Managing Mac OS Updates in an Enterprise?

An anonymous reader asks: "What's the best way to manage updates for an office of about 150 Macs of various models with different releases of Mac OS X installed? I would assume the solution involves Apple Remote Desktop Administrator which makes it possible to install updates on client machines without interrupting the user — but then the question becomes how do you keep track of which updates to install? Does Apple have some page squirreled away that lists updates they've released in chronological order with the ability to filter based on OS version and model? Is there an RSS feed or mailing list that announces new updates? For the uninitiated, ARD Admin only lets you install specified packages, so you have to download the updates manually from Apple's website, then queue the packages to be installed on a particular set of machines. This problem would be far simpler if it were possible to simply instruct client machines to run Software Update and install all available updates, or even better, if Apple included automatic update functionality within the OS, a la Windows XP."

Mac OS X Server

[Hes+Nikke]

um... have you read about any of apples solutions besides ARD? how 'bout this or this?

i'm not sure i can put it any more bluntly O_o

btw... first post!(?)

Re:Mac OS X Server

[Graff]

Automatic updates are also very simple to set up with the softwareupdate tool located at:

/usr/sbin/softwareupdate

It has a man page and everything. You can use this to set up a cron job or whatever to do the updates automatically.

There's more info on this at Mike's Mac OS X Management Software and Tips and at Apple's Knowledgebase

Re:Mac OS X Server

[PygmySurfer]

There's just one problem with your solution:

* To take advantage of Software Update Server, client computers must be running Mac OS X v10.4 or later.

The submitter stated they're using different releases of OS X, so this'll only help with their 10.4 clients. Though, I think upgrading them all to 10.4 (or better yet, waiting for 10.5 and upgrading the whole organization in one fell swoop) might not be a bad idea anyway, if they can budget for it.

Re:Mac OS X Server

[Graff]

There's a way to prevent this. Basically you make a small program which registers the "quit application" event and when the program receives that event you send back a "user canceled" error result to the system. This cancels the reboot and keeps your program running.

Once you are done you just end the program and the user can reboot as normal.

There some info on the technique here:
How do I disable Command-Control-Eject (normal reboot)?

A better plan might be to do the software update as a logout hook. That way the update can be configured to occur when the user logs out and it won't interrupt their work. You can read more about login and logout hooks here.

Here are some official Apple articles on the matter:
The Boot Process (includes everything from boot to shutdown)
Customizing Login and Logout

Macs DO have automatic update

[athempel]

Read all about it.

And if you'd like to script it, take a look at the man page for "softwareupdate".

Re:Macs DO have automatic update

[DDLKermit007]

10.4 and above only. So many people are posting this just searching the Apple site. The OP runs various versions of OSX which are BELOW 10.4. The situation is compounded with mods that don't even know what the hell they are doing moding them up.

Re:Macs DO have automatic update

[athempel]

Rubbish.

man softwareupdate

[xornor]

i run "softwareupdate -ia" from the commandline for installing all updates, could you just set up a cron job to run it?

Re:man softwareupdate

[dr00g911]

Apple remote desktop allows for scheduling command line tasks over the entire enterprise.

Including queuing tasks for laptops and the like that are not currently online.

At my previous place of employment, managing about 70 non-admin and 10 or so admin capable OS X boxes, my workflow went like this:

- Set software update to automatically download software on each machine daily
    (alternately, if you have OS X server, simply allow the server to cache all of the relevant updates and don't worry about this step -- it's mostly there to manage bandwidth spikes)
- Set a scheduled job for Friday afternoons to run softwareupdate from the commandline via ARD.
- Leave the ARD console up and it'll catch laptops during the beginning of the following week that weren't around when the command was issued.

The workgroup management features of the latest ARD are *amazingly robust* and I'd recommend anyone to just go and play with it. Coupled with netboot for major OS upgrades and the VNC like features, it cut the amount of time needed to maintain the entire company to virtually nothing.

One solution

[Espen]

This problem would be far simpler if it were possible to simply instruct client machines to run Software Update and install all available updates

That's trivial. In ARD, create a Unix command task to execute as root with the command:

softwareupdate -i -a

This will install all the updates you would otherwise see in the GUI Software Update on the selected clients. Schedule it if you are so inclined, and don't forget to set a reboot task if one of the updates require it.

Re:One solution

[phillymjs]

Schedule it if you are so inclined, and don't forget to set a reboot task if one of the updates require it.

If all the machines you want to update are running Tiger, just do softwareupdate -ai && shutdown -r now to install all available updates and reboot when complete with a single command.

Of course, that doesn't work correctly with Macs running Panther, then you would have to do softwareupdate --install --all and schedule the reboot separately in ARD because IIRC the single-letter switches don't seem to work for the softwareupdate command in Panther, and Panther won't wait until softwareupdate is done to execute the reboot.

The above commands are better when used with an OS X Server running the Software Update service, so you can pick and choose which ones are made available to all of your managed Macs.

~Philly

Re:Mac OS X Updates

[tverbeek]

it keeps telling me there's an update for iTunes, even though I don't have iTunes installed

Yeah, that's because Apple believes that iTunes and QuickTime Player should be standard components of any Windows or OS X system.

it only updates the software that ships with the system - anything you install separately will have to be updated separately.

Incorrect. Apple's Software Update program detects and installs updates for any Apple software you have installed, whether it came with the system or not. For example, recently after installing Final Cut Pro on a fully-updated system, it gave me another half-dozen updates to download for the apps in the Final Cut package. In this sense it performs the same function as Microsoft Update, or Adobe's Update Manager: providing updates for all of that vendor's products (regardless of when you installed them).

While it would certainly be nice if Apple's Software Update also updated Adobe, Microsoft, and other developers' apps (instead of having to use the inferior update tools those companies provide, or ye olde stand-alone updater), it should hardly be surprising that commercial software developers aren't as chummy and free with their updates as the open-source community is.

Re:Mac OS X Updates

[Johnny+Mozzarella]

Simply deleting an .app from the Applications folder is not enough.
Software update is able to quickly determine what software it needs to update by looking at the receipts in the Library/Receipts/ folder.
If you delete the receipt for iTunes in there, Software Update will no longer check for updates for iTunes.