How to enable 10.9 Updates in Netsus

andrew
New Contributor

I ran into problems altering my NETSUS appliance to enable 10.9 updates properly. I poked around JAMFnation, and couldn't find a solution. Finally, I reached out to the fine folks at JAMF Support, and Dave promptly got back to me with a solution. Here it is:

  1. Login/SSH into your netsus installation.
  2. Edit the /var/lib/reposado/preferences.plist so that it looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CurlPath</key>
<string>/usr/bin/curl</string>
<key>LocalCatalogURLBase</key>
<string></string>
<key>UpdatesMetadataDir</key>
<string>/srv/SUS/metadata/</string>
<key>UpdatesRootDir</key>
<string>/srv/SUS/html/</string>
<key>AppleCatalogURLs</key>
    <array>
        <string>http://swscan.apple.com/content/catalogs/index.sucatalog</string>
        <string>http://swscan.apple.com/content/catalogs/index-1.sucatalog</string>
        <string>http://swscan.apple.com/content/catalogs/others/index-leopard.merged-1.sucatalog</string>
        <string>http://swscan.apple.com/content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog</string>
        <string>http://swscan.apple.com/content/catalogs/others/index-lion-snowleopard-leopard.merged-1.sucatalog</string>
        <string>http://swscan.apple.com/content/catalogs/others/index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog</string>
        <string>http://swscan.apple.com/content/catalogs/others/index-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog</string>
    </array>
</dict>
</plist>

Voila. 10.9 updates are now working. Now you just need to point your 10.9 clients to the right branch URL:

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://SUS.YOUDOMAIN.COM/others/index-10.9-mountainlion-lion-snowleopard-leopard.merged-1_<branchURL>.sucatalog

Thanks JAMF Support!


Josh_S
Contributor III

Rather than driving your clients to a specific branch URL manually, you can just update the rewrite rules for Apache. Search for the following <IfModule mod_rewrite.c> code block and add the last two lines.

/etc/apache2/sites-enabled/000-default

...
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTP_USER_AGENT} Darwin/9
        RewriteRule ^/index.sucatalog$ http://%{HTTP_HOST}/content/catalogs/others/index-leopard.merged-1.sucatalog
        RewriteCond %{HTTP_USER_AGENT} Darwin/10
        RewriteRule ^/index.sucatalog$ http://%{HTTP_HOST}/content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog
        RewriteCond %{HTTP_USER_AGENT} Darwin/11
        RewriteRule ^/index.sucatalog$ http://%{HTTP_HOST}/content/catalogs/others/index-lion-snowleopard-leopard.merged-1.sucatalog
        RewriteCond %{HTTP_USER_AGENT} Darwin/12
        RewriteRule ^/index.sucatalog$ http://%{HTTP_HOST}/content/catalogs/others/index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog
        RewriteCond %{HTTP_USER_AGENT} Darwin/13
        RewriteRule ^/index.sucatalog$ http://%{HTTP_HOST}/content/catalogs/others/index-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog
    </IfModule>
...

Edit: I believe you'll need to restart Apache after making these changes.

andrew
New Contributor

Sweet! Thanks Josh. I look forward to testing this out.

johnnasset
Contributor

Hmm, I edited the 000-default file, added the new catalog entry and bounced the server but am not seeing it in /srv/SUS/html

Josh_S
Contributor III

@johnnasset

You have to make both modifications mentioned above. The first, to /var/lib/reposado/preferences.plist, tells Reposado to synchronize the updates for this new catalog. The second, to /etc/apache2/sites-enabled/000-default, tells any Mavericks client machine that requests the default "/index.sucatalog" file to instead grab the Mavericks-specific "/content/catalogs/others/index-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog" without having to run the "defaults write" command mentioned in the first post.

johnnasset
Contributor

Thanks Josh!! Worked like a charm.

MrDros
New Contributor

@Josh_S, my 000-default has no <IfModule mod_rewrite.c>, etc.

Could you please post your complete file?

TIA Alex

mwilkerson
New Contributor III

I made the changes to the preferences.plist on our NetSUS server as described in the original post, but even after restart, I'm not seeing any Mavericks or new updates (anything from Dec 2013) listed in either of our branches, even after syncing from the web interface. I'm fairly new to this appliance, so I'm not sure if I'm missing something simple. Any thoughts?

garyj
New Contributor

My updated plist file seems to mess up the web interface. I think it might be a problem with quotes getting messed up.
What is the best way to edit the plist file?

Josh_S
Contributor III

@MrDros - Look at the very bottom of the file, it should be immediately prior to the "</VirtualHost>" tag. If your Apache config file doesn't have a mod_rewrite section, you may have to actually enable the rewrite module or something else went wrong during the NetSUS installation. I can't immediately recall, but I think an early version of the NetSUS appliance didn't use mod_rewrite. If that's the case, I'd try a new install/upgrade to v2.

@mwilkerson - I can only think that there is a typo in your file, or it is being blocked (proxy?). I would try copy/pasting the URI (everything between the <string> tags) into a web browser. You should either display or download the sucatalog file.

@garyj - Opinions vary on this. If you want to edit it via a GUI application, you could transfer it to your Mac and edit it with a plain text application (such as TextWrangler) and then transfer it back. If you want to edit it in place, you could either use "vi" or "nano". If you decide to edit it in place, make sure you make a backup of the original in case something gets messed up. It's possible that "smart quotes" are messing up the formatting. Looking at the original post, a few of those quotes used do look like some program may have accidentally made them "smart".

The only change you should be making to the reposado config file is to add in the "<key>AppleCatalogURLs</key>" and the next lines from "<array>" to "</array>"
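A way to check an edited preferences.plist for the quoting damage discussed above before Reposado reads it. This is an added example, not part of the original posts or of NetSUS/Reposado; the sample files are constructed, and treating the listed keys as required is an assumption of the example.

```python
import plistlib
from xml.parsers.expat import ExpatError

SMART_QUOTES = "\u201c\u201d\u201e\u2018\u2019"  # typographic quotes an editor may substitute
# Keys present in the thread's file; treating them as required is an
# assumption of this example, not a statement about Reposado itself.
EXPECTED_KEYS = ("UpdatesRootDir", "UpdatesMetadataDir", "AppleCatalogURLs")

# Constructed sample in the layout shown in the thread.
GOOD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>UpdatesMetadataDir</key>
    <string>/srv/SUS/metadata/</string>
    <key>UpdatesRootDir</key>
    <string>/srv/SUS/html/</string>
    <key>AppleCatalogURLs</key>
    <array>
        <string>http://swscan.apple.com/content/catalogs/others/index-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog</string>
    </array>
</dict>
</plist>
"""
# The same file after an editor "smartened" the quotes on the <plist> tag.
BAD = GOOD.decode().replace('version="1.0">', "version=\u201c1.0\u201d>").encode()


def check_preferences(data):
    """Return a list of problems found in a reposado preferences.plist (bytes)."""
    problems = []
    text = data.decode("utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in SMART_QUOTES:
                problems.append(f"line {lineno} col {col}: smart quote U+{ord(ch):04X}")
    try:
        prefs = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        problems.append(f"plist does not parse: {exc}")
        return problems
    if not isinstance(prefs, dict):
        return problems + ["top-level element is not a <dict>"]
    for key in EXPECTED_KEYS:
        if key not in prefs:
            problems.append(f"missing key: {key}")
    urls = prefs.get("AppleCatalogURLs", [])
    if not isinstance(urls, list):
        return problems + ["AppleCatalogURLs is not an <array>"]
    for url in urls:
        ok = isinstance(url, str) and url.startswith(("http://", "https://"))
        if not (ok and url.endswith(".sucatalog")):
            problems.append(f"suspicious catalog entry: {url!r}")
    return problems


if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bad", BAD)):
        print(name, check_preferences(blob) or "OK")
```

Run it against a copy of /var/lib/reposado/preferences.plist by passing the file's bytes to check_preferences().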

garyj
New Contributor

Thanks, nano did the trick.

mtyles
New Contributor

I've been having some of the same issues above, but have gotten the Netsus to see and download the 10.9 updates. I changed the reposado/preferences.plist and the 000-default files as above. My issue now is that my clients are not checking in to get the updates. Here is the URL my clients are using to check Netsus. I have 2 branches, QA and CORP. Right now I'm only using the QA branch for testing. Is the below correct?
Before enabling 10.9 updates: http://netsus/content/catalogs/others/index-mountainlion-lion-snowleopard-leopard.merged-1_QA.sucatalog
After enabling 10.9 updates:
http://netsus/content/catalogs/others/index-10.9-mountainlion-lion-snowleopard-leopard.merged-1_QA.sucatalog

Araneta
New Contributor III

NetSUS 3.0 is already out w/ 10.9 updates.

johnnasset
Contributor

Can anybody please refresh my memory on how to update an existing NetSUS from 2.0 to 3.0 via the command line?

Brad_G
Contributor II

wget http://jamfsoftware-content.s3.amazonaws.com/downloads/NetSUS_3.0.run

and

sudo sh NetSUS_3.0.run

Can't take credit for above. ClifHirtle posted the commands under the NetSUS 2.0 topic.

mtyles
New Contributor

Hit a new speed bump. I rebuilt my NETSUS server with 3.0 and it's successfully downloading 10.9.1 updates.

My issue now is: my mavericks test machine running 10.9 is not getting the 10.9.1 update. I can get other non-OS updates fine. My configuration profile scoped to the machine is setting the URL to http://netsus/content/catalogs/others/index-10.9-mountainlion-lion-snowleopard-leopard.merged-1_QA.sucatalog

Any suggestions?

johnnasset
Contributor

@mtyles

Pardon the obvious question but do you have all of the 10.9.1 updates checked as enabled in the Netsus? There are separate updates for the rMBP and MacPro.

mtyles
New Contributor

Here are the 10.9 updates I see and have all of them checked:

Name                                              Version   Date
Compatibility Update for 10.9   Package Details   1.0       2013-12-18
OS X Mavericks GM Seed          Package Details   10.9      2013-10-07
OS X Update                     Package Details   10.9.1    2013-12-16
OS X Update                     Package Details   10.9.1    2013-12-16
OS X Update                     Package Details   10.9.1    2013-12-19

mtyles
New Contributor

All of a sudden, it started working this morning. I'm now getting the 10.9.1 updates.

shakim
New Contributor III

@Josh_S
I made both modifications mentioned above.

  1. to /var/lib/reposado/preferences.plist, tells Reposado to synchronize the updates for this new catalog. >>>>This works for me.
  2. to /etc/apache2/sites-enabled/000-default, tells any Mavericks client machine that requests the default "/index.sucatalog" file to instead grab the Mavericks specific "/content/catalogs/others/index-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog" without having to run the "defaults write" command mentioned in the first post. >>>>This does not work for me.

I'm not sure if I did something wrong or am missing something. Any thoughts?

this is what my 000-default looks like:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost

    DocumentRoot /srv/SUS/html/
    <Directory />
        Options FollowSymLinks
        AllowOverride All
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    Alias /NetBoot/ "/srv/NetBoot/"
    <Directory /srv/NetBoot/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTP_USER_AGENT} Darwin/9
        RewriteRule ^/index.sucatalog$ http://%{HTTP_HOST}/content/catalogs/others/index-leopard.merged-1.sucatalog
        RewriteCond %{HTTP_USER_AGENT} Darwin/10
        RewriteRule ^/index.sucatalog$ http://%{HTTP_HOST}/content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog
        RewriteCond %{HTTP_USER_AGENT} Darwin/11
        RewriteRule ^/index.sucatalog$ http://%{HTTP_HOST}/content/catalogs/others/index-lion-snowleopard-leopard.merged-1.sucatalog
        RewriteCond %{HTTP_USER_AGENT} Darwin/12
        RewriteRule ^index.sucatalog$ http://%{HTTP_HOST}/content/catalogs/others/index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog
        RewriteCond %{HTTP_USER_AGENT} Darwin/13
        RewriteRule ^/index.sucatalog$ http://%{HTTP_HOST}/content/catalogs/others/index-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog
    </IfModule>

</VirtualHost>

Josh_S
Contributor III

@shakim

I don't have an Ubuntu test server right now, but it *looks* right. Did you remember to restart the Apache HTTPD service after making modifications? I believe, for Ubuntu, the command is the following. Or you could just restart the whole server. It's overkill, but it works.

sudo service apache2 restart

To troubleshoot, you can turn on the develop menu within Safari, other browsers have similar functionality as well, to manually modify your user agent to be "Darwin/13" and then try connecting to your server and grabbing the /index.sucatalog file to see if it correctly redirects you.

However, v3.0 of the NetSUS appliance is out now and enables 10.9 updates out of the box. Might just look at upgrading, it would probably be easier than troubleshooting.
https://jamfnation.jamfsoftware.com/discussion.html?id=9483
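The user-agent check described above can also be run offline against the config text, before Apache is restarted. This is an added example, not part of the original posts; it models only the RewriteCond %{HTTP_USER_AGENT} / RewriteRule pairs used in this thread, and SAMPLE_CONF and the user-agent string are constructed.

```python
import re

# Constructed rule block in the format posted in this thread. The Darwin/12
# pattern lacks its leading slash on purpose, so the audit has something to find.
SAMPLE_CONF = """
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} Darwin/11
    RewriteRule ^/index.sucatalog$ http://%{HTTP_HOST}/content/catalogs/others/index-lion-snowleopard-leopard.merged-1.sucatalog
    RewriteCond %{HTTP_USER_AGENT} Darwin/12
    RewriteRule ^index.sucatalog$ http://%{HTTP_HOST}/content/catalogs/others/index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog
    RewriteCond %{HTTP_USER_AGENT} Darwin/13
    RewriteRule ^/index.sucatalog$ http://%{HTTP_HOST}/content/catalogs/others/index-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog
</IfModule>
"""


def parse_rules(conf):
    """Return [(ua_regex or None, path_regex, target)] for each RewriteRule."""
    rules, pending = [], None
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "RewriteCond":
            if parts[1] == "%{HTTP_USER_AGENT}":
                pending = parts[2]
        elif len(parts) >= 3 and parts[0] == "RewriteRule":
            rules.append((pending, parts[1], parts[2]))
            pending = None  # a RewriteCond applies only to the next RewriteRule
    return rules


def resolve(rules, path, user_agent):
    """Path a request is rewritten to, or None if no rule fires.

    In <VirtualHost> context the rule pattern is matched against the URL
    path including its leading slash.
    """
    for ua_re, path_re, target in rules:
        if re.search(path_re, path) and (ua_re is None or re.search(ua_re, user_agent)):
            return target.replace("http://%{HTTP_HOST}", "")
    return None


def unredirected(conf, path="/index.sucatalog"):
    """Darwin majors named in a RewriteCond whose clients get no rewrite."""
    rules = parse_rules(conf)
    missing = []
    for ua_re, _, _ in rules:
        m = re.fullmatch(r"Darwin/(\d+)", ua_re or "")
        if m:
            # Constructed user agent; only the Darwin/<major> token matters here.
            agent = f"CFNetwork/0 Darwin/{m.group(1)}.0.0 (x86_64)"
            if resolve(rules, path, agent) is None:
                missing.append(int(m.group(1)))
    return missing


if __name__ == "__main__":
    print("Darwin majors with no redirect:", unredirected(SAMPLE_CONF))
```

Passing the text of /etc/apache2/sites-enabled/000-default to unredirected() lists the Darwin versions whose rule would never fire.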

jthurwood
New Contributor III

I'm having to manually change my Catalog URL from

http://10.86.6.124/content/catalogs/index_Cabot.sucatalog
to
http://10.86.6.124/content/catalogs/others/index-10.9-mountainlion-lion-

to get my clients to see the 10.9 updates, is there any reason for this or a fix I can change on the NETSUS appliance to get this working?

michaelhusar
Contributor II

@Josh_S
great help! thanx a lot

Micah
New Contributor

@jthurwood

We still need to make this Catalog URL change that was originally detailed by the Reposado documentation. I'm not aware of anything we can change on the NetSUS to accommodate this. Does anyone know otherwise? Right now we just have a policy that changes the Catalog URL for our clients, but the NetSUS web interface shows the default, and currently incorrect, Catalog URL.

michaelhusar
Contributor II

@jthurwood
reposado shows Name: BRANCHName
URL: http://sus.mycompany.corp/content/catalogs/index_BRANCHName.sucatalog

but you use for OS X v10.8
http://sus.mycompany.corp/content/catalogs/others/index-mountainlion-lion-snowleopard-leopard.merged-1_BRANCHName.sucatalog
so you deploy defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://sus.mycompany.corp/content/catalogs/others/index-mountainlion-lion-snowleopard-leopard.merged-1_BRANCHName.sucatalog

My whole scenario - Everyone prefers different ways - I just list what I did, hoping it helps.
I had to decide between

A) Use the Casper payload "Configure Software Updates"
uses: defaults read /private/var/root/Library/Preferences/com.apple.SoftwareUpdate CatalogURL
set by e.g. Casper Network segments

B) Use Files and Processes / Execute command: "softwareupdate -iva"
uses: defaults read /Library/Preferences/com.apple.SoftwareUpdate CatalogURL

I chose method B)
0) I upgraded NetSUS to 3.0
1) Under Network segments I have no Softwareupdate Server
2) I do not use the Casper payload Software Updates
3) I use a policy with defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL <Branch URL>
with the URL for each OSX:
OS X v10.8
http://sus.mycompany.corp/content/catalogs/others/index-mountainlion-lion-snowleopard-leopard.merged-1_<Branch name>.sucatalog
.....
4) I use a policy with Execute command: "softwareupdate -iva"

This works for me since I do not want the machines to get Updates "abroad"
You have to choose a different way when you want the machines to reach the normal "Apple SUS" without any changes for the user. Josh_S pointed that out - in his solution the Apache redirects the "normal" request for Updates without changing the Catalog URL on the client when the machines are in the right network.

ocla__09
Contributor

Hi @Josh_S I have modified the preferences.plist file in the attempt to only bring down 10.7-10.9 updates. However, when I run a sync from the web console it is still pulling updates back to 2005.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CurlPath</key>
    <string>/usr/bin/curl</string>
    <key>LocalCatalogURLBase</key>
    <string></string>
    <key>UpdatesMetadataDir</key>
    <string>/srv/SUS/metadata/</string>
    <key>UpdatesRootDir</key>
    <string>/srv/SUS/html/</string>
    <key>AppleCatalogURLs</key>
        <array>
            <string>http://swscan.apple.com/content/catalogs/others/index-lion-snowleopard-leopard.merged-1.sucatalog</string>
            <string>http://swscan.apple.com/content/catalogs/others/index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog</string>
            <string>http://swscan.apple.com/content/catalogs/others/index-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog</string>
        </array>
</dict>
</plist>

I have tried including the top level index catalog as well with the same results. I also backed up and deleted the /srv/SUS/metadata/ProductInfo.plist then ran a sync again in the hopes that would clear that list out and download just what had been specified in /var/lib/reposado/preferences.plist. I am still getting stuff back to 2005.

Can you think of anything I am missing? BTW I have not selected the checkbox to actually download the updates themselves, just catalogs. I figure I can get things working correctly before I fill up the drive with non needed updates. Is it as simple as editing the catalog file names to remove reference to leopard and snow leopard? Somehow I think not.

Thanks

Josh_S
Contributor III

@Oclassen

Welcome to the way Apple advertises updates!

This is an important note that the name of the catalog file points out: index-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog

The catalog for 10.9 includes all updates from 10.5-10.9 all merged into one file. It expects a 10.9 computer to be smart enough to pick only updates that it needs from those that are available. They have separate catalogs for older OS's because a 10.6 computer isn't necessarily compatible with a 10.9 update that just came out, even if it is an upgrade to the software on the machine.

ocla__09
Contributor

Thanks @Josh_S. So what you are saying then is I get 10.5-10.9 whether I like it or not :)

jhbush
Valued Contributor II

It looks like according to Greg this should work for 10.8 and 10.9 and then running repoutil --purge-product all-deprecated cleans up old catalog downloads.

<key>AppleCatalogURLs</key>
<array>
    <string>http://swscan.apple.com/content/catalogs/others/index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog</string>
    <string>http://swscan.apple.com/content/catalogs/others/index-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog</string>
</array>

https://github.com/wdas/reposado/blob/master/docs/reposado_preferences.txt#L40-L5

Josh_S
Contributor III

@Oclassen
By excluding the other catalog URLs, you should exclude updates that only apply to a specific version of the OS (combo updates and the like), which is helpful and might be enough for you. But updates which are not OS specific will be rolled into that merged catalog no matter how old they are. Downloading the 10.9 catalog and looking through it manually shows updates that go all the way back to 2005 and a few in 2006. Even excluding all but the latest will grab some ancient updates.

@jhbush1973

repoutil --purge-product all-deprecated

This command is very useful for Reposado maintenance and will delete any updates that have been downloaded locally, but are no longer advertised in Apple's sucatalog files and which are not enabled on any Reposado branches. Generally old updates that are still cached locally, and you have manually disabled in all branches. As @Oclassen is not storing any updates yet, there shouldn't be any updates marked as deprecated and nothing to purge.

ocla__09
Contributor

Thanks @Josh_S and @jhbush1973.

In trying to set up a secondary server to point to the internal master, I am seeing some unexpected behavior. Just wanted to double-check that I am getting the basic concepts.

I have the master set to download packages in the web console, but I have not checked this box yet on the secondary. However, it appears that when doing a repo_sync on the secondary it is in fact downloading packages and not just catalogs at this point.

If I have the master set to download packages, will the secondary server just mirror the settings of the master regardless of what is set on the web console of the secondary?

Thanks