
A script to manage networked software updates System
This shell script is run as a cron job that I use to control what updates my workstations get at work. Because it is launched from cron, it is root so it can install any needed updates. The panther.txt file that sits on the web server is just a file with a single line that has all the approved updates listed one after another with spaces between them. You can get the list to put in there by running softwareupdate -l on a machine that needs patches.

Before using the script, change the three instances of in the script to match your own company or school.

[robg adds: Due to some very wide lines that weren't easily breakable, I've uploaded the script to the macosxhints' downloads folder. Click the link to open the script in a new window, from where you can copy and paste it into a Terminal editor. Remember to make it executable (chmod 755 script_name), and setting it up as a cron task is left as an exercise for the reader...]

A script to manage networked software updates
Authored by: Greedo on Apr 16, '04 12:31:55PM

Just a quick clarification: just because a script runs as a cron job, doesn't mean it runs as root, as this hint might seem to suggest.

Each normal user has a cronjob as well, which you can see by doing crontab -l from a shell.

To see the root user's cron jobs, do sudo crontab -l, and to edit them, do sudo crontab -e.

A script to manage networked software updates
Authored by: jlevitsk on Apr 20, '04 12:51:39PM

Actually in my case it does because I am using Fink with Anacron to run it so when I put it in /sw/etc/cron.daily it does. Also if it was put as /etc/daily.local it would run as root as well. I would not use a user crontab for this because it should run independent of any user being logged in.

downloading files from local server?
Authored by: redjar on Apr 16, '04 01:35:23PM

This is pretty cool. The clients unfortunately still have to download the packages from a remote server (over a slow internet connection). It would be nice if they could grab the packages from a local server. Anyone tried to tackle this?

The command-line softwareupdate tool doesn't appear to have an option to install a package that is already on the machine, or on a server other than Apple's. It'd be nice if Apple released software to do this (similar to Microsoft's Software Update Server or whatever it's called.)

Maybe someone will come up with one independently. Looks like it checks for the updates and then downloads them from an Akamai server.

A script to manage networked software updates
Authored by: macubergeek on Apr 16, '04 05:59:10PM

you can pull this script down easiest with wget


A script to manage networked software updates
Authored by: jlevitsk on Apr 20, '04 12:53:01PM

I have an updated script at

that has better error catching and more functionality.

Almost there
Authored by: ssevenup on Apr 16, '04 07:41:01PM

I have been onto this process for several months now. We have gone through many iterations to get to where I am now. I wrote mine to accommodate both Jaguar and Panther. We use ssh to harvest the approved updates from the server and only allow one update at a time. I am ultra conservative on this situation. We run permission repair before and after the update and never put OS revisions on the approve list (too risky). The connectivity checking is a good idea and I even check the subnet so it does not run unless they are at work. In addition I won't allow the updates to run unless the user is logged out. I also prevent login while the update is running and force the reboot after. On the server side we are using SQLite with a combination of perl, shell and Cocoa to manage the approval process. I hope to have a "kit" to release at some point after we go live. I have purposely avoided anything but software update for security reasons and kept things as simple as possible. The ability to have an alternate source for updates is unsupported by Apple so far though it has been made clear to them it's on the wish list.


Mark Moorcroft
Sys. Admin.

Almost there
Authored by: Anonymous on Apr 20, '04 05:54:45AM

I've been looking for a way to stop users from logging in during the update. How do you achieve this?

A script to manage networked software updates
Authored by: jmao on Apr 17, '04 08:54:37AM

We have a controlled image,...and a ton of laptops, I made a start up item that pulls down packages that I place on a local server. When the system boots, it checks for packages. If it finds one it doesn't have, it downloads and installs it. Since I know exactly what is on the laptops, we can place our Apple updates or any other custom package on the server. Packages are installed in order as they are listed in the text file that is curl-ed first. Installs that need a reboot are not active until the next install, but since we have over 600 student laptops, this works fine for us,....


#!/bin/sh
. /etc/rc.common

#This script is a low-tech software update setup.
#To prepare a script for the server:
#sudo tar -czvf filename.pkg.tar.gz filename.pkg

ConsoleMessage "Updating Computer"

#Get date
TODAY=`/bin/date +%m-%d-%y`

#Check to see if directory exists, if not make it
if [ ! -d /usr/local/myupdate ]; then
    mkdir -p /usr/local/myupdate
fi

#Stop here if the working directory is unavailable
cd /usr/local/myupdate || exit 1

#curl packages list from http server
#(-O saves the file under its remote name; the loop below reads ./updates)
curl -Os http://ipaddress/path/to/directory

#for each item in updates list (format downloadname:receiptname), go get it
for listitem in `cat updates`; do

    #set variables
    downloadname=`echo "$listitem" | cut -f1 -d:`
    pkgname=`echo "$listitem" | cut -f1 -d: | sed -e 's/\.tar\.gz$//'`
    receiptname=`echo "$listitem" | cut -f2 -d:`

    #if package receipt does not exist, then get package and install it
    if [ ! -d "/Library/Receipts/$receiptname" ]; then
        curl -sO "http://ipaddress/path/to/directory/$downloadname"
        tar -xzf "$downloadname"
        rm "$downloadname"
        #send installer output and errors to a dated log file
        installer -verbose -pkg "$pkgname" -target / > "log_$pkgname-$TODAY.txt" 2>&1
        rm -R "$pkgname"
    fi
done

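The startup item in the comment above runs as root and passes names taken from a list fetched over plain HTTP to tar, installer and rm -R. As an added example (not part of jmao's post), these sh helpers validate a list entry and compare the downloaded archive with a SHA-256 digest before anything is unpacked; the third `:sha256` field and the function names are assumptions, and the check only helps if the list itself arrives over an authenticated channel such as HTTPS.

```shell
#!/bin/sh
# Added example: checks one list entry before anything is unpacked as root.
# Assumed list format, one entry per line:  archive:receipt:sha256
# The third field is hypothetical; the original list carries only the first two.

# Print the SHA-256 hex digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= *//'
    fi
}

# Accept only plain file names: no slash, no leading dot or dash, nothing
# outside [A-Za-z0-9._-]. These values end up in rm -R and installer paths.
safe_name() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_entry ENTRY DIR: succeed only if ENTRY is well formed and the archive
# already downloaded into DIR matches the digest carried in ENTRY.
check_entry() {
    archive=$(printf '%s' "$1" | cut -d: -f1)
    receipt=$(printf '%s' "$1" | cut -d: -f2)
    want=$(printf '%s' "$1" | cut -d: -f3 | tr 'A-F' 'a-f')
    safe_name "$archive" || { echo "rejected archive name" >&2; return 1; }
    safe_name "$receipt" || { echo "rejected receipt name" >&2; return 1; }
    [ "${#want}" -eq 64 ] || { echo "missing or malformed digest" >&2; return 1; }
    [ -f "$2/$archive" ] || { echo "archive not found" >&2; return 1; }
    got=$(sha256_of "$2/$archive")
    [ "$got" = "$want" ] || { echo "digest mismatch for $archive" >&2; return 1; }
}
```

In the loop, call `check_entry "$listitem" /usr/local/myupdate` after the download and skip the tar, installer and rm steps when it fails.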