Software updates deferral question

AVmcclint
Valued Contributor III

How does the "Defer software updates for X days" thing work? Does it count days from the release of an update OR does it count the days from when the computer is made aware of the update? Here's the scenario:
- I have the setting set to defer 1 day.
- a Mac checks for updates and there are none available on this day
- The Mac is shut down - Apple releases an update the next day.
- 5 days later the mac is turned on Should that Mac be able to install the update right then since it has been more than 1 day since the update was made available? I would think so. However, in practice I am seeing that the Mac still says that the computer "is running the latest software update allowed by your administrator" until at least the next day (day 6).

I haven't been able to find any clarification on how this process works. The way it's working now is not how I need it to work.

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor II

Yes, it counts days from the time that the Mac is made aware of the update, just as you found in your testing. I suppose this may be because the Mac may not know exactly when the update was officially released from Apple. I guess the question is, is there anything within the data that gets pulled with a software update check that indicates when the release date is for an update? I’m not sure if there is.

View solution in original post

10 REPLIES 10

mm2270
Legendary Contributor II

Yes, it counts days from the time that the Mac is made aware of the update, just as you found in your testing. I suppose this may be because the Mac may not know exactly when the update was officially released from Apple. I guess the question is, is there anything within the data that gets pulled with a software update check that indicates when the release date is for an update? I’m not sure if there is.

View solution in original post

AVmcclint
Valued Contributor III

That really bites. I tried to use the deferment as a way for me to do testing and make sure it's ok before letting users install it. Once I'm satisfied with it, then I want users to get it asap. If a computer has been sitting in a cabinet for a week and I need it updated for immediate redeployment, it won't be able to get the updates until that additional deferment time passes in addition to the week it was already offline.

mm2270
Legendary Contributor II

I can see why this would be an issue, especially in a case where a deferral is set for something like 15 or 20 days. That means that if a Mac is offline for a week or two and then sees the update once it's back online, it still needs to wait an additional week or two before the update becomes available to it. That could really cause some long delays in getting updates out.

Might I ask - why not just use a local software update server, like Reposado, to manage the updates? That way, you would still get to control when they get seen by your clients, but it would be more immediate after you enable it in the SUS, not based on a deferral period. Granted, running a SUS does have some overhead, because you have to go into the GUI and check to see which updates are showing up, enable/disable them etc. But it would give you the level of instant off/on control you're looking for I think.

AVmcclint
Valued Contributor III

@mm2270 Unfortunately there are a lot of politics involved with adding servers that aren't of the Microsoft flavor. With the demise of a true Mac Server OS, I don't have the time or resources into hacking together an ASU solution. Even getting Caching Server to work reliably has hit roadblocks and resistance with our network security folks. It's a battle I've lost on many occasions and I have bigger fish to fry.

mm2270
Legendary Contributor II

@AVmcclint Sorry to hear it's such a hassle to get anything set up that doesn't fit into a neat checkbox for you.
Just a question though, you say adding servers that aren't of the Microsoft flavor is tough, which I take to mean your org is ok with spinning up a Windows server for you to work with, correct?
If so, although it's not the standard, and I've also never done it myself, I believe Reposado can be set up successfully on a Windows server, since it really is just a web server plus curl and python under the hood. In fact, a quick search found these links. The second one is from one of the last posts on the first link, and seems to have some pretty decent instructions on how to get it set up.

https://groups.google.com/forum/#!topic/reposado/gp1bFuaPuOU
https://kb.parallels.com/en/123841

This is providing you have any bandwidth to even tackle this, and it sounds from your post like that may not be the case. Still, hopefully this is something you can tuck away for another day when you may be able to look at it.

b-wat
New Contributor

Apologies to @AVmcclint and anyone else who visited this thread to find out the issue behind continual update deferral problems. We take time out of our busy schedules to find what turn out to be difficult solutions to easy problems--only to instead find difficult people. Comments like these make me wonder what, if any, neat checkboxes some folks' personalities fit into outside of "passive aggressive" or "generally difficult."

sdagley
Honored Contributor II

@b-wat The comments from @mm2270 in this thread were much more relative/helpful than your comment with no relevant info added over a year after the last post.

mm2270
Legendary Contributor II

I read the comment from @b-wat above several times, trying to understand the context because I was definitely confused about it. I'm not sure, but it's possible what they meant was the difficult people that @AVmcclint has encountered at his place of work, meaning the difficult network security folks who won't allow a simple and secure solution to be stood up to control software updates simply because it isn't created by the Almighty Microsoft. I've run into those types of personalities myself, as I'm sure many of us have.
At least I hope that's what they were referring to, because I really don't see my comments as being "difficult" nor "passive aggressive" in any way.

jhuls
Contributor III

Yowza. Not sure where that comment came from but I'm perfectly fine with @mm2270 being "passive aggressive" or "generally difficult" with me like this when I have a question. To be clear I'm joking in that I don't see anything passive aggressive or anything wrong with what was said. If it wasn't for the apology statement, I would have just thought he was talking in general about certain people at other organizations.

sdagley
Honored Contributor II

The "next checkboxes" comment in today's post seemed like it was directed at @mm2270's post from last year using the same phrase. I don't think they understood that reference was directed to the people @AVmcclint was dealing with rather than him personally.