Automating Client Maintenance


The idea behind successful maintenance of images relies on two key points: updates, and remote access to several machines simultaneously.

Controlling Software Updates

You can use the Software Update utility and the softwareupdate command-line utility (which must be run as root) to automatically download and install the latest updates to Mac OS X. By default, these utilities look to the public Apple update server for the latest software, and users with administrative rights can run them from their machines any time they wish. The softwareupdate command-line utility has a variety of flags with which to manage it. For example, the -l flag lists all available updates, -d downloads the updates, if necessary, for later use, and -i installs the updates. Updates can be chosen explicitly by name, or you can use -a to install all available updates. The line

 sudo softwareupdate -i -a


will install all available updates.

With Mac OS X Server v10.4, you have the option of providing a local Software Update Server to deliver updates that have been collected from the Apple update server. This gives you an opportunity to stage your updates. Rather than having your users download and install the updates as they are released, running the risk of incompatibilities with existing software or third-party hardware, download the update to a testing environment and validate it before allowing your users to install it. Once you are satisfied that the update is safe and compatible with your particular environment, you can enable that update on your local software update server via the Server Admin utility.

Environments with tight firewall restrictions can also benefit from using a local software update server, because you no longer need to allow every computer access to the public software update servers. Instead, the computers only need to talk to one software update server, which may be located inside your firewall.

Software Update server handles updates in two different ways. You can choose to mirror an update from Apple and then decide which updates to offer your users. Not all mirrored updates need to be offered. When troubleshooting the Software Update service, note that all downloaded updates are placed in /usr/share/swupd/html/.

The easiest way to configure a computer to use your local software update server instead of the public Apple servers is to use Workgroup Manager to configure managed preferences in Mac OS X for that computer. If you are not using managed preferences for your computers, you can also issue this command on a computer to configure where it checks for software updates:

 sudo defaults write com.apple.SoftwareUpdate CatalogURL http://xxx.xxx.xxx.xxx/index.sucatalog


substituting the IP address of your local software update server in the URL.

Note

A local software update server can only serve Apple-provided software updates. You cannot add your own packages to the software update server.


Using Apple Remote Desktop

Apple Remote Desktop (ARD) is another excellent tool for maintaining systems. With it, you can remotely install packages, set the network startup disk, run UNIX commands, and schedule various configuration and reporting tasks.

ARD gives you the flexibility of installing software updates without user intervention (as seen in the image below), installing custom installation packages, or installing packages that simply change user settings. When users download and install updates from a software update server, they have to take action themselves. However, as an administrator, you can download the update onto your computer and use the Remote Desktop administration utility to update many other Mac OS X computers with no interaction required by your users.

Remote Desktop (the actual application software used to control ARD) also provides a solution for automatically delivering custom installation packages, a feature not supported by the Software Update Server in Mac OS X Server v10.4. This feature allows you to create your own installation packages for the applications and files that are unique to your organization. You can also install packages that modify the settings on other Mac OS X computers. For example, it might be necessary to create a package that configures a Mac OS X computer to bind to a directory service, which is often better than expecting the user to make those configuration changes manually, especially if he or she is not an administrator.

If you configure new NetBoot or Network Install images and want your users to make the transition to those images, use Remote Desktop to change the network startup disk on any of the computers that are managed with the Remote Desktop administration tool. This lets you stage your deployments of updated images and makes the transition transparent to the users.

Remote Desktop allows you to schedule tasks such as delivering updates, running a shell script, or copying files to one or many computers. You can wait until the remote computers are ready to receive updates or information, either at low-usage times or, in the case of portables, when the computers are actually connected to the network. Furthermore, the data reporting in Remote Desktop is automated so that you can collect data on the state of any of your Remote Desktop-managed computers at regular intervals. These reports help you make decisions about which updates are necessary for each system and the best time to deploy changes.

Maintaining with Shell Scripts

Shell scripts are a good option for repetitive tasks to keep systems up-to-date. Many of the tools mentioned previously have a command-line equivalent and can easily be scripted to automate your updates, as shown below. For instance, a machine's crontab can be edited to include the softwareupdate command. Use the softwareupdate command to search for, download, and install software updates from either a local Software Update server or from the public Apple update server. Putting the command in crontab allows you to specify when the script will be run. You can also put scripts in a number of other locations to have them run automatically. /etc/periodic contains three subdirectories to run scripts daily, weekly, or monthly. Simply drop your script into the appropriate directory, and it will be run on that schedule.

For more control of when scripts are run, third-party utilities such as anacron (www.alastairs-place.net/anacron.html) let you defer scripts to low-usage times. To run scripts remotely, either use ssh or Send UNIX Command in Remote Desktop. The command in Remote Desktop allows you to run a UNIX command, set of commands, or shell script on any number of selected Mac OS X computers. Automate this process by defining these as tasks and scheduling them.

When running UNIX commands, you also have the option to display all the output from the commands. This is the output that normally would be echoed on the screen or sent to the screen via stdout or stderr.

Warning

Use caution when automating scripts that may affect the user environment because users are not given any warning if a script run from cron will modify their system. The softwareupdate command will not automatically reboot the user's system after an update is installed. After a major update, this could leave the computer in an unstable state until it is rebooted, such as when a kernel is replaced by the update.
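
The following weekly script is an added example, not code from the book: it refuses to install when CatalogURL does not point at the approved local software update server, and it logs when an installed update needs the restart that softwareupdate will not perform. EXPECTED_HOST, the log path, the function names, and the [restart] tag in the constructed sample listing are assumptions.

```sh
#!/bin/sh
# Added example for /etc/periodic/weekly. EXPECTED_HOST and LOG are assumed values.
EXPECTED_HOST="${EXPECTED_HOST:-10.0.0.5}"
LOG="${LOG:-/var/log/swupdate-weekly.log}"

# Constructed sample of "softwareupdate -l" output (names are made up).
SAMPLE_LIST='Software Update found the following new or updated software:
   * ExampleApp-1.0
	Example App (1.0), 21000K [recommended]
   * ExampleOSUpdate-1.1
	Example OS Update (1.1), 30000K [recommended] [restart]'

# Print the host of a catalog URL: drop scheme, path, userinfo, then port.
catalog_host() {
    printf '%s\n' "$1" |
        sed -e 's|^[a-zA-Z]*://||' -e 's|/.*$||' -e 's|^.*@||' -e 's|:.*$||'
}

# Succeed only if the configured catalog points at the approved server.
catalog_ok() {
    [ -n "$1" ] && [ "$(catalog_host "$1")" = "$2" ]
}

# Count update entries (lines starting with "*") read from stdin.
count_updates() {
    grep -c '^[[:space:]]*\*' || true
}

# Succeed if any update listed on stdin is tagged [restart].
needs_restart() {
    grep -q '\[restart\]'
}

main() {
    url=$(defaults read com.apple.SoftwareUpdate CatalogURL 2>/dev/null)
    if ! catalog_ok "$url" "$EXPECTED_HOST"; then
        echo "$(date) catalog '$url' is not on $EXPECTED_HOST; skipped" >>"$LOG"
        return 1
    fi
    list=$(softwareupdate -l 2>&1)
    n=$(printf '%s\n' "$list" | count_updates)
    [ "$n" -gt 0 ] || return 0
    softwareupdate -i -a >>"$LOG" 2>&1 || return 1
    if printf '%s\n' "$list" | needs_restart; then
        echo "$(date) $n update(s) installed; restart required" >>"$LOG"
    fi
}
# Act only as root on a machine that actually has softwareupdate.
if [ "$(id -u)" -eq 0 ] && command -v softwareupdate >/dev/null 2>&1; then main; fi
```

Reviewing the log after each run shows which machines still need a scheduled reboot and which ones have drifted away from the local update server.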





Apple Training Series: Mac OS X v10.4 System Administration Reference, Volume 2
ISBN: 0321423151
EAN: 2147483647
Year: 2006
Pages: 128
