System Center Configuration Manager 2012 SP1: Automatic Updates on a Mac

This is a blog post from the work done by Kevin Saye...

Overview:

Unlike Windows clients and servers, Microsoft does not provide "Windows Update" for Apple products. This article discusses how to configure System Center Configuration Manager 2012 SP1 to leverage the Apple "Software Update" feature to ensure that Macs are up to date, as defined by Apple.

How it works:

Using the Configuration Manager client for Mac and "Compliance Settings" (formerly called Desired Configuration Manager), we can configure "Windows Update"-like functionality. The diagram below shows the components and dependencies. Notice that the Mac client checks and verifies updates with Apple's site directly, which is different from our architecture with Windows Update, where Configuration Manager talks to Windows Update and downloads the updates from it.

The steps used by this solution are:

  1. Configure Configuration Manager to support Mac clients.
  2. Install the Configuration Manager 2012 SP1 client on the Mac.
  3. Configure a Compliance Setting to check for updates and deploy it to the All Macs collection.
  4. The Configuration Item checks the update status by reading /tmp/softwareupdate.log:
    1. If the log file does not exist, it configures cron and reports non-compliance.
    2. If the file exists, it checks the log file for the text "No new software available.":
      1. If the text exists, the Mac is compliant.
      2. If the text does not exist, the Mac is non-compliant.

You can also configure a deployment that targets non-compliant Macs; the remediation can simply run the "/usr/sbin/softwareupdate" command with an install switch.

Setting it up:

For this article, I will assume you have the Configuration Manager environment set up and the Mac client deployed. There are numerous TechNet articles that discuss this.

Configuring Compliance Settings:

  1. In the Configuration Manager Console under Assets and Compliance -> Compliance Settings -> Configuration Items, right click and select "Create Configuration Item". Name it "Mac OS Software Update Check" or the like, specify "Mac OS X" as the type and click Next.

  2. Select the Supported Platforms and click Next.

  3. Click New on the Settings screen, name the setting "Check /tmp/softwareupdate.log", set the type to "Script" and set the data type to "String".

  4. Click Add Script in the Discovery script section, and type the script as shown below. Click OK.

A few items of note:

  • The echo lines that write to /etc/crontab contain tabs, not spaces.
  • Each echo line that writes to /etc/crontab is a single line, even though the UI appears to word-wrap it.
  • I am applying the setting so that softwareupdate runs every hour at 30 minutes past the hour, as evident by the 30 written to the crontab file, followed by asterisks.
  • To get the script to work correctly, I typed it up in Notepad (shown below) and then either copied and pasted it or clicked the Open button.
  • From a compliance checking perspective, all we care about is the last line. All the lines before it ensure that cron is running.
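The screenshot of the original discovery script is not reproduced here, so the bash script below is an added example, not Kevin Saye's script, that follows the logic the steps and notes above describe: if /tmp/softwareupdate.log is missing, make sure a cron entry exists that runs softwareupdate at 30 minutes past every hour and return output that will not match the compliance rule; if the log exists, return its contents (the last thing the script prints) so that the "Contains: No new software available." rule can evaluate it. The function names, the exact cron line, and the fact that the log and crontab paths are passed as parameters (so the logic can be exercised against throwaway files instead of the real /etc/crontab) are my assumptions; on a Mac you would call it with the real paths.

```shell
#!/bin/bash
# Added example (not the original post's script): Configuration Manager
# discovery-script logic for the "Check /tmp/softwareupdate.log" setting.

# Cron entry the post describes: 30 past every hour, fields separated by tabs.
# (Assumed wording of the entry; the real crontab line is not on the page.)
CRON_LINE=$(printf '30\t*\t*\t*\t*\troot\t/usr/sbin/softwareupdate -l > /tmp/softwareupdate.log 2>&1')

# ensure_cron_entry CRONTAB_PATH
#   Creates the crontab file if needed and appends the softwareupdate entry
#   once; a second call must not add a duplicate line.
ensure_cron_entry() {
    crontab_path="$1"
    [ -f "$crontab_path" ] || : > "$crontab_path"
    if ! grep -qF 'softwareupdate -l' "$crontab_path"; then
        printf '%s\n' "$CRON_LINE" >> "$crontab_path"
    fi
}

# check_update_log LOGFILE CRONTAB_PATH
#   Prints the value Configuration Manager compares against the rule
#   "Contains: No new software available." and returns 0 when that text
#   is present (compliant), 1 otherwise (non-compliant).
check_update_log() {
    logfile="$1"
    crontab_path="$2"
    if [ ! -f "$logfile" ]; then
        # No log yet: make sure cron will produce one, then report a value
        # that cannot match the compliance rule.
        ensure_cron_entry "$crontab_path"
        echo "waiting for cron to run softwareupdate"
        return 1
    fi
    # The log contents are the last thing printed, so this is what the
    # Compliance Rule evaluates.
    cat "$logfile"
    grep -q 'No new software available.' "$logfile"
}

# Stand-alone run: exercise the logic against a throwaway directory so the
# real /etc/crontab is never touched. Real usage on a Mac would be:
#   check_update_log /tmp/softwareupdate.log /etc/crontab
demo_dir=$(mktemp -d)
check_update_log "$demo_dir/softwareupdate.log" "$demo_dir/crontab" \
    || echo "(non-compliant; cron entry written to $demo_dir/crontab)"
```

Because Configuration Manager only looks at what the script prints, the return code is there for local testing; the decisive part is that the compliant phrase only appears in the output once softwareupdate has actually written it to the log.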

  5. Click "Compliance Rules" on the top tab and then click "New" to create a compliance rule.

  6. In the "Edit Rule" screen of the Compliance Rule:
    1. Name the rule Check for "No new software available."
    2. Set the setting to Contains and type the value No new software available.
    3. Check the Report noncompliance checkbox.
    4. Set the severity as Warning.
    5. Click OK.

  7. Click OK to close the Create Settings screen, click Next 3 times and then Close.
  8. In the Configuration Manager Console under Assets and Compliance -> Compliance Settings -> Configuration Baselines, right click and select "Create Configuration Baseline". Name it "Mac OS Software Update Baseline" or the like. Click Add to add the Configuration Item you just created (named "Mac OS Software Update Check" in the earlier step, containing the Check /tmp/softwareupdate.log setting).

  9. Right click on the "Mac Software Update Baseline" and deploy it to your collection. Check the remediate option and set the evaluation schedule to every hour.

Seeing it in action:

To start with, we will look at a Mac without the baseline installed.

Notice that there is no /etc/crontab file, which is the default. Also, if I run the softwareupdate -l command, we see that there are 2 updates that are recommended.

Once I have deployed the baseline, I can go to the client and click Connect Now, and the baseline will be applied to my system.

Notice now that even though the baseline is applied, it is showing non-compliant because the /tmp/softwareupdate.log file is missing. We are waiting on cron to run and check with Apple.


Once cron has run and the baseline has run, it shows me that my Mac is missing 2 recommended updates, which is what I wanted.

Lastly, once cron runs, the /tmp/softwareupdate.log file looks like this:

And Configuration Manager shows compliance: