Silent Office 365 upgrade using msupdate and Jamf

It is entirely possible to silently upgrade users from Office 2016 VL to Office 365/2019 without user interaction, provided they are already using Outlook with an Office email account. The only thing your users will see is a window informing them that Office is being activated the first time they start one of the Office applications after the upgrade. It only takes a few seconds.

The upgrade will happen in the background and the user can keep using the machine while it is being performed. If users try to start an app while it is being updated, they will get a user-friendly message telling them the app will start after the update is complete.

Unlicensing Office 2016 before upgrading is unnecessary, as the new license is backwards compatible. With this method it is not necessary to uninstall the previous version first or have users approve a non-graceful application quit either.

Users may be asked for permission to quit an app to perform an upgrade, but it can be postponed. Also, it will be Microsoft’s own AutoUpdate system that quits the app, which is the most graceful way to do it.

These are the steps you need to achieve a silent upgrade using Jamf:

First, distribute the most recent version of the Microsoft AutoUpdate package from macadmins.software to all clients using a policy or Patch Management.

Then register Microsoft AutoUpdate by running a script that executes the two lsregister commands below (see Paul Bowden’s RegMAU tool) as the logged-in user on clients. This pre-approves the popup that would otherwise ask users to approve the first run of Microsoft’s update daemon when it starts along with an app.

Distributing Microsoft AutoUpdate this way will not conflict with the installations of users who have not yet been upgraded from Office 2016, so both of these steps can be done ahead of time.

Distribute Paul Bowden’s Jamf Controller for Microsoft AutoUpdate configuration profile to clients that are running Mojave (so Jamf has the right permissions to control msupdate in a script). This can be done using a smart group containing all clients running 10.14, and can also be done ahead of time without conflicting with the current installation. The unsigned .mobileconfig can be uploaded directly into a new Jamf configuration profile; Jamf will sign it before distribution.

When you are ready to update a client, set the following preferences, using a configuration profile:
com.microsoft.office OfficeAutoSignIn TRUE
com.microsoft.office OfficeActivationEmailAddress jane.doe@example.com
com.microsoft.office DefaultEmailAddressOrDomain jane.doe@example.com

Replace jane.doe@example.com with the correct Office 365 account. In Jamf, you can use $EMAIL instead of the actual address in a configuration profile. Jamf will fill in the email address from Jamf on a per-user basis before distributing the profile. Provided the email is correct in Jamf, this will work. The address can be populated from AD on enrollment or in production, but that is beyond the scope of this article. You could also try Paul Bowden’s SignInHelper script and set the above values using a plist instead, or script it yourself using the Jamf API. The DefaultEmailAddressOrDomain preference is incorrectly documented as an Outlook preference on macadmins.software, by the way.

To make the upgrade as silent as possible, block popups informing the user what’s new with each update:

com.microsoft.office ShowWhatsNewOnLaunch FALSE

Set these autoupdate preferences in the same configuration profile:

com.microsoft.autoupdate2 HowToCheck AutomaticDownload
com.microsoft.autoupdate2 StartDaemonOnAppLaunch TRUE
com.microsoft.autoupdate2 UpdateCheckFrequency 60
com.microsoft.autoupdate2 AcknowledgedDataCollectionPolicy RequiredDataOnly
com.microsoft.autoupdate2 DisableInsiderCheckbox TRUE
com.microsoft.autoupdate2 EnableCheckForUpdatesButton TRUE
com.microsoft.autoupdate2 SendAllTelemetryEnabled FALSE

By setting the update interval to 60 minutes, you make sure the Office applications are updated relatively swiftly.

Also add the Office 2019 App Array from Paul Bowden’s GitHub to the above preference domain, removing apps you are not distributing from the array. This is the essential step that will make sure that msupdate upgrades to Office 2019. Make sure you include the AutoUpdate app in the array. Some of these preferences are not strictly necessary, but recommended to prevent unnecessary popups and ensure the process goes smoothly.

Add this Outlook preference:
com.microsoft.Outlook TrustO365AutodiscoverRedirect TRUE

Repeat the preferences below for Word, Excel, PowerPoint and OneNote (see macadmins.software for the correct keys). The last two preferences might not be necessary, but will make sure we keep in line with the acknowledged data collection policy preference above, which disables that pop-up as well, and block other potential annoyances.

com.microsoft.Outlook kFREIntelligenceServicesConsentV2Key TRUE
com.microsoft.Outlook PII_And_Intelligent_Services_Preference FALSE (or TRUE, if you want to enable these features)
com.microsoft.Outlook NSRequiresAquaSystemAppearance TRUE (disables Dark Mode in Office, which will otherwise be enabled on update for users who have it turned on in Mojave)
com.microsoft.Outlook SendAllTelemetryEnabled FALSE
com.microsoft.Outlook SendASmileEnabled FALSE

Set these (Outlook only) to disable a few more popups/distractions that may make the process less silent:

com.microsoft.Outlook HideCanAddOtherAccountTypesTipText TRUE
com.microsoft.Outlook o365GroupsOobePromoTriggeredPref TRUE
com.microsoft.Outlook googlePromoTriggeredPref TRUE

If you want to disable as much telemetry as possible, you need to set SendAllTelemetryEnabled to FALSE for a few other applications as well:

com.microsoft.Office365ServiceV2 SendAllTelemetryEnabled FALSE
com.microsoft.autoupdate.fba SendAllTelemetryEnabled FALSE

One way of creating the profile quickly is by using Erik Berglund’s ProfileCreator app to make it, modify and clean it up using Xcode, then upload the useful parts into the custom section of a new Jamf configuration profile. If ProfileCreator saves the profile as a .mobileconfig, rename it to .plist before opening it in Xcode. Use the Preferences section of the macadmins.software website and Paul Bowden’s app array as a reference. The app array for Microsoft AutoUpdate that ProfileCreator makes differs slightly from the one from Bowden. In that specific case, use the one from Bowden.

Make sure all your users have been assigned the correct Office 365 license in Microsoft’s administration system, and that their Office username is the same as the email address set in the preferences described here. The assigned license needs to be one that supports the use of local Office applications.

The apps will start updating as soon as the new profile is in place and Microsoft AutoUpdate runs, which it will when a user starts one of the Office applications.
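A quick way to confirm the profile really is in place on a client, written as an added example rather than anything from the original post or from Paul Bowden's tools: it compares a subset of the preferences listed above with what the client reports. It assumes a computer-level profile whose settings are readable under /Library/Managed Preferences; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit that the article's managed preferences reached a client.
# Assumes a computer-level profile, readable under /Library/Managed Preferences.
MANAGED="/Library/Managed Preferences"

# Expected settings, one "domain key value" per line, taken from the article.
EXPECTED='com.microsoft.office OfficeAutoSignIn TRUE
com.microsoft.office ShowWhatsNewOnLaunch FALSE
com.microsoft.autoupdate2 HowToCheck AutomaticDownload
com.microsoft.autoupdate2 UpdateCheckFrequency 60
com.microsoft.autoupdate2 AcknowledgedDataCollectionPolicy RequiredDataOnly
com.microsoft.autoupdate2 DisableInsiderCheckbox TRUE
com.microsoft.autoupdate2 SendAllTelemetryEnabled FALSE
com.microsoft.Outlook TrustO365AutodiscoverRedirect TRUE
com.microsoft.Outlook SendAllTelemetryEnabled FALSE
com.microsoft.Office365ServiceV2 SendAllTelemetryEnabled FALSE
com.microsoft.autoupdate.fba SendAllTelemetryEnabled FALSE'

# Read one managed value; prints nothing when the key is absent.
read_pref() {
    defaults read "$MANAGED/$1" "$2" 2>/dev/null </dev/null
}

# defaults prints booleans as 1/0, so map TRUE/FALSE before comparing.
normalise() {
    case "$1" in
        TRUE|true|YES) echo 1 ;;
        FALSE|false|NO) echo 0 ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Print one line per mismatch; the return status is the mismatch count.
audit_prefs() {
    bad=0
    while read -r domain key want; do
        got=$(read_pref "$domain" "$key") || got=""
        if [ "$(normalise "$got")" != "$(normalise "$want")" ]; then
            echo "MISMATCH $domain $key: want=$want got=${got:-unset}"
            bad=$((bad + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$bad"
}

# Run only on a Mac that has managed preferences; non-zero exit fails the policy.
if [ -d "$MANAGED" ]; then audit_prefs; fi
```

Run from a Jamf policy, a non-zero exit marks the client as not ready, which is a convenient gate before the update is triggered.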

You can also trigger the update using a modified version of Paul Bowden’s msupdatehelper script, which leverages Microsoft’s msupdate command-line tool. Make sure a new profile containing the correct app array is in place, then run the script on clients using a Jamf policy.

To modify the script so it works correctly in this use case, replace the old version codes (i.e. MSWD15 for Word) with the correct ones for Office 2019/365 (MSWD2019 for Word) in the latter section of the script. See the Office 2019 App Array above for the correct codes. Then, set the apps you will not update to false (usually the three last ones) in the upper section of the script. Lastly, replace the versions to update to (“latest” in the example script) with the exact version number for the Office 365 apps you will update to, also in the upper section of the script. You can find the version numbers on macadmins.software. As of the time of writing, the latest version for the main Office 2019/365 apps is 16.27.19071500.

Instead of running Bowden’s script, you could probably make a shorter script running msupdate in the context of the logged in user, specifying to download the latest version by its version number. Let me know if you have tried doing it this way, in the comments below.
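One possible shape for such a shorter script, as an added example that is neither Paul Bowden's msupdatehelper nor code from the original post. Assumptions: the app IDs other than MSWD2019 (take yours from the Office 2019 App Array), the 600-second wait, and the use of Jamf script parameter $4 to carry the version. Because a Jamf policy runs the script as root, the version and app ID are validated before they are placed on the msupdate command line.

```shell
#!/bin/sh
# Added example, not Paul Bowden's msupdatehelper: run msupdate as the
# logged-in user, pinned to an exact version, from a root Jamf policy.
MSUPDATE="/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate"
# App IDs from the Office 2019 App Array; trim to what you deploy.
APPS="MSWD2019 XCEL2019 PPT32019 OPIM2019 ONMC2019"

# Accept only three dotted numeric fields, e.g. 16.27.19071500.
valid_version() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|*.*.*.*) return 1 ;;
        *.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only alphanumeric IDs, so a parameter cannot add options or shell syntax.
valid_app_id() {
    case "$1" in ''|*[!A-Za-z0-9]*) return 1 ;; esac
}

# Print the console user; fail at the login window (macOS stat syntax).
console_user() {
    u=$(stat -f%Su /dev/console 2>/dev/null) || return 1
    case "$u" in ''|root|loginwindow|_mbsetupuser) return 1 ;; esac
    printf '%s\n' "$u"
}

# update_app USER APP VERSION; with DRY_RUN=1 print the command instead.
update_app() {
    valid_app_id "$2" || { echo "rejected app id: $2" >&2; return 2; }
    valid_version "$3" || { echo "rejected version: $3" >&2; return 2; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "sudo -u $1 msupdate --install --apps $2 --version $3 --wait 600"
        return 0
    fi
    sudo -u "$1" "$MSUPDATE" --install --apps "$2" --version "$3" --wait 600
}

# Jamf passes custom script parameters from $4; default is the article's version.
main() {
    user=$(console_user) || { echo "no user logged in" >&2; return 1; }
    rc=0
    for app in $APPS; do update_app "$user" "$app" "${1:-16.27.19071500}" || rc=1; done
    return "$rc"
}

if [ -x "$MSUPDATE" ]; then main "$4"; fi
```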

If you already have a profile for Office 2016 in place, make sure you distribute the new one before removing the old one, as it is imperative that Outlook knows what email address the user has for the mailbox to function correctly.

If you want to update one client or a small group of clients at a time, you can use a static computer or user group to specify the computers that will receive the update. Add the group to the list of exclusions for the old profile, while including it in the scope of the new profile. Create a policy running the modified msupdatehelper script on clients that have gotten the new profile.

You can also use smart groups to make sure the policies and profiles are only applied to computers that have the updated version of Microsoft AutoUpdate. Having clients report inventory once a day might be a good idea to keep things moving at a sensible pace.

Do not enable the preference that disables the Office 365 activation dialog on first launch, and test with each new preference you set to make sure everything still works as desired.

If you need OneDrive and Teams, you can distribute these using Patch Management or policies initially, while distributing the full Office 365 BusinessPro suite including these apps to new users. There isn’t currently a good solution to prefilling credentials in these apps, unfortunately (OneDrive prefill can be scripted, but it might be better to wait until Microsoft comes up with something that works more smoothly).

Users who are not using Outlook might get prompted for their Office 365 user password. Some configurations might require the user to manually activate the software in the top menu. Let me know your experience with this in the comment section.

The next version of Office 2019/365 will be released on August 13th and will feature a revamped set of privacy keys. Make sure you check the macadmins.software website regularly to keep up with the latest changes.
