pipboy-2000

Q: Software Update Service: Push updates to clients

Hi all,

I have just configured OS X 5.0 for the first time, so it is still all fairly new to me. Is it possible to push out OS updates from Server to enrolled clients? I've been reading about the differences between the caching server and the software update service, and since one can't run both at the same time, I believe that the update service is more practical if one only plans to deliver updates to OS X clients. My understanding is that users have to request updates from the App Store, but is there any way to push out updates to the clients instead? Even a command would be helpful, since I can remotely run terminal commands on any client, but really I'm open to any suggestions.

Many thanks,

E.

OS X El Capitan (10.11.4), Server X 5

Posted on Apr 5, 2016 8:50 AM

  • by Strontium90, Solved answer

    Strontium90 Apr 6, 2016 2:41 AM in response to pipboy-2000
    Level 5 (4,067 points)
    Servers Enterprise

    Welcome to the forums.

    So there are two ways to look at this.  You can "push" updates to clients or you can tell the clients to "pull" updates.  Let's look at a few options.

    If you go the "push" mentality, you need to visit Apple's website and download the individual installers or use a master machine to pull updates from the App Store.  Then, you can use tools ranging from Apple Remote Desktop to JAMF to deliver these updates to the client devices.  This can exert an ultimate level of control as only you, the gatekeeper, determine when devices are updated.  However, many updates require reboots so you need to be selective in your timing as you don't want to pull the carpet out from under a user.  Also, pushing the updates still requires local execution of the installer.  If you don't have a common admin account on all the devices, you will not be able to authorize the installation.

    Now, you can also "pull" updates.  Effectively, this is what is done when running software update manually.  Ah, but there are options as you have found.  You can just pull everything from Apple but if you have a slow Internet connection and a lot of devices, you can cripple yourself.  You can deploy Software Update Server, but then you get everything from Apple from the last 8 years, 90% of which you don't want.  Oh, and Software Update server means you need to customize each device with the custom update path.  If you are deploying portables, that means they must be on your LAN to get updates as the override supports one URL.  The final method is through Caching Server.  Caching Server requires no client side customization and only caches what you request.  The first device to request will require a download from Apple but all subsequent devices will pull from your caching server.  Very efficient.

    So, you decide to allow a client "pull" and realize that Caching Server is likely the easiest way to do this.  Ah, but you still don't want to visit every machine.  You can use the softwareupdate command line tool to run a software check across the entire fleet (man softwareupdate for details).  For example, say you have 10 machines and you have Apple Remote Desktop.  You can send a Unix command to all 10 machines such as:

    softwareupdate -i -a

    That command will tell each machine to install (-i) all (-a) available updates.  You can also target specific updates if you need to be selective (for example, Apple released iTunes and an OS update on the same day and you only want to push iTunes until you validate the OS update):

    softwareupdate -i NameOfiTunesUpdate.pkg

    Reid

    Apple Consultants Network

    Author - "El Capitan Server – Foundation Services"

    Author - "El Capitan Server – Control & Collaboration"

    Author - "El Capitan Server – Advanced Services"

    :: Exclusively available in Apple's iBooks Store

  • by pipboy-2000

    pipboy-2000 Apr 6, 2016 1:13 AM in response to Strontium90
    Level 1 (9 points)
    Servers Enterprise

    This is exactly the kind of answer I was hoping for. Caching server it is then. Via our Internet Security software I have an option to send any command to any Mac, so "softwareupdate -i -a" should do the trick. Furthermore, I have an admin account on every Mac in the office. My next question is around installing the update itself. While, as you have pointed out, I do not want to "pull the carpet out from under a user" (I like that!), I'm wondering how to initiate the installation so that the end user is only presented with a 'restart now, remind me later' option? Also, not all users have admin rights on their machines; will this make any difference, considering that I'm requesting the download using an admin account?

  • by Bosco1983

    Bosco1983 Apr 6, 2016 1:53 AM in response to pipboy-2000
    Level 1 (61 points)
    Servers Enterprise

    I ran both Software Update and Caching on my domain. Caching is great for iOS apps and ad-hoc updates, whereas Software Update I prefer for our desktop clients.

    To update desktop clients, I've set them to point at our update server using Profile Manager, and then I send out this terminal command as root via Apple Remote Desktop:

    softwareupdate -i -r

    It checks for required updates and hits our internal server.

    I reboot at the end also, as larger updates require a reboot (if not, you get a white screen of doom!)

  • by pipboy-2000

    pipboy-2000 Apr 6, 2016 2:12 AM in response to Bosco1983
    Level 1 (9 points)
    Servers Enterprise

    Okay, I'm looking after a relatively small environment (40 laptops) so the caching server will do the trick, plus I have only one old Mac mini for this project and you can't run both on the same PC. Since you send the command as root, does this mean that the laptop will automatically reboot while other users are logged in / using the machine? How do you get away with this? I would be crucified here.

  • by Bosco1983

    Bosco1983 Apr 6, 2016 3:14 AM in response to pipboy-2000
    Level 1 (61 points)
    Servers Enterprise

    Laptop won't automatically reboot.  The command tells the client to check which updates are available from the local software update server (or ASUS if not configured locally), then downloads and installs them with root permissions.

    I then send out a terminal command to reboot the machine.

    I only do desktop updates during times when the machines aren't used, e.g. school holidays.  It gives you time to fix any new quirks also.

  • by pipboy-2000

    pipboy-2000 Apr 6, 2016 4:48 AM in response to Bosco1983
    Level 1 (9 points)
    Servers Enterprise

    OK, I have tested it: using ssh, I have requested updates, followed by a remote restart command. The only problem I can see now is the lack of a "Sharing" option in Profile Manager. I would like to enroll all machines and apply a profile where Screen Sharing & Remote Login are enabled. Unfortunately (unless I'm going blind), there is no way to customise this part of the OS. Any command? Thanks.

  • by Bosco1983

    Bosco1983 Apr 6, 2016 5:58 AM in response to pipboy-2000
    Level 1 (61 points)
    Servers Enterprise

    The command requests updates and installs them.  When using Apple Remote Desktop it will tell you when the updates have finished, and then you can reboot.

    No settings in profile manager to enable Root and screen sharing - I set this locally in "sharing" and "Directory Utility" before taking an image.

  • by Strontium90

    Strontium90 Apr 6, 2016 10:27 AM in response to pipboy-2000
    Level 5 (4,067 points)
    Servers Enterprise

    Profile Manager is for setting policies, not for enabling services.   That being said, you can use tools to enable the services.  Ah, but one needs to be on in order for the other to work.  For example, if your machine has SSH enabled, you can use the kickstart command to enable and configure ARD or edit a plist and then use launchctl to enable Screen Sharing.  If ARD is already enabled, you can use the Remote Desktop admin console to enable SSH.  It is even a template in the Send Unix window.  You can also use Remote Desktop to create a preference package that can be sent to each device.

    As for alerting the end user, pipboy's advice is sound.  If possible, do the tasks when the user is away from the device.  But, that is easier in a controlled environment.  If the end users are all on laptops and the devices are not always around, sending a mass update is next to impossible.  Remote Desktop does have a feature called Task Server.  This will allow tasks to remain active, allowing devices not present the opportunity to return to the environment.

    You could craft a script that alerts the user of upgrade activity, prompting the user that an update is being applied.  You can then perform the upgrade and at the end send another prompt to the user.  In theory, this is possible to do.  It would be a lot of work, but possible.

    Case in point.  I have a machine running 10.11.3.  I used Remote Desktop to tell the system to update required items.  Remote Desktop returned this when complete:

    Finding available software

    Downloaded iTunes

    Downloading OS X El Capitan Update

    Downloaded OS X El Capitan Update

    Installing OS X El Capitan Update, iTunes

    Done with OS X El Capitan Update

    Done with iTunes

    Done.

    You have installed one or more updates that requires that you restart your

    computer.  Please restart immediately.

    But the unit did not reboot.  The logged in user is a standard user.  Nothing popped up on screen.  However, apps not running get wonky and the user experience will suffer.  However, you can send a message or notification stating reboot now.

    "Also, not all users have admin rights on their machines, will this make any difference, considering that I'm requesting the download using admin account?"


    If you are executing the commands as the local admin, then the end user's rights are unimportant.


    For 40 systems that are mobile, you might want to take a look at JAMF.  All of these tasks become very easy and user friendly.  Updates can be triggered on many events, including log out, log in, network change etc.  You can even have standard users initiate a software update from the self-service portal.

    Reid

    Apple Consultants Network

    Author - "El Capitan Server – Foundation Services"

    Author - "El Capitan Server – Control & Collaboration"

    Author - "El Capitan Server – Advanced Services"

    :: Exclusively available in Apple's iBooks Store

  • by pipboy-2000

    pipboy-2000 Apr 7, 2016 2:09 AM in response to pipboy-2000
    Level 1 (9 points)
    Servers Enterprise

    So far, thanks to your help, I have decided to do the following:

    - Enroll all devices

    - Activate Remote Desktop and SSH

    - Deploy Caching Service

    - 'Pull' updates via SSH terminal command as administrator

    - Inform users about the update and give them a chance to manually reboot

    - Schedule automatic reboot after 24 hours

    Thanks chaps for all your help. Thumbs up
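    The plan above (pull updates as an admin over SSH, install, tell the user, reboot automatically after 24 hours) can be put into one script. The script below is an added example written for this thread; it is not code from any of the posters. It assumes a Mac with /usr/sbin/softwareupdate, delivered to each client as an admin via ssh or Apple Remote Desktop. The two sample outputs embedded in it are constructed: the `softwareupdate -l` sample mirrors the El Capitan era layout (a "   * LABEL" line followed by an indented description with [recommended]/[restart] tags) with made-up labels and sizes, and the install sample is modelled on the transcript Reid posted. The `osascript` notification and `shutdown -r +1440` are my choices for the "inform the user" and "reboot after 24 hours" steps; a notification fired from a root ssh session may not reach the console user's session without extra work. The parsing functions are plain text processing, so they can be exercised on the samples without a Mac.

```shell
#!/bin/sh
# fleet_update.sh: added example, not code from the thread.
# Installs restart-free updates immediately, then the restart-required ones,
# and when softwareupdate itself says a restart is needed, notifies the user
# and schedules an automatic reboot 24 hours later.

# Constructed sample of `softwareupdate -l` output (labels and sizes made up).
SAMPLE_LIST='Software Update Tool
Copyright 2002-2015 Apple Inc.

Finding available software
Software Update found the following new or updated software:
   * iTunesX-12.3.3
        iTunes (12.3.3), 154423K [recommended]
   * OSXUpd10.11.4-10.11.4
        OS X El Capitan Update (10.11.4), 1378456K [recommended] [restart]'

# Constructed sample of install output, modelled on the transcript in the thread.
SAMPLE_INSTALL='Finding available software
Downloaded iTunes
Downloading OS X El Capitan Update
Downloaded OS X El Capitan Update
Installing OS X El Capitan Update, iTunes
Done with OS X El Capitan Update
Done with iTunes
Done.

You have installed one or more updates that requires that you restart your
computer.  Please restart immediately.'

# Read `softwareupdate -l` text on stdin; print "LABEL restart|norestart" per update.
classify_updates() {
    awk '
        /^[[:space:]]*\* / { label = $2; next }       # "   * LABEL" line
        label != "" {                                  # the description that follows
            printf "%s %s\n", label, ($0 ~ /\[restart\]/ ? "restart" : "norestart")
            label = ""
        }'
}

# Labels that install without a reboot (safe while a user is logged in).
no_restart_labels() { classify_updates | awk '$2 == "norestart" { print $1 }'; }

# Labels that leave the machine waiting for a reboot.
restart_labels() { classify_updates | awk '$2 == "restart" { print $1 }'; }

# Exit 0 when softwareupdate's install output (stdin) says a restart is required.
install_needs_restart() {
    grep -q 'requires that you restart'
}

# Best-effort notice to the console user (assumed approach; from a root ssh
# session this may not reach the user's GUI session).
notify_user() {
    osascript -e "display notification \"$1\" with title \"IT: software update\""
}

# Schedule a reboot in N minutes; macOS shutdown accepts a +minutes delay.
schedule_reboot() {
    shutdown -r "+$1"
}

# Orchestrator: only meaningful on a Mac where softwareupdate exists.
run_fleet_update() {
    command -v softwareupdate >/dev/null 2>&1 || { echo "softwareupdate not found" >&2; return 2; }
    list=$(softwareupdate -l 2>&1)

    # 1. Restart-free updates (e.g. iTunes) go in straight away.
    for label in $(printf '%s\n' "$list" | no_restart_labels); do
        softwareupdate -i "$label"
    done

    # 2. Restart-required updates: install, then trust the tool's own verdict.
    labels=$(printf '%s\n' "$list" | restart_labels)
    [ -n "$labels" ] || return 0
    # shellcheck disable=SC2086  (word splitting of $labels is intended)
    out=$(softwareupdate -i $labels 2>&1)
    if printf '%s\n' "$out" | install_needs_restart; then
        notify_user "Updates installed. Please restart when convenient; an automatic restart is scheduled in 24 hours."
        schedule_reboot 1440
    fi
}

# Run for real only when invoked as: sh fleet_update.sh run
case "${1:-}" in
    run) run_fleet_update ;;
esac
```

    Splitting the labels by the [restart] tag is what lets the iTunes-now, OS-update-later case from the solved answer happen automatically instead of by hand-picking package names; the final decision to schedule the reboot is taken from softwareupdate's own "requires that you restart" message rather than from the label list, so a package whose tag was missing still gets a reboot scheduled.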

  • by Leopardus

    Leopardus Apr 7, 2016 4:27 AM in response to Strontium90
    Level 4 (1,087 points)
    Desktops

    Reid,

    Massive advice, as always!

    Leo

  • by pipboy-2000

    pipboy-2000 Apr 7, 2016 6:52 AM in response to pipboy-2000
    Level 1 (9 points)
    Servers Enterprise

    Okay, since I have such a capable group here, a couple of questions:

    - what's the best way / tool for preparing a corporate image of OS X (with extra software packages, printer drivers etc)

    - I've applied a profile to one of the test Macs and it works like a charm, but on the desktop there is a Macintosh HD icon. Where can I disable it in Profile Manager?

    Thanks in advance

  • by Strontium90

    Strontium90 Apr 7, 2016 12:21 PM in response to pipboy-2000
    Level 5 (4,067 points)
    Servers Enterprise

    Oh boy.  You have opened up a can of worms!

    First, there is no best way.  I've struggled to find it and it is an elusive mythical beast.  Your environment, needs, device issuance policy, and about 400 other factors will influence the methods (note the plural) that you use.  Here are some thoughts and options.  And, by the way, I really believe Apple is listening to the community and they are working on solving these challenges.  But, when it comes to imaging/deployment/etc topics, there are always exceptions to the rules.  Let's start with some topics to sink your teeth into.

    First, you should be checking out Apple's DEP and VPP programs.  If you don't know about them, head on over to https://deploy.apple.com.  Ok, how does this help you?  In a perfect world, IT creates an infrastructure of infinite efficiency and everything resonates with hints of harmony.  With DEP and VPP this is closely achievable for initial deployments.  Let's go through the process.  You set up an MDM solution (Profile Manager, JAMF, AirWatch, etc).  You enroll your company in DEP and start buying direct from Apple or from a DEP capable authorized reseller. No Apple Stores allowed here unless you are working with the business teams.  Now, all devices that you purchase are linked to your organization.  Through the DEP portal, you can assign these devices to your MDM(s).  Now, logging into your MDM you see the devices, allowing you to set enrollment policies.  This allows you to do some magical things.  For example, you get a stack of new laptops.  Simply hand them out to the end user.  Let the user unwrap the unit and get the power on rush.  Setup Assistant will ask to join a network.  Once it does, it will reach out to Apple, realize the device is part of DEP, discover the URL for the assigned MDM server, and then route to the MDM server asking the user to enroll the device.  The user enters a domain credential set (more on this later) and the device will then receive all policy and packages defined on the enrollment policy.   IT is removed from the actual device setup and configuration.  All you need to do is build the foundation.  End users do the rest.  Ah, harmony.

    Ah, but this method has some obvious holes.  They can be overcome, but it is more work.  Here are a few.  First, the user is the local admin account.  Many organizations prohibit users from being admin.  Next, while the units are enrolled by using domain credentials, the device is not bound to a domain.  Now, if the user account is local, this obviously is useless, but you are now managing policies on local accounts on a per machine basis instead of doing it in one place on the domain server.  Now, on the flip side, for companies deploying mostly laptops, binding to a domain only ends up being a pain anyway.  After all, who reboots their Mac?  The domain is only truly negotiated during login window.  This is the Apple push to a domain-less deployment world.  But as usual, Apple is about a year or more ahead of the rest of the world.  Right now, this is being met with resistance (yet the resistance is easing, partly due to the "success" being promoted by IBM).

    Whoa you say.  I can let my end users have at it on machines.  I need to control them and I want to do imaging.  There are a few ways you can pull this off.  You can do full blown monolithic imaging.  You sit down, craft a master machine to be everything you want for your workforce.  You install the OS, patch it, manage core AppStore apps, install print drivers, define printers, install and serialize 3rd party apps, and customize the initial user experience by customizing the User Template.  You capture this pristine work of art to a DMG and you start cloning it to your other devices.  Life is great.  Cloning on modern gear takes less than 10 minutes so you are feeling pretty good about going from shrink-wrapped box to user's desk in about 20 minutes.  And then Apple releases updated hardware.  The hardware runs on a newer version of the OS and your image kernel panics the machine.  Argh.  Time to start all over again.  Monolithic imaging is great when deploying tens or hundreds of machines during a narrow deployment window.  Monolithic requires a lot of management if you are deploying one or two machines at a time.  Because, the minute you finish it, someone (Adobe Flash, Firefox, Chrome, Acrobat, iTunes...) will release an update, rendering your perfect image not so perfect.

    Ok, so those are two extreme ends of the spectrum.  There are many places to stand in between these polar opposites.  For example, with JAMF you can achieve a hybrid thin imaging process.  One argument Apple always uses against monolithic imaging is "why replace perfectly good bits with the same bits."  Meaning every machine ships with an OS and a bunch of apps.  Cloning an image over the OEM OS is effectively overwriting what is already there.  With tools like JAMF, you can take a hybrid approach, allowing the shipping OS to remain in place while adding only your changes, including a consistent initial local admin, User Template modifications, core application installation, etc.  By doing this method, you avoid the constant creation or management of a monolithic image and instead focus on managing the application versions.  Now, when you have to prep a machine in the first week of the month, the machine gets Flash 21.0.0.123 but when you prep a machine in the final week of the month it will get Flash 21.0.0.999.  You maintain the menu of options, delivering a consistent set of tools to the unit regardless of the shipping OS.  So that new laptop that will only boot 10.11.5 will be fine (assuming no application incompatibilities...) because you are not trying to overwrite an OS.

    Next this goes into the topic of setting preferences.  I am all about the "initial user experience."  Maybe because of the education deployments.  Maybe because of complying with never-ending corporate device policies.  However, there is comfort in knowing that every user will start off with the same experience.  This makes documentation and self-help documents easier to create.  By crafting a consistent initial user experience you can also guide usage of the device.  Don't want users discovering devices via Bonjour... Hide Bonjour Computers in the side bar.  Don't want anyone Air Dropping... Hide Airdrop.  Don't want .DS_Store files littering the enterprise Windows server... Prevent creation of the files.  Want to stop every user from being prompted to login with her Apple ID... suppress Setup Assistant.  Ah, but these are not configurable outside of some defaults commands and the customization of the User Template.

    And finally (Sorry, you got me on a free afternoon and I just don't feel like starting something new) there is the question about lifecycle management.  A Mac issued to a user may come back to you.  And then what?  If you are using DEP and the user set up the machine initially, you can't just hand the machine to the next user.  You need to reset the machine.  But how?  Let's say it was purchased in 2015 and shipped with Yosemite.  Since, it was updated to El Cap.  You get it back and... Reinstall from recovery partition?  Now you are missing your iApps.  If you converted them to VPP license, then fine, let the next invited user install them.  If you are not using VPP, then you need to go and get them using which Apple ID?  Yours?  A generic "enterprise" ID?  And then how do you update them later?

    On the flip side, maybe you built the machines with monolithic images.  You bought/leased a fleet of devices in 2015 and your image is Yosemite 10.10.5.  You have not purchased any new gear but since purchase, everyone is now on El Cap.  A machine comes back to you.  Do you re-image using the 10.10.5 image that you built nearly a year ago and then go through the process of upgrading everything to get it back up to date?  Ouch, there goes a whole day.

    Once again, sorry for the rant.  I think, all this above is just saying there really is no one way to do this.  You likely should employ a number of strategies to satisfy different phases of the Mac's life.  Using an MDM like JAMF can make things a lot easier.  But managing the environment with a monolithic image can be fast and simple when it is time to image or reset.  You need to analyze the needs of your deployment and also look at what type of infrastructure you want to build.  Monolithic can be accomplished with a bootable external volume.  Anything from an SD card to a Thunderbolt drive will work.  Thin and zero touch needs infrastructure.  Monolithic is great for initial consistency but you need to make up the continuing management on your own.  Thin can provide continued management efficiently.

    Ok, I need to stop.  I think I can go on about this for hours.  Hope this helps.  The only way you will know is to start experimenting and trying out different methods.  See which works best for you, your business, and your users.

    Reid

    Apple Consultants Network

    Author - "El Capitan Server – Foundation Services"

    Author - "El Capitan Server – Control & Collaboration"

    Author - "El Capitan Server – Advanced Services"

    :: Exclusively available in Apple's iBooks Store

  • by Bosco1983

    Bosco1983 Apr 8, 2016 12:43 AM in response to pipboy-2000
    Level 1 (61 points)
    Servers Enterprise

    "Okay, since I have such a capable group here, couple of questions:

    - what's the best way / tool for preparing a corporate image of OS X (with extra software packages, printer drivers etc)"

    Deploy Studio - free, fast and straightforward.

    "- I've applied a profile to one of the test Macs and it works like a charm, but on the desktop there is a Macintosh HD icon. Where can I disable it in Profile Manager?"

    This is under the "Finder" settings, and you can show/hide network shares etc. on the desktop.

  • by pipboy-2000

    pipboy-2000 Apr 8, 2016 1:54 AM in response to Strontium90
    Level 1 (9 points)
    Servers Enterprise

    Hi Reid,

    I have quickly learnt that you like to give very thoughtful answers, but this exceeded my expectations in every shape and form (yes, that is a compliment). By the sound of it, there is no one universal solution and I will have to tailor my approach to business needs. I deal with a relatively small number of new laptops (usually 1-2 per month), therefore Profile Manager is a good starting point. Since I usually know at least a week before the new starter joins the business, I have enough time to set up all parameters myself. Asking end users to enroll themselves in Profile Manager is a no-go as this will be met with moderate resistance (we all want more power, not less, and asking them to simply update the OS is already a big fuss). 'Monolithic imaging', as you have correctly pointed out, is not going to be very efficient due to constant updates being rolled out. Our company policy requires me to securely wipe the entire HDD when a laptop is recycled, so currently I have a bootable USB with an El Capitan image. I guess making sure that this USB contains the latest version of OS X would be a good starting point, and all additional 3rd party apps (there aren't that many of them) can be installed manually. For an SMB this is feasible. I will explore DEP & VPP further as well as Deploy Studio as suggested by Bosco1983. I'm a newbie to this whole Apple world, so no doubt there will be more posts from my side.

    Thanks a lot!
