Managing Mac OS Updates in an Enterprise?
An anonymous reader asks: "What's the best way to manage updates for an office of about 150 Macs of various models with different releases of Mac OS X installed? I would assume the solution involves Apple Remote Desktop Administrator which makes it possible to install updates on client machines without interrupting the user — but then the question becomes how do you keep track of which updates to install? Does Apple have some page squirreled away that lists updates they've released in chronological order with the ability to filter based on OS version and model? Is there an RSS feed or mailing list that announces new updates? For the uninitiated, ARD Admin only lets you install specified packages, so you have to download the updates manually from Apple's website, then queue the packages to be installed on a particular set of machines. This problem would be far simpler if it were possible to simply instruct client machines to run Software Update and install all available updates, or even better, if Apple included automatic update functionality within the OS, a la Windows XP."
um... have you read about any of Apple's solutions besides ARD? how 'bout this or this?
i'm not sure i can put it any more bluntly O_o
btw... first post!(?)
Sorry, I haven't used Mac OS since 10.3 was pretty new, and I simply can't remember certain things, but...
:)
Does the OS "check" for updates automatically, and just not install them, or does the user have to initiate the update-checking?
If it checks automatically, there's gotta be a way to script installation on a per-machine basis. Even if it doesn't there's gotta be a way to script it (unfortunately I'm not the dude who knows how to do it).
Just then the floating disembodied head of Colonel Sanders started yelling Everything You Know Is Wrong!-Weird Al
My first guess would be to look at accessing software update from the command line, which would mean that it could be scripted.
Just do "man softwareupdate" and check it out
And if you'd like to script it, take a look at the man page for "softwareupdate".
Very quietly. The rest of the Enterprise doesn't know about Macs. If anyone asks, tell them that you're installing Service Pack 2.
i run "softwareupdate -ia" from the command line for installing all updates. Could you just set up a cron job to run it?
Radmind is also a great tool for managing installs on OS X and UNIX/Linux machines. It might be worth a look.
~moofbong
If 'con' is the opposite of 'pro', what is the opposite of 'progress'?
Unlike Windows, Mac updates generally give users new features, or other desirable things.. so most users stay on top of that stuff.
Our IT department does absolutely nothing unless a patch addressing a _major_ security hole is released, in which case they're supposed to send out an email. So far, no patch has been important enough to warrant an email. You might claim that's irresponsible, but we are talking about OS X here. If a co-worker of mine is incapable of clicking the "Install" button once every couple weeks when the auto-updater runs, I don't really want that person working with me anymore.
If anything, I'd be more worried about people running XP in Parallels and then forgetting to patch it - that's something that can cause a legitimate problem.
I misread the post title, so I had images of Picard tapping his comms badge...
"Picard to Data: Start upgrading the MacOS workstations"
"Data: process completed in .005 seconds. We are fully functional sir"
:)
Then I realized it was "in the enterprise" not "on the Enterprise"... oops.
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
If you are using the newest version of Apple Remote Desktop, by selecting the Send Unix Command option, you can run software update on the selected computers. ARD 3.0 has many Unix command templates built in. The ones I use most frequently are repair permissions and the software update one. It is an invaluable tool for managing multiple Macs. I take care of about the same # as the parent, and ARD works great. What is awesome about it as well is that it finally allows drag and drop from the computers the admin is controlling to the admin computer and from the admin to client.
you can't apt-get yet with cron yet?
Easy even with the older ARD v.2 - just send the unix command "softwareupdate -i -a" to the workstations in question, and they will automatically download and install all needed updates.
Best of all, schedule it to wake the workstations at 3:00 a.m., download and install the updates, restart the machines, and put them back to sleep or turn them off. Easy as pie with Apple Remote Desktop and scheduled scripting.
For more: http://macenterprise.org/content/view/117/140/
http://www.informit.com/articles/article.asp?p=445094&seqNum=4&rl=1
As already mentioned, for the system software just run softwareupdate -ir through ARD's send unix command.
This takes care of the OS X updates.
If you want to automate other software updates it can get a bit trickier. But you can do just about anything with ARD + Automator + Applescript/Perl/etc.
And of course look at Package Maker. The newest version comes on the ARD 3.0 Disc (you need 3.0 for the intel macs).
Package Maker sucks hard. But the end result is good.
The OS ships with an update tool that notifies you of available updates. Unfortunately, it doesn't seem to take into account what software you have installed (it keeps telling me there's an update for iTunes, even though I don't have iTunes installed), and it only updates the software that ships with the system - anything you install separately will have to be updated separately.
This is one of my main gripes with OS X, in fact. On Debian and Ubuntu, I have a great package manager that automatically takes care of dependencies, and keeping software up to date is as simple as apt-get update && apt-get upgrade (with graphical front ends available for those who want them). Having to manually hunt down dependencies or updates is just a pain in the behind, and can significantly increase the maintenance cost of a system.
Please correct me if I got my facts wrong.
This problem would be far simpler if it were possible to simply instruct client machines to run Software Update and install all available updates
That's trivial. In ARD, create a Unix command task to execute as root with the command:
softwareupdate -i -a
This will install all the updates you would otherwise see in the GUI Software Update on the selected clients. Schedule it if you are so inclined, and don't forget to set a reboot task if one of the updates requires it.
First, you have to get all of your hardware on the same OS. Create a master system image of a template machine. (Take a machine, customize it the way you want, add your apps, etc. Create an asr ready disk image of the template machine using Disk Utility or Mike Bombich's fantastic NetRestore (http://bombich.com/).) Distribute it however suits your environment best. NetInstall-NetRestore sets hosted on a NetBoot server work great.
Once you've got all of your hardware on the same OS and same environment, distributing software updates becomes much much easier. I recommend distributing all updates with Apple Remote Desktop 3. The client is free, and part of Mac OS. All you need is a seat of the administrative tool for each admin who might need to remotely administer your Macs. Using a combination of ARD and PackageMaker (from the XCode tools), you can not only distribute standard software updates from Apple, but also repackage third-party updaters and installers into the .pkg or .mpkg format used by ARD. It works really well.
Yes, there are dependencies, and you can test for them using pre- and post-action scripts stored as the contents of each package. Do as much research as you can on PackageMaker, and be prepared to do shell scripting. Information about installed updates is stored in /Library/Receipts. Every package has a Bill of Materials file that you can read with lsbom. It states exactly what gets installed by the package in question and where it gets installed, as well as the target ownership and privilege attributes.
Mac OS X does offer the ability to periodically check for and install software updates. However, installing updates requires administrative rights, which your end users should not have. You could use Mac OS X Server's software update cache, which periodically checks with Apple's main software update servers and then caches any new updates. You also gain more fine grained control over which updates get installed when. It's not always smart to install new updates immediately. Better to wait a few days or a week and see how the rest of the world fares. Then, you can make the updates available over your internal software update caching servers. One other thing to remember about the Mac OS X Server software update service: you cannot offer your own pre-packaged updates, as softwareupdate checks to make sure every package has been signed with Apple's key. Packages you create yourself still need to be deployed with ARD.
That's the basics, though.
1) Make sure every machine is imaged with the same template. This is crucial. Having machines with different operating systems and software suites installed is the first stumbling block to a managed platform. Enable the ARD client on your template, of course.
2) Try to have users authenticate from a central
Write a quick AppleScript to pop up a dialog box and then run softwareupdate from the command-line ...
This way, the user knows what's going on, and the patches get installed.
Do a "man osascript" from the command line. Good stuff.
Use Apple's Software Update Server to house locally all the updates so every Mac isn't using your gateway and bandwidth to update itself. Then use the Server Admin tools to "enable" and "set required" various updates on the SUS. Finally, when you are ready to initiate the updates (or on a weekly schedule via the task server) fire off a "softwareupdate -ir" (or whatever options you deem appropriate) to all the clients and they will go to your SUS and update themselves in the background.
Relevant products:
Mac OS X Server (SUS functionality) - http://www.apple.com/server/macosx/softwareupdateserver.html
Apple Remote Desktop 3 - http://www.apple.com/remotedesktop/softwaredistribution.html
As mentioned before, ARD 3 can be used to install anything in a pkg format, so if you can get enough consistency in your load set to make it worth packaging up your 3rd party apps with something like PackageMaker or logGen and iceBerg, you can use ARD to install them too.
Before you go to all this trouble though, make a standard image so all your hardware is on the same OS. Mike Bombich has some nice tools (http://bombich.com) or use Apple's Mac OS X Server tools such as "System Image Utility" http://www.apple.com/server/macosx/netbootnetworkinstall.html. Installing over the network is the best method, but if your network is slow, or configured in such a way that it can't work with netboot/netinstall you can do it via external disk (i.e. Firewire) if you want to. (Or you can buy a cheap gig switch and "image" your macs at a workbench with its own little network in your lab before sending them out to users).
While you are at it you might as well install and configure a central antivirus server. Symantec has one of these guys too.
Our local admin swears by FileWave http://www.filewave.com/ It allows you to do unattended updates, push out specific files and run install packages remotely. It is a commercial package, though...
Since anything before 10.3 is not actively supported towards updates anymore, you can ignore those systems except for their monthly automatic updates.
Get Mac OS X Server 10.4 and ARD 3.0 or if you have time, wait for OS X 10.5 and for the 10.4 systems you then actually have a server-based automatic update system which shouldn't be too hard to maintain if you have basic knowledge.
I have a lab with all Mac OS'es I am supposed to support and all software we use on them. If an update comes out, I basically test it out there. If it works, I go and download the update packages from the Apple website and then schedule a package installation in ARD3 through the task server for the 10.3 systems and activate the 10.4 updates in Software Update Server. This makes sure that all my updates get done (through the task server, it just does them as computers become available).
I have a 50-client environment with about 3 servers and 4 laptops. I know what I'm talking about. Oh: don't forget to take away admin rights from your users, it will be a great help.
I got in an argument about this recently. What does an enterprise mac system look like? What software do you run that makes these macs different from home PCs? (this is ignorance, not mac bashing) Is there an equivalent administrative construct to a windows domain? Do you just use the same handlers as BSD? I've done quite a bit of enterprise work, but I've never seen a mac integrated with an enterprise architecture.
People who think they know everything really piss off those of us that actually do.
If you have a couple of hundred Macs to update, you not only have to worry about the OS, but also the applications. That's where the third-party file distribution applications help you. There is the open source 'rsync' of course, but that doesn't really help you with the packaging of say, the upgrade of Adobe Photoshop 7 to CS, nor the distribution of it. The program I'm most fond of is FileWave http://www.filewave.com/. With this you can distribute any software package, update, document to any number of Macs, with any different number of persons or workgroups. It's quite costly, but if the number of Macs exceeds the hundred and/or you have different, far stretched locations, it could save you a bundle. Once the package is distributed, also to any laptop users, you can set a time in the future to activate the new package, and optionally deactivate the old package. This way you can distribute the software in advance, handy on slow uplinks, but activate it all at the same time.
There is also NetOctopus http://www.netopia.com/software/products/netoctopus/, but I have no experience with that.
Couple this with ARD for remote support.
Having quite a lot of experience with macs in an enterprise environment, I can assure you:
You do not want your clients to update automatically!
1. When you are responsible that hundreds of persons can work using the clients you are responsible for, you will want to check if an update has any unwanted impact on those clients before you update them.
Maybe you cannot imagine the trouble you get in if one of your major applications no longer works with the newest update that was installed automatically.
If you just for example look at the dependencies between Microsoft Office 2004 and Mac OS X then you know what I'm talking about.
You will want to test those updates first. Believe me.
2. If you have a lot of clients then you will definitely want to set up your own software update server.
Otherwise your clients will eat away your internet bandwidth. Just imagine your 100 clients each downloading that 150MB 10.4.8 update from apple.com. It will block your network for hours...
3. For a method on 'Auto-Update using Apple's Software Update' there's an interesting article here http://macenterprise.org/content/view/198/84/
But you are definitely right. There should be some sort of mechanism so that once set up, a mac client can be forced to update all of its software to the newest releases.
I would also like to see an uninstaller that allows me to uninstall an update that has side-effects...
I don't like to admit it but at this point windows offers better solutions.
In a typical update scenario you would:
1. Install the update on a freshly radminded Mac.
2. Use the radmind tools to create a difference transcript from the updated filesystem against the copy on the server.
3. Upload, again using the radmind toolset, the new transcript and files to the radmind server.
4. Then on the server you add the new transcript to the command file for the workstations you wish to update and they get the new filesystem the next time radmind runs on them.
I'm deploying it at work right now and it's been great. I know other Fortune 50 admins that are deploying it or use it as well. The largest deployments are in the edu space and I know admins there that use radmind to manage upwards of 10,000 Macs.
It's an open project that lives at sourceforge if that strokes your geek ego as well. I'm using it as a wedge to push acceptance of OSS at work.
True it is a very different philosophy, file system management vs. package management, than using an ARD task server, but it gives you things like rollback that ARD or the system Installer can't provide.
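Added example, not part of any post in this thread: several comments above suggest scheduling `softwareupdate -i -a` on every client, while others advise testing updates in a lab first. The sketch below combines the two by installing only update labels that appear on an admin-maintained allowlist. The listing format, the allowlist file and the function names are assumptions, and the labels in the comments are constructed.

```shell
#!/bin/sh
# Staged patching: install only updates that passed lab testing.
# Assumption: `softwareupdate -l` prints each available update's label on a
# line of the form "   * <label>", followed by an indented description line.
# Constructed sample of such a listing:
#    * ExampleApp-1.0
#         Example App (1.0), 25000K [recommended]
#    * ExampleSecUpdate-1.0
#         Example Security Update (1.0), 12000K [recommended] [restart]

# Print the update labels found in a listing read from stdin.
list_labels() {
    sed -n -e 's/[[:space:]]*$//' -e 's/^[[:space:]]*\*  *//p'
}

# Read a listing on stdin; $1 is the allowlist (one approved label per line).
# Prints "install <label>" or "hold <label>" for every available update.
classify_updates() {
    allowlist=$1
    list_labels | while IFS= read -r label; do
        # -F: fixed string, -x: whole line, so "Foo-1.0" never approves
        # "Foo-1.0.1". A missing allowlist makes grep fail, so the update
        # is held rather than installed (fail closed).
        if grep -Fxq -- "$label" "$allowlist" 2>/dev/null; then
            printf 'install %s\n' "$label"
        else
            printf 'hold %s\n' "$label"
        fi
    done
}

# Run as root on a client (cron, or an ARD "Send UNIX Command" task):
#   sh staged-update.sh /path/to/approved-updates.txt
if [ -n "${1:-}" ] && command -v softwareupdate >/dev/null 2>&1; then
    softwareupdate -l 2>/dev/null | classify_updates "$1" |
    while read -r action label; do
        case $action in
            install) softwareupdate -i "$label" </dev/null ;;
            hold)    logger -t staged-update "held untested update: $label" ;;
        esac
    done
fi
```

Held updates are written to syslog, so the central log shows which clients are waiting on an approval.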