krypted.com

Tiny Deathstars of Foulness

The software patching configuration built into most operating systems is configured so all that a user has to do is open a box at home, join the network and start using the computer right away. As environments grow from homes to small offices and then small offices grow into enterprises, at some point software updates and patches need to be managed centrally. OS X Server 5 (for El Capitan and Yosemite), as with its OS X Server predecessors has a Software Update service. The service in the Server app is known as Software Update and from the command line is known as swupdate.

The Software Update service, by default, stores each update in the /var/db/swupd directory. The Software Update servie is actually comprised of three components. The first is an Apache server, invoked by the /Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/com.apple.swupdate.host.plist LaunchDaemon. This LaunchDaemon invokes a httpd process and clients access updates from the server based on a manifest of updates available in the sucatalog.

These are synchronized with Apple Software Updates via /Applications/Server.app/Contents/ServerRoot/usr/sbin/swupd_syncd, the LaunchDaemon for swupdate at /Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/com.apple.swupdate.sync.plist.

Clients can be pointed at the server then via a Profile or using the defaults command to edit the /Library/Preferences/com.apple.SoftwareUpdate.plist file. The contents of this file can be read using the following command:

defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist

To point a client to a server via the command line, use a command such as the following:

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://osxserver.krypted.com:8088/index.sucatalog

But first, you’ll need to configure and start the Software Update service. Lucky you, it’s quick (although quick in a hurry up and wait kind of way). To get started, open the Server app and then click on the Software Update service.

Screen Shot 2015-09-10 at 11.48.04 AM

By default, updates are set to simply mirror the Apple servers, by default, enabling each update that Apple publishes, effectively proxying updates. You can use the Manual button if you would like to configure updates to either manually be approved and manually synchronized or just manually approved but automatically copied from Apple. Otherwise click on the ON button and wait for the updates to cache to simply mirror the Apple servers.

If you would like to manually configure updates, click on the Manual option and then click on the Updates tab.

The first item in the Updates tab is the “Automatically download new updates” checkbox. This option downloads all of the updates but does not enable them. The Updates tab also displays all available updates. click on one and then click on the cog-wheel icon towards the bottom of the screen to configure its behavior (Download, Enable, Disable, Remove and View Update).

Note: The only option for updates in an Automatic configuration environment is disable.

The service can be managed using serveradmin. To start Software Update, use the start option, followed by the swupdate service identifier:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin start swupdate

To stop the service, replace start with stop:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin stop swupdate

To see the status of the service, including the location of updates, the paths to log files, when the service was started and the number of updates running, use the fullstatus option:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin fullstatus swupdate

The output of which appears as follows:

swupdate:state = "RUNNING"
swupdate:lastChecktime = 2015-08-07 01:25:05 +0000
swupdate:syncStatus = "INPROGRESS"
swupdate:syncServiceState = "RUNNING"
swupdate:setStateVersion = 1
swupdate:lastProductsUpdate = 2015-08-16 04:02:16 +0000
swupdate:logPaths:swupdateAccessLog = "/var/log/swupd/swupd_access_log"
swupdate:logPaths:swupdateErrorLog = "/var/log/swupd/swupd_error_log"
swupdate:logPaths:swupdateServiceLog = "/var/log/swupd/swupd_syncd_log"
swupdate:readWriteSettingsVersion = 1
swupdate:pluginVers = "10.11"
swupdate:checkError = no
swupdate:updatesDocRoot = "/Library/Server/Software Update/Data/"
swupdate:hostServiceState = "RUNNING"
swupdate:autoMirror = no
swupdate:numOfEnabledPkg = 0
swupdate:servicePortsAreRestricted = "NO"
swupdate:numOfMirroredPkg = 0
swupdate:autoMirrorOnlyNew = no
swupdate:startTime = 2015-08-07 01:25:05 +0000
swupdate:autoEnable = no

There are also a number of options available using the serveradmin settings that aren’t exposed to the Server app. Available Settings include:

swupdate:checkError = no
swupdate:limitBandwidth = no
swupdate:PurgeUnused = yes
swupdate:portToUse = 8088
swupdate:autoEnable = yes
swupdate:valueBandwidth = 0
swupdate:syncStatus = “Initializing”
swupdate:autoMirror = yes
swupdate:syncBandwidth = 0
swupdate:updatesDocRoot = “/Library/Server/Software Update/Data/”
swupdate:autoMirrorOnlyNew = no

These include a feature I used to use a lot in the beginning of deployments with poor bandwidth, only mirroring new updates, which is available to swupdate via the autoMirrorOnlyNew option. To configure:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings swupdate:autoMirrorOnlyNew = yes

Also, the service can throttle bandwidth for clients. To use this option, run the following command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings swupdate:limitBandwidth = yes

And configure bandwidth using the syncBandwidth option, as follows:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings swupdate:syncBandwidth = 10

To automatically sync updates but not enable them (as the checkboxes allow for in the Server app, use the following command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings swupdate:autoEnable = no

The port (by default 8088) can be managed using the portToUse option, here being used to set it to 80 (clients need this in their catalog URL from here on out):

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings swupdate:portToUse = 80

Finally, administrators can purge old packages that are no longer needed using the PurgeUnused option:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings swupdate:PurgeUnused = yes

One of the biggest drawbacks of the Software Update service in OS X El Capitan Server in my opinion is the fact that it does not allow for serving 3rd party packages (not that Apple has much control over this, since these aren’t sourced from the App Store), from vendors such as Microsoft or Adobe. To provide those vendors with a manifest file and a quick little path option to add those manifest files, a nice middle ground could be found between the Mac App Store and the built in software update options in OS X. But then, we wouldn’t want to make it too easy.

Another issue many have had is that users need administrative passwords to run updates and don’t have them (technically this isn’t a problem with the OS X Server part of the stack, but it’s related). While many options have come up for this, one is to just run the softwareupdate command for clients via ARD or a similar tool.

Many environments have used these issues to look at tools such as Reposado or third party patch management tools such as JAMF Software’s the Casper Suite (JAMF also makes a reposado-based VM that mimics the swupdate options), FileWave, and others (or a combination of some of these). Overall, the update service in Server 5 is easily configured, easily managed and easily deployed to clients. It is what it needs to be for a large percentage of OS X El Capitan (10.11) Server administrators. This makes it a very viable option and if you’ve already got an El Capitan or Yosemite computer sitting around with clients not yet using a centralized update server, well worth enabling.

September 21st, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , ,

  • iamaquab

    Great write up thanks, is there a limit on how far back in versions this will serve? In the early days you had to jump through hoops to get it to serve clients 2 or so releases back. Will this do 10.7 machines? Dare I ask for 10.6?

  • Richard Smith

    I have found that sudo softwareupdate –set-catalog http://osxserver.krypted.com:8088/index.sucatalog is more reliable than than using defaults write on the plist, especially on the newer OS X versions.

  • Andrew

    For Server 5, should this be …/index.sucatalog or …/catalogs.sucatalog. I get a 404 for index.sucatalog

  • Pchen

    Thanks for this guide! Seems like you’re missing “settings” in the PurgeUnunsed command.

    sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin setting swupdate:PurgeUnused = yes

    • krypted

      Corrected. Thanks for the heads up!

  • Navek01

    Thank you for the guide.
    I do have one question that your guide does not cover.
    Is there a quick way to reset software updates service to blank so it can start over fresh on a machine. We are seeing a bug that has our software update server every two hours reseting some updates to disabled. I run the service in manual mode so I can control what goes out and when. I do not want to wipe the whole machine for this one service. This bug is happening on three servers.

    • krypted

      If the server is just running that service, then I’d just nuke the /Library/Server folder and set it up again. Or rm the contents of the folder that the updates are in with the service stopped. Then start it again and it should rebuild the directory on its own. Hope that helps!

      • Navek01

        Thank you for the information. I nuked the Server folder. Reinstalled server software. It re-downloaded everything last night and I enabled everything this morning. But it is still disabling updates on it’s own after 2 hours.

        • MacBain

          OS X Server 5.0x is having issues with disabling updates after they are enabled. I thought about nuking the folder also. Have you found a fix for this? They chat about it on JAMF also with no luck. https://jamfnation.jamfsoftware.com/discussion.html?id=17437

          • Navek01

            No fix yet. Nothing I have tried has worked. In fact if you Nuke the folder and depending how long it take to repopulate. You could now be having issues with more or different updates then you originally started.

            I have been following the Jamfnation information as well. My bug report was closed by Apple as a duplicate report to “Duplicate of 23256171” All I can see is that it is still open.

            Good luck and I hope they get this fixed soon.