I run apt-get update -qq; apt-get upgrade -duyq daily. This will check for updates, but not do them automatically.
Then I can run the upgrades manually while I am watching, and can correct anything that might go wrong.
Besides the security concerns of maintaining a patched system, I find that if I leave it too long between patches, I end up with a whole bunch of packages that want to be upgraded, and that scares me a lot more than just upgrading one or two every week or so. Therefore I tend to run my upgrades weekly, or if they are high priority, daily. This has the added advantage of knowing which package broke your system (i.e. if you're only upgrading a couple at a time).
I always upgrade less critical systems first. I also have a "rollback plan" in place in case I can't fix the system (since most of our servers are virtual, this rollback plan usually consists of taking a snapshot before the upgrade that I can revert to if necessary).
That being said, I think an upgrade has broken something only once or twice in the past 4 years, and that was on a highly customized system - so you don't have to be TOO paranoid :)
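The weekly-versus-daily split described in this answer can be driven by what the package manager reports as pending. The script below is an added example, not part of the original answer: it parses the "Inst" lines printed by `apt-get -s upgrade` (simulate only) and separates upgrades offered from a security archive from routine ones. The function names and the sample output are constructed, and matching "security" in the origin text is a heuristic that assumes Debian/Ubuntu archive naming.

```shell
#!/bin/sh
# Added example: triage pending upgrades from `apt-get -s upgrade` output.
# An "Inst" line looks like:
#   Inst <pkg> [<installed>] (<candidate> <origin>:<suite> [<arch>])

# Constructed sample of simulation output (not taken from a real host).
sample_sim_output() {
cat <<'EOF'
Reading package lists...
Building dependency tree...
Inst libssl3 [3.0.11-1~deb12u1] (3.0.11-1~deb12u2 Debian-Security:12/stable-security [amd64])
Inst openssl [3.0.11-1~deb12u1] (3.0.11-1~deb12u2 Debian-Security:12/stable-security [amd64])
Inst tzdata [2023c-5] (2024a-0+deb12u1 Debian:12.5/stable [all])
Conf libssl3 (3.0.11-1~deb12u2 Debian-Security:12/stable-security [amd64])
EOF
}

# Read simulation output on stdin and print "pkg old -> new" for each
# pending upgrade of the requested class: "security" or "routine".
pending_upgrades() {
    awk -v want="$1" '
        $1 == "Inst" {
            # Classify on the parenthesised part only, so a package
            # name containing "security" is not misread (heuristic).
            rest = substr($0, index($0, "("))
            class = (rest ~ /[Ss]ecurity/) ? "security" : "routine"
            if (class != want) next
            # Packages with no installed version have no [old] field.
            if ($3 ~ /^\[/) { old = $3; new = $4 } else { old = "none"; new = $3 }
            gsub(/^\[|\]$/, "", old)
            sub(/^\(/, "", new)
            print $2, old, "->", new
        }'
}

# Exit status 0 when at least one security upgrade is pending on stdin.
security_pending() {
    [ -n "$(pending_upgrades security)" ]
}

# Demo on the constructed sample; on a real host pipe in `apt-get -s upgrade`.
if sample_sim_output | security_pending; then
    echo "Security upgrades pending (handle today):"
    sample_sim_output | pending_upgrades security
fi
echo "Routine upgrades (can wait for the weekly window):"
sample_sim_output | pending_upgrades routine
```
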
Best Answer
Defaults
The simplest method is to run a defaults command on the client Macs (easily pushed via Apple Remote Desktop):
for a user. If you run it via sudo it will set it for whenever you use softwareupdate as root.
The HTTP_URL_FOR_CATALOG has been changed with Mac OS X 10.6. If you use MCX it will automatically pick the new catalog - however if doing it manually the following URLs need to be used for whichever client version is in question:
http://mysus.example.com:8088/index.sucatalog
http://mysus.example.com:8088/index-leopard.merged-1.sucatalog.sucatalog
http://mysus.example.com:8088/index-leopard-snowleopard.merged-1.sucatalog
http://mysus.example.com:8088/index-lion-snowleopard-leopard.merged-1.sucatalog
index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog
To double check this applied you can run the following command:
/usr/libexec/PlistBuddy -c Print /Library/Preferences/com.apple.SoftwareUpdate.plist
and
/usr/libexec/PlistBuddy -c Print ~/Library/Preferences/com.apple.SoftwareUpdate.plist
to see what settings are for the computer and user appropriately.
If this is working correctly when running Software Update (GUI) you should see the server address appear in parentheses in the title of the window.
MCX
Another alternative is to use Workgroup Manager to manage the preferences via MCX from your server. This can be done for users, or for computers if they are bound to your Open Directory.
If you are using 10.5 Server or newer: you can simply use the Software Update section under Preferences.
Manually:
If this is working correctly when running Software Update (GUI) you should see the server address appear in parentheses in the title of the window.