[SOLVED]: SUS connectivity issues when installing Apple updates w/ MCX-managed CatalogURL

[Pepijn Bruienne]

Since this just came up in our environment and we were able to resolve it with Greg's help I'm writing this up for others' benefit.

When Apple in all its omniscience decided to remove the --CatalogURL switch from the softwareupdate CLI tool Mac admins had to change their methods of pointing clients to an internal SUS, including Munki.

Like others, we had been setting this CatalogURL in our environment using MCX. So far this had never caused any trouble but when 10.9.4 showed up earlier this week we experienced unexpected behavior from the updater. On test machines that were offline after a logout (no wired networking, logged out of 802.1x-authed Wifi) the post-logout update would start and almost immediately finish without any clear errors, and then reboot. After reboot OS X was still at 10.9.3 as if no update was performed. A check of install.log showed that softwareupdated attempts to connect to and download content from our internal SUS but because no network was available it failed and skipped the install. The errors look something like this:

Error encountered in scan: Error Domain=NSURLErrorDomain Code=-1009 "Can't connect to the Software Update server (my_SUS_URL.org), because you are not connected to the Internet."

(...)

SUCatalogFetchOverrideURLString=http://my_SUS_URL.org/index_testing.sucatalog

(...)

Removing client SUUpdateServiceClient pid=83598, uid=0, installAuth=YES rights=(system.install.apple-software, system.install.software, com.apple.SoftwareUpdate.modify-settings), transactions=1 (/usr/sbin/softwareupdate)

Upon consultation with Greg it became clear that setting CatalogURL using MCX overrides the Munki-provided workaround to this problem (setting CatalogURL to 'file:///') causing problems for Macs that are not connected to a network or Macs that are outside of an organization's firewall.

The solution was to stop using MCX to set CatalogURL and instead directly modifying the CatalogURL key in /Library/Preferences/com.apple.SoftwareUpdate.plist to the desired setting. This will make SU use our custom URL when we need it to, i.e. during scheduled MSU runs or having users manually check for updates, but will have the needed override applied by Munki when MSU performs installs of Apple SUS items.

Hopefully this will help someone else out there with similar problems.

Thanks,

Pepijn.

-- 
Pepijn Bruienne
Sent with Airmail

[Gregory Neagle]

Thanks, Pepijn for documenting this.

The factors that must be in place to encounter this issue:

1) Running 10.9 or later (so no --CatalogURL flag for /usr/sbin/softwareupdate)

2) No internet/network connectivity when a machine is at the loginwindow. (More specifically, no network access to the CatalogURL set below)

3) The use of MCX or Profiles to set SoftwareUpdate's CatalogURL

4) An Apple software update that requires a logout or restart.

It's not clear if ALL Apple software updates that require logout or restart are affected by this, but I suspect they are.

-Greg

-- 
You received this message because you are subscribed to the Google Groups "munki-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to munki-dev+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Erik]

Ouch. Thanks for the info!