Managing Mac OS Updates in an Enterprise?
An anonymous reader asks: "What's the best way to manage updates for an office of about 150 Macs of various models with different releases of Mac OS X installed? I would assume the solution involves Apple Remote Desktop Administrator which makes it possible to install updates on client machines without interrupting the user — but then the question becomes how do you keep track of which updates to install? Does Apple have some page squirreled away that lists updates they've released in chronological order with the ability to filter based on OS version and model? Is there an RSS feed or mailing list that announces new updates? For the uninitiated, ARD Admin only lets you install specified packages, so you have to download the updates manually from Apple's website, then queue the packages to be installed on a particular set of machines. This problem would be far simpler if it were possible to simply instruct client machines to run Software Update and install all available updates, or even better, if Apple included automatic update functionality within the OS, a la Windows XP."
Mac OS X Server (Score:5, Informative)
I'm not sure I can put it any more bluntly O_o
btw... first post!(?)
Re:Mac OS X Server (Score:5, Informative)
There's more info on this at Mike's Mac OS X Management Software and Tips [bombich.com] and at Apple's Knowledgebase [apple.com]
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
He probably didn't mean "corrupting the filesystem," as in screwing up the inodes or whatever; he probably meant "corrupting the OS," as in installing an update halfway (or possibly truncating files), such that the OS is missing pieces of itself, and can't run.
In other words, what he's really complaining about is that updates are (apparently) not atomic.
Re: (Score:2, Insightful)
Re:Mac OS X Server (Score:4, Informative)
Once you are done you just end the program and the user can reboot as normal.
There's some info on the technique here:
How do I disable Command-Control-Eject (normal reboot)? [apple.com]
A better plan might be to do the software update as a logout hook. That way the update can be configured to occur when the user logs out and it won't interrupt their work. You can read more about login and logout hooks here [bombich.com].
Here are some official Apple articles on the matter:
The Boot Process [apple.com] (includes everything from boot to shutdown)
Customizing Login and Logout [apple.com]
Re: (Score:1)
Re: (Score:3, Informative)
* To take advantage of Software Update Server, client computers must be running Mac OS X v10.4 or later.
The submitter stated they're using different releases of OS X, so this'll only help with their 10.4 clients. Though, I think upgrading them all to 10.4 (or better yet, waiting for 10.5 and upgrading the whole organization in one fell swoop) might not be a bad idea anyway, if they can budget for it.
Re: (Score:1)
Also, having your system net boot uses a lot of network bandwidth.
Seriously, no auto-update? (Score:2)
Does the OS "check" for updates automatically, and just not install them, or does the user have to initiate the update-checking?
If it checks automatically, there's gotta be a way to script installation on a per-machine basis. Even if it doesn't there's gotta be a way to script it (unfortunately I'm not the dude who knows how to do it).
Re: (Score:1)
Also, you have to worry about:
- processor differences (software updates are not universal)
- Depending on what you're updating from, what you download on one machine might not run on another. When in doubt, run the "combo" update.
Apple does not have a chronological list of software update releases, because not all updates apply to all customers. 99% of the updates are shown to you if you need them. The other 1% you have to go hunt down.
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
My first guess (Score:2)
Just do "man softwareupdate" and check it out
Re: (Score:1)
Macs DO have automatic update (Score:4, Informative)
And if you'd like to script it, take a look at the man page for "softwareupdate".
Re: (Score:3, Informative)
Re: (Score:2, Informative)
Sure you can do Mac updates... (Score:4, Funny)
Re: (Score:2)
The rest of the Enterprise doesn't know about Macs.
But now at least scotty knows to use the keyboard.
man softwareupdate (Score:2, Informative)
Re: (Score:3, Informative)
Including queuing tasks for laptops and the like that are not currently online.
At my previous place of employment, managing about 70 non-admin and 10 or so admin capable OS X boxes, my workflow went like this:
- Set software update to automatically download software on each machine daily
(alternately, if you have OS X server, simply allow the server to cache all of the relevant updates and don't worry about
Radmind (Score:1)
Do nothing. (Score:1)
Our IT department does absolutely nothing unless a patch addressing a _major_ security hole is released, in which case they're supposed to send out an email. So far, no patch has been important enough to warrant an email. You might claim that's irresponsible, but we are talking about OS X here. If a co-worker of mine is incapable of clicking the "Install" button once every c
Re: (Score:3)
Wow. Hope you guys don't do anything important.
Re: (Score:1)
Re: (Score:2)
I don't see why you're mentioning that. Being the best at something else doesn't say anything about how often they'll run updates on their computer.
Of course not. Because you never have before. Obviously...
Re: (Score:1)
The updates are run automatically - all the user has to do is click "Install" when the screen pops up. If one of my co-workers is incapable of pushing a button when a screen pops up once every week or two, we made a mistake in hiring him/her.
You can argue "what-ifs" all day long, but so far there hasn't ever been a vulnerability within OS X that has been explo
Re: (Score:2)
What are you going to do when the first major OS X vulnerability does get exploited? "Sorry guys, our IT department is incompetent, so we're going to have to let you all go"?
Re: (Score:1)
I'll either click "Install" when the patch window pops up, or initiate the process myself (and then click "Install") when I see an email from our IT department asking me to do so. You're assuming that a large group of people can't/won't do that for some reason - I'm not sure if you own a Mac, or if you've ever seen how patches are ins
You know it's late when... (Score:4, Funny)
"Picard to Data: Start upgrading the MacOS workstations"
"Data: process completed in
Then I realized it was "in the enterprise" not "on the Enterprise"... oops.
Min
ARD Option (Score:1)
Also amazingly easy with ARD v. 2 (Score:1)
Best of all, schedule it to wake the workstations at 3:00 a.m., download and install the updates, restart the machines, and put them back to sleep or turn them off. Easy as pie with Apple Remote Desktop and scheduled scripting.
For more: http://macenterprise.org/content/view/117/140/ [macenterprise.org]
http://www.informit.com/articles/article.a [informit.com]
/etc/sources.list (Score:1)
Re: (Score:1)
Instead of installing the recommended (-r) updates, you can also choose to install all (-a).
More info here [wikipedia.org].
It would probably also be a great idea to have a local softwareupdate server, this way you don't have to download all updates every time, but instead only download them once to a local repository; additionally you could test things first before distribution. Read more info here [apple.com]. Although it seems that a local server will only work for
Re: (Score:1)
Mac OS X Updates (Score:5, Insightful)
This is one of my main gripes with OS X, in fact. On Debian and Ubuntu, I have a great package manager that automatically takes care of dependencies, and keeping software up to date is as simple as apt-get update && apt-get upgrade (with graphical front ends available for those who want them). Having to manually hunt down dependencies or updates is just a pain in the behind, and can significantly increase the maintenance cost of a system.
Re: (Score:2)
Having to consciously track versions of non-OSX shipped software yourself - to go to websites to find and install updates on a per-package basis - is too labour intensive for a machine I simply want to get work done on.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Are you kidding?! Dealing with 50 different "update managers" that all do things in different ways, and (worse yet) forcing developers of every piece of software to keep reinventing that wheel, are the last things anyone needs!
No, the better solution would be for Apple to add a standard mechanism for software updates (like package managers do for Linux). Offhand, I woul
Re: (Score:2)
Re: (Score:2)
The code that does those checks in the background is what I meant by an "update manager."
Those ten lines of code still need to be debugged, maintained, etc., and last I checked, 10 is still greater than zero. More importantly, we're not really talking about 10 lines of code. We're talking about 10 lines of code for each and every app that runs on Mac OS. Collectivel
Re: (Score:2)
I just used it to block those AirPort updates for the card I don't have (softwareupdate --ignore AirPort)
dp
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
There's also Fink, but I found it harder to use. Check what packages they support and see what suits you.
Re: (Score:3, Informative)
Yeah, that's because Apple believes that iTunes and QuickTime Player should be standard components of any Windows or OS X system.
Incorrect. Apple's Software Update program detects and installs updates for any Apple software you have installed, whether it came with the system or not. For exam
Re: (Score:1)
It's telling you what is available for install, not what updates are out there for already installed software. Subtle distinction, and if it really bugs you then select the package you're not interested in and use the "Update > Ignore Update..." menu item to stop seeing updates for those packages.
Re: (Score:2)
Ok, thanks. I find it really annoying when that window pops up, advertising updates for software I don't have or want.
Re: (Score:3, Informative)
Software update is able to quickly determine what software it needs to update by looking at the receipts in the Library/Receipts/ folder.
If you delete the receipt for iTunes in there, Software Update will no longer check for updates for iTunes.
One solution (Score:4, Informative)
That's trivial. In ARD, create a Unix command task to execute as root with the command:
softwareupdate -i -a
This will install all the updates you would otherwise see in the GUI Software Update on the selected clients. Schedule it if you are so inclined, and don't forget to set a reboot task if one of the updates requires it.
Re: (Score:3, Informative)
If all the machines you want to update are running Tiger, just do softwareupdate -ai && shutdown -r now to install all available updates and reboot when complete with a single command.
Of course, that doesn't work correctly with Macs running Panther, then you would have to do softwareupdate --install --all and schedule the reboot separately in ARD because IIRC the single-letter switches don't se
Re: (Score:2, Insightful)
I would personally use some kind of pop-up dialog saying your computer is about to be rebooted.
There are lots of different ways you can do this, the original bash programs were called dialog and xdialog, there are lots of equivalents these days, basically the idea is that they l
Re: (Score:2)
~Philly
Re: (Score:2)
Re: (Score:3, Insightful)
The single letter switches work fine in Panther, but you can't merge them, ie. it has to be exactly as specified in the original post: softwareupdate -i -a not softwareup
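The ARD task discussed in this subthread, sketched as an added example that is not part of any poster's comment: it lists pending updates, installs them with the unmerged `-i -a` switches, and reboots only when an update asks for it. The function names, the five-minute delay, the `--run` guard and the sample listing are assumptions made for illustration, as is the premise that `softwareupdate -l` tags reboot-requiring updates with `[restart]`.

```shell
#!/bin/sh
# Added example (not from the thread). Intended to run as root, e.g. from an
# ARD UNIX command task. Assumption: `softwareupdate -l` prints each update as
# "   * <label>" followed by a description line that carries "[restart]"
# when a reboot is needed.

# Constructed sample of `softwareupdate -l` output, used for offline checks.
SAMPLE='Software Update found the following new or updated software:
   * iTunesX-7.0.2
        iTunes (7.0.2), 25000K [recommended]
   * MacOSXUpd10.4.8-10.4.8
        Mac OS X Update (10.4.8), 31000K [recommended] [restart]'

# classify: read a listing on stdin, print "<label> restart=yes|no" per update.
classify() {
    awk '
        /^[ \t]*\* / { sub(/^[ \t]*\* /, ""); label = $0; next }
        label != "" {
            print label, (index($0, "[restart]") ? "restart=yes" : "restart=no")
            label = ""
        }'
}

# needs_restart: succeed if any update in the listing on stdin needs a reboot.
needs_restart() {
    classify | grep -q 'restart=yes$'
}

# run_updates: install everything, then reboot only if the listing asked for it.
run_updates() {
    listing=$(softwareupdate -l 2>&1) || return 1
    plan=$(printf '%s\n' "$listing" | classify)
    if [ -z "$plan" ]; then
        echo "no updates available"; return 0
    fi
    printf '%s\n' "$plan"
    # Separate switches: the thread reports merged ones fail on Panther.
    softwareupdate -i -a || return 1
    if printf '%s\n' "$listing" | needs_restart; then
        shutdown -r +5 "Restarting to finish software updates"
    fi
}

# Only touch the machine when explicitly asked: sh update.sh --run
if [ "${1:-}" = "--run" ]; then
    run_updates
fi
```

Printing the plan before installing leaves a per-machine record in the ARD task output of which updates were applied and whether a reboot followed.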
Wow. Start with the basics!!! (Score:1)
First, you have to get all of your hardware on the same OS. Create a master system image of a template machine. (Take a machine, customize it the way you want, add your apps, etc. Create an asr ready disk image of the template machine using Disk Utility or Mike Bombich's fantastic NetRestore (http://bombich.com/). Distribute it however suits your environment best. NetInstall
Re: (Score:1)
If it were only that easy! That might make it easier for administrators, but it's not realistic in a work environment with different departments needing different apps, and older equipment using an older OS version (and working fine-- why risk breaking it?). Keeping it to 3 or 4 images is more realistic. It is still pretty with ARD to create groups broken into different images, though. And using a scheduled script in ARD as mentioned above is sti
Re: (Score:2)
Keeping 3 or 4 images is only realistic if you are willing to pay to increase your I.T. staffing. At the large company where I am MacOS administrator, it takes nearly all my time to maintain our single image; if we had 3 or 4 I wo
osascript (Score:2)
This way, the user knows what's going on, and the patches get installed.
Do a "man osascript" from the commandline. Good stuff.
You could also try FileWave (Score:2)
Learn from someone with experience (Score:2)
Get Mac OS X Server 10.4 and ARD 3.0 or if you have time, wait for OS X 10.5 and for the 10.4 systems you then actually have a server-based automatic update system which shouldn't be too hard to maintain if you have basic knowledge.
I have a lab with all Mac OS'es I am supposed to support and all software we use on them. If an update comes out, I basically test
Enterprise macs (Score:2)
Re: (Score:1)
Filewave! (Score:1)
Some thoughts on automatic updates of mac clients (Score:1)
You do not want your clients to update automatically!
1. When you are responsible that hundreds of persons can work using the clients you are responsible for, you will want to check if an update has any unwanted impact on those clients before you update them.
Maybe you cannot imagine the trouble you get in if one of your major applications no longer works with the newest update that was installed automatically.
If you
Take a look at radmind (Score:2)
In a typical update scenario you would:
1. Install the update on a freshly radminded Mac.
2. Use the radmind tools to create a difference transcript from the updated filesystem against the copy on the server.
3. Uploa