Control Software Update
It’s the middle of a sleepy summer afternoon, when suddenly that dual-T1 you fought so hard for feels like dial-up. Apple’s released another OS update, and now each and every Macintosh in the company is trying to suck down several hundred megabytes of “improved performance and stability”. To make matters worse, this is brand-new software, untested in your environment and released just minutes before. If it breaks essential workflow or impacts network functionality, there’s no uninstall or roll-back feature built into OS X.
In Open Directory installations, managed clients can be configured to use a local server to download and install only updates you’ve approved. Without a directory server, though, it’s still possible to take advantage of this functionality, reserving all that bandwidth and protecting the integrity of your install base. All it takes is your existing OS X Server and a little knowledge of the command line.
Deploying the Software Update service:
To get some control over the Software Update process, the first step is to configure and enable the service locally. Open the Server Admin tool on your OS X Server (or pointed at your server if you work remotely), and select Software Update from the list of services along the left-hand side of the window. Select “Settings” from the choices at the bottom left of the right-hand panel, then “General” from the choices at the top center.

Uncheck the boxes to “Automatically mirror updates from Apple” and “Automatically enable mirrored updates”. This will allow you to decide on a case-by-case basis which updates are available to your machines. You may wish to regulate the amount of bandwidth used for updates on your local network, in which case simply check the corresponding box and set your preferred limit. Leopard Server even contains an option to automatically purge unused and legacy updates. Save your settings, then start the service with the enormous green button in the toolbar.

Now select the “Updates” pane. Click the “Update List” button to receive the update listings, then choose which updates you’d like to mirror with the “Copy Now” button. Once updates are downloaded, you can allow your client machines to download and install by checking the “Enable” box. If you aren’t sure which software to offer, you can always get updates manually at the Apple Support Downloads page and test them prior to deployment.
Assigning a local Software Update server:
Once your local server is offering updates, it’s simply a matter of directing your workstations to use it. This makes very little sense for medium to large sized installations, which can utilize Open Directory managed preferences instead, but can be a valuable tool for administrators with just a small number of Macintoshes on a larger network. On each machine, open the Terminal as an administrative user and type:
defaults write /Library/Preferences/com.apple.SoftwareUpdate \
CatalogURL "SERVER-URL"
When you do so, replace SERVER-URL with the catalog URL of the local server, so that if your server’s name is xserve.example.com, the SERVER-URL would be http://xserve.example.com:8088/. This can also be deployed to all your machines at once, using the “Send UNIX Command” feature of Apple Remote Desktop, or programmatically set with management products like the JAMF Casper Suite or LANrev.
With very little administrative work, users can now download and install approved updates from your server using the graphical Software Update tool. When you run Software Update from the Apple menu (though not the System Preferences), the name of your local update server should now appear in the menu bar above.
Triggering the Software Update process:
Finally, some administrators may wish to take this process one step further, controlling when updates are applied to each machine. This requires a deeper level of knowledge than one short article can cover, but is included here for those who wish to manage the update process beginning to end.
While updates can’t be “pushed” to clients, it is possible to initiate updates using the softwareupdate command. In these circumstances, you’ll first want to disable “Check for updates” under System Preferences in the Apple menu, or remove the Preference pane at /System/Library/PreferencePanes/SoftwareUpdate.prefPane/ entirely. Then you’ll need to set the update preferences for the root user on each machine, replacing SERVER-URL as you did above:
sudo defaults write com.apple.SoftwareUpdate CatalogURL "SERVER-URL"
Once this is in place, any available updates from your server can be installed on client machines from the command line:
sudo softwareupdate --install --all
You can accomplish this by logging into each machine individually using SSH, as a scheduled task performed on a list of computers using the “Send UNIX Command” feature in Apple Remote Desktop, or even as a periodic script run out of launchd.
If you take this more advanced route, be sure to run the script at a time when the machines won’t be in use, and provide a mechanism to restart after the update process.
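One shape such a periodic script could take, as an added example rather than code from the original article: it refuses to install anything unless the root user's CatalogURL still points at the approved local server, and restarts only when a pending update is flagged [restart] in the softwareupdate --list output. The APPROVED_URL value, the "run" argument and the "swupdate" log tag are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: unattended update run that trusts only the approved catalog.
# APPROVED_URL is a placeholder; use the SERVER-URL you configured above.
APPROVED_URL="http://xserve.example.com:8088/"

# Succeeds only if the configured catalog ($1) is non-empty and equals the
# approved one ($2), ignoring a single trailing slash.
catalog_is_approved() {
    [ -n "$1" ] && [ "${1%/}" = "${2%/}" ]
}

# Reads `softwareupdate --list` output on stdin; succeeds if any pending
# update carries the [restart] flag.
restart_required() {
    grep -q '\[restart\]'
}

# Reads the same output on stdin; prints the number of pending updates
# (entries are the lines that start with "*" after leading whitespace).
pending_count() {
    grep -c '^[[:space:]]*\*' || true
}

run_updates() {
    # Run as root, this reads the preference written for the root user.
    configured=$(defaults read com.apple.SoftwareUpdate CatalogURL 2>/dev/null)
    if ! catalog_is_approved "$configured" "$APPROVED_URL"; then
        logger -t swupdate "CatalogURL is '${configured:-unset}', not the approved server; skipping"
        return 1
    fi
    listing=$(softwareupdate --list 2>&1)
    if [ "$(printf '%s\n' "$listing" | pending_count)" -eq 0 ]; then
        logger -t swupdate "no approved updates pending"
        return 0
    fi
    softwareupdate --install --all || return 1
    if printf '%s\n' "$listing" | restart_required; then
        logger -t swupdate "updates installed; restarting in 1 minute"
        shutdown -r +1
    fi
}

# Does nothing unless invoked with the single argument "run",
# e.g. as root from a LaunchDaemon scheduled outside working hours.
if [ "${1:-}" = "run" ]; then run_updates; fi
```

The catalog check matters because a client whose preference has been removed or changed falls back to a catalog you have not approved, which is exactly what the local server is meant to prevent.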
Now, for a small additional investment of time, you can manage the entire Software Update process beginning to end, freeing up your internet connection and preventing update-related failures in the future.
