How are you handling SUS?

New Contributor III

I am curious about how everyone is handling Apple Software Updates. At this point with Windows we host an internal WSUS and my bosses want to continue with that tradition with Apple Updates. Since we cannot scope out updates to test machines like we can in WSUS, I am curious to see what everyone else is doing. Are you just letting the machines get updates from Apple or are you managing the distribution of them.


New Contributor III

My concern is that I feel that Apple will be eliminating SUS options in macOS Server.

Contributor II

I know it is not SUS but we have Cache servers at every site. It has helped way more than we can measure on our bandwidth (School) plus we found the download speeds are faster which is obvious as the internet connection is slower than the LAN connection.


Our Apple Engineer told us that SUS has been deprecated, to reinforce your comments above. I pushed for "so how do we manage this" and his response was rather unhelpfully "The best approach is always to ensure app compatibility ahead of update releases." and:

"With hard and fast OS version limitations and users with admin rights, the best approach is user education. IT needs to maintain a matrix of app/OS version compatibility and communicate any gaps to the users.

With each major OS release, Apple IS&T publishes a “Can I Install Sierra” web page explaining any app compatibility gaps."

There are some tricks you can do to stop particular OS-level updates (or, any other app updates I guess) by using
softwareupdate --ignore "Update Name"

You can get the applicable update name by running softwareupdate --list and taking the value up to the "-" character, i.e.:
macOS Sierra Update-10.12.3 macOS Sierra Update (10.12.3)

So you run softwareupdate --ignore "macOS Sierra Update" and it won't show the 10.12.3 update anymore. The bad part is that there doesn't seem to be any way to go ahead and install 10.12.2 if you want (my test machine for example is on 10.12.1 and I can't make it just let me update to 10.12.2 if I want to, at least not that I can see).

Valued Contributor

Hi Guys, Both @anickless and @KSchroeder make good points for caching server, however if you want something that you can "legally virtualize",with a bit more control, you may want to look into setting up Reposado on a physical Linux or into Jamf's NetSUS appliance. I am also at a K-12 and use Reposado vs a Caching server

some info from a past post


Contributor III

We use an internal Apple Software Update Server and point all our lab Macs to it. We also use the same server to provide Adobe updates.

I will soon be looking into setting up a caching server to replace the SUS, but this requires discussions with the security and networks teams!

Valued Contributor II

Throwing my 2¢ into this as well. We currently are running an Apple SUS through server 5.2. We've had similar discussions with Apple and are looking to migrate off it as well. Will most likely leverage a JAMF netSUS as it's replacement. Currently have bought ourselves a bit of time since it's running still on macOS 10.12 and Server 5.2.

New Contributor II

Hi everyone,

Server v 5.4 no longer offers SUS. I'm told that Caching Server is the expected replacement, but from review it's not a direct comparable technology, and thus can not officially replace a SUS Server / Client relationship. What's everyone doing?

Valued Contributor II

@chris.denoia I'm running Server 5.4 and still using SUS. The feature is still there, but you have to view advanced settings to turn it on. 09df4f5b331545ea9459d3577ab83134

Esteemed Contributor II

@chris.denoia NetSUS bundles the SUS clone features of Reposado in a package that's easily deployable on non-Mac hardware (read that as beefier server hardware running a VM host like VMware's ESXi). Setup is very straightforward, but the 500GB disk space recommendation is on the low side these days with a current sync of the Apple updates coming in around 430GB, so you'd be better off starting with 1TB.

New Contributor III

I killed off our SUS with server app back in el cap the writing on the wall was clear. I switched to caching it. So all of our macs and ipads just go to apple to get updates and i have a wsus for the windows side. Apple is a pain with all the my way or the highway.

Valued Contributor

We have margarita/reposado on a Linux server. Until that stops working, that's going to be out solution as caching server does too give us the control that we desire.

I don't think that caching server is a good solution for larger orgs with more advanced networks.

Esteemed Contributor II

Despite all the warnings that SUS is deprecated, it is required at least through Sierra as the softwareupdate tool, which the App Store relies on for system updates, definitely expects to be talking to either a local SUS, or the Apple production SUS.