Posted on 08-06-2015 03:59 AM
Hi everyone,
We're working on some automated patching workflows over here for Apple Software Updates. One question that came up is what to do with shared machines (i.e. laptop carts) that are only online when they're being used by students. We install many updates in the background that won't affect users, but I'm curious what folks think about installing Apple updates that require a restart (i.e. Security Updates, etc).
Ideally I would like to run these (using softwareupdate -ia or similar) and then schedule a restart for that evening while the machines are unused. But will installing these updates while users are on the machines interfere with anything? Or am I just worrying too much?
Thanks in advance for your input!
Posted on 08-06-2015 04:37 AM
I install all updates in the background, including OS patches (e.g. 10.10.4 update or 10.10.4 combo update), firmware updates, and other updates which might require a restart. As far as OS patches go, the effects seem to vary.
With the 10.10.3 updates, the machines would still technically work without a restart, but the JAMF agent would stop working and I wouldn't be able to SSH into the machine until it rebooted.
With the 10.10.4 standard update, the JAMF agent and SSH worked just fine without rebooting. I assume the combo update would probably have the same problem as the 10.10.3 updates, but I haven't had a chance to test that theory.
Personally, this method has worked out OK for my environment, but I am going to be modifying my workflow sometime in the near future. Ideally, if an update gets installed and requires a restart, I would like to prompt the users after the install. That way, if applications or services aren't working properly, the user knows the cause and the resolution.
Posted on 08-06-2015 05:46 AM
We install in the background as well. In the policy, have the JSS handle the restart with notification. That seems to be the best way to handle a restart. Note: there is an issue where systems on 10.10.2, updated to .3 or higher, will have a glitch and the system will become unresponsive.
Posted on 08-06-2015 06:20 AM
We've run into that same glitch as mentioned by @joecurrin. If the Mac is on 10.10.3 and upgraded to 10.10.4, the policy will complete properly and reboot. If on 10.10.2, the process hangs, the policy never really completes and a forced reboot is needed. It's a pain in the neck. We have thousands of Macs on 10.10.2 and I'm trying to figure out the best way to get them upgraded to 10.10.4 via Self Service without the system hanging. Not many good options here it seems.
As for the original question though, I agree with @dwandro92, it will depend on the update. Sometimes it's perfectly fine to install reboot-required updates in the background, and the user can continue to work, and sometimes they will experience odd problems, like not being able to run applications, or open Terminal windows, etc.
Unfortunately, there's no one right answer here. If you want to err on the side of caution, I guess it would be better not to install any reboot-needed updates silently, since you can't be 100% sure of the experience.
Posted on 08-06-2015 06:52 AM
As already mentioned, installing OS patches in the background can yield funny results (not being able to unlock the screensaver until the reboot is done, ...).
I've had good experiences with downloading in the background and installing at shutdown/reboot.
Posted on 08-06-2015 07:22 AM
@Chris How do you go about downloading the updates in the background and forcing them to install at shutdown/reboot?
Posted on 08-06-2015 07:46 AM
@bpavlov I mostly took it from here:
#!/bin/bash
# Download all available updates now and defer the install to the next logout/shutdown.
# Relies on the /Library/Updates/index.plist "InstallAtLogout" mechanism; 10.10 only.

# Capture stderr as well: "No new software available." is written there, not to stdout.
SWU=$(/usr/sbin/softwareupdate -l 2>&1)
SWUL=$(echo "$SWU" | /usr/bin/awk '{printf "%s", $0}')
# Identifiers of recommended updates that do not need a restart (kept from the original; not used below).
NoRestartUpdates=$(echo "$SWU" | /usr/bin/grep -v restart | /usr/bin/grep -B1 recommended | /usr/bin/grep -v recommended | /usr/bin/awk '{print $2}' | /usr/bin/awk '{printf "%s ", $0}')
osvers=$(/usr/bin/sw_vers -productVersion | /usr/bin/awk -F. '{print $2}')

if [[ $osvers != 10 ]]; then
    /bin/echo "Script for 10.10 ONLY"
    exit 1
elif echo "$SWU" | /usr/bin/grep -q "No new software available."; then
    /bin/echo "No new software available."
    exit 0
elif [[ "$SWUL" == *"[recommended]"* ]]; then
    echo "Installing Updates"
    # Download everything, but do not install yet.
    /usr/bin/sudo /usr/sbin/softwareupdate -d -a
    # Register every downloaded product for installation at logout.
    /usr/libexec/PlistBuddy -c "Add :InstallAtLogout array" /Library/Updates/index.plist
    for update in $(/usr/bin/defaults read /Library/Updates/index ProductPaths | /usr/bin/grep -v "[{}]" | /usr/bin/awk -F "=" '{print $1}' | /usr/bin/grep -Eo '[^" ]+'); do
        /usr/libexec/PlistBuddy -c "Add :InstallAtLogout: string $update" /Library/Updates/index.plist
    done
    # Flag files read by softwareupdated at logout; keep them root-only readable.
    /usr/bin/touch /var/db/.SoftwareUpdateAtLogout
    /bin/chmod og-r /var/db/.SoftwareUpdateAtLogout
    /usr/libexec/PlistBuddy -c "Add -RootInstallMode STRING YES" /var/db/.SoftwareUpdateOptions
    /usr/libexec/PlistBuddy -c "Add -SkipConfirm STRING YES" /var/db/.SoftwareUpdateOptions
    /bin/chmod og-r /var/db/.SoftwareUpdateOptions
    # Restart the update daemons so they pick up the new flags.
    /bin/launchctl unload /System/Library/LaunchDaemons/com.apple.softwareupdated.plist
    sleep 2
    /bin/launchctl load /System/Library/LaunchDaemons/com.apple.softwareupdated.plist
    /bin/launchctl unload /System/Library/LaunchDaemons/com.apple.suhelperd.plist
    sleep 2
    /bin/launchctl load /System/Library/LaunchDaemons/com.apple.suhelperd.plist
fi
exit 0
Optionally insert some user notification or "you can delay this x times" trickery.
Also works in OS X O Captain! My Captain! if you adjust the version check.
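For the original question (install background-safe updates now, hold restart-required ones for the evening), here is an added example that is not from the thread or from Apple: it splits a `softwareupdate -l` listing into the two groups using the same line layout the script above parses (identifier on the "*" line, flags on the next line). The listing is constructed sample output in the 10.10 format; the product identifiers and sizes in it are made up.

```shell
#!/bin/bash
# Constructed sample of `softwareupdate -l` output (10.10 layout), not captured from a real Mac.
SAMPLE_LISTING='Software Update Tool
Copyright 2002-2012 Apple Inc.

Finding available software
Software Update found the following new or updated software:
   * OSXUpd10.10.5-10.10.5
        OS X Update (10.10.5), 1060491K [recommended] [restart]
   * Safari8.0.8Yosemite-8.0.8
        Safari (8.0.8), 58729K [recommended]
   * iTunesX-12.2.2
        iTunes (12.2.2), 219503K [recommended]'

# Read a listing on stdin and print the identifiers of recommended updates
# whose flags match $1: "restart" (needs a reboot) or "norestart" (safe in the background).
# Unlike grepping line by line, this ties each flag line to the identifier line before it.
split_updates() {
    local want="$1"
    awk -v want="$want" '
        /^ *\* /  { id = $2; next }                       # identifier line: "   * <product-id>"
        id != "" && /\[recommended\]/ {                    # flag line belonging to that identifier
            kind = ($0 ~ /\[restart\]/) ? "restart" : "norestart"
            if (kind == want) print id
            id = ""
        }'
}

# Plan for a shared machine: install no-restart updates now, only download the rest
# so they can be installed when the cart is idle. Commands are shown, not executed.
plan_updates() {
    local listing="$1" u
    for u in $(printf '%s\n' "$listing" | split_updates norestart); do
        echo "install now:   softwareupdate -i $u"
    done
    for u in $(printf '%s\n' "$listing" | split_updates restart); do
        echo "download only: softwareupdate -d $u   (install at the scheduled evening restart)"
    done
}

plan_updates "$SAMPLE_LISTING"
```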