Slashdot: News for Nerds

Managing Mac OS Updates in an Enterprise?

Cliff posted more than 7 years ago | from the a-nontrivial-problem dept.

An anonymous reader asks: "What's the best way to manage updates for an office of about 150 Macs of various models with different releases of Mac OS X installed? I would assume the solution involves Apple Remote Desktop Administrator which makes it possible to install updates on client machines without interrupting the user — but then the question becomes how do you keep track of which updates to install? Does Apple have some page squirreled away that lists updates they've released in chronological order with the ability to filter based on OS version and model? Is there an RSS feed or mailing list that announces new updates? For the uninitiated, ARD Admin only lets you install specified packages, so you have to download the updates manually from Apple's website, then queue the packages to be installed on a particular set of machines. This problem would be far simpler if it were possible to simply instruct client machines to run Software Update and install all available updates, or even better, if Apple included automatic update functionality within the OS, a la Windows XP."

79 comments

Mac OS X Server (5, Informative)

Hes Nikke (237581) | more than 7 years ago | (#16118885)

um... have you read about any of Apple's solutions besides ARD? how 'bout this [apple.com] or this [apple.com]?

i'm not sure i can put it any more bluntly O_o

btw... first post!(?)

Re:Mac OS X Server (5, Informative)

Graff (532189) | more than 7 years ago | (#16118976)

Automatic updates are also very simple to set up with the softwareupdate tool located at:
/usr/sbin/softwareupdate
It has a man page and everything. You can use this to set up a cron job or whatever to do the updates automatically.

There's more info on this at Mike's Mac OS X Management Software and Tips [bombich.com] and at Apple's Knowledgebase [apple.com]

Re:Mac OS X Server (1)

supersuckers (841107) | more than 7 years ago | (#16119737)

Unfortunately, this still isn't a great solution. We have a few hundred macs where I work, running software update once a week (they are staggered), by way of a cron job. Seems that if for some reason a mac is rebooted during this job, there is a good chance the OS will get completely hosed, corrupting the file system to a point that all the goofy tools out there still can't fix it. For some reason, booting single user mode you can still read the data, then shove it off onto a firewire drive.

Re:Mac OS X Server (1)

countach (534280) | more than 7 years ago | (#16119817)

I find it hard to believe rebooting it could corrupt the file system. Are you sure you have a clue?

Re:Mac OS X Server (1)

mrchaotica (681592) | more than 7 years ago | (#16121642)

He probably didn't mean "corrupting the filesystem," as in screwing up the inodes or whatever; he probably meant "corrupting the OS," as in installing an update halfway (or possibly truncating files), such that the OS is missing pieces of itself, and can't run.

In other words, what he's really complaining about is that updates are (apparently) not atomic.

Re:Mac OS X Server (2, Insightful)

Simon80 (874052) | more than 7 years ago | (#16120547)

Run the updates at night then, when the computers won't be getting rebooted..

Re:Mac OS X Server (3, Informative)

Graff (532189) | more than 7 years ago | (#16121845)

There's a way to prevent this. Basically you make a small program which registers the "quit application" event and when the program receives that event you send back a "user canceled" error result to the system. This cancels the reboot and keeps your program running.

Once you are done you just end the program and the user can reboot as normal.

There's some info on the technique here:
How do I disable Command-Control-Eject (normal reboot)? [apple.com]

A better plan might be to do the software update as a logout hook. That way the update can be configured to occur when the user logs out and it won't interrupt their work. You can read more about login and logout hooks here [bombich.com] .

Here are some official Apple articles on the matter:
The Boot Process [apple.com] (includes everything from boot to shutdown)
Customizing Login and Logout [apple.com]

Re:Mac OS X Server (1)

Knightscape (832324) | more than 7 years ago | (#16132928)

This (the softwareupdate cli tool) can also be scripted using the 'expect' scripting language as you are trying to poke at bunches of machines at once. I use it to do password changes on our network of 300+ machines. You can include logic to check for availability of packages first to see if they need to be run, you can use variables to enter the update you'd like to apply specifically, you can have it wait once the machine reboots and log back in to try again. expect will allow you to script ssh and automate login processes so on large networks it is easier to maintain with fewer admins.

Re:Mac OS X Server (2, Informative)

PygmySurfer (442860) | more than 7 years ago | (#16118996)

There's just one problem with your solution:

* To take advantage of Software Update Server, client computers must be running Mac OS X v10.4 or later.

The submitter stated they're using different releases of OS X, so this'll only help with their 10.4 clients. Though, I think upgrading them all to 10.4 (or better yet, waiting for 10.5 and upgrading the whole organization in one fell swoop) might not be a bad idea anyway, if they can budget for it.

Re:Mac OS X Server (1)

Joe The Dragon (967727) | more than 7 years ago | (#16120029)

You have to buy that and MS has the same things with their server OS for free.
Also having your system net boot uses a lot of network bandwidth.

Seriously, no auto-update? (1)

cooley (261024) | more than 7 years ago | (#16118896)

Sorry, I haven't used Mac OS since 10.3 was pretty new, and I simply can't remember certain things, but...

Does the OS "check" for updates automatically, and just not install them, or does the user have to initiate the update-checking?

If it checks automatically, there's gotta be a way to script installation on a per-machine basis. Even if it doesn't there's gotta be a way to script it (unfortunately I'm not the dude who knows how to do it). :)

Re:Seriously, no auto-update? (1)

macmastery (600662) | more than 7 years ago | (#16118933)

It does check automatically, but it doesn't install automatically.

Also, you have to worry about:
- processor differences (software updates are not universal)
- Depending on what you're updating from, what you download on one machine might not run on another. When in doubt, run the "combo" update.

Apple does not have a chronological list of software updates released, because not all updates apply to all customers. 99% of the updates are shown to you if you need them. The other 1% you have to go hunt down.

Re:Seriously, no auto-update? (1)

kraiger (704911) | more than 7 years ago | (#16119013)

You can have it install automatically in the background, but it would only install more crucial updates, opposed to all updates.

Re:Seriously, no auto-update? (1)

pauljlucas (529435) | more than 7 years ago | (#16120311)

If Software Update is run on a given machine X, you do NOT have to worry about processor differences -- Software Update downloads the right update for the right CPU.

Re:Seriously, no auto-update? (1)

macmastery (600662) | more than 7 years ago | (#16121204)

Right, but even though you can keep that package, it may not be appropriate for other machines on your network. That was the point I was trying to make. You face installing it from Apple on many machines instead of downloading it once and deploying it enterprise-wide.

Macs Are Our Easiest Machines To Manage (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16118904)

This is, of course, because we have no Macs or have any need for Macs.

Problem solved.

Everything is Windows and Linux, with Linux use growing at a fairly rapid rate here. Hopefully we will be 90-95 percent Linux within a couple years.

My first guess (1)

Dr Reducto (665121) | more than 7 years ago | (#16118922)

My first guess would be to look at accessing software update from the command line, which would mean that it could be scripted.

Just do "man softwareupdate" and check it out

Re:My first guess (1)

j|m (144235) | more than 7 years ago | (#16118982)

Specifically:
sudo softwareupdate --install --all

Use Automatic-Integrated Deployment System (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#16118927)

Apple has this great remote deployment software called Automatic-Integrated Deployment System. It uses a backdoor system to push in updates that are queued in a daisy-chain. You don't have to worry about protection from viruses because you know it's clean and hasn't been used by anyone else.

Macs DO have automatic update (4, Informative)

athempel (551232) | more than 7 years ago | (#16118930)

Read all about it. [apple.com]

And if you'd like to script it, take a look at the man page for "softwareupdate".

Re:Macs DO have automatic update (3, Informative)

DDLKermit007 (911046) | more than 7 years ago | (#16119134)

10.4 and above only. So many people are posting this just searching the Apple site. The OP runs various versions of OS X which are BELOW 10.4. The situation is compounded with mods that don't even know what the hell they are doing modding them up.

Re:Macs DO have automatic update (2, Informative)

athempel (551232) | more than 7 years ago | (#16119302)

Rubbish. [apple.com]

Sure you can do Mac updates... (3, Funny)

creimer (824291) | more than 7 years ago | (#16118969)

Very quietly. The rest of the Enterprise doesn't know about Macs. If anyone asks, tell them that you're installing Service Pack 2.

Re:Sure you can do Mac updates... (1)

DuSTman31 (578936) | more than 7 years ago | (#16120973)

The rest of the Enterprise doesn't know about Macs.

But now at least Scotty knows to use the keyboard.

man softwareupdate (2, Informative)

xornor (165117) | more than 7 years ago | (#16118980)

i run "softwareupdate -ia" from the commandline for installing all updates, could you just set up a cron job to run it?

Re:man softwareupdate (2, Informative)

dr00g911 (531736) | more than 7 years ago | (#16121410)

Apple remote desktop allows for scheduling command line tasks over the entire enterprise.

Including queuing tasks for laptops and the like that are not currently online.

At my previous place of employment, managing about 70 non-admin and 10 or so admin capable OS X boxes, my workflow went like this:

- Set software update to automatically download software on each machine daily
    (alternately, if you have OS X server, simply allow the server to cache all of the relevant updates and don't worry about this step -- it's mostly there to manage bandwidth spikes)
- Set a scheduled job for Friday afternoons to run softwareupdate from the commandline via ARD.
- Leave the ARD console up and it'll catch laptops during the beginning of the following week that weren't around when the command was issued.

The workgroup management features of the latest ARD are *amazingly robust* and I'd recommend anyone to just go and play with it. Coupled with netboot for major OS upgrades and the VNC like features, it cut the amount of time needed to maintain the entire company to virtually nothing.

Radmind (1)

moofbong (188566) | more than 7 years ago | (#16119048)

Radmind [umich.edu] is also a great tool for managing installs on OS X and UNIX/Linux machines. It might be worth a look.

Re:Radmind (0)

Anonymous Coward | more than 7 years ago | (#16119718)

Cage said it best on Grand ol' Party Crash; "If the opposite of pro is a con then look beyond this/ the opposite of Congress must be progress".

Do nothing. (1)

deepb (981634) | more than 7 years ago | (#16119059)

Unlike Windows, Mac updates generally give users new features, or other desirable things.. so most users stay on top of that stuff.

Our IT department does absolutely nothing unless a patch addressing a _major_ security hole is released, in which case they're supposed to send out an email. So far, no patch has been important enough to warrant an email. You might claim that's irresponsible, but we are talking about OS X here. If a co-worker of mine is incapable of clicking the "Install" button once every couple weeks when the auto-updater runs, I don't really want that person working with me anymore.

If anything, I'd be more worried about people running XP in Parallels and then forgetting to patch it - that's something that can cause a legitimate problem.

Re:Do nothing. (2)

jlarocco (851450) | more than 7 years ago | (#16119183)

You might claim that's irresponsible, but we are talking about OS X here.

Wow. Hope you guys don't do anything important.

Re:Do nothing. (1)

deepb (981634) | more than 7 years ago | (#16121506)

Wow. Hope you guys don't do anything important.

Ahh, but we do! See, my employer has one of the strictest hiring/interview processes known to man. We will never hire someone just for the sake of filling the position - the person must be the best at whatever it is they do. 300 employees later, we've never had an issue with the patch process I described in my original post, and we never will.

Re:Do nothing. (1)

jlarocco (851450) | more than 7 years ago | (#16122341)

Ahh, but we do! See, my employer has one of the strictest hiring/interview processes known to man. We will never hire someone just for the sake of filling the position - the person must be the best at whatever it is they do.

I don't see why you're mentioning that. Being the best at something else doesn't say anything about how often they'll run updates on their computer.

... and we never will.

Of course not. Because you never have before. Obviously...

Re:Do nothing. (1)

deepb (981634) | more than 7 years ago | (#16123291)

I don't see why you're mentioning that. Being the best at something else doesn't say anything about how often they'll run updates on their computer.

The updates are run automatically - all the user has to do is click "Install" when the screen pops up. If one of my co-workers is incapable of pushing a button when a screen pops up once every week or two, we made a mistake in hiring him/her.

You can argue "what-ifs" all day long, but so far there hasn't ever been a vulnerability within OS X that has been exploited on a large scale (e.g., Melissa, Code Red, Blaster, etc), and I doubt there ever will be (unless they make major changes in later versions). There's simply no business case for spending money and inconveniencing people so you can be 100% sure they're not brain-dead and neglected to press the "Install" button when it popped up in front of their face.

Re:Do nothing. (1)

jlarocco (851450) | more than 7 years ago | (#16123781)

The updates are run automatically - all the user has to do is click "Install" when the screen pops up. If one of my co-workers is incapable of pushing a button when a screen pops up once every week or two, we made a mistake in hiring him/her.

What are you going to do when the first major OS X vulnerability does get exploited? "Sorry guys, our IT department is incompetent, so we're going to have to let you all go"?

You can argue "what-ifs" all day long, but so far there hasn't ever been a vulnerability within OS X that has been exploited on a large scale (e.g., Melissa, Code Red, Blaster, etc), and I doubt there ever will be (unless they make major changes in later versions). There's simply no business case for spending money and inconveniencing people so you can be 100% sure they're not brain-dead and neglected to press the "Install" button when it popped up in front of their face.

Hey, I'm not trying to troll, I'm just pointing out that an ounce of prevention is worth a pound of cure. At one point no vulnerabilities in Windows had been exploited either, and we all know how that turned out.

Re:Do nothing. (1)

deepb (981634) | more than 7 years ago | (#16124605)

What are you going to do when the first major OS X vulnerability does get exploited? "Sorry guys, our IT department is incompetent, so we're going to have to let you all go"?

I'll either click "Install" when the patch window pops up, or initiate the process myself (and then click "Install") when I see an email from our IT department asking me to do so. You're assuming that a large group of people can't/won't do that for some reason - I'm not sure if you own a Mac, or if you've ever seen how patches are installed within OS X, but it's really that simple. There's absolutely no excuse for not doing it, especially when not doing it means ignoring instructions that everyone previously agreed to follow (signing off on the company handbook).

"Sorry guys, our IT department is incompetent, so we're going to have to let you all go"?

More along the lines of "you're incompetent, get the hell out." Even though it wouldn't happen, let's pretend it was everyone. What would you do if everyone started stealing from your company? Or just general unethical behavior that would normally be grounds for termination? Let them off with a slap on the wrist, knowing full well you now have a company full of thieves?

At one point no vulnerabilities in Windows had been exploited either, and we all know how that turned out.

Right, but the vulnerabilities had been there all along. That's the difference. :)

Re:Do nothing. (1)

vilms (106676) | more than 7 years ago | (#16126093)

Are you ALL local admins of your own Macs?

At our place (no local admins, so no local installs of software), the problem with Apple's updates is that they sometimes break the bespoke applications that rely upon -say- Safari. I agree that the Apple software update model is super-convenient for the majority of Macintosh users who are masters of their own systems, but that's not really working in an "Enterprise" environment, as I see it.

Re:Do nothing. (0)

Anonymous Coward | more than 7 years ago | (#16119977)

I agree with you up until the point you think the end user is doing it. I know from experience that even if the password is blank, the end user is going to wonder how to get past the authentication dialog box necessary to install the updates. I would say, on average, the end user waits 6-9 months before putting in a call to figure out their password. Once you set it or tell them, they generally forget by the time you are out the door. Or, at least by the time the next authentication dialog box comes up. It is a good thing they are using a Mac! :-)

You know it's late when... (3, Funny)

Minupla (62455) | more than 7 years ago | (#16119106)

I misread the post title, so I had images of Picard tapping his comms badge...
"Picard to Data: Start upgrading the MacOS workstations"
"Data: process completed in .005 seconds. We are fully functional sir"

Then I realized it was "in the enterprise" not "on the Enterprise"... oops. :)

Min

Re:You know it's late when... (0)

Anonymous Coward | more than 7 years ago | (#16120680)

There is only Kirk!

ARD Option (1)

Jedi Master Cody (660096) | more than 7 years ago | (#16119142)

If you are using the newest version of Apple Remote Desktop, by selecting the send Unix Command option, you can run software update on the selected computers. ARD 3.0 has many Unix command templates built in. The ones I use most frequently are repair permissions and the software update one. It is an invaluable tool for managing multiple Macs. I take care of about the same # as the parent, and ARD works great. What is awesome about it as well, it finally allows drag and drop from the computers the admin is controlling to the admin computer and from the admin to client.

Also amazingly easy with ARD v. 2 (1)

toekneeshops (727799) | more than 7 years ago | (#16119272)

Easy even with the older ARD v.2 - just send the unix command "softwareupdate -i -a" to the workstations in question, and they will automatically download and install all needed updates.

Best of all, schedule it to wake the workstations at 3:00 a.m., download and install the updates, restart the machines, and put them back to sleep or turn them off. Easy as pie with Apple Remote Desktop and scheduled scripting.

For more: http://macenterprise.org/content/view/117/140/ [macenterprise.org]

http://www.informit.com/articles/article.asp?p=445094&seqNum=4&rl=1 [informit.com]

/etc/sources.list (1)

shawn443 (882648) | more than 7 years ago | (#16119241)

you can't apt-get with cron yet?

Re:/etc/sources.list (1)

Confuzzled (443836) | more than 7 years ago | (#16119291)

Yes. Put this in a file named /etc/daily.local:
softwareupdate -i -r
Instead of installing the recommended (-r) updates, you can also choose to install all (-a).

More info here [wikipedia.org] .

It would probably also be a great idea to have a local softwareupdate server, this way you don't have to download all updates every time, but instead only download them once to a local repository; additionally you could test things first before distribution. Read more info here [apple.com] . Although it seems that a local server will only work for 10.4.

Re:/etc/sources.list (1)

shawn443 (882648) | more than 7 years ago | (#16119375)

I know little about Apple besides what I read here, ancient superbowl ads, and the recent commercials featuring the dude who likes nutsacks [imdb.com] . Are there any tools similar to Microsoft's group policy so as to automate this across the network?

Software update (0)

Anonymous Coward | more than 7 years ago | (#16119342)

As already mentioned for the system software just run softwareupdate -ir through ARDs send unix command.

this takes care of the OS X updates.

If you want to automate other software updates it can get a bit trickier. But you can do just about anything with ARD + Automator + Applescript/Perl/etc.

And of course look at Package Maker. The newest version comes on the ARD 3.0 Disc (you need 3.0 for the intel macs).

Package Maker sucks hard. But the end result is good.

Mac OS X Updates (4, Insightful)

RAMMS+EIN (578166) | more than 7 years ago | (#16119378)

The OS ships with an update tool that notifies you of available updates. Unfortunately, it doesn't seem to take into account what software you have installed (it keeps telling me there's an update for iTunes, even though I don't have iTunes installed), and it only updates the software that ships with the system - anything you install separately will have to be updated separately.

This is one of my main gripes with OS X, in fact. On Debian and Ubuntu, I have a great package manager that automatically takes care of dependencies, and keeping software up to date is as simple as apt-get update && apt-get upgrade (with graphical front ends available for those who want them). Having to manually hunt down dependencies or updates is just a pain in the behind, and can significantly increase the maintenance cost of a system.

Re:Mac OS X Updates (1)

delire (809063) | more than 7 years ago | (#16119548)

Agreed. I spent some time working with OSX 10.4 recently and found the lack of an ability to upgrade installed software using an update tool like apt was sorely missed.

Having to consciously track versions of non-OSX shipped software yourself - to go to websites to find and install updates on a per-package basis - is too labour intensive for a machine I simply want to get work done on.

Re:Mac OS X Updates (1)

Ash-Fox (726320) | more than 7 years ago | (#16119573)

I have used Fink [sourceforge.net] and created my own repositories to manage Macs. Note that there is a lot of manual labour involved.

Re:Mac OS X Updates (1)

yabos (719499) | more than 7 years ago | (#16120465)

Most programs have an auto update check themselves. It shouldn't be up to the OS to check every single program for updates it should be the program itself that should notify you of updates.

Re:Mac OS X Updates (1)

mrchaotica (681592) | more than 7 years ago | (#16121710)

It shouldn't be up to the OS to check every single program for updates it should be the program itself that should notify you of updates.

Are you kidding?! Dealing with 50 different "update managers" that all do things in different ways, and (worse yet) forcing developers of every piece of software to keep reinventing that wheel, are the last things anyone needs!

No, the better solution would be for Apple to add a standard mechanism for software updates (like package managers do for Linux). Offhand, I would suggest maybe adding a field to be defined in each app's version.plist that would list a URL for that app's update notification RSS feed. Then, upon installation, the Software Update would register for the RSS feed and install updates through the same mechanism the OS updates use.

Re:Mac OS X Updates (1)

yabos (719499) | more than 7 years ago | (#16121733)

There's no update manager. It checks in the background to a URL that replies with the current version. App checks own version against this. How hard is that? It's a lot easier than having to write code to tie into some OS managed service. You even say the software provider has to provide the current latest version number. Why not have the application do it itself with probably less than 10 lines of code(Thanks to Cocoa it's really easy) than some other convoluted method. Apple even has an example of how to do this on their developer website.

Re:Mac OS X Updates (1)

mrchaotica (681592) | more than 7 years ago | (#16121861)

There's no update manager. It checks in the background...

The code that does those checks in the background is what I meant by an "update manager."

Why not have the application do it itself with probably less than 10 lines of code...

Those ten lines of code still need to be debugged, maintained, etc., and last I checked, 10 is still greater than zero. More importantly, we're not really talking about 10 lines of code. We're talking about 10 lines of code for each and every app that runs on Mac OS. Collectively, it's still a hell of a lot of wasted effort!

(By the way, your second question is missing its question mark (sorry; it's my pet peeve).)

Re:Mac OS X Updates (1)

Figaro (20471) | more than 7 years ago | (#16119640)

Check the manpage for softwareupdate.

I just used it to block those AirPort updates for the card I don't have (softwareupdate --ignore AirPort)

dp

Re:Mac OS X Updates (1)

RAMMS+EIN (578166) | more than 7 years ago | (#16119658)

Thanks for the tip! I will look into it next time I boot OS X (I rarely do so, because I find Debian much more comfortable).

Re:Mac OS X Updates (1)

MaximXygo (757609) | more than 7 years ago | (#16120342)

Actually, Mac OS X DOES take into account what you already have installed. You keep seeing iTunes in Software Update because you don't have it installed, and Apple wants you to have it installed (it's a full installer you're prompted with, not necessarily an updater). If you don't want to see it, simply disable the update (in the File menu). OS X doesn't have the "dependency" dance you have to take into account with your Linii. Try to learn more about what you're discussing before you knock it. It turns out your main gripe with OS X was only partially founded (Apple's Software Update only updates Apple software... that part is true, but many actually prefer that).

Re:Mac OS X Updates (1)

Lucien (24198) | more than 7 years ago | (#16120603)

It also depends on the packages. I've been using http://macports.com/ [macports.com] (nee DarwinPorts) and it's a great package manager: install dependencies, update to the latest versions, deactivate without installing and so on.

There's also Fink, but I found it harder to use. Check what packages they support and see what suits you.

Re:Mac OS X Updates (2, Informative)

tverbeek (457094) | more than 7 years ago | (#16120697)

it keeps telling me there's an update for iTunes, even though I don't have iTunes installed

Yeah, that's because Apple believes that iTunes and QuickTime Player should be standard components of any Windows or OS X system.

it only updates the software that ships with the system - anything you install separately will have to be updated separately.

Incorrect. Apple's Software Update program detects and installs updates for any Apple software you have installed, whether it came with the system or not. For example, recently after installing Final Cut Pro on a fully-updated system, it gave me another half-dozen updates to download for the apps in the Final Cut package. In this sense it performs the same function as Microsoft Update, or Adobe's Update Manager: providing updates for all of that vendor's products (regardless of when you installed them).

While it would certainly be nice if Apple's Software Update also updated Adobe, Microsoft, and other developers' apps (instead of having to use the inferior update tools those companies provide, or ye olde stand-alone updater), it should hardly be surprising that commercial software developers aren't as chummy and free with their updates as the open-source community is.

Re:Mac OS X Updates (1)

koryn (76105) | more than 7 years ago | (#16121634)

it doesn't seem to take into account what software you have installed (it keeps telling me there's an update for iTunes, even though I don't have iTunes installed)

It's telling you what is available for install, not what updates are out there for already installed software. Subtle distinction, and if it really bugs you then select the package you're not interested in and use the "Update > Ignore Update..." menu item to stop seeing updates for those packages.

it only updates the software that ships with the system - anything you install separately will have to be updated separately.

Apple's software uses Software Update too - e.g. if you buy iWork and install it separately, you see updates to Keynote and Pages in Software Update.

This is one of my main gripes with OS X, in fact. On Debian and Ubuntu, I have a great package manager that automatically takes care of dependencies, and keeping software up to date is as simple as apt-get update && apt-get upgrade (with graphical front ends available for those who want them).

Um, on Mac OS X keeping software up to date is as simple as 'sudo softwareupdate --install --all' (with a graphical front end available for those who want them). Try 'man softwareupdate' some time. There are other package managers available for non-Apple software.

Re:Mac OS X Updates (1)

RAMMS+EIN (578166) | more than 7 years ago | (#16121888)

``It's telling you what is available for install, not what updates are out there for already installed software. Subtle distinction, and if it really bugs you then select the package you're not interested in and use the "Update > Ignore Update..." menu item to stop seeing updates for those packages.''

Ok, thanks. I find it really annoying when that window pops up, advertising updates for software I don't have or want.

``it only updates the software that ships with the system - anything you install separately will have to be updated separately.

Apple's software uses Software Update too - e.g. if you buy iWork and install it separately, you see updates to Keynote and Pages in Software Update.''

Alright, in that case, not "the software that ships with the system", but "software made by Apple". At any rate, the problem is that it doesn't keep _all_ installed software up to date; this means that you have to deal with several mechanisms, usually including manual checking, downloading, and installing.

``Um, on Mac OS X keeping software up to date is as simple as 'sudo softwareupdate --install --all'''

Only it isn't, because that only updates _part_ of your software. On Debian and derived systems, all software is typically installed through the package manager (thanks to the fact that Debian packages the bulk of software that works with it), and also kept up to date through it. This is a major maintainability win.

Re:Mac OS X Updates (2, Informative)

Johnny Mozzarella (655181) | more than 7 years ago | (#16130729)

Simply deleting an .app from the Applications folder is not enough.
Software update is able to quickly determine what software it needs to update by looking at the receipts in the Library/Receipts/ folder.
If you delete the receipt for iTunes in there, Software Update will no longer check for updates for iTunes.

One solution (3, Informative)

Espen (96293) | more than 7 years ago | (#16119621)

This problem would be far simpler if it were possible to simply instruct client machines to run Software Update and install all available updates

That's trivial. In ARD, create a Unix command task to execute as root with the command:

softwareupdate -i -a

This will install all the updates you would otherwise see in the GUI Software Update on the selected clients. Schedule it if you are so inclined, and don't forget to set a reboot task if one of the updates requires it.

Re:One solution (2, Informative)

phillymjs (234426) | more than 7 years ago | (#16119793)

Schedule it if you are so inclined, and don't forget to set a reboot task if one of the updates requires it.

If all the machines you want to update are running Tiger, just do softwareupdate -ai && shutdown -r now to install all available updates and reboot when complete with a single command.

Of course, that doesn't work correctly with Macs running Panther, then you would have to do softwareupdate --install --all and schedule the reboot separately in ARD because IIRC the single-letter switches don't seem to work for the softwareupdate command in Panther, and Panther won't wait until softwareupdate is done to execute the reboot.

The above commands are better when used with an OS X Server running the Software Update service, so you can pick and choose which ones are made available to all of your managed Macs.

~Philly

Re:One solution (2, Insightful)

Marcion (876801) | more than 7 years ago | (#16119988)

Cron-ning "shutdown -r now" is a bit too simple. Imagine that some user is doing important work and their machine silently reboots, that's not good. This also creates extra work for your helpdesk, "my machine reboots, come and fix it".

I would personally use some kind of pop-up dialog saying your computer is about to be rebooted.

There are lots of different ways you can do this, the original bash programs were called dialog and xdialog, there are lots of equivalents these days, basically the idea is that they let you produce an OK/Cancel box within a bash script. You could also use something a little more powerful than bash such as Python or AppleScript or whatever.

Re:One solution (1)

phillymjs (234426) | more than 7 years ago | (#16120411)

I never push out updates anywhere near business hours, so a silent reboot is not a problem. In fact, I usually set all the machines in my care to power on/wake up for a period late on Sunday night just for maintenance time.

~Philly

Re:One solution (1)

sheldon (2322) | more than 7 years ago | (#16123093)

Until you have that guy who is running a process overnight, and you reboot his computer 12 hours into a job that takes 16 hours to complete.

Re:One solution (2, Insightful)

Espen (96293) | more than 7 years ago | (#16120470)

Of course, that doesn't work correctly with Macs running Panther, then you would have to do softwareupdate --install --all and schedule the reboot separately in ARD because IIRC the single-letter switches don't seem to work for the softwareupdate command in Panther, and Panther won't wait until softwareupdate is done to execute the reboot.

The single letter switches work fine in Panther, but you can't merge them, ie. it has to be exactly as specified in the original post: softwareupdate -i -a not softwareupdate -ia.
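The install-then-reboot logic this sub-thread argues over, as an added example that is not from any of the posters: it installs everything with separate long switches, reboots only when an update asked for it and nobody is at the console, and otherwise logs and notifies. The function names and the sample listing are constructed; the `[restart]` marker in `softwareupdate --list` output and the `stat -f %Su /dev/console` idiom for finding the console user are assumptions about the client OS.

```shell
#!/bin/sh
# Added example: patch run for an ARD "Send UNIX Command" task executed as root.

# Constructed sample of `softwareupdate --list` output (not captured from a real Mac).
SAMPLE_LISTING=$(printf '%s\n' \
    'Software Update found the following new or updated software:' \
    '   * ExampleSecurityUpdate-1.0' \
    '        Example Security Update (1.0), 10240K [recommended] [restart]' \
    '   * ExampleAppUpdate-2.0' \
    '        Example App Update (2.0), 2048K [recommended]')

# Succeeds if the listing on stdin contains an update flagged [restart].
listing_needs_restart() {
    grep -q '\[restart\]'
}

# Print the identifier of each update in the listing on stdin ("   * name" lines).
listing_update_names() {
    sed -n 's/^ *\* \(.*\)$/\1/p'
}

# $1 = listing text, $2 = console user ("" or "root" means nobody is logged in).
# Prints: none (no reboot needed), reboot (safe to reboot now), defer (user present).
reboot_decision() {
    if ! printf '%s\n' "$1" | listing_needs_restart; then
        echo none
    elif [ -z "$2" ] || [ "$2" = "root" ]; then
        echo reboot
    else
        echo defer
    fi
}

patch_run() {
    # Capture the listing first: after installation the updates are no longer listed.
    listing=$(softwareupdate --list 2>&1)
    printf '%s\n' "$listing" | listing_update_names |
        while read -r name; do logger -t patchrun "installing $name"; done

    # Separate long switches, the form the thread reports working on both releases.
    softwareupdate --install --all || { logger -t patchrun "install failed"; return 1; }

    console_user=$(stat -f %Su /dev/console 2>/dev/null)
    case $(reboot_decision "$listing" "$console_user") in
        reboot)
            logger -t patchrun "restart required, no console user, rebooting"
            shutdown -r now
            ;;
        defer)
            logger -t patchrun "restart required but $console_user is logged in, deferring"
            # Whether a root task may draw a dialog in the user's session varies by OS release.
            osascript -e 'tell application "System Events" to display dialog "Updates were installed. Please restart this Mac when convenient." buttons {"OK"} default button 1' >/dev/null 2>&1 || true
            ;;
    esac
}

# Nothing runs unless the task passes --run, so the file can be sourced and inspected safely.
if [ "${1:-}" = "--run" ]; then
    patch_run
fi
```

The deferred case leaves a syslog line per machine, so the admin can collect the list of Macs still waiting for a restart instead of rebooting someone's overnight job.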

Wow. Start with the basics!!! (1)

neuroklinik (452842) | more than 7 years ago | (#16119992)

"What's the best way to manage updates for an office of about 150 Macs of various models with different releases of Mac OS X installed?


First, you have to get all of your hardware on the same OS. Create a master system image of a template machine. (Take a machine, customize it the way you want, add your apps, etc.) Create an asr ready disk image of the template machine using Disk Utility or Mike Bombich's fantastic NetRestore (http://bombich.com/). Distribute it however suits your environment best. NetInstall-NetRestore sets hosted on a NetBoot server work great.

Once you've got all of your hardware on the same OS and same environment, distributing software updates becomes much much easier. I recommend distributing all updates with Apple Remote Desktop 3. The client is free, and part of Mac OS. All you need is a seat of the administrative tool for each admin who might need to remotely administer your Macs. Using a combination of ARD and PackageMaker (from the XCode tools), you can not only distribute standard software updates from Apple, but also repackage third-party updaters and installers into the .pkg or .mpkg format used by ARD. It works really well.

I would assume the solution involves Apple Remote Desktop Administrator which makes it possible to install updates on client machines without interrupting the user -- but then the question becomes how do you keep track of which updates to install? Does Apple have some page squirreled away that lists updates they've released in chronological order with the ability to filter based on OS version and model?


Yes, there are dependencies, and you can test for them using pre- and post-action scripts stored as the contents of each package. Do as much research as you can on PackageMaker, and be prepared to do shell scripting. Information about installed updates is stored in /Library/Receipts. Every package has a Bill of Materials file that you can read with lsbom. It states exactly what gets installed by the package in question and where it gets installed, as well as the target ownership and privilege attributes.

Is there an RSS feed or mailing list that announces new updates? For the uninitiated, ARD Admin only lets you install specified packages, so you have to download the updates manually from Apple's website, then queue the packages to be installed on a particular set of machines. This problem would be far simpler if it were possible to simply instruct client machines to run Software Update and install all available updates, or even better, if Apple included automatic update functionality within the OS, a la Windows XP."


Mac OS X does offer the ability to periodically check for and install software updates. However, installing updates requires administrative rights, which your end users should not have. You could use Mac OS X Server's software update cache, which periodically checks with Apple's main software update servers and then caches any new updates. You also gain more fine-grained control over which updates get installed when. It's not always smart to install new updates immediately. Better to wait a few days or a week and see how the rest of the world fares. Then, you can make the updates available over your internal software update caching servers. One other thing to remember about the Mac OS X Server software update service: you cannot offer your own pre-packaged updates, as softwareupdate checks to make sure every package has been signed with Apple's key. Packages you create yourself still need to be deployed with ARD.

That's the basics, though.

1) Make sure every machine is imaged with the same template. This is crucial. Having machines with different operating systems and software suites installed is the first stumbling block to a managed platform. Enable the ARD client on your template, of course.
2) Try to have users authenticate from a centralized directory service. That way, you don't need to worry about setting up local accounts. Active Directory works quite well, as does Apple's own Open Directory. You can use just about any LDAP directory store you want. If you extend the LDAP schema, you can even use Apple's MCX attributes to apply policies, etc. Works great.
3) Learn PackageMaker, bash scripting and javascript. These are crucial to the successful repackaging of third-party updates that use non-standard installers.
4) Deploy your updates with ARD. You can use ARD to schedule and deploy anything packaged in .pkg or .mpkg (metapackage) format.

I've managed groups of over 200 Macs using these techniques, with machines spread out across several states and three countries.

It will be interesting to see if Apple embraces Intel's vPro platform for even better remote administration and diagnostics.
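The receipts mentioned in this comment and in Johnny Mozzarella's earlier one can answer "which Macs are missing which package" directly. This is an added example, not code from any poster: it assumes receipts are bundles named `<Package>.pkg` under `/Library/Receipts` with the Bill of Materials at `Contents/Archive.bom`, and the baseline file format, function names and sample package names are hypothetical.

```shell
#!/bin/sh
# Added example: audit installed-package receipts against a required baseline.

# Print the package names that have a receipt in directory $1, sorted.
receipt_names() {
    for receipt in "$1"/*.pkg; do
        [ -d "$receipt" ] || continue      # skips the unexpanded glob and stray files
        basename "$receipt" .pkg
    done | LC_ALL=C sort
}

# Print every package named in baseline file $2 that has no receipt in $1.
# Baseline format (hypothetical): one package name per line, '#' starts a comment.
missing_packages() {
    installed=$(mktemp) || return 1
    receipt_names "$1" > "$installed"
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$2" |
        LC_ALL=C sort -u | LC_ALL=C comm -23 - "$installed"
    rm -f "$installed"
}

# Show what one package installed (paths, modes, owners) by reading its BOM with lsbom.
receipt_payload() {
    bom="$1/$2.pkg/Contents/Archive.bom"
    [ -f "$bom" ] || { echo "no BOM for $2" >&2; return 1; }
    lsbom "$bom"
}

# Build a constructed receipts tree and baseline for a dry run; prints the temp dir.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/Receipts/ExampleSecurityUpdate.pkg/Contents" \
             "$d/Receipts/ExampleApp.pkg/Contents"
    printf '%s\n' '# required on every Mac' \
        'ExampleSecurityUpdate' \
        'ExampleBrowserUpdate  # not yet deployed' > "$d/baseline.txt"
    echo "$d"
}

# On a managed Mac, with a baseline file you maintain:
#   missing_packages /Library/Receipts /path/to/baseline.txt
```

Run as an ARD Unix command across a group, the output of `missing_packages` gives a per-machine list of what still has to be pushed.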

Re:Wow. Start with the basics!!! (1)

toekneeshops (727799) | more than 7 years ago | (#16120771)

First, you have to get all of your hardware on the same OS.
If it were only that easy! That might make it easier for administrators, but it's not realistic in a work environment with different departments needing different apps, and older equipment using an older OS version (and working fine-- why risk breaking it?). Keeping it to 3 or 4 images is more realistic. It is still pretty easy with ARD to create groups broken into different images, though. And using a scheduled script in ARD as mentioned above is still pretty easy to allow the clients to download their own updates.

Re:Wow. Start with the basics!!! (1)

ktappe (747125) | more than 7 years ago | (#16122255)

That might make it easier for administrators, but it's not realistic in a work environment with different departments needing different apps, and older equipment using an older OS version (and working fine-- why risk breaking it?). Keeping it to 3 or 4 images is more realistic.
Keeping 3 or 4 images is only realistic if you are willing to pay to increase your I.T. staffing. At the large company where I am MacOS administrator, it takes nearly all my time to maintain our single image; if we had 3 or 4 I would absolutely need to hire a second me. Besides, you contradict yourself; you claim the images are "working fine", but obviously they are not or the original poster would not have posted his question; they are not "working fine" if they need patching and management and support, as all systems eventually will. Yes, there is a delicate balance to be struck between the needs of the user and the needs of the I.T. department, but it seems as though his employer has given all the power to the users and none to I.T. He needs to assert his needs and insist on one single image. If they need to customize the image after deployment with their own apps, so be it, but the base image must be the same on all Macs or the nightmare will continue forever. I personally would not accept a Mac administrator position in which the users were allowed to dictate to me what OS they ran; that is a higher level corporate decision than end-users are in a position to decide. Without central decision making about OS deployments, security is truly impossible as is competent, professional support. Ad hoc OS deployment begets ad hoc I.T. support.

-Kurt

osascript (1)

nbvb (32836) | more than 7 years ago | (#16120059)

Write a quick AppleScript to pop up a dialog box and then run softwareupdate from the command-line ...

This way, the user knows what's going on, and the patches get installed.

Do a "man osascript" from the commandline. Good stuff.

Re: Managing Mac OS Updates in an Enterprise (0)

Anonymous Coward | more than 7 years ago | (#16120126)

Use Apple's Software Update Server to house locally all the updates so every Mac isn't using your gateway and bandwidth to update itself. Then use the Server Admin tools to "enabled" and "set required" various updates on the SUS. Finally, when you are ready to initiate the updates (or on a weekly schedule via the task server) fire off a "softwareupdate -ir" (or whatever options you deem appropriate) to all the clients and they will go to your SUS and update themselves in the background.

Relevant products:

Mac OS X Server (SUS functionality) - http://www.apple.com/server/macosx/softwareupdateserver.html [apple.com]
Apple Remote Desktop 3 - http://www.apple.com/remotedesktop/softwaredistribution.html [apple.com]

As mentioned before, ARD 3 can be used to install anything in a pkg format, so if you can get enough consistency in your load set to make it worth packaging up your 3rd party apps with something like PackageMaker or logGen and iceBerg, you can use ARD to install them too.

Before you go to all this trouble though, make a standard image so all your hardware is on the same OS. Mike Bombich has some nice tools (http://bombich.com) or use Apple's Mac OS X Server tools such as "System Image Utility" http://www.apple.com/server/macosx/netbootnetworkinstall.html [apple.com] . Installing over the network is the best method, but if your network is slow, or configured in such a way that it can't work with netboot/netinstall you can do it via external disk (ie Firewire) if you want to. (Or you can buy a cheap gig switch and "image" your macs at a workbench with its own little network in your lab before sending them out to users).

While you are at it you might as well install and configure a central antivirus server. Symantec has one of these guys too.

You could also try FileWave (1)

Dhrakar (32366) | more than 7 years ago | (#16120769)

Our local admin swears by FileWave http://www.filewave.com/ [filewave.com] It allows you to do unattended updates, push out specific files and run install packages remotely. It is a commercial package, though...

Learn from someone with experience (1)

guruevi (827432) | more than 7 years ago | (#16121317)

Since anything before 10.3 is not actively supported towards updates anymore, you can ignore those systems except for their monthly automatic updates.

Get Mac OS X Server 10.4 and ARD 3.0 or if you have time, wait for OS X 10.5 and for the 10.4 systems you then actually have a server-based automatic update system which shouldn't be too hard to maintain if you have basic knowledge.

I have a lab with all Mac OS'es I am supposed to support and all software we use on them. If an update comes out, I basically test it out there. If it works, I go and download the update packages from the Apple website and then schedule a package installation in ARD3 through the task server for the 10.3 systems and activate the 10.4 updates in Software Update Server. This makes sure that all my updates get done (through the task server, it just does them as computers become available).

I have a 50-client environment with about 3 servers and 4 laptops. I know what I'm talking about. Oh: don't forget to take away admin rights from your users, it will be a great help.

Enterprise macs (1)

briancnorton (586947) | more than 7 years ago | (#16123316)

I got in an argument about this recently. What does an enterprise mac system look like? What software do you run that makes these macs different from home PCs? (this is ignorance, not mac bashing) Is there an equivalent administrative construct to a windows domain? Do you just use the same handlers as BSD? I've done quite a bit of enterprise work, but I've never seen a mac integrated with an enterprise architecture.

Re:Enterprise macs (1)

scottdmontreal (1003416) | more than 7 years ago | (#16126038)

Read up: OS X Server http://www.apple.com/server/macosx/ [apple.com] Yes, it's called Open directory, it works in a big way. Most enterprises that run OS X server don't want you to know about them. You have no business there.

Re:Enterprise macs (0)

Anonymous Coward | more than 7 years ago | (#16135359)

There's no difference whatsoever on the client side. Mac OS X Server is a radically different operating system than Mac OS X, but if you're talking about one server and 500 workstations, only the server is special.

When you boot a Mac, it automatically checks (via DHCP) to see if there's an Open Directory server on its network. Open Directory is similar to the Windows Domain thing. If the Mac finds an Open Directory server, it configures itself automatically in ways that vary wildly depending on how the server is set up. For instance, you might be using network log-ins. If you are, then the Mac will pop up a login window that allows you to type a username and password. As the computer logs you in, it'll automatically mount that user's home directory and any other shares that happen to be configured, and so forth and so on.

In order to set up a Mac enterprise, you have to configure at least one Mac OS X Server computer, and precisely zero Mac OS X computers. To integrate your Macs into the enterprise, you simply turn them on.

It's pretty neat, really.

Filewave! (1)

Axello (587958) | more than 7 years ago | (#16126168)

If you have a couple of hundred Macs to update, you not only have to worry about the OS, but also the applications. That's where the third-party file distribution applications help you. There is the open source 'rsync' of course, but that doesn't really help you with the packaging of say, the upgrade of Adobe Photoshop 7 to CS, nor the distribution of it. The program I'm most fond of is FileWave http://www.filewave.com/ [filewave.com] . With this you can distribute any software package, update, document to any number of Macs, with any different number of persons or workgroups. It's quite costly, but if the number of Macs exceeds the hundred and/or you have different, far stretched locations, it could save you a bundle. Once the package is distributed, also to any laptop users, you can set a time in the future to activate the new package, and optionally deactivate the old package. This way you can distribute the software in advance, handy on slow uplinks, but activate it all at the same time.

There is also NetOctopus http://www.netopia.com/software/products/netoctopus/ [netopia.com] , but I have no experience with that.

Couple this with ARD for remote support.

Some thoughts on automatic updates of mac clients (1)

MacQ (1003501) | more than 7 years ago | (#16128590)

Having quite a lot of experience with macs in an enterprise environment, I can assure you:
You do not want your clients to update automatically!
1. When you are responsible that hundreds of persons can work using the clients you are responsible for, you will want to check if an update has any unwanted impact on those clients before you update them.
Maybe you cannot imagine the trouble you get in if one of your major applications no longer works with the newest update that was installed automatically.
If you just for example look at the dependencies between Microsoft Office 2004 and Mac OS X then you know what I'm talking about.
You will want to test those updates first. Believe me.
2. If you have a lot of clients then you will definitely want to set up your own software update server.
Otherwise your clients will eat away your internet bandwidth. Just imagine your 100 clients each downloading that 150MB 10.4.8 update from apple.com. It will block your network for hours...
3. For a method on 'Auto-Update using Apple's Software Update' there's an interesting article here http://macenterprise.org/content/view/198/84/ [macenterprise.org]

But you are definitely right. There should be some sort of mechanism so that once set up, a mac client can be forced to update all of its software to the newest releases.
I would also like to see an uninstaller that allows me to uninstall an update that has side-effects...
I don't like to admit it but at this point windows offers better solutions.

Take a look at radmind (1)

macshome (818789) | more than 7 years ago | (#16139024)

You should take a look at radmind [umich.edu] from U-Mich for total control of the OS and apps on your Macs and other *NIX machines. Essentially it is a tripwire that can restore the entire filesystem to a known, or new, state. As Mac OS X is a primary platform for radmind it has great support and tools.

In a typical update scenario you would:

1. Install the update on a freshly radminded Mac.
2. Use the radmind tools to create a difference transcript from the updated filesystem against the copy on the server.
3. Upload, again using the radmind toolset, the new transcript and files to the radmind server.
4. Then on the server you add the new transcript to the command file for the workstations you wish to update and they get the new filesystem the next time radmind runs on them.

I'm deploying it at work right now and it's been great. I know other Fortune 50 admins that are deploying it or use it as well. The largest deployments are in the edu space and I know admins there that use radmind to manage upwards of 10,000 Macs.

It's an open project that lives at sourceforge if that strokes your geek ego as well. I'm using it as a wedge to push acceptance of OSS at work.

True it is a very different philosophy, file system management vs. package management, than using an ARD task server, but it gives you things like rollback that ARD or the system Installer can't provide.
