xolo-server 1.0.0 → 2.0.2

data/lib/xolo/server/mixins/title_jamf_access.rb

@@ -60,13 +60,16 @@ module Xolo
         # @return [void]
         ################################
         def create_title_in_jamf
-          # ORDER MATTERS
+          log_debug "Display Name in create_title_in_jamf: #{display_name}"
 
-          # create the normal ea if needed
-          configure_jamf_normal_ea if version_script
+          # create/activate the Jamf::PatchTitle
+          # this notes the jamf id of the PatchTitle
+          # and sets the display name if needed for subbed titles
+          jamf_patch_title
 
-          # must happen after the normal ea is created
-          configure_jamf_installed_group
+          # This creates the installed group
+          # must happen after activating the title in jamf
+          jamf_installed_group
 
           if uninstall_script || !uninstall_ids.pix_empty?
             configure_jamf_uninstall_script
@@ -82,7 +85,10 @@ module Xolo
           # Just calling this will create it if it doesn't exist.
           jamf_frozen_group
 
-          activate_jamf_patch_title
+          # This either notifies, or does it
+          # TODO: EAs for subscribed titles can change at any time and need
+          # re-accepted - Notifications must happen.
+          accept_jamf_patch_ea
         end
 
         # Apply any changes to Jamf as needed
@@ -94,14 +100,6 @@ module Xolo
         def update_title_in_jamf
           # ORDER MATTERS
 
-          # do we have a version_script? if so we maintain a 'normal' EA
-          # this has to happen before updating the installed_group
-          configure_jamf_normal_ea if need_to_update_jamf_normal_ea?
-
-          # this smart group might use the normal-EA or might use app data
-          # If those have changed, we need to update it.
-          configure_jamf_installed_group if need_to_update_jamf_installed_group?
-
           # if the exclusions have changed update the manual install released policy
           if changes_for_update[:excluded_groups]
             progress "Jamf: Updating excluded groups for Manual Released Policy '#{jamf_manual_install_released_policy_name}'."
@@ -110,7 +108,6 @@ module Xolo
 
           # Do we need to update (vs delete) the uninstall script?
           if need_to_update_jamf_uninstall_script?
-
             configure_jamf_uninstall_script
             configure_jamf_uninstall_policy
 
@@ -122,7 +119,6 @@ module Xolo
           elsif need_to_delete_jamf_uninstall_script?
             delete_jamf_uninstall_policy
             delete_jamf_uninstall_script
-            # can't expire without
           end
 
           # Do we need to add or delete the expire policy?
@@ -132,16 +128,11 @@ module Xolo
             changes_for_update.dig(:expiration, :new).to_i.positive? ? jamf_expire_policy : delete_jamf_expire_policy
           end
 
-          # If we don't use a version script anymore, delete the normal EA
-          # this has to happen after updating the installed_group
-          delete_jamf_normal_ea unless version_script_contents
-
           update_description_in_jamf
           update_ssvc
-          update_ssvc_category
           # TODO: deal with icon changes: if changes_for_update&.key? :self_service_icon
 
-          if jamf_ted_title_active?
+          if jamf_title_active?
             update_versions_for_title_changes_in_jamf
           else
             log_debug "Jamf: Title '#{display_name}' (#{title}) is not yet active to Jamf, nothing to update in versions."
@@ -151,7 +142,6 @@ module Xolo
         # Repair this title in Jamf Pro
         # - TODO: activate title in patch mgmt
         #   - TODO: Accept Patch EA
-        # - Normal EA 'xolo-<title>-installed-version'
         # - title-installed smart group 'xolo-<title>-installed'
         # - frozen static group 'xolo-<title>-frozen'
         # - manual/SSvc install-current-release policy 'xolo-<title>-install'
@@ -169,7 +159,7 @@ module Xolo
         ###############################################
         def repair_jamf_title_objects
           progress "Jamf: Repairing Jamf objects for title '#{title}'", log: :info
-          repair_jamf_normal_ea
+
           configure_jamf_installed_group
           repair_jamf_uninstall_policy
           repair_jamf_uninstall_script
@@ -187,10 +177,32 @@ module Xolo
           delete_jamf_uninstall_policy
           delete_jamf_manual_install_released_policy
           delete_jamf_uninstall_script
-          delete_jamf_frozen_group
+          delete_lingering_policies_for_title
+          sleep 5
+
+          # must delete this group before the patch title
+          # since the group criteria references the patch title
           delete_jamf_installed_group
-          delete_jamf_normal_ea
+          sleep 5
+
           delete_jamf_patch_title
+
+          # static group deleted last,
+          # was used in scopes for patch and normal policies
+          delete_jamf_frozen_group
+        end
+
+        ################################
+        def delete_lingering_policies_for_title
+          Jamf::Policy.all_names(:refresh, cnx: jamf_cnx).each do |polname|
+            next unless polname.start_with? jamf_obj_name_pfx
+
+            polid = Jamf::Policy.valid_id(polname, cnx: jamf_cnx)
+            next unless polid
+
+            progress "Jamf: Deleting lingering policy #{polname}, possibly from a failed version action.", log: :info
+            Jamf::Policy.delete(polid, cnx: jamf_cnx)
+          end
         end
 
         # If any title changes require updates to existing versions in
@@ -211,8 +223,6 @@ module Xolo
             vers_obj.update_release_groups(ttl_obj: self)  if changes_for_update&.key? :release_groups
             vers_obj.update_excluded_groups(ttl_obj: self) if changes_for_update&.key? :excluded_groups
             vers_obj.update_jamf_package_notes(ttl_obj: self) if need_to_update_description?
-            # vers_obj.update_ssvc(ttl_obj: self) if changes_for_update&.key? :self_service
-            # vers_obj.update_ssvc_category(ttl_obj: self) if changes_for_update&.key? :self_service_category
           end
         end
 
@@ -300,125 +310,6 @@ module Xolo
           report
         end
 
-        #######  The'Normal" Extension Attribute
-        ###########################################
-        ###########################################
-
-        # @return [Boolean] Does the 'normal' EA exist in jamf?
-        #########################
-        def jamf_normal_ea_exist?
-          Jamf::ComputerExtensionAttribute.all_names(:refresh, cnx: jamf_cnx).include? jamf_normal_ea_name
-        end
-
-        # Create or fetch the 'normal' EA in jamf
-        # If we are deleting and it doesn't exist, return nil.
-        #
-        # @return [Jamf::ComputerExtensionAttribute] The 'normal' Jamf ComputerExtensionAttribute for this title
-        ########################
-        def jamf_normal_ea
-          return @jamf_normal_ea if @jamf_normal_ea
-
-          if jamf_normal_ea_exist?
-            @jamf_normal_ea = Jamf::ComputerExtensionAttribute.fetch(name: jamf_normal_ea_name, cnx: jamf_cnx)
-
-          else
-            return if deleting?
-
-            msg = "Jamf: Creating regular extension attribute '#{jamf_normal_ea_name}' for use in smart groups"
-            progress msg, log: :info
-
-            @jamf_normal_ea = Jamf::ComputerExtensionAttribute.create(
-              name: jamf_normal_ea_name,
-              cnx: jamf_cnx
-            )
-            @jamf_normal_ea.save
-
-          end
-          @jamf_normal_ea
-        end
-
-        # Configure the 'normal' EA that matches the Patch EA for this title,
-        # so that it can be used in smart groups and adv. searches.
-        # (Patch EAs aren't available for use in smart group critera)
-        #
-        # If we have one already but are deleting it, that happens elsewhere
-        #
-        # @return [void]
-        ################################
-        def configure_jamf_normal_ea
-          progress "Jamf: Configuring regular extension attribute '#{jamf_normal_ea_name}'", log: :info
-
-          jamf_normal_ea.description = "The version of xolo title '#{title}' installed on the machine"
-          jamf_normal_ea.data_type = :string
-
-          # this is our incoming or already-existing EA script
-          if version_script_contents.pix_empty?
-            # nothing to do if its nil, if we need to delete it, that'll happen later
-          else
-            jamf_normal_ea.enabled = true
-            jamf_normal_ea.input_type = 'script'
-            jamf_normal_ea.script = version_script_contents
-          end
-
-          jamf_normal_ea.script = scr
-          jamf_normal_ea.save
-        end
-
-        # Repair the 'normal' EA in jamf to match our version_script
-        ########################
-        def repair_jamf_normal_ea
-          if version_script_contents.pix_empty?
-            delete_jamf_normal_ea
-          else
-            configure_jamf_normal_ea
-          end
-        end
-
-        # Delete the 'normal' computer ext attr matching the Patch EA
-        # @return [void]
-        ######################################
-        def delete_jamf_normal_ea
-          ea_id = Jamf::ComputerExtensionAttribute.valid_id jamf_normal_ea_name, cnx: jamf_cnx
-          return unless ea_id
-
-          progress "Jamf: Deleting regular extension attribute '#{jamf_normal_ea_name}'", log: :info
-          Jamf::ComputerExtensionAttribute.delete ea_id, cnx: jamf_cnx
-        end
-
-        # do we need to update the normal EA in jamf?
-        # true if our incoming changes include :version_script
-        # and the new value is not empty (in which case we'll delete it)
-        #
-        # @return [Boolean]
-        ########################
-        def need_to_update_jamf_normal_ea?
-          changes_for_update.key?(:version_script) && !changes_for_update[:version_script][:new].pix_empty?
-        end
-
-        # the script contents of the Normal Jamf EA that comes from our version_script
-        # @return [String, nil] nil if there is none
-        ##############################
-        def jamf_normal_ea_contents
-          return unless jamf_normal_ea_exist?
-
-          jamf_normal_ea.script
-        end
-
-        # @return [String] the URL for the Normal EA in Jamf Pro
-        ######################
-        def jamf_normal_ea_url
-          return @jamf_normal_ea_url if @jamf_normal_ea_url
-          return unless version_script
-
-          ea_id = Jamf::ComputerExtensionAttribute.valid_id jamf_normal_ea_name, cnx: jamf_cnx
-          return unless ea_id
-
-          # Jamf Changed the URL!
-          # @jamf_normal_ea_url = "#{jamf_gui_url}/computerExtensionAttributes.html?id=#{ea_id}&o=r"
-
-          @jamf_normal_ea_url = "#{jamf_gui_url}/view/settings/computer-management/computer-extension-attributes/#{ea_id}"
-        end
-
         #######  The Patch Ext Attribute
         ###########################################
         ###########################################
@@ -437,6 +328,8 @@ module Xolo
         # @return [Boolean]
         #########################
         def need_to_accept_jamf_patch_ea?
+          return unless managed?
+
           @need_to_accept_jamf_patch_ea
         end
 
@@ -462,16 +355,22 @@ module Xolo
         # @return [void]
         ############################
         def accept_jamf_patch_ea
-          return unless need_to_accept_jamf_patch_ea?
+          # give the server a moment to catch up with the new EA before we check on it
+          log_debug "Jamf: Checking if we need to accept the version-script EA for title '#{title}'"
+          sleep 5
+
+          awating_acceptance = jamf_patch_ea_awaiting_acceptance?
 
-          # return with warning if we aren't auto-accepting
-          unless Xolo::Server.config.jamf_auto_accept_xolo_eas
-            msg = "Jamf: IMPORTANT: Before adding any versions, the Extension Attribute (version-script) for this title must be accepted manually in Jamf Pro at #{jamf_patch_ea_url} under the 'Extension Attribute' tab (click 'Edit') "
-            progress msg
+          # return with warning if we aren't auto-accepting, or for all subscribed titles
+          if awating_acceptance && (subscribed? || !Xolo::Server.config.jamf_auto_accept_xolo_eas)
+            msg = "Jamf: IMPORTANT: The Extension Attribute (version-script) for title '#{title}' must be accepted manually in Jamf Pro at #{jamf_patch_ea_url} under the 'Extension Attribute' tab (click 'Edit'). If you cannot do this yourself, please contact your Xolo server admins for assistance. Deployment will not happen until this is done."
+            progress msg, log: :warn, alert: true
             log_debug 'Admin informed about accepting EA/version-script manually'
             return
           end
 
+          return unless need_to_accept_jamf_patch_ea?
+
           # this is true if the Jamf server already knows it needs to be accepted
           # so just do it now
           if jamf_patch_ea_awaiting_acceptance?
@@ -612,6 +511,8 @@ module Xolo
         end
 
         # API call to accept the version-script EA in Jamf Pro
+        # This never happens for subscribed titles
+        #
         # TODO: when this gets implemented in ruby-jss, use that implementation
         #
         # @return [void]
@@ -645,7 +546,7 @@ module Xolo
         ######################
         def jamf_patch_ea_url
           return @jamf_patch_ea_url if @jamf_patch_ea_url
-          return unless version_script
+          return unless version_script || (subscribed? && jamf_patch_ea_data)
 
           @jamf_patch_ea_url = "#{jamf_patch_title_url}?tab=extension"
         end
@@ -791,7 +692,10 @@ module Xolo
           pol.add_script jamf_uninstall_script_name
           pol.set_trigger_event :checkin, false
           pol.set_trigger_event :custom, jamf_uninstall_policy_name
-          pol.scope.add_target(:computer_group, jamf_installed_group_name)
+          # pol.scope.add_target(:computer_group, jamf_installed_group_name)
+          # all targets, cus jamf doesn't like some policies with scoped
+          # smart groups using 'latest version'
+          pol.scope.set_all_targets
           pol.scope.set_exclusions :computer_groups, [valid_forced_exclusion_group_name] if valid_forced_exclusion_group_name
           pol.frequency = :ongoing
           pol.enable
@@ -809,7 +713,6 @@ module Xolo
         end
 
         # delete the policy first if it exists
-
         #########################
         def delete_jamf_uninstall_policy
           return unless jamf_uninstall_policy_exist?
@@ -866,9 +769,9 @@ module Xolo
             )
             @jamf_installed_group.save
             configure_jamf_installed_group
-            log_debug 'Jamf: Sleeping to let Jamf server see change to the Installed smart group.'
-            sleep 10
+
           end
+
           @jamf_installed_group
         end
 
@@ -881,75 +784,34 @@ module Xolo
 
           jamf_installed_group.criteria = Jamf::Criteriable::Criteria.new(jamf_installed_group_criteria)
           jamf_installed_group.save
+          log_debug 'Jamf: Sleeping 30 secs to let Jamf server see changes to Installed smart group.'
+          sleep 30
         end
 
         # The criteria for the smart group in Jamf that contains all Macs
         # with any version of this title installed
         #
-        # If we have, or are about to update to, a version_script (EA) then use it,
-        # otherwise use the app_name and app_bundle_id.
+        # We use the "Patch Reporting: #{display_name}" criterion so that we don't
+        # care whether the title uses a version-script or app data.
         #
         # @return [Array<Jamf::Criteriable::Criterion>]
         ###################################
         def jamf_installed_group_criteria
-          have_vers_script =
-            if changes_for_update&.dig :version_script
-              changes_for_update[:version_script][:new]
-            else
-              version_script
-            end
-
-          # If we have a version_script, use the ea
-          if have_vers_script
-            [
-              Jamf::Criteriable::Criterion.new(
-                and_or: :and,
-                name: jamf_normal_ea_name,
-                search_type: 'is not',
-                value: Xolo::BLANK
-              )
-            ]
-
-          # No version script, so we must be using app data
-          else
-            aname = changes_for_update.dig(:app_name, :new) || app_name
-            abundle = changes_for_update.dig(:app_bundle_id, :new) || app_bundle_id
-
-            [
-              Jamf::Criteriable::Criterion.new(
-                and_or: :and,
-                name: 'Application Title',
-                search_type: 'is',
-                value: aname
-              ),
-
-              Jamf::Criteriable::Criterion.new(
-                and_or: :and,
-                name: 'Application Bundle ID',
-                search_type: 'is',
-                value: abundle
-              )
-            ]
-          end
-        end
-
-        # do we need to update the 'installed' smart group?
-        # true if our incoming changes include the app_name or app_bundle_id
-        #
-        # If they changed at all, we need to update no matter what:
-        #  - if they are now nil, we switched to a version script
-        #
-        #  - if they aren't nil but are different, we need to update
-        #    the group criteria to reflect that.
-        #
-        # Changes to the version script, if it was in use before, don't
-        # require us to change the smart group
-        #
-        #
-        # @return [Boolean]
-        #########################
-        def need_to_update_jamf_installed_group?
-          changes_for_update[:app_name] || changes_for_update[:app_bundle_id]
+          [
+            Jamf::Criteriable::Criterion.new(
+              and_or: :and,
+              name: "Patch Reporting: #{display_name}",
+              search_type: 'less than or equal',
+              value: 'Latest Version'
+            ),
+
+            Jamf::Criteriable::Criterion.new(
+              and_or: :or,
+              name: "Patch Reporting: #{display_name}",
+              search_type: 'is',
+              value: 'Unknown Version'
+            )
+          ]
         end
 
         # Delete the 'installed' smart group
@@ -1244,14 +1106,15 @@ module Xolo
         #
         # @return [Jamf::PatchSource] The Jamf Patch Source
         #########################
-        def jamf_ted_patch_source
-          @jamf_ted_patch_source ||=
+        def jamf_managed_patch_source
+          @jamf_managed_patch_source ||=
             Jamf::PatchSource.fetch(name: Xolo::Server.config.ted_patch_source, cnx: jamf_cnx)
         end
 
         # The titles available from the Title Editor via its
-        # Jamf Patch Source. These are titles have have been enabled
-        # in the Title Editor
+        # Jamf Patch Source.
+        # These are titles have have been enabled in the Title Editor
+        # but have not yet been activated in Jamf Patch.
         #
         # available_titles returns a Hash for each available title, with these keys:
         #
@@ -1271,93 +1134,79 @@ module Xolo
         #
         # @return [Array<String>] info about the available titles
         #########################
-        def jamf_ted_available_titles
+        def jamf_available_managed_titles
           # Don't cache this in an instance var, it changes during the
           # life of our title instance
-          # jamf_ted_patch_source.available_titles.map { |t| t[:name_id] }
+          # jamf_managed_patch_source.available_titles.map { |t| t[:name_id] }
           # Also NOTE: "available" means not only enabled
           # in the title editor, but also not already active in jamf.
           # So any given title will either be here or in
-          # jamf_active_ted_titles, but never both.
-          jamf_ted_patch_source.available_name_ids
+          # jamf_active_managed_titles, but never both.
+          jamf_managed_patch_source.available_name_ids
         end
 
         # @return [Boolean] Is this xolo title available in Jamf?
         ########################
-        def jamf_ted_title_available?
-          jamf_ted_available_titles.include? title
-        end
-
-        # The titles active in Jamf Patch Management from the Title Editor
-        # This takes into account that other Patch Sources may have titles with the
-        # same 'name_id' (the xolo 'title')
-        # A hash keyed by the title, with values of the jamf title id
-        #
-        # @return [Hash {String =>  Integer}] The xolo titles that are active in Jamf Patch Management
-        ########################
-        def jamf_active_ted_titles(refresh: false)
-          @jamf_active_ted_titles = nil if refresh
-          return @jamf_active_ted_titles if @jamf_active_ted_titles
-
-          @jamf_active_ted_titles = {}
-          active_from_ted = Jamf::PatchTitle.all(:refresh, cnx: jamf_cnx).select do |t|
-            t[:source_id] == jamf_ted_patch_source.id
-          end
-          active_from_ted.each { |t| @jamf_active_ted_titles[t[:name_id]] = t[:id] }
-          @jamf_active_ted_titles
+        def jamf_managed_title_available?
+          jamf_available_managed_titles.include? title
         end
 
         # @return [Boolean] Is this xolo title currently active in Jamf?
         ########################
-        def jamf_ted_title_active?
-          jamf_active_ted_titles(refresh: true).key? title
+        def jamf_title_active?
+          !jamf_patch_title_id.pix_empty?
+          # if subscribed?
+          #   jamf_active_subscribed_titles(refresh: true).key? title
+          # else
+          #   jamf_active_managed_titles(refresh: true).key? title
+          # end
         end
 
-        # The Jamf ID of the Patch Title for this xolo title
-        # if it has been activated in jamf.
+        # The managed titles active in Jamf Patch Management from the Title Editor
+        # A hash keyed by the title, with values of the jamf patch title id
         #
-        # @return [Integer, nil] The Jamf ID of this title, if it is active in Jamf
+        # @return [Hash {String =>  Integer}] The managed xolo titles that are active in Jamf Patch Management
+        #   and their Jamf::PatchTitle id
         ########################
-        def jamf_patch_title_id
-          @jamf_patch_title_id ||= jamf_active_ted_titles(refresh: true)[title]
-        end
+        def jamf_active_managed_titles(refresh: false)
+          @jamf_active_managed_titles = nil if refresh
+          return @jamf_active_managed_titles if @jamf_active_managed_titles
 
-        # create/activate the patch title in Jamf Pro, if not already done.
-        #
-        # This 'subscribes' Jamf to the title in the title editor
-        # It must be enabled in the Title Editor first, meaning
-        # it has at least one requirement, and at least one enabled patch/version.
-        #
-        # The 'stub' patch version should allow this when we create the title.
-        #
-        # Xolo should have enabled it in the Title editor before we
-        # reach this point.
-        #
-        ##########################
-        def activate_jamf_patch_title
-          if jamf_ted_title_active?
-            log_debug "Jamf: Title '#{display_name}' (#{title}) is already active in Jamf"
-            return
-          end
+          @jamf_active_managed_titles = {}
+          all_patch_titles = Jamf::PatchTitle.all(cnx: jamf_cnx)
 
-          # wait up to 60secs for the title to become available
-          counter = 0
-          until jamf_ted_title_available? || counter == 12
-            log_debug "Jamf: Waiting for title '#{display_name}' (#{title}) to become available from the Title Editor"
-            sleep 5
-            counter += 1
+          active_from_ted = all_patch_titles.select do |t|
+            # log_debug "Jamf: Checking if active patch title '#{t[:name]}' with id #{t[:id]} is from the Title Editor's patch source"
+            t[:source_id] == jamf_managed_patch_source.id
           end
 
-          unless jamf_ted_title_available?
-            msg = "Jamf: Title '#{title}' is not yet available to Jamf. Make sure it has at least one version enabled in the Title Editor"
-            log_error msg
-            raise Xolo::NoSuchItemError, msg
+          managed_titles = server_app_instance.managed_title_objects.select(&:managed?).map(&:title)
+
+          active_from_ted.each do |t|
+            @jamf_active_managed_titles[t[:name_id]] = t[:id] if managed_titles.include? t[:name_id]
           end
+          @jamf_active_managed_titles
+        end
 
-          # This creates/activates the title if needed
-          jamf_patch_title
+        # @return [Hash {String =>  Integer}] The subscribed xolo titles that are active in Jamf Patch Management
+        #   and their Jamf::PatchTitle id
+        ########################
+        def jamf_active_subscribed_titles(refresh: false)
+          @jamf_active_subscribed_titles = nil if refresh
+          return @jamf_active_subscribed_titles if @jamf_active_subscribed_titles
 
-          accept_jamf_patch_ea
+          @jamf_active_subscribed_titles = {}
+
+          all_active_patchtitles = Jamf::PatchTitle.all :refresh, cnx: jamf_cnx
+
+          server_app_instance.subscribed_title_objects.each do |st|
+            next unless all_active_patchtitles.any? do |pt|
+              pt[:source_id] == st.jamf_patch_source_id && pt[:name_id] == st.title_id
+            end
+
+            @jamf_active_subscribed_titles[st.title] = pt[:id]
+          end
+          @jamf_active_subscribed_titles
         end
 
         # Create or fetch the patch title object for this xolo title.
@@ -1370,52 +1219,118 @@ module Xolo
           @jamf_patch_title = nil if refresh
           return @jamf_patch_title if @jamf_patch_title
 
-          breaktime = Time.now + Xolo::Server::MAX_JAMF_WAIT_FOR_TITLE_EDITOR
-          until jamf_ted_title_available? || jamf_ted_title_active?
-            if Time.now > breaktime
-              raise Xolo::ServerError,
-                    "Jamf: Title '#{title}' is not available in Jamf after waiting #{Xolo::Server::MAX_JAMF_WAIT_FOR_TITLE_EDITOR} seconds"
-            end
-
-            log_debug "Waiting a long time for title '#{title}' to become available from TEd. Checking every 10 secs"
-            sleep 10
-          end
+          # wait up to 60secs for a managed title to become available.
+          # subscribed titles are already available
+          wait_for_managed_title_to_become_available
 
-          if jamf_ted_title_active?
+          # Jamf::PatchTitle object already active, just fetch it
+          if jamf_patch_title_id # jamf_title_active? || subscribed?
             @jamf_patch_title = Jamf::PatchTitle.fetch(id: jamf_patch_title_id, cnx: jamf_cnx)
 
+          # not yet active, so activate/create the Jamf::PatchTitle object
           else
             return if deleting?
 
-            msg = "Jamf: Activating Patch Title '#{display_name}' (#{title}) from the Title Editor Patch Source '#{Xolo::Server.config.ted_patch_source}'"
-            progress msg, log: :info
+            @jamf_patch_title = activate_jamf_patch_title
+          end
+        end
 
-            @jamf_patch_title =
-              Jamf::PatchTitle.create(
-                name: display_name,
-                source: Xolo::Server.config.ted_patch_source,
-                name_id: title,
-                cnx: jamf_cnx
-              )
-            @jamf_patch_title.category = Xolo::Server::JAMF_XOLO_CATEGORY
-            @jamf_patch_title.save
+        # activate the patch title in jamf, whatever it's source
+        ############################
+        def activate_jamf_patch_title
+          if jamf_title_active?
+            log_debug "Jamf: Title '#{title}' is already active in Jamf Patch"
+            return
+          end
+
+          # patch_source and title_id are required when adding subbed titles
+          # but pre-defined for managed
+          if managed?
+            log_debug "Jamf: Title '#{title}' is managed, so using pre-defined patch source and title_id"
+            log_debug "Jamf: Display Name in managed?: #{display_name}"
+            self.patch_source = Xolo::Server.config.ted_patch_source
+            self.title_id = title
+            log_debug "Jamf: Display Name in managed? after setting patch_source and title_id: #{display_name}"
+
+          # display name is required for managed titles, but will be empty for subbed
+          # so for subbed, we look it up from the patch source
+          else
+            log_debug "Jamf: Title '#{title}' is subscribed, so looking up patch source and title_id from"
+            log_debug "Jamf: Display Name in NOT managed?: #{display_name}"
+            if display_name.pix_empty?
+              self.display_name = Jamf::PatchSource.available_titles(patch_source, cnx: jamf_cnx).select { |t| t[:name_id] == title_id }.first&.dig :app_name
+            end
+          end # if managed
+
+          log_debug "Jamf: class: #{self.class}, display_name: #{display_name}, patch_source: #{patch_source}, title_id: #{title_id}"
+
+          msg = "Jamf: Activating Patch Title '#{display_name}' (#{title}) from the Patch Source '#{patch_source}'"
+          progress msg, log: :info
 
+          jamf_patch_title =
+            Jamf::PatchTitle.create(
+              name: display_name,
+              source: patch_source,
+              name_id: title_id,
+              cnx: jamf_cnx
+            )
+          jamf_patch_title.category = Xolo::Server::JAMF_XOLO_CATEGORY
+          self.jamf_patch_title_id = jamf_patch_title.save
+          log_debug "Activated Jamf Patch Title '#{display_name}' (#{title}) with id #{jamf_patch_title_id}"
+
+          jamf_patch_title
+        end
+
+        # wait up to 60secs for a managed title to become available to be activated
+        # subscribed titles are already available
+        ####################
+        def wait_for_managed_title_to_become_available
+          return unless managed?
+          return if jamf_title_active?
+
+          counter = 0
+          until jamf_title_active? || jamf_managed_title_available? || counter == 12
+            log_debug "Jamf: Waiting for title '#{display_name}' (#{title}) to become available from the Title Editor"
+            sleep 5
+            counter += 1
           end
-          @jamf_patch_title
+
+          return if jamf_managed_title_available? || jamf_title_active?
+
+          msg = "Jamf: Title '#{title}' is not yet available to Jamf. Make sure it has at least one version enabled in the Title Editor"
+          log_error msg
+          raise Xolo::NoSuchItemError, msg
         end
 
         # Delete the patch title
         # NOTE: jamf api user must have 'delete computer ext. attribs' permmissions
         ##############################
         def delete_jamf_patch_title
-          return unless jamf_ted_title_active?
+          log_debug "Jamf: Deleting patch title '#{display_name}' (#{title})"
+          unless jamf_title_active?
+            log_debug "Jamf: Patch title '#{display_name}' (#{title}) is not active in Jamf, nothing to delete"
+            return
+          end
 
-          pt_id = Jamf::PatchTitle.map_all(:id, to: :name_id, cnx: jamf_cnx).invert[title]
-          return unless pt_id
+          # # subscribed titles often have name_id's like "1B7"
+          # # whereas managed titles have name_id's that are the same as the title,
+          # # so we have to look up the id differently for subbed vs managed
+          # key = subscribed? ? title_id : title
+          # pt_id = Jamf::PatchTitle.map_all(:id, to: :name_id, cnx: jamf_cnx).invert[key]
 
-          msg = "Jamf: Deleting (unsubscribing) title '#{display_name}' (#{title}}) in Jamf Patch Management"
+          # unless pt_id
+          #   log_debug "Jamf: Cannot find patch title '#{display_name}' (#{title}) in Jamf, cannot delete"
+          #   return
+          # end
+
+          # # the pt_id SHOULD match the jamf_patch_title_id we have stored, but just in case, we'll use the one we looked up here
+          # unless pt_id.to_s == jamf_patch_title_id.to_s
+          #   log_warn "Jamf: Stored patch title id #{jamf_patch_title_id} does not match id #{pt_id} looked up for '#{display_name}' (#{title}). We are deleting the stored id."
+          # end
+
+          msg = "Jamf: Deleting (deactivating) title '#{display_name}' (#{title}}) in Jamf Patch Management"
           progress msg, log: :info
-          Jamf::PatchTitle.delete pt_id, cnx: jamf_cnx
+          Jamf::PatchTitle.delete jamf_patch_title_id, cnx: jamf_cnx
         end
 
         # @return [String] the URL for the Patch Title in Jamf Pro
@@ -1481,6 +1396,7 @@ module Xolo
         end
 
         # Configure the settings for the manual_install_released_policy
+        # Be sure to call .save on the policy after this to save the changes.
         # @param pol [Jamf::Policy] the policy we are configuring
         # @return [void]
         ###################
@@ -1495,15 +1411,7 @@ module Xolo
           # clear any existing packages
           pol.package_names.each { |pkg_name| pol.remove_package pkg_name }
 
-          # don't add a package or enable the pol if there's no released version
-          desired_vers = releasing_version || released_version
-          if desired_vers
-            rel_vers = version_object(desired_vers)
-            pol.add_package rel_vers.jamf_pkg_id
-            pol.enable
-          else
-            pol.disable
-          end
+          toggle_jamf_manual_install_released_policy pol
 
           # figure out the exclusions.
           #
@@ -1519,12 +1427,36 @@ module Xolo
 
           pol.scope.set_exclusions :computer_groups, excls
 
-          return unless self_service
+          if self_service?
+            add_title_to_self_service(pol)
+          else
+            remove_title_from_self_service(pol)
+          end
+        end
 
-          if pol.in_self_service?
-            configure_pol_for_self_service(pol)
+        # enable or disable the manual install policy for the current release, depending on
+        # whether or not we have a released version
+        # @param pol [Jamf::Policy] the manual install policy for the current release, which may or may not be saved yet.
+        # return [void]
+        ############################
+        def toggle_jamf_manual_install_released_policy(pol, vobj = nil)
+          # remove any current pkg payload
+          pol.package_ids.each { |pid| pol.remove_package pid }
+
+          unless vobj
+            desired_vers = releasing_version || released_version
+            vobj = desired_vers ? version_object(desired_vers) : nil
+          end
+
+          if vobj
+            progress "Jamf: Setting policy #{jamf_manual_install_released_policy_name} to install the package for version '#{vobj.version}'", log: :info
+            pol.add_package vobj.jamf_pkg_id
+
+            progress "Jamf: Enabling policy #{jamf_manual_install_released_policy_name}", log: :info
+            pol.enable
           else
-            add_title_to_self_service(pol)
+            progress "Jamf: Disabling policy #{jamf_manual_install_released_policy_name}, no released version", log: :info
+            pol.disable
           end
         end
 
@@ -1554,111 +1486,164 @@ module Xolo
         # @return [void]
         ##################################
         def add_title_to_self_service(pol = nil)
-          return unless self_service
-
           pol ||= jamf_manual_install_released_policy
 
-          msg = "Jamf: Adding Manual Install Policy '#{pol.name}' to Self Service."
-          progress msg, log: :info
+          unless pol.in_self_service?
+            msg = "Jamf: Adding Manual Install Policy '#{pol.name}' to Self Service."
+            progress msg, log: :info
+            pol.add_to_self_service
+          end
 
-          pol.add_to_self_service
           configure_pol_for_self_service(pol)
+          pol.save
         end
 
-        # Update whether or not we are in self service, based on the setting in the title
-        #
-        #########################
-        def update_ssvc
-          return unless changes_for_update.key? :self_service
-
-          # Update the manual install policy
-          pol = jamf_manual_install_released_policy
-          return unless pol
+        # Add the jamf_manual_install_released_policy to self service if needed
+        # @param pol [Jamf::Policy] The jamf_manual_install_released_policy, which may not be saved yet.
+        # @return [void]
+        ##################################
+        def remove_title_from_self_service(pol = nil)
+          pol ||= jamf_manual_install_released_policy
+          return unless pol.in_self_service?
 
-          # we should be in SSvc - changes_for_update[:self_service][:new] is a boolean
-          if changes_for_update[:self_service][:new]
-            add_title_to_self_service(pol) unless pol.in_self_service?
+          msg = "Jamf: Removing Manual Install Policy '#{pol.name}' from Self Service."
+          progress msg, log: :info
+          pol.remove_from_self_service
 
-          # we should not be in SSvc
-          elsif pol.in_self_service?
-            msg = "Jamf: Removing Manual Install Policy '#{pol.name}' from Self Service."
-            progress msg, log: :info
-            pol.remove_from_self_service
-          end
           pol.save
-
-          # TODO: if we decide to use ssvc in patch policies, loop thru versions to make any changes
         end
 
-        # Update our self service category, based on the setting in the title
-        # TODO: Allow multiple categories, and 'featuring' ?
+        # Update whether or not we are in self service, based on the setting in the title
         #
         #########################
-        def update_ssvc_category
-          return unless changes_for_update.key? :self_service_category
-
+        def update_ssvc
           pol = jamf_manual_install_released_policy
-          return unless pol
 
-          new_cat = changes_for_update[:self_service_category][:new]
+          adding_to_ssvc = changes_for_update.dig :self_service, :new
 
-          progress(
-            "Jamf: Updating Self Service Category to '#{new_cat}' for Manual Install Policy '#{pol.name}'.",
-            log: :info
-          )
+          updating_config = changes_for_update.dig :self_service_category, :new
+          updating_config ||= changes_for_update.dig :description, :new
+          updating_config ||= changes_for_update.dig :display_name, :new
 
-          old_cats = pol.self_service_categories.map { |c| c[:name] }
-          old_cats.each { |c| pol.remove_self_service_category c }
-          pol.add_self_service_category new_cat
-          pol.save
+          # if adding_to_ssvc is nil, we aren't changing it at all
+          # it must be false to indicate removal.
+          removing_from_ssvc = adding_to_ssvc == false
 
-          # TODO: if we decide to use ssvc in patch policies, loop thru versions to make any changes
-        end
+          if adding_to_ssvc
+            add_title_to_self_service(pol)
 
-        # Update the SSvc Icon for the policies used by this version
-        #
-        # @param ttl_obj [Xolo::Server::Title] The pre-instantiated title for ths version.
-        #   if nil, we'll instantiate it now
-        #
-        # @return [void]
-        ###############################
-        def update_ssvc_icon(ttl_obj: nil)
-          ttl_obj ||= title_object
-          # update manual install policy
+          elsif updating_config
+            configure_pol_for_self_service(pol)
 
-          log_debug "Jamf: Updating SSvc Icon for Manual Install Policy '#{jamf_manual_install_policy_name}'"
-          pol = jamf_manual_install_policy
-          return unless pol
+          # we should not be in SSvc, remove it, but leave all the settings
+          elsif removing_from_ssvc
+            remove_title_from_self_service(pol)
+          end
 
-          pol.upload :icon, ttl_obj.ssvc_icon_file
-          progress "Jamf: Updated Icon for Manual Install Policy '#{jamf_manual_install_policy_name}'",
-                   log: :debug
+          pol.save
 
-          # TODO: When we figure out if we want patch policies to use
-          # ssvc - they will need to be updated also
+          # TODO: if we decide to use ssvc in patch policies, loop thru versions to make any changes
         end
 
         # configure the self-service settings of the manual_install_released_policy
+        # NOTE this doesn't actually add it to self service, just configures the settings
+        # See add_title_to_self_service
+        #
         # @param pol [Jamf::Policy] The jamf_manual_install_released_policy, which may not be saved yet.
         # @return [void]
         ############################
         def configure_pol_for_self_service(pol = nil)
           pol ||= jamf_manual_install_released_policy
 
-          # clear existing categories, re-add correct one
-          pol.self_service_categories.each { |cat| pol.remove_self_service_category cat }
-          pol.add_self_service_category self_service_category
+          new_cat = changes_for_update&.dig(:self_service_category, :new) || self_service_category
+          if new_cat
+            progress "Jamf: Setting Self Service category to '#{new_cat}'", log: :debug
+            # clear existing categories, re-add correct one
+            pol.self_service_categories.each { |cat| pol.remove_self_service_category cat }
+            pol.add_self_service_category new_cat if new_cat
+          end
+
+          new_display_name = changes_for_update&.dig(:self_service_display_name, :new) || display_name
+          progress "Jamf: Setting Self Service display name to '#{new_display_name}'", log: :debug
+          pol.self_service_display_name = new_display_name
+
+          new_desc = changes_for_update&.dig(:self_service_description, :new) || description
+          progress "Jamf: Setting Self Service description to '#{new_desc}'", log: :debug
+          pol.self_service_description = new_desc
 
-          pol.self_service_description = description
-          pol.self_service_display_name = display_name
           pol.self_service_install_button_text = Xolo::Server::Title::SELF_SERVICE_INSTALL_BTN_TEXT
           return unless ssvc_icon_file
 
+          progress 'Jamf: Uploading Self Service icon', log: :debug
           pol.save # won't do anything unless needed, but has to exist before we can upload icons
           pol.upload :icon, ssvc_icon_file
+          # re-fetch the pol to get the icon id
           self.ssvc_icon_id = Jamf::Policy.fetch(id: pol.id, cnx: jamf_cnx).icon.id
         end
 
+        # run the autopkg recipe if defined
+        # See Helpers::AutoPkg for more details
+        ############################
+        def run_autopkg_recipe
+          server_app_instance.run_autopkg_recipe self
+        end
+
+        # Methods used by subscription stuff
+        ##############################
+
+        # Returns an array of known patch versions for this title from Jamf
+        # These are not necessarily in xolo, but they are available from the Patch Source.
+        #
+        # One or more Hashes like this:
+        #     {
+        #       "version": "143.0.7499.170",
+        #       "releaseDate": "2025-12-18T20:31:01Z",
+        #       "standalone": true,
+        #       "minimumOperatingSystem": "12.0",
+        #       "rebootRequired": false,
+        #       "killApps": [
+        #         {
+        #           "appName": "Google Chrome"
+        #         }
+        #       ],
+        #       "absoluteOrderId": "0"
+        #     }
+        #
+        # @param version [String, Symbol, nil] If a string, only return info about that version, if :latest,
+        #   only the latest version, otherwise all available versions known by the patch source.
+        #
+        # @param refresh [Boolean] re-read the data from the Jamf Pro API
+        #
+        # @return [Array<Hash>] Data about available patch versions for this title
+        ################################
+        def patch_versions(version: nil, refresh: false)
+          @patch_versions = nil if refresh
+          @patch_versions ||= []
+
+          if @patch_versions.empty?
+            page = 0
+            loop do
+              jpapi_path = "#{Xolo::Server::JPAPI_PATCH_TITLE_ENDPOINT}/#{jamf_patch_title_id}/definitions?page=#{page}&page-size=1000&sort=absoluteOrderId%3Aasc"
+              log_debug "Jamf: Fetching patch versions for title '#{title}' from Jamf API endpoint '#{jpapi_path}'"
+
+              data = jamf_cnx.jp_get jpapi_path
+              break if data[:results].empty?
+
+              @patch_versions += data[:results]
+              page += 1
+            end # loop
+          end # if
+
+          case version
+          when nil
+            @patch_versions
+          when :latest
+            @patch_versions.select { |p| p[:absoluteOrderId] == '0' }
+          else
+            @patch_versions.select { |p| p[:version] == version }
+          end # case
+        end # patch_versions
+
       end # TitleJamfPro
 
     end # Mixins