Software Update Server

Contributor II

Hey Jamfers,

I am looking to find out what is your method of updating Apple software.

In a previous life we had an Apple server (xServe <-- remember those?) running the Apple Software Update Server. We had it download everything from Apple and then we would manually enable items as we approved them. All the client SUS preferences were 'pointed' at our internal SUS. This kept a lot of the repetitive downloading off the companies Internet connection and on our local network.

Now, I want to develop a solution that give us control over what is deployed. Apple had ,long discontinued the xServe and if i wanted to run a mac based solution i'd have to do it in a VM.

• Do any of you still use Apple SUS?
• There were linux versions out there that would still connect to Apple. Anyone use these?
* Is Apple still supporting the traditional SUS or are they doing everything through the App store now?

I know they jamf just announced the 90 day delay in 10.3 -- so that would give me test time but..

What are YOU doing? ;-)


Esteemed Contributor II

@PeterG The SUS component of a NetSUS will replicate what you were familiar with from your Xserve SUS (and yes, all of the updates are still available in SUS despite Apple's position it is deprecated). One word of warning, the 500GB recommendation for NetSUS storage is too small, go for at least 1TB.

Note: This won't allow you to control an OS install from the App Store, but you can disable the OS updates.


We're at the end of transitioning off using Apple's Server app as our SUS. We're transitioning to a reposado/margarita combo configuration. Reposado is extremely flexible and can run on any hardware/OS. We have our reposado server hosted in our data center on a Linux VM running red hat. Margarita is just a nice little GUI that runs on top of reposado so you can easily approve new updates and remove deprecated ones. The project should be done in the next week or so - we're just wrapping up configuration and doing some additional pilot testing before rolling it out to all of our Macs.

Two other benefits of reposado: 1) you can create branches, and then use a tool of your choice to point your clients to different branches (so have a Beta group that gets all new updates day 0, but a production group that gets them after a week). You can also block updates completely (so prevent the Install High Sierra update rolling out). 2) You can choose to download updates locally to your reposado server, saving your clients from going to Apple to download the latest update if you have concerns about network bandwidth.

Legendary Contributor III

We've been using actual Mac servers (Mac Pros) running OS X/macOS server for years, but I've struggled with keeping SUS and other services running reliably on these boxes. I'm now in the process of setting up Reposado with Margarita on them and will turn off the SUS service, once it's all configured. Is it more work and less convenient in ways? Yes, but Apple has completely ruined OS X Server in my opinion with the crazy amount of bugs and deprecations they've been pushing it toward, and I know I'm not alone in that opinion. It's just not worth fighting it anymore.
At this point, I would definitely not bother with setting up actual macOS servers. Apple has made it clear they want that product to die and they're doing a pretty efficient job of killing it.

Contributor III

I struggled with SUS on several servers for years until Caching Server came along. Then SUS just started to work reliably.

We all know Apple lacked the resources to make macOS Server a great product. /sarc

Recently bought a small Synology NAS for testing and to familiarize myself with. Might be changing to those to replace much of what Apple has taken away,

New Contributor III

hi All, thanks for the information.

Gone through this but didn't see how we are actually targeting end points from JAMF? What kind of policy would help to make the endpoints to be updated with latest patches?

Do you suggest a policy with Smart group to target machine with Once per computer pay load or an ongoing?

From last two months we have got many security updates for Sierra and El Capitan --like 2018-002, 2018-003 and 2018-004 ?

Can you please suggest the best approach with JAMF and NetSUS to target endpoints to be in compliance?

Contributor II

Just implemented the JAMF NetSUS and deployed via Configuration profiles. Having the ability to create different branches is a great feature.

New Contributor III

@ammonsc -- Yes configuration profile helps to point end points to NetSUS. However, how are you configuring policy to check for the updates and how often are you changing the frequency to get the updates installed?

Only Config Profile will install all updates?

New Contributor III

Please share your thoughts @ammonsc even i am struggling to figure out. @ukspvmalapati Please update is you have any luck