Software Update Service is part of OS X Lion Server (and Mountain Lion Server) that allows you to download OS updates and serve them to multiple clients on a local network (similar to Red Hat’s Satellite server for Red Hat Enterprise Linux). I’ve had to play with this because we’re bandwidth-restricted at the church, and there are a lot of Macs there, all of which need security and bugfix updates. Attempting to download each of these updates online, per machine, is a painful experience, so Lion Server was a logical route to take. Except that it’s annoying as all get out, and was painful to get up and running. So this is just some notes on how I managed to get it to work.
First, you need (Mountain) Lion Server, and you need the Server Admin application, from where you can enable SUS (Software Update Server). I attempted to do it transparently because I control DNS on the local network, but while this seemed to work with Lion, it doesn’t seem to work with Mountain Lion… not quite sure why yet.
I followed this tutorial: Transparent Software Update Server using Mac OS X Lion Server 10.7 to get me up and running. I did notice, however, that I was not getting any updates downloaded that had been posted after May 2012, and eventually tracked it down to the IP address it recommends putting in /etc/hosts. Do NOT use 17.250.248.95 for swscan.apple.com! The line to add to the SUS server’s /etc/hosts file is this:
17.164.1.22 swscan.apple.com
That will get you all current updates, including Mountain Lion updates. Bear in mind that a hosts entry pins a single address that Apple is free to change: if the sync stops picking up new updates again, the first thing to re-check is whether that address still answers for swscan.apple.com. A few other things to note, since I need SUS to handle OS X 10.6, 10.7, and 10.8. The rewrite rules key off the Darwin kernel version in the client’s User-Agent, which identifies the OS release (Darwin/9 is 10.5, Darwin/10 is 10.6, Darwin/11 is 10.7, Darwin/12 is 10.8), and send each release to the matching merged catalog. The mod_rewrite section in /etc/swupd/swupd.conf should look like this:
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Each RewriteCond applies only to the RewriteRule that immediately follows it.
    # Darwin/9 = OS X 10.5 (Leopard)
    RewriteCond %{HTTP_USER_AGENT} Darwin/9
    RewriteRule ^/index\.sucatalog$ http://%{HTTP_HOST}/cgi-bin/SoftwareUpdateServerGetCatalog?/index-leopard.merged-1.sucatalog
    # Darwin/10 = OS X 10.6 (Snow Leopard)
    RewriteCond %{HTTP_USER_AGENT} Darwin/10
    RewriteRule ^/index\.sucatalog$ http://%{HTTP_HOST}/cgi-bin/SoftwareUpdateServerGetCatalog?/index-leopard-snowleopard.merged-1.sucatalog
    # Darwin/11 = OS X 10.7 (Lion)
    RewriteCond %{HTTP_USER_AGENT} Darwin/11
    RewriteRule ^/index\.sucatalog$ http://%{HTTP_HOST}/cgi-bin/SoftwareUpdateServerGetCatalog?/index-lion-snowleopard-leopard.merged-1.sucatalog
    # Darwin/12 = OS X 10.8 (Mountain Lion)
    RewriteCond %{HTTP_USER_AGENT} Darwin/12
    RewriteRule ^/index\.sucatalog$ http://%{HTTP_HOST}/cgi-bin/SoftwareUpdateServerGetCatalog?/index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog
</IfModule>
And my /etc/swupd/swupd.plist looks like:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PurgeUnused</key>
    <true/>
    <key>autoEnable</key>
    <true/>
    <key>autoMirror</key>
    <true/>
    <key>autoMirrorOnlyNew</key>
    <false/>
    <key>limitBandwidth</key>
    <false/>
    <!-- one entry per merged catalog named in the mod_rewrite rules -->
    <key>otherCatalogs</key>
    <array>
        <string>index-leopard.merged-1.sucatalog</string>
        <string>index-leopard-snowleopard.merged-1.sucatalog</string>
        <string>index-lion-snowleopard-leopard.merged-1.sucatalog</string>
        <string>index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog</string>
    </array>
    <!-- the port clients are pointed at in their CatalogURL -->
    <key>portToUse</key>
    <integer>8088</integer>
    <key>syncBandwidth</key>
    <integer>0</integer>
    <key>updatesDocRoot</key>
    <string>/var/db/swupd/</string>
    <key>valueBandwidth</key>
    <integer>0</integer>
</dict>
</plist>
With those changes, I can serve the updates to my Mac clients, but not to Mountain Lion ones. On Mountain Lion clients you need to run this command to explicitly point to the SUS server (replace [SUS_SERVER] with the server’s hostname or address):
$ sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://[SUS_SERVER]:8088/index.sucatalog
Now when you launch the App Store and check for updates, it will find any new Mountain Lion updates. The key is written to the system-wide preference domain, so it applies to every user on that Mac, and the client will now take its catalog from whatever answers at that URL; delete the CatalogURL key from the same domain to send the client back to Apple’s servers.
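Whether the catalog a SUS hands out is actually current is easy to check from any machine that can reach the server. The script below is an added example, not code from the original post and not part of Apple’s SUS. It parses a .sucatalog, which is an XML plist whose Products dictionary holds, per product ID, a PostDate and a Packages array with URL and Size entries, and reports the newest post date, the products posted after a cutoff, and which hosts the package URLs point at. The embedded sample catalog is constructed for this example (product IDs, URLs, sizes and dates are made up); run the script with a URL such as http://[SUS_SERVER]:8088/index.sucatalog to inspect a live server. It sends a Darwin/12 User-Agent by default so that the rewrite rules above return the Mountain Lion catalog.

```python
"""Inspect an Apple Software Update catalog (.sucatalog) for freshness.

Added example; not code from the original post or from Apple's SUS.
"""
import plistlib
import sys
from datetime import datetime
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Constructed sample in .sucatalog layout. Product IDs, URLs, sizes and
# dates are made up for this example; they are not real Apple products.
SAMPLE_CATALOG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CatalogVersion</key><integer>2</integer>
  <key>Products</key>
  <dict>
    <key>041-0001</key>
    <dict>
      <key>PostDate</key><date>2012-05-09T17:00:00Z</date>
      <key>Packages</key>
      <array>
        <dict>
          <key>URL</key><string>http://swcdn.apple.com/content/downloads/00/01/041-0001/Example5.1.7.pkg</string>
          <key>Size</key><integer>45000000</integer>
        </dict>
      </array>
    </dict>
    <key>041-0002</key>
    <dict>
      <key>PostDate</key><date>2012-09-19T18:30:00Z</date>
      <key>Packages</key>
      <array>
        <dict>
          <key>URL</key><string>http://swcdn.apple.com/content/downloads/00/02/041-0002/ExampleUpd10.8.2.pkg</string>
          <key>Size</key><integer>650000000</integer>
        </dict>
        <dict>
          <key>URL</key><string>http://swcdn.apple.com/content/downloads/00/02/041-0002/ExampleUpd10.8.2.pkm</string>
          <key>Size</key><integer>120000</integer>
        </dict>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""


def fetch_catalog(url, user_agent="Darwin/12"):
    """Download a catalog. The User-Agent matters: a SUS using the rewrite
    rules from this post picks the merged catalog by the Darwin version."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=30) as resp:
        return resp.read()


def load_catalog(data):
    """Parse catalog bytes; refuse anything that is not a product catalog."""
    cat = plistlib.loads(data)
    if not isinstance(cat, dict) or "Products" not in cat:
        raise ValueError("not a software update catalog: no Products key")
    return cat


def _as_datetime(value):
    # plistlib yields naive datetimes (UTC); accept "YYYY-MM-DD" strings too.
    return value if isinstance(value, datetime) else datetime.strptime(value, "%Y-%m-%d")


def product_summary(cat):
    """[(product_id, post_date, total_package_bytes)], newest first."""
    rows = []
    for pid, prod in cat["Products"].items():
        size = sum(int(pkg.get("Size", 0)) for pkg in prod.get("Packages", []))
        rows.append((pid, prod.get("PostDate"), size))
    rows.sort(key=lambda r: r[1] or datetime.min, reverse=True)
    return rows


def newest_post_date(cat):
    rows = product_summary(cat)
    return rows[0][1] if rows else None


def products_after(cat, cutoff):
    """Product IDs posted strictly after cutoff (datetime or 'YYYY-MM-DD')."""
    cutoff = _as_datetime(cutoff)
    return [pid for pid, post, _ in product_summary(cat) if post and post > cutoff]


def catalog_is_stale(cat, cutoff):
    """True when nothing was posted after cutoff: the symptom the post
    describes when the SUS syncs from a stale swscan.apple.com address."""
    newest = newest_post_date(cat)
    return newest is None or newest <= _as_datetime(cutoff)


def package_hosts(cat):
    """Hostnames the package URLs point at. A catalog served by a SUS should
    send clients to the SUS itself rather than to Apple's CDN."""
    hosts = set()
    for prod in cat["Products"].values():
        for pkg in prod.get("Packages", []):
            hosts.add(urlparse(pkg.get("URL", "")).hostname or "")
    hosts.discard("")
    return hosts


def main(argv):
    data = fetch_catalog(argv[1]) if len(argv) > 1 else SAMPLE_CATALOG
    cat = load_catalog(data)
    for pid, post, size in product_summary(cat):
        print(f"{pid}  {post}  {size / 1e6:8.1f} MB")
    print("newest post date:", newest_post_date(cat))
    print("package hosts:", ", ".join(sorted(package_hosts(cat))))
    print("stale after 2012-05-31:", catalog_is_stale(cat, "2012-05-31"))


if __name__ == "__main__":
    main(sys.argv)
```

With no argument the script runs over the constructed sample; with a URL it fetches the live catalog. If the newest post date is months old, or the package hosts still say swcdn.apple.com when you fetched from the SUS, the server is not serving what you think it is.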
For transparent updates on earlier versions of OS X, I added the following to my DNS server’s named.conf. This makes the local resolver authoritative for swscan.apple.com and answer with the SUS’s address; because the override also applies to the SUS host itself, the /etc/hosts entry above is what keeps the server talking to Apple’s real swscan.apple.com. Two limits worth knowing: clients will still ask on the default port (80), so something at that address has to answer there, and the trick only works for clients that fetch the catalog over plain http, since a client using https would reject a local server’s certificate for an apple.com name.
zone "swscan.apple.com" {
    type master;
    file "master/swscan.apple.com.zone";
};
and the swscan.apple.com.zone file contains:
$TTL 86400
@   IN SOA swscan.apple.com. root.mydomain.com. (
        2012060201 ; serial (d. adams)
        12H        ; refresh
        15M        ; retry
        1W         ; expiry
        1D )       ; minimum
    IN NS  dns.mydomain.com.
    IN MX  10 smtp.mydomain.com.
localhost          IN A 127.0.0.1
swscan.apple.com.  IN A 192.168.0.10   ; the SUS
I suspect there is another domain name that needs to be resolved somewhere in addition to swscan.apple.com, but I’ve not had the time to track it down as of yet. An easy way to check, on Lion and earlier, is to run “sudo softwareupdate -l” and watch the logs on your SUS: you’ll see the connections from that client. The same does not happen with Mountain Lion clients unless you do the “defaults write” command noted earlier.
If anyone knows how to make Mountain Lion clients connect to the SUS transparently, I would love to hear about how you got it to work.