Apple software update

New Contributor

Hello, i need your thoughts about an actual way of updating the macOS and Apple apps in a production environemnt.

Let me discribe our past update workflow. I have used Apples SUS Service a few years. With that solution i could activate or deactivate updates after testing and then i have installed the available updates with a weekly policy. But since OS X 10.10 the SUS service was not working correctly. And Apple does not want to provide this service in future.

For now i do the security and app updates sporadic with packages and scripts. I do not want do give the process of updating to the staff. Because we produce magazines and have here many different departments with special software. We have deadlines for many magazines in a week, printing pdfs must be produced in time and the printing company is waiting for them on a fixed date. There were issues in some past updates from apple f.e last big issue was a ethernet problem in a Yosemite security update. I want to test a update and i look to the feedback in some websites before i do my updates in our environment.

I heard that the Mac updates in big companies like IBM are done by the staff whenever they want directly from Apple. I ask me what is the situation in a big company, if there was a buggy update installed? Are these „standard working places“ and it is not problematic if there is a problem for one or two days?

I think the idea from Apple is that a client take his DEP bound Mac in the original packed box from the IT department. Then he celebrates the unpacking of his mac. He switches on the mac and installs with selfservice different things and future updates are made by the client himself whenever he think that a update is neccesary. Cool - but not for me.

Is there a chance of survial of SUS services like Reposado, Margarita or Jamf Netsus in a future view? Please share your thoughts with me.

Thank you in advance!



Contributor III
Contributor III
Is there a chance of survial of SUS services like Reposado, Margarita or Jamf Netsus in a future view?

The future of traditional SUS is somewhat uncertain, but I've been in the habit of scripting the enablement/disablement of the Software Update functionality in macOS with pretty good results.
That is, leaving all the checkboxes (auto check for updates, download newly available updates in background etc...) unchecked on production machines, leaving everything checked on test machines, and then enabling on production machines once testing has been completed (all through Jamf policy obviously.) Once fully enabled, macOS's (and I feel like Apple has really refined this best starting in Sierra,) the OS will download, stage, install updates, and perform any necessary reboots without any additional work on my part. Once the 'maintenance window' is over, you can have another Jamf policy that disables the automatic checking. You do lose the control to granularly control which specific updates are being applied, but I feel as though having a wide enough test window mitigates that loss.
If you choose to go this route caching servers are essential.
There are many prior posts detailing how to script this behavior, but have a look at the preference keys in


In, the keys




enable the auto installation of updates, while the keys in


control the behavior of the staging of updates, installation of XProtect definitions, and the OS's native software update scheduler.

As an aside, you may also want to look into managing the power nap settings on Macs that support it. If possible, enable powernap when the Mac is plugged into a power source. That allows all of this software update functionality to occur even if the system is sleeping.

Do a

man pmset

to read more about how that's done.

The users you support do also have to get used to the idea that their system may not always be in the 'exact' state they left it the night before, but that's just a user training challenge ;)

Contributor III
Contributor III

To add to the above, if you allow macOS to stage and install updates on its own, the time between staging and installation seems to be about two days on average. So any reporting you create around this type of scenario should take that into account.