Software Update Server Updates automatically disabling

Matt_Ellis
Contributor II

I didn't have any luck on the apple forums. So im hoping to have more here.

I am currently setting up a Software Update server for my company and im having a strange issue. I enable all updates from 2103 - Current. They show as enabled and downloaded. But when i come in the next day all updates are disabled. has anyone ever seen this issue before?

System specs:
Mac Mini Late (2012)
OS X 10.10.5
Server app 5.0.4

Mac mini, OS X Yosemite (10.10.5), Server App 5.0.4

138 REPLIES 138

dgreening
Valued Contributor II

You are using the same method as the script which Apple has been providing to address this issue! Kudos!

dliberti
New Contributor

oh really? :) Oh WOW.

Matt_Ellis
Contributor II

So it looks like in the future this will be fixed by apple depreciating ASUS. so bleh..

https://support.apple.com/en-my/HT206871

kish_jayson
Contributor

Yeah, I was not happy when I saw that. I've re-opened my AppleCare Enterprise Support Case and am pressing them for both a resolution to the existing issue and guidance on their plans to offer this functionality once SUS has been deprecated. While Caching Service seems promising, it doesn't allow any granularity about which updates are made available and when.

Matt_Ellis
Contributor II

Yea i understand i would suggest looking up https://github.com/wdas/reposado if you want even more control.

kish_jayson
Contributor

@Matt.Ellis This may be my interim fallback, but Reposado's future is contingent on Apple continuing to publish and maintain the Software Update Catalogs. I don't suspect they're going to keep doing so once SUS has officially been removed from the Server application.

timtimtim
New Contributor III

About deprecating ASUS, I'm really wondering how Apple would like us to schedule updates in the future then. They wouldn't just shut it down now, would they?

rgerman
Contributor

What kind of software update server disables software updates you've enabled. Answer, and Apple Software Update Server!! Pretty bad on Apples part not fixing this... then to have a script that can work around the issue and not share it due to NDA?? Why would they do that? Crazy...

jmunzo
New Contributor

Hey guys, been lurking this thread the past few months. I wanted to thank you all for taking the time to document your troubleshooting techniques and solutions.

@dliberti 's method has proved successful for me the past few weeks, and my updates have remained enabled since. I'm not a great programmer, but I quickly put this script together, and have used it the past few days with success, tested on OSX 10.10.5 with Server 4.0.3, OSX 10.11.3 with Server 5.0.15, and OSX 10.11.6 with Server 5.1.7.

https://github.com/jmunzo/OSX-scripts/blob/master/ASUS_Manual_Update.sh

I commented it up as much as possible. Feel free to modify it / point out issues or corrections / tell me it sucks, haha. I know it's temporary, what with Server 5.2 set to deprecate ASUS, but for now this has been tiding me over.

Thanks again for all the information and documentation!

Matt_Ellis
Contributor II

@kish.jayson Its very possible they wont keep the catalogs going. im hoping they are going to roll some sort of control mechanism into cache server. But i have a strange feeling we are just going to be abandoned and there going to expect corporate users to just trust them on every update.

I hope im wong, but Apple does have a history of forcing change even when its not need or not to the betterment of the user.

Matt_Ellis
Contributor II

@jmunzo Just wanted to say i love the script its refreshing to see such dedication to comments and just a easy to follow structure!

bnation83
New Contributor

First off, thanks for the script. I've looked at the man pages but can't find if there Is there a way to get a list off all the update IDs via the terminal. Anyone know if that is possible and how?
Looking through the script, it looks like I have to enter each ID. I'd like to enable all and then perhaps disable as I am coping the updates to a server on a stand alone network.

carlo_anselmi
Contributor III

Hello, if you only need to disable or enable ALL updates at once, you can stop SUS and manually edit /Library/Server/Software Update/Status/com.apple.server.swupdate.plist by changing the true/false key value for all occurrences
155175111ede452da60d086f814a5fd5
TextWrangler works well because it lets you unlock com.apple.server.swupdate.plist when editing/saving it.
Then simply restart SUS service
There are currently some 1420 product updates on my SUS so this is not a real solution to quickly manage enablig/disabling multiple products (e.g. disabling ALL "voices" or "speech" related updates at once)
Cheers
Carlo

powellbc
Contributor II

My initial testing shows this issue to be fixed in Server 5.2. Considering it is deprecated I am surprised.

bnation83
New Contributor

TextWrangler didn't quite work due to permissions issues. I'm not sure why I didn't think of it before, but I just used vi and did a global substitution. %s/<false/<true. First I made the changes to a backup copy, then swapped the two files and restarted SUS. It took a bit for it to read read all the enabled updates. Well see if they stay enabled.

rseide
Contributor

@powellbc I just set up a brand new Mac Mini server with macOS 10.12.3 and Server 5.2. I enabled 6 updates this morning and now they're disabled. So, for me, the bug is still there. This Mac Mini was new out of the box, so it was a clean set up. The only thing is, 10.11 was installed so I did an upgrade to 10.12.3, then installed Server 5.2.

I am not sure how to resolve this permanently. I'll take a look at the script that jmunzo created.

powellbc
Contributor II

Just last week I was told unequivocally that the bug will not be fixed by Apple support (which is expected with the deprecation of Apple SUS). I spoke too soon on the 5.2 "fix."

I have been using a script from Apple to address this. To use it:

  1. Enable desired updates.
  2. Quit Server.app
  3. Run the script. When Apple sent it to me it was named swupdate_check_and_enable.sh.
#!/bin/bash

# Require root to execute
if [ $EUID != 0 ]; then
echo "This script must be run as root, or used with sudo.  Please try again."
exit 1
fi

# Define variables for the script

servicePlist="/Library/Server/Software Update/Status/com.apple.server.swupdate.plist"
pendingDir="/Library/Server/Software Update/Status/.pending/"
updatesArray=($(awk 'BEGIN {FS="<|>";OFS="
"} /productId/{getline;print$3}' "$pendingDir".ticket_enable*))

# Check current status of updates that have a .ticket_enable_<productID> file in .pending
# and enable any updates not yet enabled

for i in "${updatesArray[@]}"

do

updateName=$(/usr/libexec/PlistBuddy -c "Print :workingSetProducts:$i:IFPkgFlagProductFamily" "$servicePlist")
updateVersion=$(/usr/libexec/PlistBuddy -c "Print :workingSetProducts:$i:CFBundleShortVersionString" "$servicePlist")
updateStatus=$(/usr/libexec/PlistBuddy -c "Print :workingSetProducts:$i:enable" "$servicePlist")

    if [ "$updateStatus" = "true" ]
        then
        echo "$i - $updateName $updateVersion is already enabled, removing the pending ticket status."
        /bin/rm "$pendingDir".ticket_enable_"$i"
        else
        echo "$i - $updateName $updateVersion is pending, but not yet enabled. We will enable it now."
        /usr/libexec/PlistBuddy -c "Set :workingSetProducts:$i:enable true" "$servicePlist"
        /bin/rm "$pendingDir".ticket_enable_"$i"
    fi

done

exit 0

rseide
Contributor

@powellbc thanks so much for that script! I'll give it a shot.

powellbc
Contributor II

PS: This was their suggested list of replacements:

  1. Reposado: https://managingosx.wordpress.com/2011/05/04/introducing-reposado/
  2. JAMF NetSUS: https://www.jamf.com/jamf-nation/third-party-products/180/netboot-sus-appliance?view=info
  3. Glarysoft Software Update: http://alternativeto.net/software/glarysoft-software-update/