In regards to third-party updates: Our school makes each update available as a separate package/policy.

In regards to updates in general: We do vet updates. Most pass. Each update is made available to the end-user to install at the time of his or her choosing. These are accessible to end-users via the app "Self Service". Occasionally, we declare a deadline. For example, I might say, "All updates must be installed by Thursday evening of next week. Any pending updates not yet installed will be forcefully installed on Friday morning." On Friday morning, I remove the updates from Self Service and change the associated "policies" to trigger on each computer's next "recurring checkin".

Mpermann: would I have to create or download PKG files for OS X updates for that, or it would just know to grab them from Apple?

Dmohs: I guess what I'm trying to get over is how much work all of this seems. If they'd just be able to run Adobe CC updates or MS Office updates as root, they'd always get the latest updates and I wouldn't have to do anything. Now I'd have to find where to download them manually and add them to self service, and I hope they don't require any intermediate updates in order to install the new update...

@dtempleton the OS updates is really easy. See the screenshots below. You create a policy that has no trigger on the General panel and in Self Service panel tick to make it available in Self Service and set options as appropriate. Scope it to your smart group of computers that have 1 or more OS Updates and your good to go.

For the other updates, like MS Office, you can download the installer pkg file from Microsoft and make it available in Self Service. You just need to make sure you scope it to the computers that need it using a smart group.

For us, the biggest difficulty lies in our remote users who have to connect via VPN to access company resources including Casper. All our users stay in MS Office apps every minute the computer is on - many even set their Office apps to startup at login. If I need to push out an Office update, I set it to push at login so the updates are applied before users get to their desktop and before the apps auto-launch. For users who are remote, this isn't an option because they are already logged in when they connect to VPN. My only option for them is to ask them nicely to quit their apps and go to Self Service and apply the updates I've made available for them - sometimes that is effective, sometimes not. I prefer to be hands-on with major OS upgrades and especially if EFI and other firmware upgrades are needed. Users get impatient with big updates and may power their Macs off if the update takes too long for their liking. Or if they see the firmware update screen and hear the long tone they may freak out and shut it off before it can complete the update - yes this happens. I'm still trying to formulate a plan for upgrading our remote users to Yosemite (which also includes firmware updates). You may want to rethink the policy of letting users install updates on day 1 themselves. As anyone who fell victim to the Office 2011 14.5.0 update can tell you, vetting the updates before the users get them is a very wise thing to do.

You could edit the /etc/authorization file to allow users to perform software updates. When I worked at a college this is what we did rather than making everyone admins. Here is what we used (NOTE: This code may need to be adjusted for later versions of OS X):

Sets everyone group for access to Software updates

/usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.softwareupdate:group everyone' /Volumes/Macintosh HD/etc/authorization

Sets rule for session owner or admin to scan for and install software updates

/usr/libexec/PlistBuddy -c 'Set :rights:com.apple.SoftwareUpdate.scan:rule allow' /Volumes/Macintosh HD/etc/authorization
/usr/libexec/PlistBuddy -c 'Set :rights:system.install.apple-software:rule allow' /Volumes/Macintosh HD/etc/authorization

AutoPKGR running on my OS X update server. It pulls down all my application updates and puts them to testing. Once tested I change the policy and it's featured as an update for all all users. They get to chose when they update or install by pressing a button.

http://www.lindegroup.com/autopkgr/