Posted on 02-25-2015 10:10 AM
What is the best way to centralize the system update?
Thanks.
Posted on 02-25-2015 10:14 AM
@mreaso Well, if by centralize you mean updating all your clients, I would just get a Mini and host a SUS on there, having Casper point clients to your internal and running a policy to run software updates.
Posted on 02-25-2015 10:22 AM
@Sherdwain Yeah, kind of. I want to disable all clients' updates using the Apple store, then just point them to a single host by Casper. What's the best approach? Thanks.
Posted on 02-25-2015 11:31 AM
If you are looking to set up a software update server, you might want to check out a few past posts where other users have worked on them. https://jamfnation.jamfsoftware.com/discussion.html?id=12666 or https://jamfnation.jamfsoftware.com/discussion.html?id=12845
Or, if you're looking at the NetBoot/SUS Appliance it was discussed at a past JNUC and the information is posted here: https://jamfnation.jamfsoftware.com/discussion.html?id=5682
Posted on 02-25-2015 02:22 PM
I use the Caching Server on my Mac server. Clients still connect to Apple initially, but through the magic of voodoo, they're told to download it from the Caching Server instead.
The server doesn't predownload all updates though; it requires someone to request the file once for it to be cached.
Posted on 02-25-2015 02:35 PM
Guess it depends what you are trying to accomplish:
a) if you need granular control of operating system/legacy software updates, you probably want to set up an Apple Software Update Server on a Mac mini, or use Reposado on a Mac. I am not a huge fan of the NetSUS; it has not been updated and needs a lot of tweaking to get running and keep running.
b) if you just want to save bandwidth, and you are also concerned about updates to App Store items, set up a Caching server on a Mac mini server. No reason you can't run both...
c) You also have the ability to download updates (i.e. from support.apple.com/downloads) and add the packages into Casper, then create Smart Groups and policies to scope them. This currently requires a lot of work. As announced at JNUC 2014, a future version of the Casper Suite will have built-in patch management functionality, but we're not there yet.
Posted on 02-25-2015 08:34 PM
I just want to control the updates from all clients.
Which is better, SUS or Caching Server, for this approach?
Posted on 02-25-2015 09:31 PM
100% no question
reposado https://github.com/wdas/reposado
with margarita as a front end to list or unlist what items clients are able to see in their software updates
https://github.com/jessepeterson/margarita
And all this can run on a Linux VM. No need to buy Mac hardware or software.
Posted on 02-25-2015 09:38 PM
@mreaso A caching server doesn't allow you to limit which updates are available to your clients; it just points software updates that are being requested on the network internally as opposed to downloading them from Apple.
You'll want either SUS or reposado, as noted above.
Posted on 02-26-2015 11:37 AM
@Matt.Sim After XProtect, certain security updates and the inability to prevent Apple from marketing new OSs, we've given up on Apple's SUS because they're taking control away from it anyways. This literally just caused us to stop using SUS in favor of caching server. Go figure!
Posted on 02-26-2015 06:17 PM
@Chris_Hafner
I'm pretty sure there are fixes to all of that.
XProtect and certain security updates can be managed with reposado
https://managingosx.wordpress.com/2015/01/30/gatekeeper-configuration-data-and-xprotectplistconfigda...
Suppress the Yosemite update banner in the App Store
https://jamfnation.jamfsoftware.com/discussion.html?id=12694
Posted on 02-27-2015 05:15 AM
@calumhunter you are 100% correct on all fronts. As a proper solution for @mreaso's request you are quite correct. I should have thought my post through a bit more and pointed that out. I was mostly complaining about how much Apple is bastardizing their own SUS product and complicating this entire process for us (in the name of marketing and consumer protection). It's hoop after hoop from that side. Oh well... I just hate to see folks having to use all of these solutions for what used to be a checkbox.
Posted on 02-28-2015 05:54 AM
@mreaso, as pointed out, an Apple Software Update Server is what you seem to want.
Be that either via Apple Software Update Server itself, Reposado or NetSUS.
Once that's set up you can set the appropriate catalog URLs on the clients & update scheduled via the JSS.
@Chris_Hafner, we've also moved to caching server as it will only cache what's been requested. Also, we have only ever blocked the "bad" Apple updates that often get pulled or repushed. So if a "bad" update comes out we can tell the clients to ignore it via the softwareupdate command from a policy.