ML: Block AppStore, allow SWU

jarednichols
Honored Contributor

Currently we're blocking AppStore with restricted software. Is anyone aware of how we may be able to block AppStore but allow Software Update in Mountain Lion?

(Cue Nate saying Munki.)


ImAMacGuy
Valued Contributor II

Was wondering this myself. I haven't upgraded any of our servers to 10.8 yet, so I don't know if the auto-update works...

maybe just a script to say softwareupdate -ia?

jarednichols
Honored Contributor
maybe just a script to say softwareupdate -ia

Yeah, had certainly crossed my mind to do something in the background, but it's not ideal.

jarednichols
Honored Contributor

I poked around a bit and in /System/Library/CoreServices there is actually a SoftwareUpdate.app but it just points to the AppStore when launched. Was hoping Apple had squirreled away the "old" kind.

mm2270
Legendary Contributor III

Yeah, good question. I get the feeling Apple screwed some of us over by moving SWU into the Mac App Store. I still don't understand this decision in 10.8 in the least. They should have kept those as separate applications. More of their 'consumerization' I suppose.

I know the command line softwareupdate still works, but its behavior has been modified slightly. But like jwojda mentions, 'softwareupdate -ia' still works.
If on the other hand you're looking to block the MAS but still have users run and install their own Apple software updates, you may not have a choice but to make it into a Self Service policy they can run.

ImAMacGuy
Valued Contributor II

I just opened a ticket with Apple, as we are nearly ready to roll out 10.8 - that issue will need to be addressed.

jarednichols
Honored Contributor

"Hello, thanks for calling Apple. What can I do for you?"

"Hi, I'd like to be able to run Software Update without AppStore. It would really help us in the Enterprise" <click> "Hello?"

ernstcs
Contributor III

You mean even the automated attendant even hung up on you? No keystrokes on the keyboard even?

nessts
Valued Contributor II

if you get 10.8 it will do local software update server.
http://support.apple.com/kb/HT2794
it seems to work pretty well, so if you set the CatalogURL to:
http://localserver.localdomain:8088/index.sucatalog

like described here: http://support.apple.com/kb/HT4069
it works pretty well.

you can still choose what to enable etc.

ImAMacGuy
Valued Contributor II

@jared - yes that is pretty much how it goes, but the squeaky wheel gets the oil. And I can squeak pretty darn loud :)

jarednichols
Honored Contributor
if you get 10.8 it will do local software update server. http://support.apple.com/kb/HT2794 it seems to work pretty well, so if you set the CatalogURL to: http://localserver.localdomain:8088/index.sucatalog like described here: http://support.apple.com/kb/HT4069 it works pretty well. you can still choose what to enable etc.

The issue isn't running a local SUS, it's that AppStore is blocked. With AppStore blocked, I'm curious how we're even going to get Software Update to run on client machines.

mm2270
Legendary Contributor III

If Mac App Store is blocked, Software Updates can still run on the command line, but your users will never be able to choose the updates they want. If that's how you have it set up now, it's going to need to change, because something tells me Apple won't be the one changing anything.

It's funny. One of the concerns when the MAS first debuted was that Apple would eventually force Mac users to obtain all their apps from it. While that hasn't happened (yet), they are forcing their own updates to go through it, so it's just as bad, but in a different way.

nessts
Valued Contributor II

a policy with install all available updates checked?

jarednichols
Honored Contributor

Yeah I think it's going to have to turn into "install all updates" instead. One thing that's appealing is that new hardware supports PowerNap. We can actually update machines as they're power napping. How sweet is that?!

rockpapergoat
Contributor III

"munki"

(i aim to please.)

bentoms
Release Candidate Programs Tester

Maybe the answer will be in /etc/authorization?

Previously the keys for software update install permissions & app store installs were there.

So you may be able to block mac app from being downloaded, but updates to be run.

gregneagle
Valued Contributor

You could use Munki as an alternative interface to Software Update:

http://code.google.com/p/munki/wiki/AppleSoftwareUpdatesWithMunki

This also allows non-admins to install Apple updates.

ImAMacGuy
Valued Contributor II

Apple's response was the GUI is no longer available and to use the command line :(

barnesaw
Contributor III

I've been thinking about seeing what I could throw together to replicate the old SoftwareUpdate.app.

It may be as simple as checking receipts and self servicing the updates. But it all depends on how many printers run out of ink on my small, suburban college campus...(just kidding JAMF employees, no need to call me at work again....)

kevindigg
New Contributor

In case anyone comes looking, you can now run the App store in Software Update only mode: http://support.apple.com/kb/HT5391

donmontalvo
Esteemed Contributor III

HT5391 + _appstore group membership =

external image link

--
https://donmontalvo.com

ImAMacGuy
Valued Contributor II

don - is there an easy way to script out adding the currently logged in user to the _appstore group membership? I just used the defaults write to the com.apple.appstore, but it still prompted for Admin when I launched app store.
EDIT:

I looked through my scripts and found this was getting the users names and then applying to a group. But when I try it on mine it still doesn't work.

#!/bin/bash

# Enable Software Update-only mode in the Mac App Store on Mountain Lion.
# To enable this setting for all user accounts, log in as an admin account and execute this Terminal command:

defaults write /Library/Preferences/com.apple.appstore restrict-store-softwareupdate-only -bool yes

# Add the user who owns the console (the currently logged-in user) to the _appstore group
sName=$(ls -l /dev/console | awk '{ print $3 }')

dscl . -append /Groups/_appstore GroupMembership "$sName"

exit 0

Chris
Valued Contributor

I found that

defaults write /Library/Preferences/com.apple.appstore restrict-store-softwareupdate-only -bool yes

combined with

sudo security authorizationdb write com.apple.SoftwareUpdate.scan allow

sudo security authorizationdb write system.install.apple-software allow

seems to do the trick
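
The combination from the post above, as an added example that is not part of the original thread: it applies the preference key and the two authorization rights, then reads them back so a policy can report whether they took effect. The function names are hypothetical, and the plist shape the check accepts (the rule as a string, optionally wrapped in an array) is an assumption about what `security authorizationdb read` prints.

```sh
#!/bin/sh
# Added example (not from the thread): apply the settings, then read them back.
PREF=/Library/Preferences/com.apple.appstore
KEY=restrict-store-softwareupdate-only
RIGHTS="com.apple.SoftwareUpdate.scan system.install.apple-software"

# Reads a rights plist on stdin; succeeds only if its rule is "allow".
# Assumption: the rule appears as <string>allow</string>, optionally in an <array>.
rule_is_allow() {
    tr -d '[:space:]' |
        grep -Eq '<key>rule</key>(<array>)?<string>allow</string>'
}

# The three writes quoted in the thread (needs root).
apply_su_only() {
    defaults write "$PREF" "$KEY" -bool yes || return 1
    for right in $RIGHTS; do
        security authorizationdb write "$right" allow 2>/dev/null || return 1
    done
}

# Read-back check: prints one line per setting, returns non-zero on any miss.
verify_su_only() {
    rc=0
    if [ "$(defaults read "$PREF" "$KEY" 2>/dev/null)" = "1" ]; then
        echo "OK   $KEY"
    else
        echo "FAIL $KEY"; rc=1
    fi
    for right in $RIGHTS; do
        if security authorizationdb read "$right" 2>/dev/null | rule_is_allow; then
            echo "OK   $right"
        else
            echo "FAIL $right"; rc=1
        fi
    done
    return $rc
}

# Nothing is changed unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }
    apply_su_only && verify_su_only
fi
```

With both rights set to `allow`, any local user can scan for and install Apple software updates without an administrator prompt, which is the trade-off this configuration makes.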

ImAMacGuy
Valued Contributor II

Chris - thank you! That seems to work perfectly!