Software Updates

Frequent software updates have become a fact of life, thanks to Apple continually rolling out new versions of the software in order to fix bugs and plug security holes. Apple has put a great deal of effort into making it easier for Macs and iOS devices to discover, download, and install various updates, for both individuals and groups.

In this chapter, I’ll focus on groups, since OS X Server contains a pair of services that help you manage these updates for your home, office, or entire organization. In particular, OS X Server aims to give administrators two important capabilities:

• Limit bandwidth usage: Software updates keep increasing in size, with major updates to OS X and iOS hitting multiple gigabytes. iOS apps and Mac apps from the Mac App Store are also an issue, given the number that users download and how often they’re updated. All that data adds up, and while you can’t avoid downloading one copy of each item, if you have a few devices in a household, or a number of users in an office or school, there’s no reason to tax your Internet connection by downloading multiple copies of each item simultaneously as users update en masse.
• Control update distribution: Although Apple and independent developers always intend for their updates to address bugs, it’s not uncommon for an update to cause its own unanticipated problems. I’ve seen OS X and security updates break printing, prevent certain fonts from displaying, and cause certain apps to crash on startup. In each case, a subsequent update resolved the problems, but if you support numerous users, vetting updates before allowing them to be installed can save you significant headaches.

These ideas—caching software updates to reduce bandwidth usage and giving administrators control over which updates are made available to users—underpin two services in OS X Server: Caching and Software Update. They do roughly similar things but don’t overlap entirely, so you may want to run one, the other, or both, depending on your needs.

Decide Which Update Services to Use

Both the Caching service and the Software Update service are designed to download updates from Apple and provide them to users on your local network. But that’s where the similarities end, so let’s look at each in turn so you can decide which to run.

About the Caching Service

OS X Server’s Caching service is one of the easiest to configure and provides an immediate benefit to any network that hosts Apple devices. The Caching service caches all updates from Apple on your server, and all Macs and iOS devices download from your server rather than directly from Apple. This offers two big benefits: reduced bandwidth and faster updating for users.

The Caching server downloads only a single copy of each update, and each device that needs the update gets it from the server rather than from Apple. So if Apple releases a new version of iOS or an update to the iWork apps for OS X, your Internet connection won’t bog down as each device struggles to download those large updates.

Similarly, because each device gets updates from the server over the fast local network rather than over a much slower Internet connection, users shouldn’t have to wait nearly as long for updates to download.

Other than music and video from the iTunes Store, the Caching service makes a local copy of nearly everything a Mac or iOS device can download from Apple, including:

• OS X and iOS updates
• Mac apps from the Mac App Store and updates
• iOS apps and updates
• Books from the iBooks Store
• Apps and books from iTunes U
• Internet Recovery software

Running the Caching service is a no-brainer, since any home, school, or company with more than a couple of Apple devices will benefit, and it takes only moments to set up. The only thing the Caching service doesn’t do is let you choose which updates your users see; for that, turn to the Software Update service.

About the Software Update Service

It’s less clear whether you should run the Software Update service, since it works only with Mac software from Apple (not apps from the Mac App Store) and requires more configuration, in terms of both choosing which updates to release on the server and pointing client devices at the server.

The main reason to run the Software Update service is if you want more control over which Mac updates are made available to users on your network. This likely isn’t important in a home environment and might not be worth the effort in a small office, but once you’re at the enterprise level it’s essential for ensuring that users don’t install an update before you’ve had a chance to vet it.

That said, if you’re serious about centralizing software updates for your organization, you may want to investigate a third-party option. In my experience, the Software Update service has three limitations:

• Software Update cannot be configured to serve update packages from other vendors, such as Microsoft and Adobe. If you want to centralize those updates, Software Update won’t help.
• You can’t release updates to only a group of Macs, making it hard to maintain a testing group.
• Although this isn’t OS X Server’s fault, many Apple updates require the user to enter an administrative password. If you haven’t given your users administrator accounts on their Macs, you’ll need another tool (such as Apple Remote Desktop) for automatic installing.

Many organizations have addressed these issues with third-party solutions, such as the comprehensive Absolute Manage, FileWave, and JAMF’s Casper Suite, all of which are commercial software and offer a wide variety of features. (Full disclosure: I am currently employed by JAMF.) On the open-source side, there’s Reposado, a replacement for Software Update that can run on any Unix-based system and lets you create an unstable/testing/release workflow.

But don’t get me wrong; overall, the Software Update service is easily configured and managed, and works well for deploying updates. It is what it needs to be for many OS X Server administrators.

So which should you use? Everyone should enable the Caching service, but only those who need to approve Mac updates before they’re presented to users need to turn on Software Update.

Configure the Caching Service

To get started with the Caching service, open the Server app and click Caching in the sidebar. There are only three settings: where the cached data should live, how large the cache should be, and whether or not to cache content for users on other subnets. Configure them before you click the ON button (Figure 118).

First, decide whether you want the cached data to live on the volume that contains service data for OS X Server (generally the startup drive). If not, click the Edit button to the right of Volume and choose a new volume for the cached content.

I recommend choosing a drive with plenty of free space, since your cache size should be at least 100 GB. It’s best to do this before turning the Caching service on, to avoid needing to move gigabytes of data.

Once you’ve chosen the appropriate destination, drag the Cache Size slider to the desired amount of space. Allot at least 100 GB, but since the slider doesn’t allow for much precision, you may not be able to choose the exact size you want. The smaller the cache, the more likely that older updates will be deleted to make room for new ones, forcing the Caching service to download them again when requested. You can always increase the size later, as long as there’s room on the drive.

Most people should leave the “Only cache content for local networks” checkbox selected; deselect it only if you have a complex local network with multiple subnets and you want to provide cached content for users on other subnets.

That’s it. Click the ON button to enable the Caching service, and it starts downloading updates and purchases from Apple as they are requested. Each downloaded update then becomes available to other devices on the network.

Nothing needs to be done to alert Macs and iOS devices on the network to the presence of the Caching server; they discover and use it automatically, taking advantage of high-performance Wi-Fi and Ethernet connections and leaving the Internet connection free for what’s important: Netflix!

Configure the Software Update Service

Enabling the Software Update service isn’t significantly more difficult than enabling the Caching service, but it requires a bit more thought, and potentially quite a bit more time.

To begin, open the Server app and select the Software Update service in the sidebar. By default, Software Updates works in Automatic mode, in which it mirrors Apple update servers, making every OS X update Apple publishes available to your users unless you disable it manually. Plus, when updates are no longer supported by Apple, they’re removed automatically, which often isn’t desirable (since you likely want to keep an older update available while you test the new one).

Instead, I assume you want more control over which updates are offered to your users; to get that control, select Manual. Then click the ON button to enable the service and start downloading the list of updates (Figure 119).

Click the Updates button to see them, but don’t expect anything to appear right away. It can take 15–30 minutes to download just the list of updates from Apple, even with a decently fast Internet connection, so go read your email or get a cup of coffee. I’ll wait.

Once the Updates pane has populated with the list of updates from Apple (there are a lot—773 as of this writing!), you need to decide whether you want to store them all locally or not. If so, you’ll select the “Automatically download new updates” checkbox—but read on before you do.

The problem is that Software Update needs a lot of space—assume at least several hundred gigabytes—and you can’t easily control how much space is used. Annoyingly, unlike with the Caching service, you can’t relocate just the Software Update data; it is always kept with the rest of OS X Server’s service data.

Now it’s time to work with individual updates (Figure 120). With so many items, it’s essential to remember that you can sort the list by clicking the header of any of the columns: Name, Version, Date, Size, and Status. Click the column header a second time to reverse the sort. Equally useful is the Filter Updates field, which limits the updates listed to those that match an specified search term.

Each individual update can have one of four statuses:

• Available: If “Automatically download new updates” isn’t selected, this status means that the update is available to download but isn’t currently stored locally.
• Waiting: While an update is being downloaded, the status changes to Waiting. You’re more likely to see it for large updates.
• Enabled: When an update’s status is Enabled, it has been downloaded and is available for users to install.
• Disabled: An update with the Disabled status remains local but isn’t available for users to install.

To change the status and control the storage of each update, you have the following options, available from the gear menu at the bottom of the screen and from the pop-up menu to the right of each item:

• Download: You can download Available updates manually; they remain disabled after downloading and must be enabled separately.
• Download and Enable: This option downloads and enables available updates in one action.
• Enable: Updates that have been downloaded and are disabled can be made available to users with this command.
• Disable: If you want to prevent users from accessing an update that was previously enabled, choose Disable.

• Remove: To reclaim the space used by an update, whether it’s enabled or disabled, choose Remove. Needless to say, removing an enabled update disables it as well.
• View Update: To read the release notes for a selected update, choose View Update (or just press Return). The status and gear menu are replicated in the Update Summary view (Figure 121).
  

  Figure 121: Learn more about an individual update by selecting it and pressing Return.

Once you’ve configured all the appropriate updates as desired (which takes time, since there are many to go through), it’s time to configure client Macs.

Point Clients at the Software Update Service

There are two ways to configure client Macs to look to your Software Update server instead of Apple’s, but neither is particularly pretty. If you’re using Profile Manager and distributing profiles to each Mac, the best approach is to add a custom setting to the profile. If that’s not possible, you’ll have to Configure Software Update via the Command Line on each client Mac.

Configure Software Update with a Profile

If you haven’t already, run through the steps in Mobile Device Management, to Enable Profile Manager and Enroll Devices. Then follow the instructions in Manage Devices to edit the settings for the appropriate group, after which you can follow these steps:

1. Scroll to the bottom of the list of settings and click Custom Settings.
2. On the Configure Custom Settings screen, click Configure.
3. In the Preference Domain field, enter com.apple.SoftwareUpdate.
4. Click Add Item to add a key/value pair.
5. In the Key field, change New Item to CatalogURL.
6. Leave the Type pop-up menu set to String.
7. In the Value field, enter the URL of your server, on port 8080 and with index.sucatalog appended, as in http://mavserver.pretendco.lan:8080/index.sucatalog (Figure 122).
   

   Figure 122: Use a custom setting to point Macs at your Software Update server via Profile Manager.

   Note: The 8080 port is essential; Software Update runs on that port.

8. Click OK, and then click Save to save your changes.

Configure Software Update via the Command Line

This approach is conceptually simpler, but it requires touching each individual Mac. Open Terminal and enter a command like this one, replacing mavserver.pretendco.lan with the hostname of your server:

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://mavserver.pretendco.lan:8080/index.sucatalog

To verify that you entered the right information, check your work with this command:

defaults read /Library/Preferences/com.apple.SoftwareUpdate CatalogURL

To switch back to using Apple’s default Software Update server again, enter this command:

sudo defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL

Check for Updates

Once all this is done, open the App Store app and click Updates to see the updates that you’ve made available for that particular Mac. Remember that only the updates that are necessary for that Mac will appear, so if it was up to date before you set up the Software Update service, you may not see anything until a new update appears.