software update redux (last question on this)

Posted on 07-13-2010 01:34 PM
I know I have asked this before, but before I go on with a solid set of policies I want to get some feedback from the community on what works best for all of you. I have now set up 6 SUS servers, all 10.5.8, to cascade from one parent server to 5 child servers. I also upgraded every Xserve with multiple drives so they are all running RAID 5 now. So, all I have to do is set up my parent SUS to select whatever downloads I want and enable them, and all my child servers will synchronize updates from the parent. Each child is set to auto download and enable from the parent. So I set it once and forget about it.
In the JSS I set up each SUS based on a network segment. So, I did some mass edits of locations and client data in the JSS to reflect this. Now, if I set up a self service policy to run software update, it will pull updates from the SUS set by the network segment settings, correct?
I also want to write a simple AppleScript that interacts with the user and informs them a restart is required. I figure my users never reboot anyway so if they want the new version of iTunes they are getting a reboot. I want to warn them though, so they quit all their apps and save their data. This can be easily done with the System Events in AppleScript.
So, now that I have everything set up and working exactly how I want it to, I need to figure out how to implement the software updates to the clients. I am thinking self service is the way I will go, but not quite sure how to execute it just yet. Do I script it, via manual trigger policy, and then set each manual trigger policy to pull from the subnet it was triggered on? Do I just let Casper do all the driving? I do not want any updates to be downloaded across the WAN. Each building has its own server and I want to keep all traffic within the VLANs of each building from the building specific SUS.
Thanks in advance for sharing,
Tom

Posted on 07-15-2010 09:07 AM
OK well I just got done testing this out, and it only partly works. For one I only have 10 updates in my SUS set as enabled for my clients to install. If I view the machine in Inventory and click on edit it will list my specific SUS I set for this machine. I verified my child SUS is properly mimicking these enabled updates and it is. So, I set up a policy to run all available updates off of the default SUS and it actually didn't quite work:
waiting Java for Mac OS X 10.5 Update 5
waiting Safari
waiting Keyboard Firmware Update
waiting AirPort Base Station Update 2010-001
waiting iLife Support
waiting iPhoto Update
waiting iMovie Update
Downloading Security Update 2010-004 0..20..40..60..80..100
Verifying Security Update 2010-004
waiting Security Update 2010-004
waiting iTunes
Installing Java for Mac OS X 10.5 Update 5 0..20..40..60..80..100
Done Java for Mac OS X 10.5 Update 5
Installing Safari 0..20..40..60..80..100
Done Safari
Installing Keyboard Firmware Update 0..20..40..60..80..100
Done Keyboard Firmware Update
Installing AirPort Base Station Update 2010-001 0..20..40..60..80..100
Done AirPort Base Station Update 2010-001
Installing iLife Support 0..20..40..60..80..100
Done iLife Support
Installing iPhoto Update 0..20..40..60..80..100
Done iPhoto Update
Installing iMovie Update 0..20..40..60..80..100
Done iMovie Update
Installing Security Update 2010-004 0..20..40..60..80..100
Done Security Update 2010-004
Installing iTunes 0..20..40..60..80..100
Done iTunes
Done.
You have installed one or more updates that requires that you restart your
computer. Please restart immediately.
A reboot was required with one or more of the installed updates.
Blessing i386 OS X System on /...
Creating Reboot Script...
Seems that it pulled them from Apple. Now I mass edited the location information and set the SUS for each client and it shows that is the default SUS for my client in the JSS. However, when triggering software update from a Casper policy it did not hit up my server. Instead it seems to have got its updates from Apple instead. As I have not authorized or enabled any firmware updates, or any AirPort base station updates.
What step am I missing here?
Thanks
Tom

Posted on 07-15-2010 09:13 AM
> information and set the SUS for each client and it shows that is the
> default SUS for my client in the JSS. However, when triggering
> software update from a Casper policy it did not hit up my server.
> Instead it seems to have got its updates from Apple instead. As I
> have not authorized or enabled any firmware updates, or any AirPort base
> station updates.
I saw a problem like this when my analysts would initiate software
update as an admin. We had an MCX setting to allow admins to disable
prefs. With prefs disabled they hit Apple's SUS. If there was no one
logged in and they pushed the update command through ARD it would hit
our SUS.
I'm not sure why Casper is ignoring the pref to hit your SUS server
though.
- JD

Posted on 07-15-2010 10:59 AM
OK it seems this may be a case of me not reading the manual..... On page 308 of the Casper Administration guide it says you need to check the box 'set server' to override using the default Apple server. So let me go change my policy and test it out again. We all know no one reads the manuals first, only after it doesn't work, right?

Posted on 07-15-2010 11:23 AM
Well, it still didn't work. Here is the outcome:
/usr/sbin/jamf is version 7.2
Executing Policy Software Update...
Setting Software Update Server to http://xs106-casper.kckps.org:8088/ for root...
Installing all available Software Updates...
Result of Software Update:Software Update Tool
Copyright 2002-2007 Apple
Downloading Keyboard Firmware Update 0..20..40..60..80..100
Verifying Keyboard Firmware Update
waiting Keyboard Firmware Update
Downloading Java for Mac OS X 10.5 Update 7 0..20..40..60..80..100
Verifying Java for Mac OS X 10.5 Update 7
waiting Java for Mac OS X 10.5 Update 7
Installing Keyboard Firmware Update 0..20..40..60..80..100
Done Keyboard Firmware Update
Installing Java for Mac OS X 10.5 Update 7 0..20..40..60..80..100
Done Java for Mac OS X 10.5 Update 7
Done.
Displaying message to end user...
Again, I don't have any keyboard firmware updates enabled on my SUS, though this time it did assign the client to the proper child SUS. I have verified all settings on the SUS and they are all still synchronizing as they should.
Thoughts? I am going to open a ticket with jamf
thanks
tom

Posted on 07-15-2010 11:44 AM
Oh geez, if that is it I am going to face palm.....thanks

Posted on 07-15-2010 11:48 AM
...Not sure if this still comes into play, but when Snow Leopard Server came
out it had changed the way clients connect to the SUS.
I know at one point this stopped working via the JSS so I had setup
individual policies to point the different OS's to the correct server.
(Maybe this has been fixed since then..) This was more an Apple issue than
JAMF issue, but the syntax to connect each different OS is as follows:
** Leopard **
defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL "http://SUSXserve.domain.org:8088/index-leopard.merged-1.sucatalog"
** Tiger **
defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL "http://SUSXserve.domain.org:8088/index.sucatalog"
** Snow Leopard **
defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL "http://SUSXserve.domain.org:8088/index-leopard-snowleopard.merged-1.sucatalog"
In 10.5.x Server and prior, you did not need OS specific commands, they all
shared the same syntax.
I'd try setting one manually, and seeing if your results differ.
--
Jason Weber
Technology Support Cluster Specialist
Independent School District 196
jason.weber at district196.org

Posted on 07-15-2010 11:50 AM
For the record I used this to set up the back end, and I verified it
works

Posted on 07-15-2010 11:55 AM
Also one more thing (sorry for the multiple emails) I think that when
you set the SUS since it is a user level preference, you must apply the
proper MCX settings. Like Eric pointed out I probably didn't have it
set to system wide, which I did not. So it was set to the user level of
root, since all casper policies run as root. Now, when I set it to
system wide I am willing to bet that it sets the MCX setting to often or
always, which would apply to every user on the system regardless.
I am still testing it out

Posted on 07-22-2010 12:16 AM
Well now that I set for system wide, sure enough SUS works, however, it overwrote all my MCX settings from OD.....
I need casper to manage SUS and nothing else. Ideas?
-Tom
Posted on 07-22-2010 01:46 PM
Hi Tom,
Just curious, do you have MCX enabled in JSS?
Management > Management Framework Settings > Startup Item > [x] Apply Computer Level Enforced Managed Preferences
Management > Management Framework Settings > Login/Logout Hooks > [x] Apply User Level Managed Preferences
We're in the process of getting AD schema extensions in place for storing MCX, so these settings will always be off. That said, we do want to manage SUS for all workstations. With the above disabled, we are still able to designate specific SUS for clients. I wonder if doing so would cause problems for us (like overwriting MCX applied through AD)?
Thanks,
Don
https://donmontalvo.com

Posted on 07-22-2010 02:15 PM
Nope, but I do have the set SUS box to apply system wide, which is where I think the MCX is coming from. Have tickets open with Jamf and Apple Enterprise support, so if someone cannot figure it out, I dunno what will happen. Maybe a vortex will open up and destroy the machine?
Applying settings to it now in trial and error mode. All MCX management in Casper is turned off.
Posted on 07-23-2010 02:36 AM
Hi guys, we use OD-supplied MCX settings at a user level only (drive mappings, sys pref access, etc.). Our SUS settings are enforced via Casper at a Network Segment level with the segment's default SUS set to a local one. Works fine.
Ben Toms
IT Support Analyst GREY Group
The Johnson Building, 77 Hatton Garden, London, EC1N 8JS
T: +44 (0) 20-3037-3819 |
Main: +44 (0) 20 3037 3000 | IT Helpdesk: +44 (0) 20 3037 3883

Posted on 07-23-2010 04:42 AM
You could use a startup script to assign SUS based upon OS version to point at the right catalog string. Here's mine.
j
#!/bin/sh
################################################################################################
##### Filename: setSUS.sh
##### Author: Jared F. Nichols
##### Purpose: Sets the CatalogURL for SUS depending on OS version
#####
################################################################################################
# Read the bare version number (e.g. 10.5.8) via command substitution
OS_vers=$(sw_vers -productVersion)
case "$OS_vers" in
# Leopard clients
10.5*)
defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL "http://<SERVER FQDN HERE>:8088/index-leopard.merged-1.sucatalog"
;;
# Snow Leopard clients
10.6*)
defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL "http://<SERVER FQDN HERE>:8088/index-leopard-snowleopard.merged-1.sucatalog"
;;
esac
exit 0
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
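
An audit counterpart to the catalog settings quoted in this thread, added here as an example and not code from any poster or from JAMF: it reports whether a client is pinned to the internal SUS catalog for its OS version, and flags the root-only and unset cases discussed above. `SUS_HOST` and the function names are placeholders, and reading root's user-level preference from `/var/root/Library/Preferences` is an assumption about where the "for root" setting lands.

```sh
#!/bin/sh
# Added example: audit which Software Update catalog a client is configured for.
# SUS_HOST is a placeholder, not a server named in the thread.
SUS_HOST="sus.example.org"

# Map an OS version to the catalog file names quoted in the thread.
expected_catalog() {
    case "$1" in
        10.4|10.4.*) echo "http://$SUS_HOST:8088/index.sucatalog" ;;
        10.5|10.5.*) echo "http://$SUS_HOST:8088/index-leopard.merged-1.sucatalog" ;;
        10.6|10.6.*) echo "http://$SUS_HOST:8088/index-leopard-snowleopard.merged-1.sucatalog" ;;
        *) return 1 ;;
    esac
}

# Classify a client. $1 = OS version, $2 = system-wide CatalogURL ("" if unset),
# $3 = root's user-level CatalogURL ("" if unset).
audit_catalog() {
    want=$(expected_catalog "$1") || { echo "UNKNOWN_OS"; return 0; }
    if [ "$2" = "$want" ]; then
        echo "OK"
    elif [ -z "$2" ] && [ "$3" = "$want" ]; then
        echo "ROOT_ONLY"      # only root's user-level pref is set (the case in the thread)
    elif [ -z "$2" ]; then
        echo "APPLE_DEFAULT"  # no CatalogURL set system-wide
    else
        echo "WRONG_CATALOG"  # another server, or another OS version's catalog
    fi
}

# On a Mac, audit the live values; on other systems only the functions are defined.
if command -v sw_vers >/dev/null 2>&1 && command -v defaults >/dev/null 2>&1; then
    ver=$(sw_vers -productVersion)
    sys=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate CatalogURL 2>/dev/null) || sys=""
    # Assumed location of root's user-level preference
    usr=$(defaults read /var/root/Library/Preferences/com.apple.SoftwareUpdate CatalogURL 2>/dev/null) || usr=""
    echo "$ver: $(audit_catalog "$ver" "$sys" "$usr")"
fi
```

Run as root so both preference domains are readable; anything other than `OK` means the client is not pinned to the catalog of approved updates for its OS version.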
Posted on 07-23-2010 04:44 AM
we leave this to the JAMF binary..
Ben Toms
IT Support Analyst GREY Group
The Johnson Building, 77 Hatton Garden, London, EC1N 8JS
T: +44 (0) 20-3037-3819 |
Main: +44 (0) 20 3037 3000 | IT Helpdesk: +44 (0) 20 3037 3883

Posted on 07-23-2010 06:14 AM
When I had the JSS set the update server to set machine wide I got a nice little com.jamfsoftware.mcx file in /Library/Managed Client and I have all mcx settings unchecked in my framework.
No idea if this is meant to happen or not
