• Home
  • Blog
  • Software Update Service on OS X Lion Server

Software Update Service on OS X Lion Server

Vincent Danen

August 23, 2012

Software Update Service is part of OS X Lion server (and Mountain Lion server) that allows you to download OS updates and serve them to multiple clients on a local network (similar to Red Hat's Satellite server, for Red Hat Enterprise Linux). I've had to play with this because we're bandwidth-restricted at the church, and there are a lot of macs there, all of which need security and bugfix updates. Attempting to download each of these updates, online, is a painful experience, so Lion Server was a logical route to take. Except that it's annoying as all get out, and was painful to get up and running. So this is just some notes on how I managed to get it to work.

First, you need (Mountain) Lion Server, and you need the Server Admin application, from where you can enable SUS (Software Update Server). I attempted to do it transparently because I control DNS on the local network, but while this seemed to work with Lion, it doesn't seem to work with Mountain Lion... not quite sure why yet.

I followed this tutorial: Transparent Software Update Server using Mac OS X Lion Server 10.7 to get me up and running. I did notice, however, that I was not getting any updates downloaded that had been posted after May 2012, and eventually tracked it down to the IP address it recommends putting in /etc/hosts. Do NOT use 17.250.248.95 for swscan.apple.com! The line to add to the SUS server's /etc/hosts file is this:

17.164.1.22 swscan.apple.com

That will get you all current updates, including Mountain Lion updates. A few other things to note (since I need SUS to handle OS X 10.6, 10.7, and 10.8). The mod_rewrite section on /etc/swupd/swupd.conf should look like this:

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} Darwin/9
    RewriteRule ^/index\.sucatalog$ http://%{HTTP_HOST}/cgi-bin/SoftwareUpdateServerGetCatalog?/index-leopard.merged-1.sucatalog
    RewriteCond %{HTTP_USER_AGENT} Darwin/10
    RewriteRule ^/index\.sucatalog$ http://%{HTTP_HOST}/cgi-bin/SoftwareUpdateServerGetCatalog?/index-leopard-snowleopard.merged-1.sucatalog
    RewriteCond %{HTTP_USER_AGENT} Darwin/11
    RewriteRule ^/index\.sucatalog$ http://%{HTTP_HOST}/cgi-bin/SoftwareUpdateServerGetCatalog?/index-lion-snowleopard-leopard.merged-1.sucatalog
    RewriteCond %{HTTP_USER_AGENT} Darwin/12
    RewriteRule ^/index\.sucatalog$ http://%{HTTP_HOST}/cgi-bin/SoftwareUpdateServerGetCatalog?/index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog
</IfModule>

(Sorry, the above looks a bit messed up, but you should be able to copy-n-paste it). And my /etc/swupd/swupd.plist looks like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PurgeUnused</key>
    <true/>
    <key>autoEnable</key>
    <true/>
    <key>autoMirror</key>
    <true/>
    <key>autoMirrorOnlyNew</key>
    <false/>
    <key>limitBandwidth</key>
    <false/>
    <key>otherCatalogs</key>
    <array>
        <string>index-leopard.merged-1.sucatalog</string>
        <string>index-leopard-snowleopard.merged-1.sucatalog</string>
        <string>index-lion-snowleopard-leopard.merged-1.sucatalog</string>
        <string>index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog</string>
    </array>
    <key>portToUse</key>
    <integer>8088</integer>
    <key>syncBandwidth</key>
    <integer>0</integer>
    <key>updatesDocRoot</key>
    <string>/var/db/swupd/</string>
    <key>valueBandwidth</key>
    <integer>0</integer>
</dict>
</plist>

With those changes, I can serve the updates to my mac clients, but not on Mountain Lion. On Mountain Lion clients you need to run this command to explicitly point to the SUS server:

$ sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://[SUS_SERVER]:8088/index.sucatalog

Now when you launch the App Store and check for updates, it will find any new Mountain Lion updates.

For transparent updates on earlier versions of OS X, I added the following to my DNS server's named.conf:

zone "swscan.apple.com" {
    type master;
    file "master/swscan.apple.com.zone";
};

and the swscan.apple.com.zone file contains:

$TTL    86400
@       IN SOA  swscan.apple.com. root.mydomain.com. (
                    2012060201      ; serial (d. adams)
                    12H     ; refresh
                    15M     ; retry
                    1W      ; expiry
                    1D )        ; minimum
            IN NS       dns.mydomain.com.
        IN MX       10 smtp.mydomain.com.

localhost   IN A        127.0.0.1
swscan.apple.com. IN A      192.168.0.10

I suspect there is another domain name that needs to be resolved somewhere in addition to swscan.apple.com, but I've not had the time to track it down as of yet. An easy way to check is on Lion and earlier if you run "sudo softwareupdate -l" and watch the logs on your SUS, you'll see the connections from that client. The same does not happen with Mountain Lion clients unless you do the "defaults write" command noted earlier.

If anyone knows how to make Mountain Lion clients connect to the SUS transparently, I would love to hear about how you got it to work.

Leave a Comment

Comments use MarkDown. Need help? MarkDown Cheatsheet