Apple update server

a_simmons
Contributor II

The Macs I support are currently pointing to an internal SUS for Apple updates. I have a problem where clients take their MacBooks away from the organization for extended periods. I was wondering if anybody knows a way to get the Macs to get updates directly from Apple when they are taken away from my organization.

bentoms
Release Candidate Programs Tester

@a.simmons, do you have an externally accessible JSS?

You can run
```
sudo jamf removeSWUSettings
```
to point them @ Apple.

calum_carey
Contributor

Could network segment based policies work here?

mm2270
Legendary Contributor III

@calum_carey
Yes, but only if you had an externally facing JSS of some kind, such as a cluster with a Limited Access JSS. Then you could use an "internet" Network Segment that would encompass anyone not on one of your internally defined Network Segments to get the SUS settings reset using the command @bentoms posted above. If the JSS is only accessible from inside the network, then there wouldn't be a way to drop external clients into the "internet" network segment and thus no way to run a policy on them to remove the SUS settings.

@a.simmons
Is controlling the updates clients see important to you at all, or do you not care if they can install anything they want? If it's not important, and you do have an external JSS, then you could do what was outlined above and that should help. If you do want to control the updates, or you don't have a JSS in the DMZ, then you'll have to look at other solutions.
A while back we had looked at solving the same problem as you, and although I came up with a possible solution, we never implemented it, because we're looking to eventually go a different route.
But what I came up with was, instead of using an Apple SUS, using the JAMF NetSUS appliance and some scripting work.
One of the features of NetSUS, which comes from the underlying Reposado code it uses, is the ability to control the Update catalog, but still have the updates themselves come from Apple's servers. Kind of best of both worlds in a sense, in that you can still disable certain updates if that's important to do, but you don't need to worry about hosting the actual updates in-house. You lose some of the speed of updating since it's pulling the files from Apple, so it's a little bit of a compromise to address the issue of clients away from the network.
The trick to actually getting the clients to be able to use Software Update while not on the internal network is to curl down the CatalogURL from the NetSUS appliance into a file located on their Macs, and then script it to point Software Update to use that local file as the CatalogURL.
If you're interested, I could run through the basics of how I had it working.

calum_carey
Contributor

Hmm,
How about creating a launchd item and script to run, say, daily?
The script could check for the JSS connection. If JSS Connection = unavailable,
then do the jamf removeSWUSettings.
When the JSS connection becomes available again, you could have it run a policy via manual trigger to reinstate the SWU settings.
Of course, all the above comments apply regarding what your intentions are with the software update server, i.e. are you just wanting cached updates, or are you trying to prevent users installing updates before they are vetted?
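
Added example, not part of the original thread: one way to script the daily check described in the last reply, tracking state so the SUS settings are removed once when the JSS is unreachable and reinstated once when it returns. The jamf binary path, the state file location, and the custom trigger name `restoreSUS` are assumptions; the trigger is hypothetical and needs a matching policy in the JSS.

```shell
#!/bin/bash
# Added example (not from the thread). Run as root, e.g. daily from a LaunchDaemon.
# Assumptions: jamf binary path, state file path, and the custom policy
# trigger name "restoreSUS" (hypothetical; create a matching policy in the JSS).
JAMF="${JAMF:-/usr/local/bin/jamf}"
STATE_FILE="${STATE_FILE:-/var/db/.sus_mode}"
RESTORE_TRIGGER="${RESTORE_TRIGGER:-restoreSUS}"

# decide_action <jss_exit_code> <last_mode>  ->  prints remove | restore | none
# last_mode is "apple" once the SUS settings have been removed, else "internal".
decide_action() {
    local jss_rc="$1" last_mode="$2"
    if [ "$jss_rc" -ne 0 ]; then
        # JSS unreachable: fall back to Apple once, then stay quiet.
        if [ "$last_mode" = "apple" ]; then echo none; else echo remove; fi
    else
        # JSS reachable: reinstate the internal SUS only if we removed it.
        if [ "$last_mode" = "apple" ]; then echo restore; else echo none; fi
    fi
}

sync_sus() {
    local last_mode rc=0 action
    last_mode="$(cat "$STATE_FILE" 2>/dev/null || echo internal)"
    "$JAMF" checkJSSConnection -retry 1 >/dev/null 2>&1 || rc=$?
    action="$(decide_action "$rc" "$last_mode")"
    # Record the new mode only when the jamf command exited zero,
    # so a failed run is retried on the next launchd interval.
    case "$action" in
        remove)  "$JAMF" removeSWUSettings >/dev/null 2>&1 && echo apple > "$STATE_FILE" ;;
        restore) "$JAMF" policy -event "$RESTORE_TRIGGER" >/dev/null 2>&1 && echo internal > "$STATE_FILE" ;;
    esac
    echo "$action"
}

# Only act when invoked with --run, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    sync_sus
fi
```

The LaunchDaemon would call the script with `--run`. While a Mac is in the "apple" state it sees every update Apple publishes, so this only suits the case where vetting updates is not a requirement.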