Mac software updates for Unmanaged clients on a different network

Hi,


I'm trying to set up a Mac update server and point unmanaged clients to it. The problem is it works locally, but I need this to work across subnets.


I set my server to send updates using port 8088 and changed the com.apple.SoftwareUpdate CatalogURL to point to my update server. I changed the access permissions to accept any communication using TCP/UDP 8088 to all the networks on the Server app, and I tested locally and it works.


Once I try to access from a different network I don't see any progress.


Thanks.

MacBook Pro (13-inch Mid 2012), OS X Yosemite (10.10.5)

Posted on Nov 24, 2016 12:28 PM

9 replies

Apr 12, 2017 8:13 AM in response to Ajmaq

Hi Everyone,


I managed to set it up by changing the server and the clients:

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://osxserver.krypted.com:8088/index.sucatalog



I discovered you can push this using a GPO from Active Directory with Centrify.


Then I can run the following command to see the list of updates enabled:


softwareupdate -l


Then to install I can use the command:


softwareupdate -i -a


Now I'm looking for a way to invoke this command in a GPO for the Macs, but Centrify is not running the commands. Therefore I will create a script, run it every time the Mac reboots, and display some info to the users with some pop-up windows only if the updates are about to install.

Nov 25, 2016 10:54 AM in response to Ajmaq

Whilst the Software Update Server function is officially discontinued in Sierra and Server.app it is still possible to use it with Mac clients if you have an alternate SUS server - either an older version or an alternative like Reposado.


The process of getting your Macs to look at your own SUS server is, as you describe, to define a specific URL in that plist file. Depending on your choice of SUS server software and how you configure it, you can use other TCP/IP ports, but 8088 is the standard choice.


Therefore the process for a Mac client to access a SUS server on a different subnet is down to a combination of a DNS lookup and being able to access port 8088 via the router linking the subnets.


You should first do a DNS lookup on a client Mac on the problem subnet to make sure the DNS lookup works and returns the correct TCP/IP address. Then do a ping test to see if the client Mac can reach that server. Then any remaining problem is likely to be down to a firewall rule blocking port 8088 between the two subnets.
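
The checks in the reply above (DNS lookup, ping, port 8088), as an added shell example that is not part of the original posts; it goes one step further and confirms that the configured URL returns a catalog and not just any page. The function names are hypothetical, and the test for a `Products` key assumes the usual XML plist catalog format.

```shell
#!/bin/sh
# Added example: client-side checks for a custom Software Update catalog.
# The plist path and the CatalogURL key are the ones used in the thread.
PLIST=/Library/Preferences/com.apple.SoftwareUpdate

# Split scheme://host[:port]/path into "host port" (default 80, or 443 for https).
parse_catalog_url() {
    rest=${1#*://}            # drop the scheme
    hostport=${rest%%/*}      # keep everything before the first "/"
    host=${hostport%%:*}
    case $hostport in
        *:*) port=${hostport##*:} ;;
        *)   case $1 in https://*) port=443 ;; *) port=80 ;; esac ;;
    esac
    echo "$host $port"
}

# Assumption: a catalog is an XML plist with a Products dictionary; a directory
# index or an error page served on the same port does not contain that key.
looks_like_catalog() {
    grep -q '<key>Products</key>' "$1"
}

check_client() {
    url=$(defaults read "$PLIST" CatalogURL 2>/dev/null) || { echo "CatalogURL not set"; return 1; }
    set -- $(parse_catalog_url "$url")
    echo "CatalogURL: $url (host $1, port $2)"
    nslookup "$1" >/dev/null 2>&1 || { echo "FAIL: DNS lookup for $1"; return 1; }
    ping -c 2 "$1" >/dev/null 2>&1 || echo "WARN: no ping reply from $1"
    nc -z -w 5 "$1" "$2" || { echo "FAIL: TCP port $2 blocked or closed"; return 1; }
    tmp=$(mktemp /tmp/sucatalog.XXXXXX) || return 1
    curl -fsS --max-time 30 -o "$tmp" "$url" || { rm -f "$tmp"; echo "FAIL: HTTP fetch"; return 1; }
    if looks_like_catalog "$tmp"; then echo "OK: catalog served"; rc=0
    else echo "FAIL: response is not a catalog"; rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Run the checks only when asked to, e.g.: sh check_sus.sh run
if [ "${1:-}" = run ]; then check_client; fi
```

Run it on a client in the problem subnet; the first FAIL line shows whether name resolution, routing/firewall, or the server's HTTP response is at fault.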

Nov 25, 2016 11:01 AM in response to John Lockwood

Hi John,


Thanks for your help. I can see the results of the nslookup and they are right. I checked the port configuration for the firewall and it permits any communication using port 8088. I can see this because if I go to Mac X (my remote unmanaged Mac on a different subnet) and open the browser, I can see it can reach http://my.server:8088/ and the index for the catalogs.


The problem is when I open the MacStore ... there are no updates coming. I checked the CatalogURL and it points to the server correctly.


Server version 5.2 running on macOS Sierra.


Thanks.

Nov 28, 2016 9:57 AM in response to John Lockwood

Hi John,


Thank you for your answer. It works... I see that the Mac computer on the same network gets the update via the MacStore app, but the Mac computer was not getting the MacStore app to work.


I can see the list of updates. I will create a script for the Macs to install them by running the softwareupdate -iva command. The only problem is some applications like Safari need to be closed during the update; maybe there is a way to run the command once the Mac is rebooted.


Thanks for your help.

Nov 28, 2016 10:32 AM in response to Ajmaq

If you want to automate installing Apple software updates on your client Macs then consider installing and setting up Munki along with Reposado.


Reposado is a replacement for Apple's SUS server component of Server.app which Apple no longer include in Server.app. See - https://github.com/wdas/reposado


Munki allows you to push both applications, application updates and SUS updates to Macs. It does not require the user to enter an admin account and password to allow it to work. The updates can install automatically. See - https://www.munki.org/munki/


With Munki, if the Mac is at the login window then updates like Safari etc. will not be blocked; otherwise updates will, if not blocked, happen immediately, or get queued for when they log out.

Nov 29, 2016 5:32 AM in response to John Lockwood

Hi John,



Thanks again. I tested Munki before and this software works very well. The problem is I cannot use any open source software to address the updates.


It's a great challenge because when I enable an update on the Mac Server it becomes available for a couple of hours and then is not on the list anymore. The other problem is some of the updates need to reboot the Macs, therefore I need to push updates late at night so users don't get their Macs rebooted or their applications closed suddenly.


I will see if I can do something with Automator and Apple Remote Desktop.


Thanks,

Nov 29, 2016 5:42 AM in response to Ajmaq

It is very unusual to have a policy prohibiting using open source software as even government departments use this. In fact I am not sure how you can actually get away with this. You need to realise that even OS X from Apple includes many open source programs including Apache, Bind, PHP, bash, openssl, openldap and so on. Linux of course is effectively 100% open source.


About the only option that may not include any open source software would be a pure Windows environment and clearly you are not doing that.


In the meantime consider JAMF Casper Suite which is a commercial Mac management solution. IBM use this to manage about 100,000 Apple devices.
