Updates

jstrauss
Contributor

Hey all,

Do you guys have any procedures for deploying updates to machines? If so, can you shed some light on how you handle updating clients?

Thank you much!

Jeffrey A. Strauss
Department of Educational Technology
Systems Administrator
Loyola High School of Los Angeles
1901 Venice Blvd.
Los Angeles, Ca 90006
(213) 381-5121 x265

Please consider the environment before printing this e-mail.

16 REPLIES

Not applicable

I have multiple Distribution points that are 10.5 OS X servers that also
run SUS, problem is I can't get the remote servers to pull the updates from
my master SUS. I've tried some of the suggestions without luck. Anyone
else doing this?
-Nathaniel

milesleacy
Valued Contributor

I'm just spitballing, but SUS settings ought to be a plist or plists. Perhaps you could capture the settings on your "primary" SUS and deploy
them out to your "child" SUSes.
You may need to copy the actual packages from primary to child SUSes. I'd
probably try rsync first.

With the packages copied to the appropriate place, and the plists updated,
you may get what you need.

Take this with the huge caveat that I haven't tried this. I'm just
theorizing the possibility.

----------
Miles A. Leacy IV

Apple Certified System Administrator 10.4
Apple Certified Technical Coordinator 10.5
Apple Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com

tlarkin
Honored Contributor

Yes our SUS is an Xserve that is dedicated to SUS and file sharing, and
I want it to download and cache out all approved updates to distribution
points, since our distribution points run off of RAIDs on building level
Xserves. That way they could sync the updates overnight, and during
operating hours machines would not go over the WAN for updates, they
could pull them off the casper distribution point.

Does that make sense?

jarednichols
Honored Contributor

Just spitballing here...

On your distribution SUS', could you have SUS on, but disable auto download and auto enable options? Then, use rsync to mirror the /usr/share/httpd/swupd (I think that's it) folder from the "master" to the "distribution"?

J

On 12/11/08 15:17 , "Thomas Larkin" <tlarki at kckps.org> wrote:

Yes our SUS is an Xserve that is dedicated to SUS and file sharing, and I want it to download and cache out all approved updates to distribution points, since our distribution points run off of RAIDs on building level Xserves. That way they could sync the updates overnight, and during operating hours machines would not go over the WAN for updates, they could pull them off the casper distribution point.

Does that make sense?

milesleacy
Valued Contributor

To pull your Apple updates from the Casper distribution point, you'd need to
add them to the JSS, which brings in the manual work of scoping the updates
appropriately.
The Apple Software Update service stores its info in /usr/share/swupd/html/.
Replicating the contents of this directory from one server to another
*might* get you identical Software Update Servers, but I don't know if it
would work.

What I hypothesize could work and might be worth testing is the following:

  1. Update your primary SUS
  2. Export the SUS service settings from Server Admin on the primary SUS
  3. Import the SUS service settings gathered above to your child SUS
  4. See if importing these settings causes your child SUS to update its SUS data
  5. If the answer to step 4 is no, try rsync-ing your /usr/share/swupd/html/ folder from primary SUS to child SUS.

Manually updating an SUS is something I consider a best practice. You'll
want to see what's available, download the package to a test box and vet the
update, then enable it on the SUS. What this hopes to achieve is to keep
you from having to repeat that process on every SUS in your enterprise.

----------
Miles A. Leacy IV

Apple Certified System Administrator 10.4
Apple Certified Technical Coordinator 10.5
Apple Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com

ernstcs
Contributor III

What are we updating? Silly question I know...

Apple Software Updates
JAMF Binary Updates
Adobe Updates
Software Package Updates

Craig E

jarednichols
Honored Contributor

I run our own Software Update Server so I can vet any packages first. If it's ok, I release it in SUS and let the software update mechanism handle it. I do force a once monthly mandatory update. Users can run it optionally on their own or it'll pop up automatically weekly.

j

jstrauss
Contributor

Allow me to clarify:

I mean OS updates, not third-party apps or Casper updates, for which I use Self Service or deploy via policy.

- Jeff

Eyoung
Contributor

I just use the software update option in a policy set to run monthly. It points back to our in-house SU server. I take the added step of enabling by subnet to spread the load over a few nights.

Has been working a charm

ernstcs
Contributor III

I run an Apple Software Update Server and control the updates I push out. I have them scheduled to happen with Policies over the weekend for labs and office non-mobile systems. The mobile systems are a little trickier depending on the scenario.

But I have the software update server specified in the JSS, you can have more than one if you have multiple locations to deal with and then direct clients to the appropriate ASUS with network segments.

I'm sure most of the people do this.

Craig E

milesleacy
Valued Contributor

For Apple updates, I run my own Apple Software Update Server (SUS), which is
easy and fairly unobtrusive if you have any Mac OS X Server machines in your
environment and under your control (You can use the same box that runs your
JSS). I have a Casper Policy that causes each managed machine to run all
available updates from the internal SUS. You could point the managed
machines to Apple's software update server, but if you do that, you have no
control over which updates get applied and when they get applied. With your
own SUS, you can test the updates first, then add them to the SUS once
you're sure they won't break anything in your environment.
For 3rd party updates, if they're .pkg files I might add them directly to
the JSS. Sometimes I do a fresh install of the app in question, patch it to
the current update and make a new package for that app. You could create a
"new & modified" package in Composer, but that's tricky unless you know
exactly what files the application and its update modify.

Remember, test, test, test!

----------
Miles A. Leacy IV

Apple Certified System Administrator 10.4
Apple Certified Technical Coordinator 10.5
Apple Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com

jstrauss
Contributor

Well, seems like everyone's doing it the same way, and the solution works for my environment, so I'll join the team. :)

Thanks for all your input everyone. Really appreciate the help.

Jeffrey A. Strauss
Department of Educational Technology
Systems Administrator
Loyola High School of Los Angeles
1901 Venice Blvd.
Los Angeles, Ca 90006
(213) 381-5121 x265

milesleacy
Valued Contributor

Do your users run it via self-service?
I have an "updates available" smart group that consists of all machines with
0 updates available. A self-service policy scoped to this smart group
allows non-admins to run Apple updates. As silly as it may seem, this
option can inflate the egos of many users. You might be surprised how far
the illusion of control gets you with people.

Of course, I have a second policy scoped to the same group that runs over
the weekend for anyone who didn't avail themselves of self-service.

----------
Miles A. Leacy IV

Apple Certified System Administrator 10.4
Apple Certified Technical Coordinator 10.5
Apple Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com

tlarkin
Honored Contributor

I have a self service policy that runs all approved updates off of our
sus. I also download the pkg for quick critical updates and push them
out via a policy.

I only have one sus and it would be awesome if I could cache those
updates to the casper distribution points. Then I wouldn't have 6000
clients pulling updates off one server. Then just use that one server
to control it while the casper share points distribute it to their set
vlans.

milesleacy
Valued Contributor

Are the distribution points on OS X Servers? If so, the easiest solution is
to create multiple instances of SUS on different network segments.
I was thinking through an automated way to move packages from an SUS to a
Casper distribution point, and it's relatively easy to get the packages
there. The hurdle is making them useful to Software Update, or even to
Casper.

I suppose you could forego the SUS and add Apple update pkgs to your JSS and
deploy them that way. This would bring on additional work as you'd need to
determine the dependencies and compatibility of each update manually and
scope their installation appropriately. If you use an SUS and Software
Update, Apple does that work for you.

----------
Miles A. Leacy IV

Apple Certified System Administrator 10.4
Apple Certified Technical Coordinator 10.5
Apple Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com

milesleacy
Valued Contributor

Apple did the work for us.
10.5 Software Update Servers can "cascade". To set this up, you'll need to
change /etc/swupd/swupd.plist on your "child" SUSes.

/usr/libexec/PlistBuddy -c "Set :metaIndexURL http://yourprimarysus.yourcompany.com:8088/catalogs.sucatalog" /etc/swupd/swupd.plist

This will cause your "child" SUS to mirror what's on your primary SUS.

I'm trying to learn new tricks with PlistBuddy instead of sticking with
defaults. If my syntax is off, let me know. "metaIndexURL" is a root level
key in /etc/swupd/swupd.plist. Its value must be the string
"http://yourprimarysus.yourcompany.com:8088/catalogs.sucatalog" for cascading
to work.

Of course, you replace "yourprimarysus.yourcompany.com" with the fqdn of
your primary SUS.

----------
Miles A. Leacy IV

Apple Certified System Administrator 10.4
Apple Certified Technical Coordinator 10.5
Apple Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com
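
A check for the cascading setup described in the last post, as an added example that is not part of the original thread or of Apple's or JAMF's tooling: a child SUS serves whatever catalog metaIndexURL names, so this audits a copy of its swupd.plist against the intended primary and can write the corrected value. The sample plist, the host names and the function names are assumptions made for illustration; the key name, port and catalog path are the ones quoted in the thread.

```python
import plistlib
from urllib.parse import urlsplit

CATALOG_PORT = 8088                   # port and path as quoted in the thread
CATALOG_PATH = "/catalogs.sucatalog"

# Constructed sample of a child's /etc/swupd/swupd.plist. Only the key name
# metaIndexURL comes from the thread; the values and second key are made up.
SAMPLE_CHILD = plistlib.dumps({
    "metaIndexURL": "http://updates.example.invalid/index.plist",
    "exampleOtherSetting": True,
})

def expected_url(primary_fqdn):
    return f"http://{primary_fqdn}:{CATALOG_PORT}{CATALOG_PATH}"

def audit_child(plist_bytes, primary_fqdn):
    """Return the problems found in a child SUS plist; an empty list means OK."""
    try:
        settings = plistlib.loads(plist_bytes)
    except Exception as exc:          # malformed XML or unknown plist format
        return [f"unreadable plist: {exc}"]
    value = settings.get("metaIndexURL") if isinstance(settings, dict) else None
    if not isinstance(value, str):
        return ["metaIndexURL is missing or is not a root-level string"]
    problems = []
    if any(ch.isspace() for ch in value):
        # A command pasted with a wrapped line can store a newline in the value.
        problems.append("metaIndexURL contains whitespace")
    try:
        url = urlsplit(value.strip())
        host, port = (url.hostname or "").lower(), url.port
    except ValueError:
        return problems + ["metaIndexURL is not a parseable URL"]
    if host != primary_fqdn.lower():
        problems.append(f"host is {host!r}, expected {primary_fqdn.lower()!r}")
    if port != CATALOG_PORT:
        problems.append(f"port is {port!r}, expected {CATALOG_PORT}")
    if url.path != CATALOG_PATH:
        problems.append(f"path is {url.path!r}, expected {CATALOG_PATH!r}")
    return problems

def cascade_to(plist_bytes, primary_fqdn):
    """Return new plist bytes with metaIndexURL set, other keys untouched."""
    settings = plistlib.loads(plist_bytes)
    settings["metaIndexURL"] = expected_url(primary_fqdn)
    return plistlib.dumps(settings)
```

Run audit_child over a copy of each child's plist after any change to the primary's name, and treat a non-empty result as configuration drift to investigate before clients next check for updates.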