I am looking to create a new policy for software update to try to capture some of our laptop carts. These machines are either inaccessible or in use, so I have a hard time keeping them updated. Does anyone have a nifty way of setting it up so that only install software updates that do not require a restart are installed? It's not ideal, but it's better than never doing any updates on these machines.
Solved
Software Update only if no reboot required
+24Best answer by stevewood
I utilize an EA to figure out of a machine has updates that require a restart. I then scope a Smart Group off of that so I can create a policy to install those updates at any time. Machines that require a restart go into another SG and that is used by a policy that appears in Self Service for users to install the updates when they can. The policy runs Software Update from the Terminal.
EA:
#!/bin/bash
/usr/sbin/softwareupdate -l | /usr/bin/grep -i "restart"
if [[ `/bin/echo "$?"` == 0 ]] #if it was successful
then echo "<result>1</result>"
else echo "<result>0</result>"
fi
exit 0Then the policy just has this in the Run field on the last tab:
softwareupdate -iaBoth policies use that command, just one of them is triggered by Self Service and one is set to Every15 when I enable it.
+24This is an excerpt from a larger script I had put together a while ago for the same purpose, but never really used. I know this works on 10.6 and 10.7, but I believe its broken under 10.8 for some reason. Software Update on the command line operates a little differently in Mountain Lion and I honestly never bothered to figure out how to fix it.
#!/bin/sh
theDate=`date +%m-%d-%Y_%H-%M`
## Get all software updates required and export to a file
softwareupdate -l > /tmp/SWUList_$theDate.txt
SWUList="/tmp/SWUList_$theDate.txt"
## Generate short name list of updates that do not require a restart
UpdateList=$(cat $SWUList | sed -e '/restart/d' -ne '/recommended/{g;1!p;};h' | cut -d "*" -f 2 | tr '
' ' ')
## Get human readable list of updates that do not require a restart
ReadList=$(cat $SWUList | awk -F, '/[recommended]$/{ print $1 }')
echo "The following updates will be installed: $UpdateList"
echo "The following updates will be installed: $ReadList"
softwareupdate -i $UpdateList
rm $SWUlist
exit 0In my full script I had it working as a Self Service item that presented a list of the human readable updates that would be installed, with either an Applescript dialog or with jamfHelper.app, depending on how many lines were returned. (jamfHelper can only display so many lines before the rest gets cut off) In the background it would send the short name list of updates back into softwareupdate to actually install them.
I also had some logic in the script that would cause it to stop if no updates were found, i.e, if the $UpdateList was empty.
+38I utilize an EA to figure out of a machine has updates that require a restart. I then scope a Smart Group off of that so I can create a policy to install those updates at any time. Machines that require a restart go into another SG and that is used by a policy that appears in Self Service for users to install the updates when they can. The policy runs Software Update from the Terminal.
EA:
#!/bin/bash
/usr/sbin/softwareupdate -l | /usr/bin/grep -i "restart"
if [[ `/bin/echo "$?"` == 0 ]] #if it was successful
then echo "<result>1</result>"
else echo "<result>0</result>"
fi
exit 0Then the policy just has this in the Run field on the last tab:
softwareupdate -iaBoth policies use that command, just one of them is triggered by Self Service and one is set to Every15 when I enable it.
+24Steve: Say you have a list of updates; 2 require restart and 3 don't. Does your method install the 3 that don't or do those updates get lumped together?
+38They are lumped together. I guess I could take the approach that Mike did and install just the non-restart updates. I haven't gone that far yet. I've been wanting to work on a new update policy but haven't had time. It's been one of those hot topics on the list for years, how to do updates gracefully while letting your users know what's going on.
Plenty of ways to skin the cat.
+24Is there a reason you aren't checking the "Install All Software Updates" option in the Packages tab? Does that only get recommended updates or something?
+24@Steve, I like the EA approach you have. Something I never really thought about doing. The issue I see with it though is you are probably missing a bunch of Macs that have updates that both require and don't require a restart. There may only be a small amount of Macs that have non restart updates only.
With the script I have, it doesn't matter if there is a mix. It only installs the updates that don't require a restart and skips the rest. I might consider combining these 2 approaches; use an EA to find those Macs that have available updates that don't require a restart and scope that group to a policy that runs a script similar to mine to install them on next check in, or once a week, etc. That way there doesn't need to be any logic in the script itself to run a check to see if the list returned was empty.
The only drawback I see is that it means each inventory submission you are doing a full 'softwareupdate -l', possibly in addition to the one your inventory framework is already doing. I don't necessarily love that idea.
@msblake - every update listed in Software Update is labeled as "recommended", as far as I can tell. I can't recall the last time I saw one that didn't have the "recommended" label attached to it, so the "Install All Software Updates" box would install everything, ones that do and don't require a reboot.
+17I've got software update in self service also - used CocoaDialog for user interaction to give them a warning that a reboot would be required and let them choose to continue or not at that time...
+10I was trying to figure out the same thing and came up with something quick and dirty.
#!/bin/sh
NoRestartUpdates=`/usr/bin/sudo /usr/sbin/softwareupdate -l | /usr/bin/grep -v restart | /usr/bin/grep -B1 recommended | /usr/bin/grep -v recommended | /usr/bin/awk '{print $2}' | /usr/bin/awk '{printf "%s ", $0}'`
/usr/bin/sudo /usr/sbin/softwareupdate -i $NoRestartUpdates
exit 0
+3I have a similar situation to the OP and was hoping to do something similar:
- install updates and reboot immediately if required, and if nobody is logged in
- if a user is logged in, present them with a dialog box that allows them to reboot now, or they can dismiss it and reboot at their convenience later
- if the user dismissed the dialog and logged out without rebooting, force a reboot at log out
has anyone figured out a clever way to script this within the context of a Software Update policy?
+38Check out these two JAMF Nation posts:
https://jamfnation.jamfsoftware.com/discussion.html?id=5890
and
https://jamfnation.jamfsoftware.com/discussion.html?id=5404
I'm using the script that @lisacherie posted in the second link to do software updates. It installs updates that do not require update silently (no user interaction) and if they do require updates, uses jamfHelper to pop up a dialog box allowing the user to cancel.
Dig around in JAMF Nation and you'll find other posts on how to only allow the user to defer so many times before forcing the updates.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.