still hide Sequoia from CLI tools.
  • Manual recovery (--fetch-full-installer, clearing caches) was inconsistent; mist helped, but not universally.
  • Workarounds tried: pre‑caching full installers (SU or mist), erase-install for stragglers, removing deferrals, and resetting SU caches. Results varied by device state.

What rc1 changes: Pinning the target and letting rc1 fetch and validate full installers when required, combined with additional bug fixes, seems to have resolved the previously seen issues in early testing.


The following are some recommendations and workflows that I already intend to deploy in my environments to take advantage of all available functionality within version 5.1.0.

1. Re-Evaluate Configuration Profile

You do not need to configure every possible setting under the sun. In the Mac Admins community, I see a ton of people who will take the “All Options” configuration profile and just change the settings they care about, and then put an X for all other settings. This is not necessary. I highly recommend reviewing the wiki, as well as the script itself, to see what default values exist within super. Many settings, if you do not configure them, are innate. You do not have to explicitly disable something that is off by default; doing so can lead to activation issues. Put the settings that are applicable to your needs, and are not going to require constant changes, within a profile. Then take advantage of Alternate Configurations and parameters for all else.

Here is an example of a configuration for super that I have deployed.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>AuthJamfComputerID</key>
    <string>$JSSID</string>
    <key>DeferralTimerDefault</key>
    <string>60</string>
    <key>ScheduledInstallUserChoice</key>
    <true/>
    <key>ScheduledInstallReminder</key>
    <string>120,60,5</string>
    <key>ScheduleDeferredStartFile</key>
    <string>/Library/Management/PatchNotes/notUpToDate.txt</string>
    <key>DialogTimeoutDefault</key>
    <string>600</string>
    <key>DisplayIconFile</key>
    <string>/Library/Management/PatchNotes/patchnoteslogo.png</string>
    <key>DisplaySilently</key>
    <string>DIALOG</string>
    <key>ConfigTempOverride</key>
    <true/>
    <key>AuthMDMFailoverToUser</key>
    <string>ALWAYS</string>
    <key>InstallRapidSecurityResponses</key>
    <true/>
    <key>InstallNonSystemUpdatesWithoutRestarting</key>
    <true/>
    <key>WorkflowDisableRelaunch</key>
    <false/>
    <key>WorkflowRequireActiveUser</key>
    <false/>
    <key>VerboseMode</key>
    <false/>
  </dict>
</plist>

Note: In my client organization, super is typically not allowed to apply updates automatically outside of Maintenance Windows, and so the key ScheduleDeferredStartFile is used to restrict super by stating “If this file is not on the system, do not update”. The file in question is removed from systems that are running our minimally required version. This prevents the need to remove super from devices that are fully patched, or to constantly turn the WorkflowDisableRelaunch key on and off. We can override the file path in situations where alternate workflows need to run, without the need to deploy multiple different files.
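
One way to maintain the marker file described in the note above, as an added example that is not part of super or of the author's deployment. The baseline value, the function names, and running it as root from a recurring Jamf policy are assumptions.

```shell
#!/bin/bash
# Added example (not part of super): keep the ScheduleDeferredStartFile
# marker in step with patch state. Function names are hypothetical.

# Path taken from the profile above; override MARKER for testing.
MARKER="${MARKER:-/Library/Management/PatchNotes/notUpToDate.txt}"

# True when version $1 >= version $2. Write the baseline the way
# sw_vers reports it (15.7, not 15.7.0) so equal versions compare equal.
version_at_least() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# sync_marker CURRENT BASELINE [MARKER]
# Removes the marker on compliant systems (super then stays idle) and
# creates it on systems below the baseline (super is allowed to run).
sync_marker() {
  local current="$1" baseline="$2" marker="${3:-$MARKER}"
  if version_at_least "$current" "$baseline"; then
    rm -f "$marker"
    echo "compliant"
  else
    mkdir -p "$(dirname "$marker")"
    : > "$marker"
    # Readable by all, writable only by the owner (root when this runs
    # from a Jamf policy), so the gate is not left user-writable.
    chmod 644 "$marker"
    echo "needs-update"
  fi
}

# On a managed Mac (baseline is an assumed value):
#   sync_marker "$(sw_vers -productVersion)" "15.7.1"
```

Because the marker decides whether super is allowed to update at all, keep its parent directory root-owned as well, so that only management tooling can add or remove the file.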

2. Exact Sequoia pin without drifting to Tahoe

What this does: Enforces a specific Sequoia build. Expects full installer if non‑latest; rc1 handles mist‑cli + build validation.

# Exact Sequoia pin without drifting to Tahoe; verifies build before install.
# Expect a full installer if 15.7.1 isn’t the latest
/usr/local/bin/super \
  --install-macos-major-upgrades \
  --install-macos-major-version-target=15.7.1 \
  --workflow-install-now

Per Kevin White: if you don’t specify a full version number, super targets the latest that matches what you gave. For example, 15 will pick 15.7.1. 15.6 will pick 15.6.1. 15.6.0 targets exactly 15.6.0.
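
The resolution rule quoted above, modelled as an added example so you can predict what a pin will select before deploying it. This is not super's own code: the function names and the list of available versions are constructed, and padding Apple's two-part names (15.6) to three parts (15.6.0) is an assumption about how an exact target is compared.

```shell
#!/bin/bash
# Added example: models the "latest that matches what you gave" rule.
# Not super's implementation; names and sample data are constructed.

# Constructed list of versions a catalog might offer.
SAMPLE_AVAILABLE="14.8.1 15.6 15.6.1 15.7 15.7.1 26.0 26.0.1"

# Pad a version to three components so 15.6 and 15.6.0 compare equal.
normalize_version() {
  case "$1" in
    *.*.*) printf '%s\n' "$1" ;;
    *.*)   printf '%s.0\n' "$1" ;;
    *)     printf '%s.0.0\n' "$1" ;;
  esac
}

# resolve_target TARGET AVAILABLE...
# A three-part TARGET must match exactly; a one- or two-part TARGET
# selects the highest available version under that prefix.
# Prints the selected version, or returns 1 when nothing matches.
resolve_target() {
  local target="$1" v norm best
  shift
  best="$(
    for v in "$@"; do
      norm="$(normalize_version "$v")"
      case "$target" in
        *.*.*) if [ "$norm" = "$target" ]; then echo "$norm"; fi ;;
        *)     case "$norm" in "$target".*) echo "$norm" ;; esac ;;
      esac
    done | sort -V | tail -n 1
  )"
  [ -n "$best" ] || return 1
  printf '%s\n' "$best"
}

# Example: resolve_target 15 $SAMPLE_AVAILABLE
```

A target of 15 can never resolve to a 26.x release, which is the property the Sequoia pin relies on; a target with no match returns non-zero rather than falling back to something newer.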

3. Temporary override for alternate workflows

What this does: Allows --config-start-temp=Name to supersede conflicting managed prefs during an incident, then revert.

<key>ConfigTempOverride</key>
<true/>

Organizational policy note: Define who can enable this, the scope, and the time limit if necessary, and/or decide whether to have this key always enabled so that implementing alternate workflows does not cut into deployment. Document the revert procedure if applicable.

4. Deploy super only once

Deploy super to all systems with those default settings. Because I use the Jamf Pro API to authenticate software updates, I am sure to include the API client and secret. Be sure not to share API secrets for your production servers outside of the Jamf Pro Server. Additionally, in many of the environments I work in, we require manual deployment of IBMNotifier as well as mist-cli via the Jamf Pro policy. The policy is set to run Once per computer, and has a custom trigger, simply installSuper, in case I ever have to call for a reinstall.

5. Prep alternate configurations you can trigger on demand

With rc1 I intend to pre-configure multiple alternate configurations to have on hand to call on-demand as necessary. The alternate configurations are included in my initial deployment of super, but can always be created on-demand as well.

What this does: Stages multiple named configs you can start temporarily via Jamf Files and Processes or a policy. These will allow me to call upon super outside of any type of Change Request or Maintenance Window, or allow upgrades to occur via Self Service or mandated by the organization. Be sure to have some sort of standardization when setting a naming scheme for your alternate configurations.

#!/bin/bash

# Safari-only Update (no restart)
# Purpose: Keep Safari current on Sequoia and earlier.
/usr/local/bin/super --config-edit=safariUpdates \
--install-prioritize-non-restart-updates \
--install-safari-update-without-restarting \
--schedule-deferred-start-file=/Library/Management/PatchNotes/patchnoteslogo.png

# Zero-day Active Exploit Workflow
# Purpose: Require immediate patching of all systems without extended delays 
# to comply with CISA KEV requirements.
/usr/local/bin/super --config-edit=activeExploit \
--deadline-days-hard=1 \
--deferral-timer-default=60 \
--deferral-timer-menu=10,30,60 \
--schedule-deferred-start-file=/Library/Management/PatchNotes/patchnoteslogo.png

# Enforce major Upgrade to Sequoia (latest available)
/usr/local/bin/super --config-edit=upgradeSequoia \
--install-macos-major-upgrades \
--install-macos-major-version-target=15 \
--workflow-install-now \
--schedule-deferred-start-file=/Library/Management/PatchNotes/patchnoteslogo.png

# Enforce upgrade to minimum baseline version of Sequoia (pinned)
/usr/local/bin/super --config-edit=upgradeSequoiaPinned \
--install-macos-major-upgrades \
--install-macos-major-version-target=15.6.1 \
--workflow-install-now \
--schedule-deferred-start-file=/Library/Management/PatchNotes/patchnoteslogo.png

# Enforce major Upgrade to Tahoe (latest available)
/usr/local/bin/super --config-edit=upgradeTahoe \
--install-macos-major-upgrades \
--install-macos-major-version-target=26 \
--workflow-install-now \
--schedule-deferred-start-file=/Library/Management/PatchNotes/patchnoteslogo.png

# To start any of these configurations, create a Jamf Policy using the Files and Processes payload:
# /usr/local/bin/super --config-start-temp=NameofConfiguration

6. Maintenance Window policy using Jamf API auth

What this does: Applies current deadlines without redeploying super. Includes API client and secret parameters as required by super.

/usr/local/bin/super \
--auth-jamf-client=2fa7ec8c-46d5-42aa-be9a-af4d9566dd3c \
--auth-jamf-secret=bvov3OFrA0BoCFMTD9Q1z9RP2HjNxmkGAZNmZm0JOSAttOfpUuSHP16bkJcpG7Pa \
--deadline-date-soft=2025-10-06:14:00 \
--deadline-date-hard=2025-10-07:14:00 \
--install-macos-minor-version-target=15.7.1 \
--workflow-reset-super-after-completion

Note: The Jamf Pro API bits are included in case they were cleared or reset by admins or support. Resetting after completion clears the deadlines but does not clear authentication. Because we support more than one major version of macOS, this is repeated based on the major version, so one for Tahoe and one for Sequoia. Sonoma and earlier are required to upgrade. Sequoia devices remain on 15.x during this window; Tahoe is still under a 90 day deferral for most of the enterprise at the time of this writing, so upgrading is open only to a select few pilot testers. Also note: You may not need to do this in your own environments, as by default super can run on its own automatically to keep systems up to date. I have a maintenance window policy solely due to organizational requirements relating to enforcing security patches.

7. Document deployment posture and guardrails

  • Deploy super with defaults across all systems. Include the API client and secret if you authenticate software updates via Jamf.
  • In many environments IBM Notifier and mist-cli are deployed manually via Jamf and set to run once per computer with a custom trigger like installSuper.
  • To run a zero‑day policy, or any alternative configuration, call: /usr/local/bin/super --config-start-temp=activeExploit.

Caveats and migration notes

DDM software update settings are not supported yet. Use traditional configuration profiles for Software Update Deferral restrictions. On macOS Tahoe 26, these restrictions are deprecated and expected to be removed “next year” by Apple, potentially in 26.4 or in macOS 27. Plan your migration, especially if you run on‑prem Jamf Pro and can’t leverage DDM.

Jamf Managed Software Updates can be unreliable when the target isn’t the latest. The legacy Jamf Pro API remains reliable today but is deprecated and will eventually stop functioning in a later macOS Tahoe or macOS 27 timeframe. Track deprecation notes and test DDM‑based paths in pilot.


Conclusion and next steps

super 5.1.0‑rc1 turns alternate configs into a repeatable pattern for risk‑based patching. Tahoe support, exact‑version pins, temp‑override, sturdier installer flows, and smarter discovery/logging provide fine‑grained control.

  • Promote a defined set of alt‑configs into your environment and MDM profiles.
  • Pilot the exact‑version workflow on a smart group.
  • Pipe super-audit.log into weekly compliance reporting via the available Jamf Extension Attribute.
This post is licensed under CC BY 4.0 by the author.