Apple Software Updates


bryanzak

Feb 18, 2014, 2:24:15 AM
to munk...@googlegroups.com
I'm looking at the next step of our Munki deployment which is to integrate Apple Software Updates (likely via Reposado). A few questions I can't quite find the answers to in the documentation.


1. Are Apple Software Updates checked every time Munki checks for Munki updates? Or is it throttled back to something like once a day? I ask only because of the potential WAN impact (believe it or not, we have schools with literally 500+ computers on a 6 or 9 Mbps WAN). If we don't use Reposado, then it's not unusual for a computer to take over two minutes to even just list available software updates from Apple's servers.


2. Our staff are configured to get daily notifications of Munki updates (at least those that aren't marked as unattended installable for silent installs). But all our student computers have notifications off. In this case would pending Apple updates be downloaded and cached just like pending updates to be installed at the LoginWindow when idle (or in our case at restart time as we have Munki configured to install all updates at restart)?


3. I would want to configure many of the Apple updates to be unattended installs for background updates (ARD client, iTunes, etc.). Wondering if anyone has any advice on efficiently getting notified of Apple updates and generating the Apple Update Metadata - something almost like autopkg but for Apple Updates.


4. I've wondered if we really want to integrate Apple Software Updates into Munki. This would mean that Apple releases would be available immediately to our staff and students. Most of the time that's probably exactly what we want, but this would eliminate the ability for us to do any kind of integration test on new updates. It'd almost be nice if there was a way of saying what catalog Apple Software Updates were associated with. So for example, by default it might just offer and install updates for computers that have manifests using the "testing" catalog, but then once we have a chance to test a given update we could add a meta data pkg info for the item moving it to production. I might be overthinking this and really, these days I'm not sure of the value. 


Thanks,
Bryan

Hannes Juutilainen

Feb 18, 2014, 4:37:02 AM
to munk...@googlegroups.com
On 18.2.2014, at 9.24, bryanzak <brya...@mac.com> wrote:

> I'm looking at the next step of our Munki deployment which is to integrate Apple Software Updates (likely via Reposado). A few questions I can't quite find the answers to in the documentation.
>
> 1. Are Apple Software Updates checked every time Munki checks for Munki updates? Or is it throttled back to something like once a day? I ask only because of the potential WAN impact (believe it or not, we have schools with literally 500+ computers on a 6 or 9 Mbps WAN). If we don't use Reposado, then it's not unusual for a computer to take over two minutes to even just list available software updates from Apple's servers.

Munki will skip the check if the sucatalog is unchanged on the server side and I think updates are downloaded only once and cached for installation.


> 2. Our staff are configured to get daily notifications of Munki updates (at least those that aren't marked as unattended installable for silent installs). But all our student computers have notifications off. In this case would pending Apple updates be downloaded and cached just like pending updates to be installed at the LoginWindow when idle (or in our case at restart time as we have Munki configured to install all updates at restart)?

Yes, with a few corner cases. For example, if you have some Apple updates imported to your repo as regular installer items (dmg and a pkginfo) and they are scheduled for installation, munki will postpone the "real" Apple software update installation and only install items from your munki repo.


> 3. I would want to configure many of the Apple updates to be unattended installs for background updates (ARD client, iTunes, etc.). Wondering if anyone has any advice on efficiently getting notified of Apple updates and generating the Apple Update Metadata - something almost like autopkg but for Apple Updates.

It's fairly easy to get the information munkiimport needs if you're running your own reposado installation. You can get the product IDs with "repoutil --products" and additional information with "repoutil --product-info <ProductID>". Then just feed those to munkiimport.

However, I've been (slowly) working on a project to help admins in this exact situation. It's called SUS Inspector and it's an OS X application to display information about Apple software updates. It can also export updates as pkginfo (.plist) files for munki or create a munkiimport command for manual running.


It's in very early stages but I'll upload a prebuilt version to the releases page later today.


> 4. I've wondered if we really want to integrate Apple Software Updates into Munki. This would mean that Apple releases would be available immediately to our staff and students. Most of the time that's probably exactly what we want, but this would eliminate the ability for us to do any kind of integration test on new updates. It'd almost be nice if there was a way of saying what catalog Apple Software Updates were associated with. So for example, by default it might just offer and install updates for computers that have manifests using the "testing" catalog, but then once we have a chance to test a given update we could add a meta data pkg info for the item moving it to production. I might be overthinking this and really, these days I'm not sure of the value.

We have been very happy with the integration. But if you're going to install Apple updates with munki, you'll want to use reposado too to get some form of control over the update schedule and testing. I wouldn't just blindly let Munki install everything Apple is offering since things can always break. Older firmware updates have been problematic.

We have three catalogs in our reposado: testing, production and firmware. Everything is always added straight to the testing catalog and we can instantly see from your MWA and Munkireport server that updates are installing correctly.

--
Hannes Juutilainen


Gregory Neagle

Feb 18, 2014, 9:03:33 AM
to munk...@googlegroups.com
On Feb 17, 2014, at 11:24 PM, bryanzak <brya...@mac.com> wrote:

> 4. I've wondered if we really want to integrate Apple Software Updates into Munki. This would mean that Apple releases would be available immediately to our staff and students.

Not if you run your own SUS or especially Reposado -- part of the point of running your own SUS is _you_ choose which updates are made generally available. (The other points are to conserve upstream bandwidth and shorten local client download times).

-Greg

Kris Lou

Feb 18, 2014, 12:23:18 PM
to munk...@googlegroups.com

> 3. I would want to configure many of the Apple updates to be unattended installs for background updates (ARD client, iTunes, etc.). Wondering if anyone has any advice on efficiently getting notified of Apple updates and generating the Apple Update Metadata - something almost like autopkg but for Apple Updates.

With Reposado, I use a script that essentially compares the newly-synced repository to previous runs, and emails me the differences (which would be the downloaded updates). I can then move the new updates to catalogs at my leisure, although it would be trivial to automatically add them as well.
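
The compare-and-notify workflow described in the replies above, as an added example that is not part of the thread and is not any poster's script. It diffs two snapshots of a Reposado repository, flags products that reached the production catalog without first appearing in testing, and builds (but does not send) the notification mail. The snapshot layout, product IDs, versions and addresses are constructed assumptions; it does not parse real repoutil output.

```python
from email.message import EmailMessage

# Constructed snapshots keyed by product ID (assumed layout, not repoutil output).
PREVIOUS = {
    "000-0001": {"title": "iTunes", "version": "1.0", "branches": ["testing", "production"]},
    "000-0002": {"title": "Remote Desktop Client", "version": "1.0", "branches": ["testing"]},
}
CURRENT = {
    "000-0001": {"title": "iTunes", "version": "1.0", "branches": ["testing", "production"]},
    "000-0002": {"title": "Remote Desktop Client", "version": "1.0", "branches": ["testing", "production"]},
    "000-0003": {"title": "Example Update", "version": "1.0", "branches": []},
    "000-0004": {"title": "Example Firmware Update", "version": "1.0", "branches": ["production"]},
}

def classify(previous, current, testing="testing", production="production"):
    """Sort products into review buckets by comparing two sync snapshots."""
    report = {"new": [], "promoted": [], "skipped_testing": []}
    for pid, info in sorted(current.items()):
        before = previous.get(pid)
        was_in_prod = before is not None and production in before["branches"]
        was_tested = before is not None and testing in before["branches"]
        if before is None:
            report["new"].append(pid)  # synced since the last run, needs review
        if production in info["branches"] and not was_in_prod:
            # Newly offered to production clients: was it in testing beforehand?
            bucket = "promoted" if was_tested else "skipped_testing"
            report[bucket].append(pid)
    return report

def build_notification(report, current, sender, recipient):
    """Build the summary mail; sending it is left to the caller."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "Reposado sync: %d new, %d skipped testing" % (
        len(report["new"]), len(report["skipped_testing"]))
    lines = []
    for bucket, pids in report.items():
        lines.append(bucket + ":")
        lines += ["  %s  %s %s" % (pid, current[pid]["title"], current[pid]["version"])
                  for pid in pids]
    msg.set_content("\n".join(lines))
    return msg

if __name__ == "__main__":
    result = classify(PREVIOUS, CURRENT)
    print(build_notification(result, CURRENT, "reposado@example.com", "admin@example.com"))
```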
