Mac OS X silent software updates on a schedule w/ forced reboots if necessary

mac-osxscheduled-taskupdate

I am in charge of about 40 Mac OS X computers on a predominantly PC network. The systems are running about an equal mix of Mac OS X 10.5 and 10.6.

We are instituting a new policy of forcing OS and software patches on all machines on a weekly schedule. We have some system management software in place that makes this pretty easy for the PCs, but I'm a little at a loss for a great solution on the Macs. Here is what I want to happen:

Every Friday at something like 9PM, all Macs should go out to Apple's software update server, download every patch, and reboot if necessary. This should happen automatically and on a schedule without any user or administrator interaction.

We don't have a Mac OS X Server, and purchasing one probably won't be an option for some time. I do however have the latest version of Apple Remote Desktop.

Any help would be appreciated.

Best Answer

Scott's answer is essentially correct, but a better method would be the following command (see the softwareupdate man page for full details):

/usr/sbin/softwareupdate --install --all --schedule off && /sbin/reboot

The addition of --schedule off will prevent the machine from checking & notifying the user of new updates the rest of the time. && /sbin/reboot will restart the machine if softwareupdate finished without error.

Also, I'd highly suggest that this be run from launchd for the sole reason that if the machine is asleep at the time it's supposed to fire, it'll be run as soon as the machine is woken up. It still won't fire off the job if the machine was off, but it's at least a little more intelligent than cron.

An example launchd plist file is as follows (see the launchd.plist man page for further details) and would need to be saved in /Library/LaunchDaemons/ as something like tld.domain.asu_reboot.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC -//Apple Computer//DTD PLIST 1.0//EN http://www.apple.com/DTDs/PropertyList-1.0.dtd >
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>tld.domain.softwareupdate</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/local/sbin/asu_reboot</string>
        </array>
        <key>StartCalendarInterval</key>
        <dict>
            <key>Hour</key>
            <integer>21</integer>
            <key>Minute</key>
            <integer>0</integer>
        </dict>
    </dict>
</plist>

And the command would be put into a bash script in /usr/local/sbin/asu_reboot (Apple Software Update Reboot) called by the above launchd plist, like so:

#!/bin/bash
/usr/sbin/softwareupdate --install --all --schedule off && /sbin/reboot

With those two items in place (the bash script and the launchd plist), you would run the following command to load the job (or reboot the machine and it'd load automatically):

sudo launchctl load -w /Library/LaunchDaemons/tld.domain.asu_reboot.plist

Defaults

The simplest method is to run a defaults command on the client Macs (easily pushed via Apple Remote Desktop):

defaults write com.apple.SoftwareUpdate CatalogURL 'HTTP_URL_FOR_CATALOG'

for a user. If you run it via sudo it will set it for whenever you use softwareupdate as root.

The HTTP_URL_FOR_CATALOG has been changed with Mac OS X 10.6. If you use MCX it will automatically pick the new catalog - however if doing it manually the following URLs need to be used for whichever client version is in question:

Mac OS X 10.4: http://mysus.example.com:8088/index.sucatalog
Mac OS X 10.5: http://mysus.example.com:8088/index-leopard.merged-1.sucatalog.sucatalog
Mac OS X 10.6: http://mysus.example.com:8088/index-leopard-snowleopard.merged-1.sucatalog
Mac OS X 10.7: http://mysus.example.com:8088/index-lion-snowleopard-leopard.merged-1.sucatalog
Mac OS X 10.8: index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog

To double check this applied you can run the following command:

/usr/libexec/PlistBuddy -c Print /Library/Preferences/com.apple.SoftwareUpdate.plist
and /usr/libexec/PlistBuddy -c Print ~/Library/Preferences/com.apple.SoftwareUpdate.plist
to see what settings are for the computer and user appropriately.

If this is working correctly when running Software Update (GUI) you should see the server address appear in parenthesis in the title of the window.

MCX

Another alternative is to use Workgroup Manager to manage the preferences via MCX from your server. This can be done for users, or for computers if they are bound to your Open Directory.

If you are using 10.5 Server or newer: you can simply use the Software Update section under Preferences.

Manually:

Choose the accounts, computers, or groups to have the preference applied to.
Click on Preferences, and then the Details tab
Press the Add... button and navigate to /Library/Preferences/com.apple.SoftwareUpdate.plist
Press Edit...
Under Often, add a New Key and enter the name CatalogURL
Make sure the type is string and then enter your SUS URL (eg. http://mysus.example.com:8088/index.sucatalog or if using 10.6: http://mysus.examle.com:8088/ - see above from the defaults section)
Press Apply Now, then Done. Once users/computers have refreshed their MCX settings (usually the next login or restart) the new settings will take over.

If this is working correctly when running Software Update (GUI) you should see the server address appear in parenthesis in the title of the window.

Why does Mac OS X Software Update not work when machine uses Active Directory

It appears that suhelperd is crashing and that explains why it doesn't work. I've submitted a bug report to Apple (radar://7408619).

Best Answer

Related Solutions

Mac OS X – How to Change the Software Update Server Address

Defaults

MCX

Why does Mac OS X Software Update not work when machine uses Active Directory

Related Topic