Download & Install SUS Updates on a Schedule

dstranathan
Valued Contributor II

All

Now that I have JAMF ramped-up in full production mode, I'm now planning a way to update/patch my ~300 managed Macs on a regular frequency.

My company has a monthly IT maintenance window one weekend per month, that gives IT carte blanche to push-out both Windows and Mac updates as needed (and reboot systems when required).

In the past I used scripts & ARD to attempt this task (it was sloppy and ham-fisted - as you can well imagine. So happy to have JAMF now).

I have a JSS and a SUS in my DMZ as well as my LAN, so external laptops can now be targeted.

I'm looking for ideas on how you orchestrate such a recurring task. Looking for insight into creative ways to make this process efficient, graceful and predictable.

As a base, I already have a Smart Group of Macs showing which Macs have pending SUS updates available. My screenshot shows my logic. It's basically a catch-all for any available updates that are ready/pending on my SUS.

Building a Policy to run on a scheduled time/date window isn't too hard to do (I can tweak it each month for the target dates). Configuring the SUS payload etc is a cinch, too.

I'm interested in tips and tricks to manage this. Things like displaying a JAMF message to users before/after updates, hearing your failure/success rates, etc.

Any advice is appreciated.


roiegat
Contributor III

So with us, we have to plan and document everything in advance of doing things on the production side. So what I've been doing is using the first week of the month for internal testing. I have 5-6 lab machines that I download the new updates on and test. I have a test plan I fill out for each machine that gets stored on a powershare server.

Second week of the month is UAT testing. We have 15 UAT testers and we push the updates to them and have them fill out the test plans. Again, everything is documented and stored in the correct place. During this time I also start filling out the paperwork to actually do the push on the third week in production. The third week is also when Windows gets their updates.

So when the third week of the month rolls around, we start pushing on Monday and make sure we hit as many machines as we can. We have three NetSuS's that can deliver the updates and we generally get all the machines done within two days.

While I do use a similar smart group as you do, use caution. Sometimes machines aren't talking to the right SUS, or are still pointing to the old SUS. So every now and then make sure the computers are talking to the correct SUS. Recently we started using network segmentations to fix that so it's been better.

Good luck.
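
One way to audit the "is this Mac talking to the correct SUS" concern raised in the reply above, as an added example that is not part of either post: a script in Jamf extension attribute format that classifies the client's `CatalogURL` against the SUS hosts you expect. The hostnames are hypothetical placeholders, and it assumes clients whose catalog is set through the `com.apple.SoftwareUpdate` preference domain.

```shell
#!/bin/sh
# Added example: flag Macs whose software update catalog is not one of ours.
# Hostnames below are hypothetical placeholders; replace with your SUS hosts.
EXPECTED_SUS_HOSTS="sus-lan.example.internal sus-dmz.example.com"

# Extract the lowercased host from a URL such as http://host:8088/path.
catalog_host() {
    printf '%s\n' "$1" |
        sed -n 's|^[A-Za-z][A-Za-z0-9+.-]*://\([^/:]*\).*$|\1|p' |
        tr '[:upper:]' '[:lower:]'
}

# Print "Apple default", "OK: <host>", "Unexpected: <host>" or "Unparseable".
classify_catalog() {
    url=$1
    if [ -z "$url" ]; then
        echo "Apple default"      # no CatalogURL set: client uses Apple's servers
        return 0
    fi
    host=$(catalog_host "$url")
    if [ -z "$host" ]; then
        echo "Unparseable"
        return 0
    fi
    for expected in $EXPECTED_SUS_HOSTS; do
        if [ "$host" = "$expected" ]; then
            echo "OK: $host"
            return 0
        fi
    done
    echo "Unexpected: $host"      # stale or wrong SUS: candidate for a smart group
}

# Read the configured catalog; a profile-managed setting is checked first.
read_catalog_url() {
    for plist in "/Library/Managed Preferences/com.apple.SoftwareUpdate" \
                 "/Library/Preferences/com.apple.SoftwareUpdate"; do
        url=$(defaults read "$plist" CatalogURL 2>/dev/null) && [ -n "$url" ] && {
            printf '%s\n' "$url"; return 0; }
    done
    return 0
}

# Emit in extension attribute format only where the macOS "defaults" tool exists.
if command -v defaults >/dev/null 2>&1; then
    echo "<result>$(classify_catalog "$(read_catalog_url)")</result>"
fi
```

A smart group on values beginning with "Unexpected" then lists the machines still pointing at an old or wrong SUS before the maintenance window opens.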