User profile for user: Mojoscream
Mojoscream Author
User level: Level 1
9 points

Install Software Updates without Admin Rights

Hello all;


I've recently setup a software update server for the company I'm working for. I'm trying to get a patch/test cycle fired off for all Software Updates applied to our Mac environment. Currently I have a test bed of machines looking at our Mac Server (OS X 10.8.4 running Latest Server version), and would like to know if there's a way that I can "bless" our end users to be able to install the updates from that server.


For example, the server downlaods a new update. We put it thorugh a 2 week test cycle to make sure it doesn't adversly affect anything. After it passes we enable it on the server and it gets advertised out to the end users to install. From here I'd like to allow the end users to install the updates that are available form our server so that they are up to date. Is there a way to grant this to our group? All of our Mac users are in a collective AD group that is showing up on the server when searched, I can create a mirrored or nested group on the Open Directory side if needed.


Any and all help is appreciated, and I will provide as much information as I can.


Thank you!

Posted on Jul 25, 2013 7:30 PM

Reply
5 replies
User profile for user: Mojoscream
Mojoscream Author
User level: Level 1
9 points

Aug 12, 2013 12:05 AM in response to Mojoscream

Found a fix!


From under the admin account created on each computer for ARD management, rights push, third party software install, etc. I opened a terminal window and ran the following commands.


sudo defaults write /Library/Preferences/com.apple.appstore restrict-store-softwareupdate-only -bool yes


sudo security authorizationdb write com.apple.SoftwareUpdate.scan allow


sudo security authorizationdb write system.install.apple-software allow


I then logged on under a user account and was able to install the advertised software from our Internal Software Update server.


WARNING: I recommend only doing this if there is some form of Software Administration pushing to the end users. Updates such as firmware, and such can render a system non-operational. Make sure you test all updates prior to enabling them to the end users, disable any updates that may render a computer non-operational, and avoid headaches later on.

Reply
User profile for user: John Lockwood
John Lockwood
User level: Level 6
13,697 points

Jul 26, 2013 3:00 AM in response to Mojoscream

If you have Apple Remote Desktop (purchased from the App Store), you can manually download available Apple updates from http://apple.com/swupdates and then use Apple Remote Desktop to 'run' the installer over the network on the client Macs. This approach will not require the users to authorise the install.


Another approach is to use 'Munki'. As part of Munki it includes software you install on the client Mac. This work with the Munki server software. The client software can automatically install Apple software updates it received from the Munki server and does not require the user to authorise this. This can also be scheduled to occur automatically when the user shuts down their client Mac.


With regard to testing, this would not require being able to remove the need to enter admin level details, a tester should have admin level details or have the install done for them by an admin level user. I can however see why after testing you would like to push the update out to users who do not have admin level access.


For a larger size userbase I would look at the Munki solution.


See http://code.google.com/p/munki/

and http://www.amsys.co.uk/2012/blog/using-munki-to-manage-apple-software-updates/#. UfJIspypd5c

Reply
User profile for user: Camelot
Camelot
User level: Level 9
58,233 points

Jul 26, 2013 1:13 AM in response to Mojoscream

Given the nature of certain Software Updates, and the fact they can change/overwrite system files, the Software Update process will require admin user rights on the host system.

That doesn't matter whether the update comes from Apple directly, or from some local software update server, the user still needs admin privileges on the host system in order to install them.


So there are two potential solutions. One is to give your users admin rights on their machines (and, of course, you might not want to do this), the other is to use Apple Remote Desktop (ARD).

ARD give a central administrator user the ability to control remote machines on the LAN, including pushing out software updates. It's really the preferred solution for this kind of setup.

It doesn't save the sysadmin from doing the install, but at least s/he doesn't have to walk the halls to touch every machine, and they can all be done in parallel.

Reply
User profile for user: Mojoscream
Mojoscream Author
User level: Level 1
9 points

Jul 26, 2013 1:26 AM in response to Camelot

Thank you for the reply and information!


Is there a way to actually trigger off the remote funtionality for installing the updates? Or is this something where I'd have to go through and manually control and install the software on each computer? I'm looking for a way to install updates when users are on site with their laptops, as we have a lot of mobile users that I can't always touch either physically or through remote functions.


As a side note: Unadminstered installs is why we testing, to make sure there is nothing that goes off the rails when a new update comes in. We've had issues in the past with fonts and kerning issues from updates, so all patches are thouroughly tested. Due to this testing it doesn't really leave a lot of time for a one-to-one update process. I'd like to think that this is why we've been given control over which updates are available to users via Software Update, so we can test and then make available patches that we, as admins, have blessed. 🙂

Reply
User profile for user: MrHoffman
MrHoffman
Community+ 2025
User level: Level 10
144,749 points

Jul 26, 2013 6:28 AM in response to Mojoscream

Subscribe to the OS X Server MacEnterprise mailing list, a forum where managing and deploying updates and OS X in larger environments is discussed fairly regularly, and also dig through the mailing list archives available over there, as there have been various discussions of this and related topics in the past.


There's no way for a non-privileged user to install updates, but a privileged user can push out updates; Munki (as mentioned, and as is discussed in the MacEnterprise archives) is one of the more common means of deploying updates on OS X, as is ARD. Reposado is also useful in certain environments; that's an open-source software update server for OS X.

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Install Software Updates without Admin Rights

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up