Installing updates when the user doesn't have admin

dtempleton
New Contributor II

I'm in the "pre-sales" phase right now and wondering if Casper will work for my company. One thing I'm getting a snag on is how things will work if we don't want our users to have admin.

The problem is that employees take their laptops home with them, carry them from their desk to the conference room to the coffee shop or client's office, and we can't "force" an update at a specific time: we need to give them the ability to install updates on their own schedule. So I can't just run a remote command to update OS X.

Separately, I'm wondering how you all handle third-party software updates: MS Office, Adobe CC, etcetera. Do you have to package up each update, or can you give a non-admin user the ability to run (for example) Microsoft Updater whenever they feel like it? I'm not particularly interested in "blocking" updates from them until they are vetted (we don't do that at the moment; we just let people install Office updates the day they come out), just giving them the ability to install them without needing me to come over and get them through the "sudo dialog."

7 REPLIES

mpermann
Valued Contributor II

@dtempleton you could use Self Service to solve your issue with installing OS and third-party updates. You can create a Self Service policy that allows your users to Install OS updates by scoping it to a smart group of any user that has 1 or more OS Updates and make the policy an ongoing policy. Then anytime the user falls into the smart group they can run Software Update from Self Service.
For third-party updates you would just need to either package up the updates yourself or hopefully just use the vendor .pkg file and make those available in Self Service. Again a smart group can be used to scope it to computers that need the specific updates. If you need more details on how to do any of this let me know.

dmohs
Contributor

In regards to third-party updates: Our school makes each update available as a separate package/policy.

In regards to updates in general: We do vet updates. Most pass. Each update is made available to the end-user to install at the time of his or her choosing. These are accessible to end-users via the app "Self Service". Occasionally, we declare a deadline. For example, I might say, "All updates must be installed by Thursday evening of next week. Any pending updates not yet installed will be forcefully installed on Friday morning." On Friday morning, I remove the updates from Self Service and change the associated "policies" to trigger on each computer's next "recurring checkin".

dtempleton
New Contributor II

Mpermann: would I have to create or download PKG files for OS X updates for that, or would it just know to grab them from Apple?

Dmohs: I guess what I'm trying to get over is how much work all of this seems. If they'd just be able to run Adobe CC updates or MS Office updates as root, they'd always get the latest updates and I wouldn't have to do anything. Now I'd have to find where to download them manually and add them to self service, and I hope they don't require any intermediate updates in order to install the new update...

mpermann
Valued Contributor II

@dtempleton the OS updates are really easy. See the screenshots below. You create a policy that has no trigger on the General panel and in Self Service panel tick to make it available in Self Service and set options as appropriate. Scope it to your smart group of computers that have 1 or more OS Updates and you're good to go.

For the other updates, like MS Office, you can download the installer pkg file from Microsoft and make it available in Self Service. You just need to make sure you scope it to the computers that need it using a smart group.

AVmcclint
Honored Contributor

For us, the biggest difficulty lies in our remote users who have to connect via VPN to access company resources including Casper. All our users stay in MS Office apps every minute the computer is on - many even set their Office apps to start up at login. If I need to push out an Office update, I set it to push at login so the updates are applied before users get to their desktop and before the apps auto-launch. For users who are remote, this isn't an option because they are already logged in when they connect to VPN. My only option for them is to ask them nicely to quit their apps and go to Self Service and apply the updates I've made available for them - sometimes that is effective, sometimes not. I prefer to be hands-on with major OS upgrades and especially if EFI and other firmware upgrades are needed. Users get impatient with big updates and may power their Macs off if the update takes too long for their liking. Or if they see the firmware update screen and hear the long tone they may freak out and shut it off before it can complete the update - yes this happens. I'm still trying to formulate a plan for upgrading our remote users to Yosemite (which also includes firmware updates). You may want to rethink the policy of letting users install updates on day 1 themselves. As anyone who fell victim to the Office 2011 14.5.0 update can tell you, vetting the updates before the users get them is a very wise thing to do.

mrheathjones
New Contributor III

You could edit the /etc/authorization file to allow users to perform software updates. When I worked at a college this is what we did rather than making everyone admins. Here is what we used (NOTE: This code may need to be adjusted for later versions of OS X):

# Sets everyone group for access to Software updates

/usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.softwareupdate:group everyone' "/Volumes/Macintosh HD/etc/authorization"

# Sets rule for session owner or admin to scan for and install software updates

/usr/libexec/PlistBuddy -c 'Set :rights:com.apple.SoftwareUpdate.scan:rule allow' "/Volumes/Macintosh HD/etc/authorization"
/usr/libexec/PlistBuddy -c 'Set :rights:system.install.apple-software:rule allow' "/Volumes/Macintosh HD/etc/authorization"
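
An added example, not part of the post above and not Casper or Apple code: a Python audit that applies the three PlistBuddy edits to a copy of an authorization plist and reports exactly which rights stop requiring an admin as a result. The sample plist is constructed for illustration, and the function names (`apply_edits`, `relaxed_rights`, `audit`) are hypothetical.

```python
import plistlib

# Constructed sample in the layout of the old /etc/authorization plist
# (a "rights" dictionary keyed by right name). The values are illustrative,
# not copied from a real system.
SAMPLE = plistlib.dumps({"rights": {
    "system.preferences.softwareupdate": {"class": "user", "group": "admin"},
    "com.apple.SoftwareUpdate.scan": {"class": "rule", "rule": "authenticate-admin"},
    "system.install.apple-software": {"class": "rule", "rule": "authenticate-admin"},
    "system.privilege.admin": {"class": "user", "group": "admin"},
}})

# The three edits from the post: (right, key, new value).
THREAD_EDITS = [
    ("system.preferences.softwareupdate", "group", "everyone"),
    ("com.apple.SoftwareUpdate.scan", "rule", "allow"),
    ("system.install.apple-software", "rule", "allow"),
]

def apply_edits(db, edits):
    """Mimic PlistBuddy 'Set': change an existing key, fail if it is absent."""
    for right, key, value in edits:
        entry = db["rights"][right]
        if key not in entry:
            raise KeyError(f"{right}:{key} does not exist")
        entry[key] = value
    return db

def relaxed_rights(db):
    """Return {right: reason} for rights that do not require an admin."""
    found = {}
    for name, entry in db["rights"].items():
        rule = entry.get("rule")
        rules = [rule] if isinstance(rule, str) else (rule or [])
        if "allow" in rules:
            found[name] = "rule=allow"
        elif entry.get("group") == "everyone":
            found[name] = "group=everyone"
    return found

def audit(plist_bytes, edits=THREAD_EDITS):
    """Rights that become non-admin only because of the edits."""
    before = relaxed_rights(plistlib.loads(plist_bytes))
    after = relaxed_rights(apply_edits(plistlib.loads(plist_bytes), edits))
    return {k: v for k, v in after.items() if k not in before}

if __name__ == "__main__":
    for right, reason in sorted(audit(SAMPLE).items()):
        print(f"{right}: {reason}")
```

Run against a copy of a real authorization plist, the same report confirms that only the software-update rights were loosened and that rights such as `system.privilege.admin` still require an admin. On OS X versions that keep these rights in the authorization database instead of `/etc/authorization`, `security authorizationdb read <right>` prints one right's definition as a plist.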

markkenny
New Contributor III

AutoPKGR running on my OS X update server. It pulls down all my application updates and puts them to testing. Once tested I change the policy and it's featured as an update for all users. They get to choose when they update or install by pressing a button.

http://www.lindegroup.com/autopkgr/