How are you macOS managing updates?

easyedc
Valued Contributor II

So I'm finally planning to pull the plug on a macOS 10.11/Server 5.2 which has been running our internal software update server for many years through various OS's. I'm looking for feedback on the few things that are floating around as possible options:

  • Default to the Public Mac App Store
  • Content caching server leveraging Mac App Store
  • JAMF NetSUS

I can see pros and cons of almost all of them and was looking for experiences of the group. Doing some searches, the results were mostly people talking about needing help, not really a "here's what I do and why." (And this would be so much easier with this FR.)

12 REPLIES

sam_g
Contributor

Best thing to do if you really want to control what updates go out and also have branches for updates (i.e. group A gets the High Sierra update, group B does not) is to use Reposado. There are lots of guides out there, but this is probably one of the better ones even if it's a few years old: https://clburlison.com/reposado-guide/ Here's the GitHub: https://github.com/wdas/reposado

If you'd like to stick with Apple only, the best you can do now is have a config profile that delays updates for up to 90 days. That gives you a little bit of time to test updates.

mm2270
Legendary Contributor III

I would recommend looking at Reposado as well. I kind of went through what you're looking at now a few months back and decided to spin up Reposado on all our old Mac servers that had been running OS X Server. It takes a little work to get it all set up and humming, but once you do, it works well.

easyedc
Valued Contributor II

Any issues with older hardware running Reposado? It'd be great to not spend $15k to spin up a RHEL VM and storage. I've got my current ASUS running through an old Mac mini with a 1TB SSD.

mm2270
Legendary Contributor III

Mine are mostly running on 2010 Mac Pros. But I don't see a reason you can't use it on a Mac mini like the one you have. It should run fine on that.

kburns
New Contributor III

I am on the fence as well, but due to wanting to completely control updates and also keep traffic out to the internet to a minimum, I'm thinking Reposado + Margarita is my best bet.

My only issue is that we're a multi-site organization, and I'm not sure how to best handle managing updates for each site without having updates pull from across the WAN (network team might kill me).

Anyone who has set up Reposado in a multi-site organization have any ideas?

simon_brown
New Contributor III

We are a multi-site organisation and use NetSUS in each office. This was a must, as originally the Macs in the office were overloading the network with Apple updates, especially in offices with little bandwidth. Having it in each office is not ideal, as when I need to make available certain updates this has to be changed per NetSUS server; however, it seems to work well. At least when Apple make available new updates this allows us time to test it out before disaster happens :).

ammonsc
Contributor II

Just started running the JAMF/NetSUS and so far it seems to work well.

Himanshu_panwar
New Contributor

I have been using a NetSUS appliance on Red Hat as well as on an Ubuntu box and it is working like a charm. It gives the flexibility to choose what to install and what not to.
It also gives you an option whether a Mac should download the update from NetSUS or directly from Apple SWU.

easyedc
Valued Contributor II

Just looking into everyone's suggestions (THANKS ALL!) and something jumped out at me. The JAMF NetSUS getting_started doc says:

The Software Update Server uses Reposado to sync content from Apple

So is there an advantage to using NetSUS over Reposado that I'm not seeing if all I need is SUS? I wouldn't need a GUI, but I don't think either has one anyway. We don't use NetBoot and don't need it as an LDAP proxy.

easyedc
Valued Contributor II

And I just realized...

How are you macOS managing updates?

I guess that degree from The Derek Zoolander School For Kids That Can't Read Good And Want To Do Other Things Good Too...

Nix4Life
Valued Contributor

@easyedc got to love someone that can laugh at themselves; we knew what you meant. @mm2270 take a look at repotoddy to automate your software rollouts. Did you ever get that error 1100 fixed?

easyedc
Valued Contributor II

Update - I got Reposado working in test and so far so good. I do have one concern that is coming out of all this SUS testing. Reposado leverages the catalogs that Apple currently publishes, but there's a functional SUS feature available in the Server.app still today. Is there an honest expectation that Apple's not going to yank it out and Reposado breaks under macOS Mojave or future OS's?