
Managing Mac OS Updates in an Enterprise? 79

An anonymous reader asks: "What's the best way to manage updates for an office of about 150 Macs of various models with different releases of Mac OS X installed? I would assume the solution involves Apple Remote Desktop Administrator which makes it possible to install updates on client machines without interrupting the user — but then the question becomes how do you keep track of which updates to install? Does Apple have some page squirreled away that lists updates they've released in chronological order with the ability to filter based on OS version and model? Is there an RSS feed or mailing list that announces new updates? For the uninitiated, ARD Admin only lets you install specified packages, so you have to download the updates manually from Apple's website, then queue the packages to be installed on a particular set of machines. This problem would be far simpler if it were possible to simply instruct client machines to run Software Update and install all available updates, or even better, if Apple included automatic update functionality within the OS, a la Windows XP."
This discussion has been archived. No new comments can be posted.

  • Mac OS X Server (Score:5, Informative)

    by Hes Nikke ( 237581 ) on Saturday September 16, 2006 @12:31AM (#16118885) Journal
    um... have you read about any of Apple's solutions besides ARD? how 'bout this [apple.com] or this [apple.com]?

    i'm not sure i can put it any more bluntly O_o

    btw... first post!(?)
    • Re:Mac OS X Server (Score:5, Informative)

      by Graff ( 532189 ) on Saturday September 16, 2006 @01:04AM (#16118976)
      Automatic updates are also very simple to set up with the softwareupdate tool located at:
      /usr/sbin/softwareupdate
      It has a man page and everything. You can use this to set up a cron job or whatever to do the updates automatically.

      There's more info on this at Mike's Mac OS X Management Software and Tips [bombich.com] and at Apple's Knowledgebase [apple.com]
      • Unfortunately, this still isn't a great solution. We have a few hundred macs where I work, running software update once a week (they are staggered), by way of a cron job. Seems that if for some reason a mac is rebooted during this job, there is a good chance the OS will get completely hosed, corrupting the file system to a point that all the goofy tools out there still can't fix it. For some reason, booting single user mode you can still read the data, then shove it off onto a firewire drive.
        • I find it hard to believe rebooting it could corrupt the file system. Are you sure you have a clue?
          • He probably didn't mean "corrupting the filesystem," as in screwing up the inodes or whatever; he probably meant "corrupting the OS," as in installing an update halfway (or possibly truncating files), such that the OS is missing pieces of itself, and can't run.

            In other words, what he's really complaining about is that updates are (apparently) not atomic.

        • Re: (Score:2, Insightful)

          by Simon80 ( 874052 )
          Run the updates at night then, when the computers won't be getting rebooted..
        • Re:Mac OS X Server (Score:4, Informative)

          by Graff ( 532189 ) on Saturday September 16, 2006 @06:16PM (#16121845)
          There's a way to prevent this. Basically you make a small program which registers the "quit application" event and when the program receives that event you send back a "user canceled" error result to the system. This cancels the reboot and keeps your program running.

          Once you are done you just end the program and the user can reboot as normal.

          There's some info on the technique here:
          How do I disable Command-Control-Eject (normal reboot)? [apple.com]

          A better plan might be to do the software update as a logout hook. That way the update can be configured to occur when the user logs out and it won't interrupt their work. You can read more about login and logout hooks here [bombich.com].

          Here are some official Apple articles on the matter:
          The Boot Process [apple.com] (includes everything from boot to shutdown)
          Customizing Login and Logout [apple.com]
      • This (the softwareupdate cli tool) can also be scripted using the 'expect' scripting language as you are trying to poke at bunches of machines at once. I use it to do password changes on our network of 300 + machines. You can include logic to check for availability of packages first to see if they need to be run, you can use variables to enter the update you'd like to apply specifically, you can have it wait once the machine reboots and log back in to try again. expect will allow you to script ssh and au
    • Re: (Score:3, Informative)

      by PygmySurfer ( 442860 )
      There's just one problem with your solution:

      * To take advantage of Software Update Server, client computers must be running Mac OS X v10.4 or later.

      The submitter stated they're using different releases of OS X, so this'll only help with their 10.4 clients. Though, I think upgrading them all to 10.4 (or better yet, waiting for 10.5 and upgrading the whole organization in one fell swoop) might not be a bad idea anyway, if they can budget for it.
    • You have to buy that and ms has the same things with their servers os for free.
      Also having your system net boot uses a lot of network bandwidth.
  • Sorry, I haven't used Mac OS since 10.3 was pretty new, and I simply can't remember certain things, but...

    Does the OS "check" for updates automatically, and just not install them, or does the user have to initiate the update-checking?

    If it checks automatically, there's gotta be a way to script installation on a per-machine basis. Even if it doesn't there's gotta be a way to script it (unfortunately I'm not the dude who knows how to do it). :)
    • It does check automatically, but it doesn't install automatically.

      Also, you have to worry about:
      - processor differences (software updates are not universal)
      - Depending on what you're updating from, what you download on one machine might not run on another. When in doubt, run the "combo" update.

      Apple does not have a chronological list of software updates release, because not all updates apply to all customers. 99% of the updates are shown to you if you need them. The other 1% you have to go hunt down.
      • by kraiger ( 704911 )
        You can have it install automatically in the background, but it would only install more crucial updates, opposed to all updates.
      • If Software Update is run on a given machine X, you do NOT have to worry about processor differences -- Software Update downloads the right update for the right CPU.
        • Right, but even though you can keep that package, it may not be appropriate for other machines on your network. That was the point I was trying to make. You face installing it from Apple on many machines instead of downloading it once and deploying it enterprise-wide.
  • My first guess would be to look at accessing software update from the command line, which would mean that it could be scripted.

    Just do "man softwareupdate" and check it out
  • by athempel ( 551232 ) on Saturday September 16, 2006 @12:46AM (#16118930)
    Read all about it. [apple.com]

    And if you'd like to script it, take a look at the man page for "softwareupdate".

    • Re: (Score:3, Informative)

      10.4 and above only. So many people are posting this just searching the Apple site. The OP runs various versions of OSX which are BELOW 10.4. The situation is compounded with mods that don't even know what the hell they are doing moding them up.
  • by __aaclcg7560 ( 824291 ) on Saturday September 16, 2006 @01:01AM (#16118969)
    Very quietly. The rest of the Enterprise doesn't know about Macs. If anyone asks, tell them that you're installing Service Pack 2.
    • The rest of the Enterprise doesn't know about Macs.

      But now at least scotty knows to use the keyboard.

  • man softwareupdate (Score:2, Informative)

    by xornor ( 165117 )
    i run "softwareupdate -ia" from the commandline for installing all updates, could you just set up a cron job to run it?
    • Re: (Score:3, Informative)

      by dr00g911 ( 531736 )
      Apple remote desktop allows for scheduling command line tasks over the entire enterprise.

      Including queuing tasks for laptops and the like that are not currently online.

      At my previous place of employment, managing about 70 non-admin and 10 or so admin capable OS X boxes, my workflow went like this:

      - Set software update to automatically download software on each machine daily
      (alternately, if you have OS X server, simply allow the server to cache all of the relevant updates and don't worry about
  • Radmind [umich.edu] is also a great tool for managing installs on OS X and UNIX/Linux machines. It might be worth a look.
  • Unlike Windows, Mac updates generally give users new features, or other desirable things.. so most users stay on top of that stuff.

    Our IT department does absolutely nothing unless a patch addressing a _major_ security hole is released, in which case they're supposed to send out an email. So far, no patch has been important enough to warrant an email. You might claim that's irresponsible, but we are talking about OS X here. If a co-worker of mine is incapable of clicking the "Install" button once every c
    • You might claim that's irresponsible, but we are talking about OS X here.

      Wow. Hope you guys don't do anything important.

      • by deepb ( 981634 )
        Wow. Hope you guys don't do anything important.
        Ahh, but we do! See, my employer has one of the strictest hiring/interview processes known to man. We will never hire someone just for the sake of filling the position - the person must be the best at whatever it is they do. 300 employees later, we've never had an issue with the patch process I described in my original post, and we never will.
        • Ahh, but we do! See, my employer has one of the strictest hiring/interview processes known to man. We will never hire someone just for the sake of filling the position - the person must be the best at whatever it is they do.

          I don't see why you're mentioning that. Being the best at something else doesn't say anything about how often they'll run updates on their computer.

          ... and we never will.

          Of course not. Because you never have before. Obviously...

          • by deepb ( 981634 )

            I don't see why you're mentioning that. Being the best at something else doesn't say anything about how often they'll run updates on their computer.

            The updates are run automatically - all the user has to do is click "Install" when the screen pops up. If one of my co-workers is incapable of pushing a button when a screen pops up once every week or two, we made a mistake in hiring him/her.

            You can argue "what-ifs" all day long, but so far there hasn't ever been a vulnerability within OS X that has been explo

            • The updates are run automatically - all the user has to do is click "Install" when the screen pops up. If one of my co-workers is incapable of pushing a button when a screen pops up once every week or two, we made a mistake in hiring him/her.

              What are you going to do when the first major OS X vulnerability does get exploited? "Sorry guys, our IT department is incompetent, so we're going to have to let you all go"?

              You can argue "what-ifs" all day long, but so far there hasn't ever been a vulnerabilit

              • by deepb ( 981634 )

                What are you going to do when the first major OS X vulnerability does get exploited? "Sorry guys, our IT department is incompetent, so we're going to have to let you all go"?

                I'll either click "Install" when the patch window pops up, or initiate the process myself (and then click "Install") when I see an email from our IT department asking me to do so. You're assuming that a large group of people can't/won't do that for some reason - I'm not sure if you own a Mac, or if you've ever seen how patches are ins

  • by Minupla ( 62455 ) <minupla@noSpaM.gmail.com> on Saturday September 16, 2006 @01:59AM (#16119106) Homepage Journal
    I misread the post title, so I had images of Picard tapping his comms badge...
    "Picard to Data: Start upgrading the MacOS workstations"
    "Data: process completed in .005 seconds. We are fully functional sir"

    Then I realized it was "in the enterprise" not "on the Enterprise"... oops. :)

    Min
  • If you are using the newest version of Apple Remote Desktop, by selecting the send Unix Command option, you can run software update on the selected computers. ARD 3.0 has many Unix command templates built in. The ones I use most frequently are repair permissions and the software update one. It is an invaluable tool for managing multiple Macs. I take care of about the same # as the parent, and ARD works great. What is awesome about it as well, it finally allows drag and drop from the computers the admin is co
  • you can't apt-get yet with cron yet?
    • Yes. Put this in a file named /etc/daily.local:

      softwareupdate -i -r

      Instead of installing the recommended (-r) updates, you can also choose to install all (-a).

      More info here [wikipedia.org].

      It would probably also be a great idea to have a local softwareupdate server, this way you don't have to download all updates every time, but instead only download them once to a local repository; additionally you could test things first before distribution. Read more info here [apple.com]. Although it seems that a local server will only work for

      • I know little about Apple besides what I read here, ancient superbowl ads, and the recent commercials featuring the dude who likes nutsacks [imdb.com]. Are there any tools similar to Microsoft's group policy so as to automate this across the network?
  • Mac OS X Updates (Score:5, Insightful)

    by RAMMS+EIN ( 578166 ) on Saturday September 16, 2006 @04:26AM (#16119378) Homepage Journal
    The OS ships with an update tool that notifies you of available updates. Unfortunately, it doesn't seem to take into account what software you have installed (it keeps telling me there's an update for iTunes, even though I don't have iTunes installed), and it only updates the software that ships with the system - anything you install separately will have to be updated separately.

    This is one of my main gripes with OS X, in fact. On Debian and Ubuntu, I have a great package manager that automatically takes care of dependencies, and keeping software up to date is as simple as apt-get update && apt-get upgrade (with graphical front ends available for those who want them). Having to manually hunt down dependencies or updates is just a pain in the behind, and can significantly increase the maintenance cost of a system.
    • by delire ( 809063 )
      Agreed. I spent some time working with OSX 10.4 recently and found the lack of an ability to upgrade installed software using an update tool like apt was sorely missed.

      Having to consciously track versions of non-OSX shipped software yourself - to go to websites to find and install updates on a per-package basis - is too labour intensive for a machine I simply want to get work done on.
      • Comment removed based on user account deletion
      • by yabos ( 719499 )
        Most programs have an auto update check themselves. It shouldn't be up to the OS to check every single program for updates it should be the program itself that should notify you of updates.
        • It shouldn't be up to the OS to check every single program for updates it should be the program itself that should notify you of updates.

          Are you kidding?! Dealing with 50 different "update managers" that all do things in different ways, and (worse yet) forcing developers of every piece of software to keep reinventing that wheel, are the last things anyone needs!

          No, the better solution would be for Apple to add a standard mechanism for software updates (like package managers do for Linux). Offhand, I woul

          • by yabos ( 719499 )
            There's no update manager. It checks in the background to a URL that replies with the current version. App checks own version against this. How hard is that? It's a lot easier than having to write code to tie into some OS managed service. You even say the software provider has to provide the current latest version number. Why not have the application do it itself with probably less than 10 lines of code(Thanks to Cocoa it's really easy) than some other convoluted method. Apple even has an example of
            • There's no update manager. It checks in the background...

              The code that does those checks in the background is what I meant by an "update manager."

              Why not have the application do it itself with probably less than 10 lines of code...

              Those ten lines of code still need to be debugged, maintained, etc., and last I checked, 10 is still greater than zero. More importantly, we're not really talking about 10 lines of code. We're talking about 10 lines of code for each and every app that runs on Mac OS. Collectivel

    • by Figaro ( 20471 )
      Check the manpage for softwareupdate.

      I just used it to block those AirPort updates for the card I don't have (softwareupdate --ignore AirPort)

      dp
      • Thanks for the tip! I will look into it next time I boot OS X (I rarely do so, because I find Debian much more comfortable).
    • Actually, Mac OS X DOES take into account what you already have installed. You keep seeing iTunes in Software Update because you don't have it installed, and Apple wants you to have it installed (it's a full installer you're prompted with, not necessarily an updater). If you don't want to see it, simply disable the update (in the File menu). OS X doesn't have the "dependency" dance you have to take into account with your Linii. Try to learn more about what you're discussing before you knock it. It turns ou
    • by Lucien ( 24198 )
      It also depends on the packages. I've been using http://macports.com/ [macports.com] (nee DarwinPorts) and it's a great package manager: install dependencies, update to the latest versions, deactivate without installing and so on.

      There's also Fink, but I found it harder to use. Check what packages they support and see what suits you.
    • Re: (Score:3, Informative)

      by tverbeek ( 457094 )

      it keeps telling me there's an update for iTunes, even though I don't have iTunes installed

      Yeah, that's because Apple believes that iTunes and QuickTime Player should be standard components of any Windows or OS X system.

      it only updates the software that ships with the system - anything you install separately will have to be updated separately.

      Incorrect. Apple's Software Update program detects and installs updates for any Apple software you have installed, whether it came with the system or not. For exam

    • by koryn ( 76105 )

      it doesn't seem to take into account what software you have installed (it keeps telling me there's an update for iTunes, even though I don't have iTunes installed)

      It's telling you what is available for install, not what updates are out there for already installed software. Subtle distinction, and if it really bugs you then select the package you're not interested in and use the "Update > Ignore Update..." menu item to stop seeing updates for those packages.

      it only updates the software that ships

      • ``It's telling you what is available for install, not what updates are out there for already installed software. Subtle distinction, and if it really bugs you then select the package you're not interested in and use the "Update > Ignore Update..." menu item to stop seeing updates for those packages.''

        Ok, thanks. I find it really annoying when that window pops up, advertising updates for software I don't have or want.

        ``

        it only updates the software that ships with the system - anything you install separate

    • Re: (Score:3, Informative)

      Simply deleting an .app from the Applications folder is not enough.
      Software update is able to quickly determine what software it needs to update by looking at the receipts in the Library/Receipts/ folder.
      If you delete the receipt for iTunes in there, Software Update will no longer check for updates for iTunes.
  • One solution (Score:4, Informative)

    by Espen ( 96293 ) on Saturday September 16, 2006 @07:11AM (#16119621)
    This problem would be far simpler if it were possible to simply instruct client machines to run Software Update and install all available updates

    That's trivial. In ARD, create a Unix command task to execute as root with the command:

    softwareupdate -i -a

    This will install all the updates you would otherwise see in the GUI Software Update on the selected clients. Schedule it if you are so inclined, and don't forget to set a reboot task if one of the updates require it.
    • Re: (Score:3, Informative)

      by phillymjs ( 234426 )
      Schedule it if you are so inclined, and don't forget to set a reboot task if one of the updates require it.

      If all the machines you want to update are running Tiger, just do softwareupdate -ai && shutdown -r now to install all available updates and reboot when complete with a single command.

      Of course, that doesn't work correctly with Macs running Panther, then you would have to do softwareupdate --install --all and schedule the reboot separately in ARD because IIRC the single-letter switches don't se
      • Re: (Score:2, Insightful)

        by Marcion ( 876801 )
        Cron-ning "shutdown -r now" is a bit too simple. Imagine that some user is doing important work and their machine silently reboots, that's not good. This also creates extra work for your helpdesk, "my machine reboots, come and fix it".

        I would personally use some kind of pop-up dialog saying your computer is about to be rebooted.

        There are lots of different ways you can do this, the original bash programs were called dialog and xdialog, there are lots of equivalents these days, basically the idea is that they l
        • I never push out updates anywhere near business hours, so a silent reboot is not a problem. In fact, I usually set all the machines in my care to power on/wake up for a period late on Sunday night just for maintenance time.

          ~Philly
          • by sheldon ( 2322 )
            Until you have that guy who is running a process over night, and you reboot his computer 12 hours into a job that takes 16 hours to complete.

      • Re: (Score:3, Insightful)

        by Espen ( 96293 )
        Of course, that doesn't work correctly with Macs running Panther, then you would have to do softwareupdate --install --all and schedule the reboot separately in ARD because IIRC the single-letter switches don't seem to work for the softwareupdate command in Panther, and Panther won't wait until softwareupdate is done to execute the reboot.

        The single letter switches work fine in Panther, but you can't merge them, ie. it has to be exactly as specified in the original post: softwareupdate -i -a not softwareup
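
An added example, not code from any poster in this thread: a wrapper for the `softwareupdate -i -a` runs discussed above, suitable for cron or an ARD Unix command task, that logs what it installs and records a pending restart in a flag file instead of rebooting under a logged-in user. The `SWU`, `LOG` and `RESTART_FLAG` names, their default paths, and the layout of the sample listing are assumptions of this example.

```shell
#!/bin/sh
# Added example: wrapper around softwareupdate for cron or an ARD Unix command task.
# SWU, LOG and RESTART_FLAG are names and paths chosen for this example.
SWU="${SWU:-/usr/sbin/softwareupdate}"
LOG="${LOG:-/var/log/swu-wrapper.log}"
RESTART_FLAG="${RESTART_FLAG:-/var/run/swu-restart-needed}"

# Constructed sample of `softwareupdate -l` output (layout is an assumption),
# kept here so the parsing functions can be exercised offline.
SAMPLE_LISTING='Software Update Tool

Software Update found the following new or updated software:
   * ExampleApp-1.0
        Example App (1.0), 21000K [recommended]
   * ExampleSecUpd-1.0
        Example Security Update (1.0), 8000K [recommended] [restart]'

# Print one update label per line from a listing read on stdin.
list_labels() {
    sed -n 's/^ *\* \(.*\)$/\1/p'
}

# Succeed if any update in the listing read on stdin is marked [restart].
needs_restart() {
    grep -q '\[restart\]'
}

# List pending updates, install them, and record (not perform) a needed restart.
run_update() {
    listing=$("$SWU" -l 2>&1) || { echo "$(date) list failed" >>"$LOG"; return 1; }
    labels=$(printf '%s\n' "$listing" | list_labels)
    if [ -z "$labels" ]; then
        echo "$(date) nothing to install" >>"$LOG"
        return 0
    fi
    echo "$(date) installing: $(echo $labels)" >>"$LOG"
    # Separate switches (-i -a, not -ia), as the thread advises for Panther.
    "$SWU" -i -a >>"$LOG" 2>&1 || { echo "$(date) install failed" >>"$LOG"; return 1; }
    if printf '%s\n' "$listing" | needs_restart; then
        # Leave the reboot to a separate out-of-hours job that checks this flag.
        : >"$RESTART_FLAG"
        echo "$(date) restart required; flag written" >>"$LOG"
    fi
    return 0
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    run_update
fi
```
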
  • "What's the best way to manage updates for an office of about 150 Macs of various models with different releases of Mac OS X installed?

    First, you have to get all of your hardware on the same OS. Create a master system image of a template machine. (Take a machine, customize it the way you want, add your apps, etc. Create an asr ready disk image of the template machine using Disk Utility or Mike Bombich's fantastic NetRestore (http://bombich.com/). Distribute it however suits your environment best. NetInstall

    • First, you have to get all of your hardware on the same OS.

      If it were only that easy! That might make it easier for administrators, but it's not realistic in a work environment with different departments needing different apps, and older equipment using an older OS version (and working fine-- why risk breaking it?). Keeping it to 3 or 4 images is more realistic. It is still pretty with ARD to create groups broken into different images, though. And using a scheduled script in ARD as mentioned above is sti

      • by ktappe ( 747125 )

        That might make it easier for administrators, but it's not realistic in a work environment with different departments needing different apps, and older equipment using an older OS version (and working fine-- why risk breaking it?). Keeping it to 3 or 4 images is more realistic.

        Keeping 3 or 4 images is only realistic if you are willing to pay to increase your I.T. staffing. At the large company where I am MacOS administrator, it takes nearly all my time to maintain our single image; if we had 3 or 4 I wo

  • Write a quick AppleScript to pop up a dialog box and then run softwareupdate from the command-line ...

    This way, the user knows what's going on, and the patches get installed.

    Do a "man osascript" from the commandline. Good stuff.
  • Our local admin swears by FileWave http://www.filewave.com/ [filewave.com] It allows you to do unattended updates, push out specific files and run install packages remotely. It is a commercial package, though...
  • Since anything before 10.3 is not actively supported towards updates anymore, you can ignore those systems except for their monthly automatic updates.

    Get Mac OS X Server 10.4 and ARD 3.0 or if you have time, wait for OS X 10.5 and for the 10.4 systems you then actually have a server-based automatic update system which shouldn't be too hard to maintain if you have basic knowledge.

    I have a lab with all Mac OS'es I am supposed to support and all software we use on them. If an update comes out, I basically test
  • I got in an argument about this recently. What does an enterprise mac system look like? What software do you run that makes these macs different from home PCs? (this is ignorance, not mac bashing) Is there an equivalent administrative construct to a windows domain? Do you just use the same handlers as BSD? I've done quite a bit of enterprise work, but I've never seen a mac integrated with an enterprise architecture.
  • If you have a couple of hundred Macs to update, you not only have to worry about the OS, but also the applications. That's where the third-party file distribution applications help you. There is the open source 'rsync' of course, but that doesn't really help you with the packaging of say, the upgrade of Adobe Photoshop 7 to CS, nor the distribution of it. The program I'm most fond of is FileWave http://www.filewave.com/ [filewave.com]. With this you can distribute any software package, update, document to any number of Macs
  • Having quite a lot of experience with macs in an enterprise environment, I can assure you:
    You do not want your clients to update automatically!
    1. When you are responsible that hundreds of persons can work using the clients you are responsible for, you will want to check if an update has any unwanted impact on those clients before you update them.
    Maybe you cannot imagine the trouble you get in if one of your major applications no longer works with the newest update that was installed automatically.
    If you
  • You should take a look at radmind [umich.edu] from U-Mich for total control of the OS and apps on your Macs and other *NIX machines. Essentially it is a tripwire that can restore the entire filesystem to a known, or new, state. As Mac OS X is a primary platform for radmind it has great support and tools.

    In a typical update scenario you would:

    1. Install the update on a freshly radminded Mac.
    2. Use the radmind tools to create a difference transcript from the updated filesystem against the copy on the server.
    3. Uploa
