
Create a transparent local software update server OS X Server
This is a way to transparently set up a server to cache software updates on your local network. This doesn't require any modifications (defaults write...) on clients -- it just works. And I didn't find any other similar solution on the internet; not even here! It does require Mac OS X Server, however. Here's how we did it:
  1. Build a Mac OS X Server and call it yoursus. We used a headless Mac mini to do the job.
  2. You must use external DNS servers on this server (so it won't check itself for updates).
  3. Add a record for your server on your internal DNS, so yoursus.yourdomain.com resolves to your SUS's IP.
  4. Start Software Update Server (SUS). It may take some time to cache all updates -- our /usr/share/swupd/html/ folder now has almost 9GB of files in it!
  5. Start Web Service, and add the following redirect (Server Admin » Web » Sites » default » Edit » Aliases » URL Aliases and Redirects » Add » Redirect):
    • Pattern: /content/catalogs/index-1.sucatalog
    • Path: http://yoursus.yourdomain.com:8088/index.sucatalog
  6. Add a zone in your internal DNS, called swscan.apple.com, and point the whole subdomain to the IP of your SUS.
  7. Flush your DNS cache on the clients: lookupd -flushcache
Now test your setup. Using Safari, following this link to Apple's catalog on your SUS should show Apple's real catalog (ApplePostURL should start with swquery.apple.com), while the same on other computers in your network should resolve and be forwarded to your SUS, http://yoursus.yourdomain.com:8088/index.sucatalog (ApplePostURL will start with yoursus.yourdomain.com:8088 this time).

Now just run Software Update on the clients, and enjoy the speed of downloads!

The only downside of this setup is the mini complaining in system.log that it has no reverse DNS entry for itself. To be honest, I didn't have much time to think how to set it up without extra hardware; I just happened to have a spare mini for this purpose. Maybe there's a way to have the DNS and SUS running on one server, perhaps via two IP addresses and tweaking of config files. I also didn't test it much with Panther clients; it possibly needs different redirects for that. Comments welcomed. Happy updating!

Warning: I emphasized using internal DNS so you won't propagate Apple's own zone to the outside world. I warned you and don't bear any responsibility for your bringing Apple's update servers down! I can't provide you with more details, as our DNS runs on Windows.

[robg adds: I haven't tested this one...]
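
To make the test step in the hint repeatable, the following added example (not part of the original hint and not Apple's tooling) parses a catalog as a client received it and reports which host ApplePostURL names and which hosts every URL in the catalog points at. The sample catalog, its product layout and its paths are constructed; only the ApplePostURL key and the host names come from the page.

```python
import plistlib
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: a tiny catalog as a client behind the DNS override might
# receive it. The Products/Packages/Distributions layout and all paths are
# made up for illustration; the audit below does not depend on that layout.
SAMPLE_CATALOG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>ApplePostURL</key>
  <string>http://yoursus.yourdomain.com:8088/constructed/post</string>
  <key>Products</key>
  <dict>
    <key>000-0001</key>
    <dict>
      <key>Packages</key>
      <array>
        <dict>
          <key>URL</key>
          <string>http://yoursus.yourdomain.com:8088/content/downloads/constructed/a.pkg</string>
        </dict>
        <dict>
          <key>URL</key>
          <string>http://swcdn.apple.com/content/downloads/constructed/b.pkg</string>
        </dict>
      </array>
      <key>Distributions</key>
      <dict>
        <key>English</key>
        <string>http://yourdomain.com:8088/content/downloads/constructed/a.dist</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def iter_urls(node):
    """Yield every http(s) URL string found anywhere in a parsed plist."""
    if isinstance(node, dict):
        for value in node.values():
            yield from iter_urls(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_urls(value)
    elif isinstance(node, str) and node.startswith(("http://", "https://")):
        yield node


def audit_catalog(data, sus_netloc):
    """Report which hosts a catalog sends the client to.

    data       -- raw bytes of a .sucatalog file (a property list)
    sus_netloc -- host[:port] of the local SUS, e.g. yoursus.yourdomain.com:8088
    """
    catalog = plistlib.loads(data)
    if not isinstance(catalog, dict):
        raise ValueError("catalog is not a plist dictionary")

    sus_netloc = sus_netloc.lower()
    post_host = urlsplit(catalog.get("ApplePostURL", "")).netloc.lower()
    hosts = Counter(urlsplit(url).netloc.lower() for url in iter_urls(catalog))

    return {
        # Host named in ApplePostURL; the hint uses this to tell the two catalogs apart.
        "apple_post_host": post_host,
        "served_by_sus": post_host == sus_netloc,
        # Every host the catalog references, with the number of URLs per host.
        "hosts": dict(hosts),
        # Hosts other than the SUS: downloads for these URLs will not come from it.
        "foreign_hosts": {h: n for h, n in hosts.items() if h != sus_netloc},
    }


if __name__ == "__main__":
    report = audit_catalog(SAMPLE_CATALOG, "yoursus.yourdomain.com:8088")
    print("ApplePostURL host:", report["apple_post_host"])
    print("Catalog served by local SUS:", report["served_by_sus"])
    for host, count in sorted(report["foreign_hosts"].items()):
        print(f"  {count} URL(s) point away from the SUS, at {host}")
```

Save the catalog a client actually receives to a file and pass its bytes to audit_catalog() in place of the sample; any entry under foreign_hosts is a host whose traffic still bypasses the cache.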

Create a transparent local software update server
Authored by: mojosan on Oct 10, '07 08:51:32AM

Setting up a local software update server for Macs is a great idea and well worth it. I have a slightly different (and I think simpler) method, though YMMV.

You still need a machine with Mac OS X Server (sorry) setup on a static ip address with the Software Update Server turned on (part of Mac OS X Server). Ideally you have your own DNS server so that you can map a DNS name to the IP address of this machine (for convenience).

The next step is to download "Software Update Client Configuration" from versiontracker.com or macupdate.com. This is a little program you run on each client machine which allows you to either temporarily (which is what we use) or permanently change the address of the software update server that the client gets its updates from (note... you have to press the "Save" button once you've entered in your temporary server address or this doesn't work) and then click the "Open Software Update" button. We use "temporarily" so that when our users are at home they can run software updates directly with Apple's servers (which is fine with us). You may choose to manage this differently.

Software update then runs normally but downloads updates available on the local server instead of Apple's server.

The advantages of this are 1) speed (it's a beautiful thing watching these updates download over 100Mb or Gigabit ethernet) 2) saves bandwidth on your WAN as you only have to download the updates once from Apple to your SU Server and 3) it only installs the updates that you have made available on your updates server.

We've been using this for about a year and it works beautifully, fabulously, flawlessly. Great solution.



[ Reply to This | # ]
Create a transparent local software update server
Authored by: TvE on Oct 10, '07 10:46:21AM

I like the original idea a lot better - try your model in an organization with thousands of clients…



[ Reply to This | # ]
Create a transparent local software update server
Authored by: zpjet on Oct 12, '07 02:06:13AM

I appreciate all your comments, although I must say only a few people understand my solution, so I will emphasise what matters this time again:

This doesn't require any modifications on clients.

Most of the solutions suggested were already described in many places, for example here at macosxhints: 10.4: Manually add a Tiger Software Update Server

I agree that using e.g. defaults write com.apple.SoftwareUpdate CatalogURL "http://yoursus.yourdomain.com:8088/" is more simple. But let me think about some case studies:

  1. If I had the server at home and a few macs, I would use defaults (or a freeware) - even on laptops, because the client seems to fall back to Apple's servers when it can't find local SUS.
  2. Without a server, the suggested Squid proxy solution seems to be fine, although I would save hassle if I had just three home macs.
  3. In a company with twenty macs, I would also use defaults, perhaps wrapped into an AppleScript and sent around in a mail, or using Remote Admin and its feature Send UNIX command as current user.
  4. Yes, the right way to do it is with Open Directory. And yes, if you have 3000 clients, you gotta have it.
  5. But we're a service centre where most of the client computers belong to customers, so we don't want to modify their and want to save our traffic. That's why we invested into the server software and one mini to do the job. If you are an internet cafe or have a lot of guests in general, you might profit, too. I can see in the log it does about ten updates a day, most of them worth ~300MB - the updates are downloaded from local SUS in cca one minute.

Yes, this is actually a DNS hack, but what I like is that the setup is very simple. Just the server, one Redirect and one zone on internal DNS. When I'm not that busy, I will try to find a solution without a spare server, as DNS can listen on more IP addresses.



[ Reply to This | # ]
Brilliant!... 10.6 Server update:
Authored by: paullyjay on Oct 29, '09 10:59:23AM

OK, I have this up and running on 10.6.1 server now...

Follow all the steps from the top post... (Great post BTW)
then also add 2 more redirects:

pattern: /content/catalogs/others/index-leopard.merged-1.sucatalog
path: http://yourserver.yourdomain.com:8088/index-leopard.merged-1.sucatalog

pattern: /content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog
path: http://yourserver.yourdomain.com:8088/index-leopard-snowleopard.merged-1.sucatalog

Then instead of using: lookupd -flushcache

use: dscacheutil -flushcache on the client

Now try running software update on the client computer...



[ Reply to This | # ]
Brilliant!... 10.6 Server update:
Authored by: _Tom on Sep 20, '10 03:21:26PM

Truly a great hack, thanks for that. Thought I would add that I have it up and running on Server 10.5.8, and it's happily serving updates to clients using 10.4, 10.5 and 10.6 (haven't tested older ones).

I wanted to share some troubleshooting I did regarding the message:

<Error>: Unable to download upstream catalog index (was looking for http://swscan.apple.com/content/meta/mirror-config-1.plist

I was getting this after I had the SUS up and running. I'm not entirely sure what causes it but it's not related to the DNS hack (I was careful to configure my services stepwise). There are several posts at discussions.apple.com relating to it with no real solution.

As it happens, in order to get Leopard server to serve Snow Leopard clients, I had to modify mirror-config-1.plist and put it on my local drive anyway. Although I reflected this change in swupd.plist, I couldn't get SUS to load the file from the local path (same error as above -- not sure if it was a permissions problem). Obviously the URL http://mySUS.mydomain.com:8088/content/meta/mirror-config-1.plist doesn't resolve from the server since it's using my ISP's DNS, so my solution was to just chuck mirror-config-1.plist on an external website and update swupd.plist so it looks there. Since doing that I haven't had a problem.

Thought I'd share in case anyone else ran into this.

Once again many thanks for the brilliant tip. I love it. We have many computers, most of which aren't administrated by me, and limited bandwidth, so doing this transparently was exactly what I needed.

Cheers,

Tom



[ Reply to This | # ]
Brilliant!... 10.6 Server update:
Authored by: _Tom on Sep 23, '11 09:26:04PM
Alright, I now also have 10.5.8 Server sending out updates to Lion clients!

Added:

http://swscan.apple.com/content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog

to mirror-config-1.plist

Left it for 24 hours to download updates and propagate the catalogs, then redirected

index-lion-snowleopard-leopard.merged-1.sucatalog

to

/usr/share/swupd/html/content/catalogs/others/index-lion-snowleopard-leopard.merged-1.sucatalog.apple

Thanks again to the original poster for the great tip!

[ Reply to This | # ]
Create a transparent local software update server
Authored by: pauldy on Oct 10, '07 11:26:01AM

Might try a simple entry in /etc/hosts to fix the issue with reverse dns. Of course this may have the side effect of pointing the server to itself for updates.



[ Reply to This | # ]
Create a transparent local software update server
Authored by: zpjet on Oct 12, '07 02:09:24AM

Cheers, yes it helped. And no it doesn't check on itself, because it has external DNS so it bypasses the hacked DNS.



[ Reply to This | # ]
Create a transparent local software update server
Authored by: zpjet on Oct 12, '07 05:20:13AM

Actually, it didn't because it checks for DNS reverse record, not in FF (flat files). I might just run a DNS service there as I don't like cluttered logs (needless to say, this log helped us once to determine when the server crashed as the DNS error appears every 30 minutes).



[ Reply to This | # ]
Create a transparent local software update server
Authored by: allanmarcus on Oct 10, '07 11:48:42AM
I'm the primary Mac admin at the Los Alamos National Lab. We have over 3000 Macs and we run our own update server. Actually, we test on a Mac OS X Server, then we have a number of XServes with round robin DNS running Mac OS X client and personal web sharing to serve up the actual updates.

To have the clients connect to our server and not Apple's, we execute the following:

defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://ourserver.lanl.gov/

The documentroot of the apache servers point to the dir with all the updates. Works great.

If you image machines, you just make the change in the image. If you manually build machines, you just add the defaults write command to your check list. In our case, we have a hardening tool that secures the Macs, and the defaults command is in there.



[ Reply to This | # ]
Create a transparent local software update server
Authored by: marook on Oct 10, '07 11:56:55AM

3000 Macs and you don't use OD??? WOW!
See my post below.. ;-)

---
/Marook



[ Reply to This | # ]
Create a transparent local software update server
Authored by: marook on Oct 10, '07 11:52:50AM

Hi All,

Ok, the right way to do this, is via the Open Directory on your server.
Here is what to do:

1: Set up a Mac OS X Server, and make sure it resolves correctly back and forth.
That means: name.domain.tld should resolve to the static IP you have given it, and the IP should resolve to the hostname. You can use the internal DNS server to do this.

2: Make the server an Open Directory Master.
(Without this, you can't push preferences to the clients)

3: Start the SUS.

4: In Workgroup Manager, make a Computer List, and add the Macs you want this to happen to, to the list. Set the SUS preference for this list to your own server.
A shame it's not possible to set this kind of thing in the Guest Computers list.

Of course, the DNS 'hack' above would mean every computer on the network will use your SUS, as long as you make sure to push them the right DNS server via DHCP - but this method is the 'correct' way to do it.

Hope it helps,

---
/Marook



[ Reply to This | # ]
Create a transparent local software update server
Authored by: pexner on Oct 10, '07 12:19:35PM

I'm using "a poor man's SUS" almost every day. Here's how:

I'm doing consulting and service at clients sites. And when I have to update the client's machines, I just plug my PowerBook into their network and start my customised Squid (proxy).
I am using Squidman (Mac OS X GUI for squid), made some changes to the default cachesize, increased the maximum file size to 300MB and the cachedir to 3GB. That's all.

On the client machines I just change the ProxySettings to MyPowerBook.local:8080 and off we go!

On a fast LAN it's a pleasure to see how fast it goes.

And I can even profit from my own Squid if I have to update my own PowerBook. I just change my own Proxy Setting to localhost:8080 and whoooosh! :)

OK - it needs a manual change in every client machine, but it's still faster than updating without a SUS.

By the way: No problem to fast-update Windows machines the same way... It just works! :)



[ Reply to This | # ]
Create a transparent local software update server
Authored by: zpjet on Oct 12, '07 05:57:33AM

this is smart - i've been thinking about the same, having all updates with me when going onsite! although i was planning to setup my apache to do it - swupd is just another apache server.



[ Reply to This | # ]
Software update enabler
Authored by: kholburn on Oct 10, '07 02:50:41PM
We used this application http://www.wiretapped.net/~proton/suenabler/index.html to point Software update on a mac to a different server.

This is much more flexible.

[ Reply to This | # ]
Create a transparent local software update server
Authored by: foilpan on Oct 10, '07 04:17:35PM
this is a great tip, but i'm left wondering why administrators allow their desktops to download updates in the first place. wouldn't it be easier to push out the package files on a schedule?

better yet, what about using radmind?

[ Reply to This | # ]

Create a transparent local software update server
Authored by: hellermd98 on Oct 11, '07 03:06:09AM

Most of our users have standard privileges, not administrative privileges.

Is there a way to allow a standard privilege user to run the "Software Update …" without knowing an administrative user's credentials? That is, how can a standard user perform a software update while keeping an administrative account's secret? If the standard user had the user name and password combination for an administrative account to run software update, then s/he could install anything on her/his software.

Thanks in advance for any suggestions!



[ Reply to This | # ]
Create a transparent local software update server
Authored by: zpjet on Oct 12, '07 02:15:42AM

changing suid of the app should help. i haven't tested it tho:

sudo chmod -R u+s "/System/Library/CoreServices/Software Update.app"

[ Reply to This | # ]
Another advantage of this method
Authored by: amontgomerie on Oct 13, '07 12:28:46AM

Thanks for sharing that trick. I have 70 users with laptops that are set to update from our local SUS. They all complain that they can't update when they take their computers home. This method will fix that.



[ Reply to This | # ]
Make it work for 10.3 & 10.2 also
Authored by: aaronfreimark on Oct 24, '07 01:56:24PM

The hint above is fantastic. Unfortunately, it breaks Software Update for 10.2 and 10.3. This is because the Software Update Server 10.4 only caches local copies of 10.4 software updates.

To keep the above functionality, but to pass 10.2 and 10.3 requests to Apple, add the following lines to your httpd config file, which probably lives at /etc/httpd/sites/0000_any_80_.conf.


        <IfModule mod_proxy.c>
                ProxyRequests Off
                ProxyPass /scanningpoints/scanningpointX.xml http://swscan.apple.com/scanningpoints/scanningpointX.xml
        </IfModule>


[ Reply to This | # ]
...and something for 10.5
Authored by: chrisfriend on Oct 27, '07 09:15:01PM
Since there are no software updates (yet) for 10.5, and it's possible to serve updates to clients on other OSes, here's a tip for those on an older server with users running Leopard. (I used the below hint to serve application updates to a Leopard client from a Tiger Server.)

Similar to the original hint from zpjet, adding an additional Redirect entry will cover the new URL for Leopard updates:

Pattern: /catalogs/others/index-leopard.merged-1.sucatalog
Path: http://yoursus.yourdomain.com:8088/index.sucatalog

Please note that this simply points Leopard to the same catalog as everyone else. I'm sure there are likely to be implications beyond missing OS updates that I can't foresee, but it's working great for the time being, where no such updates are around to be missed.

I'd like to thank everyone else who provided the hints and tweaks above -- you've allowed the transition of my home LAN to Leopard to go much, much, much faster and more simply than I would have imagined.

[ Reply to This | # ]
Create a transparent local software update server
Authored by: brycec on Dec 12, '07 10:24:13AM
Small update to this... I was having issues with my Leopard giving me the File Not Found error when trying to pull this. Turns out, at least according to the Apache error logs that Software Update is looking for
/content/catalogs/others/index-leopard.merged-1.sucatalog
(note the /content). Thanks for the handy tip!

[ Reply to This | # ]
Create a transparent local software update server
Authored by: el doctor on Mar 25, '08 09:44:03AM
Very useful hint for our repair center, but I'm using Mac OS 10.5 Server and with this hint, the Software Update Service won't work anymore because it asks the same server as the clients and the DNS redirects the requests to the server itself. The workaround is again a Web redirection for the server requests. The idea is to redirect the server request to the official Apple Software Server with its IP address. So, you just have to add those RedirectMatch to your default Web site as you did in the first post:

/content/meta/mirror-config-1.plist
to
http://17.250.248.95/content/meta/mirror-config-1.plist

/content/catalogs/index.sucatalog
to
http://17.250.248.95/content/catalogs/index.sucatalog

/content/catalogs/others/index-windows-1.sucatalog
to
http://17.250.248.95/content/catalogs/others/index-windows-1.sucatalog

Now, your server is downloading the updates from Apple and the clients are updating them transparently with the joy of speed!

[ Reply to This | # ]
Create a transparent local software update server
Authored by: jasonthat on Jul 12, '09 12:27:19PM

Hi el doctor

Do you know if these "RedirectMatch" entries (for having the server not point to itself) which have to be added on the "Default Web site" - do they still apply to Leopard 10.5.7 (both my server and clients are on Leopard 10.5.7) or has it changed?

The 3rd step mentioned in the instructions about creating a new record for this server - Does SUS really have to be on a separate/standalone server doing only Software update. I am right now testing it on our existing OD Master but it is not our DNS server. Any issues with this?

Anyone else reading this thread, please do feel free to comment on this.



[ Reply to This | # ]
Create a transparent local software update server
Authored by: zpjet on Sep 15, '09 04:09:22AM

i've just run DNS on the same server. or you could put external DNS in your TCP/IP config



[ Reply to This | # ]
Create a transparent local software update server
Authored by: uruguayuploder on Oct 21, '09 05:18:16AM

This is a great post!!!.
I have like 30 macs in my environment and 60 windows pcs.
I'm running WindowsSUS successfully for about a year and I thought "this can be done to mac too".
So I installed, like 3 months ago, an OS X Server 10.4 in an old eMac. Redirecting all the machines to the SUS server manually was not the best option for me, so when this post appeared on Google saying that this could be done transparently I feel that this was going to be the right solution.
Well, I couldn't get this to work and I beg you for help.
First I started the Update Service and mirrored all the updates.
2. I started the Web service, enabled the default site and added to the redirect:

Pattern: /content/catalogs/index-1.sucatalog
Path: http://yoursus.yourdomain.com:8088/index.sucatalog

Pattern: /content/catalogs/others/index-leopard.merged-1.sucatalog
Path: http://yoursus.yourdomain.com:8088/index.sucatalog
I added this line to serve the leopard updates.

3. Added a zone in my internal DNS in which swscan.apple.com, swquery.apple.com, swcdn.apple.com are pointing to 152.146.224.249 (my sus).

That's all the settings I made.
When the mac clients now go to update, the progress bar is stopped almost immediately and after a few minutes it says it can't find something. So I think the redirect is working.

Something that I noticed is that the updates service in the server has 0 updates and 0 mirrored now, and can't connect to Apple. I think it's looking the updates to himself.

Can you help me?
I hope this post isn't dead



[ Reply to This | # ]
Create a transparent local software update server
Authored by: paullyjay on Oct 29, '09 10:55:15AM

OK, I have this up and running on 10.6.1 server now...

Follow all the steps from the top post... (Great post BTW)
then also add 2 more redirects:

pattern: /content/catalogs/others/index-leopard.merged-1.sucatalog
path: http://yourserver.yourdomain.com:8088/index-leopard.merged-1.sucatalog

pattern: /content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog
path: http://yourserver.yourdomain.com:8088/index-leopard-snowleopard.merged-1.sucatalog

Then instead of using: lookupd -flushcache

use: dscacheutil -flushcache on the client

Now try running software update on the client computer...



[ Reply to This | # ]
Create a transparent local software update server
Authored by: gajones on Dec 09, '09 08:27:16AM

I am also using Snow Leopard Server (10.6.2)

Could you share with us exactly how you entered your DNS and redirect settings?

As far as I can see I have everything set up correctly. All 3 catalog files resolve to the local server when entered in a client browser, yet the client machines do not find any updates (and yes the software update service is started, updates downloaded and enabled).



[ Reply to This | # ]
Create a transparent local software update server
Authored by: gajones on Dec 10, '09 05:07:32AM

I tested on several other machines today, and suddenly it works fine. Go figure....



[ Reply to This | # ]
Create a transparent local software update server
Authored by: Vince02 on Jan 19, '10 02:29:55AM

Hello,
I followed all instructions and I can't update my client. When I start SUS from my client I get the message 'Your software is up to date'. But when I go to system messages in Console I have several errors:
- Msg Id Software Update (1124) : " Can't instantiate distribution from http://MySus.local:8088/content/downloads/.."
If you can help me...

Thx



[ Reply to This | # ]
Create a transparent local software update server
Authored by: filipp on Nov 11, '09 02:39:28AM

A great tip, thanks for sharing!



[ Reply to This | # ]
Create a transparent local software update server
Authored by: JLG on Jan 07, '10 09:59:01AM

You don't really need all the redirects in the web service. The standard caveat applies to be sure your Mac OS X Server is not using itself for DNS; otherwise, you'll never get any new updates in the Software Update service. All your clients, though, must be using your Mac OS X Server for DNS; otherwise, they'll always hit Apple's update server instead of yours.

1. Set up Mac OS X Server, and enable the Software Update, Web, and DNS services.
2. In the DNS service, add a master zone named "swscan.apple.com." (with the trailing dot!)
3. Create an A (machine) record that maps "swscan.apple.com." (with the trailing dot!) to the IP of your Mac OS X Server.
4. Create two CNAME (alias) records that point "swcdn.apple.com." and "swquery.apple.com." to "swscan.apple.com." (with the trailing dots!)
5. In a terminal window, run the following script to create all the necessary directories and symlinks:

# Create required directory for 10.5.x/10.6.x catalogs
sudo mkdir /usr/share/swupd/html/content/catalogs/others/
# Add symlink for 10.6.x updates
sudo ln -s /usr/share/swupd/html/content/catalogs/index.sucatalog /usr/share/swupd/html/content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog
# Add symlink for 10.5.x updates
sudo ln -s /usr/share/swupd/html/content/catalogs/index.sucatalog /usr/share/swupd/html/content/catalogs/others/index-leopard.merged-1.sucatalog
# Add symlink for 10.4.x updates
sudo ln -s /usr/share/swupd/html/content/catalogs/index.sucatalog /usr/share/swupd/html/content/catalogs/index-1.sucatalog
# Add swupd symlink to default webserver directory
sudo ln -s /usr/share/swupd/html/content /Library/WebServer/Documents/content
# Add symlink for stats engine
sudo ln -s /usr/share/swupd/cgi-bin/SoftwareUpdateServerStats /Library/WebServer/Documents/WebObjects/SoftwareUpdatesStats
Edited on Jan 07, '10 10:01:26AM by JLG


[ Reply to This | # ]
Create a transparent local software update server
Authored by: JLG on Jan 11, '10 10:46:58AM

Minor correction: The CNAME entries won't work properly, because they're not in the swscan.apple.com zone...so, you should ignore step 4 and, instead, repeat steps 2 and 3 for the other two hostnames (swcdn.apple.com. and swquery.apple.com.).



[ Reply to This | # ]
Create a transparent local software update server
Authored by: Marshmallow on Apr 13, '10 02:58:40PM

I have been following these steps to create a transparent local software update server, but it's not quite working right. Here are the steps I've taken:

1. Downloaded http://swscan.apple.com/content/meta/mirror-config-1.plist and copied it to /usr/share/swupd/html/content/meta/mirror-config-1.plist

2. Changed it to:

<key>PrimaryCatalog</key>
<string>http://swscan.apple.com/content/catalogs/index.sucatalog</string>
<key>CatalogsList</key>
<array>
<string>http://swscan.apple.com/content/catalogs/index.sucatalog</string>
<string>http://swscan.apple.com/content/catalogs/others/index-leopard.merged-1.sucatalog</string>
<string>http://swscan.apple.com/content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog</string>
</array>

3. Edited /etc/swupd/swupd.plist and changed the metaIndexURL entry to:

<key>metaIndexURL</key>
<string>http://mysus.mydomain.com:8088/content/meta/mirror-config-1.plist</string>
<key>portToUse</key>

4. Changed my *internal* DNS to point to swscan.apple.com, swcdn.apple.com, and swquery.apple.com to mysus.mydomain.com server at IP address 10.1.0.136.
* Verified connectivity by pinging these URLs from other computers and getting responses back from 10.1.0.136,
* and by surfing to http://swscan.apple.com:8088/index.sucatalog and pulling up my server's index.sucatalog page

5. Set mysus.mydomain.com's DNS to an *external* DNS server
* Added my local (internal) servers to the /etc/hosts file so it could communicate with them internally (Active Directory, Exchange, etc.)
* Verified it connects to the correct Apple servers both by pinging and by downloading the latest updates

6. After it generated the local catalog files, I added these symlinks:

cd /usr/share/swupd/html
ln -s /usr/share/swupd/html/content/catalogs/index.sucatalog
ln -s /usr/share/swupd/html/content/catalogs/others/index-leopard.merged-1.sucatalog
ln -s /usr/share/swupd/html/content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog

7. Started Web Service, and added the following redirects:

Pattern: /content/catalogs/index-1.sucatalog
Path: http://mysus.mydomain.com:8088/index.sucatalog

pattern: /content/catalogs/others/index-leopard.merged-1.sucatalog
path: http://mysus.mydomain.com:8088/index-leopard.merged-1.sucatalog

pattern: /content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog
path: http://mysus.mydomain.com:8088/index-leopard-snowleopard.merged-1.sucatalog

I am still not able to download updates to my workstations. When I try to check for updates, I get the message "Software Update can't check for updates because of a network problem." However, I can ping it, get the correct local IP using nslookup, and I can navigate to http://mysus.mydomain.com:8088/index.sucatalog.

So I've done a bit more poking around, and I found Apple.com's index.sucatalog file lists the URLs as http://swcdn.apple.com/content/downloads/etc… while my server's index.sucatalog file lists the URLs as http://mydomain.com:8088/content/downloads/etc… The URL is for the wrong server. My server should list the URLs as http://MYSUS.mydomain.com:8088/content/downloads/etc… I am clueless as to why my server lists the URLs incorrectly, and I don't know how to fix it. But, since the index.catalog file is pointing to the wrong server, I'm pretty sure this is the issue.

Does anybody have any suggestions? Ideas? Comments? Please help. My company has very limited T1 bandwidth (we are extremely rural), and the Apple updates just overwhelm us. My server is 10.5.8, mixed Windows/Mac network.

Thank you.



[ Reply to This | # ]
Create a transparent local software update server
Authored by: Marshmallow on Apr 14, '10 10:22:11AM

I've done a bit more testing, and the hostname missing from the FQDN is NOT the issue causing the network connection errors. (I corrected the FQDN in the *.sucatalog files, entered CLI command "defaults write ..." to point my workstation to my server, and it was able to find the updates.)

However, I also tested to see if it made any difference on my workstation whether the defaults write CatalogURL pointed to http://mysus.mydomain.com:8088/index-leopard-snowleopard.merged-1.sucatalog or http://swscan.apple.com:8088/index-leopard-snowleopard.merged-1.sucatalog, and it does not. My workstation finds *my* server regardless of whichever FQDN I write to CatalogURL.

So, any ideas about why my workstations are unable to connect to my server without the defaults write command? I don't believe it's a DNS issue because either FQDN works when using the CatalogURL, but I am at a loss as to what else to check.



[ Reply to This | # ]
Create a transparent local software update server
Authored by: Marshmallow on Apr 16, '10 11:57:18AM

After much screaming and cursing at the digital gods, I finally figured this out. Here is my solution:

I checked my web server settings. The default web server IP address was set to "any" and listed * (wildcard) for the IP address. I changed the IP address to my machine's address (10.1.0.136), stopped and restarted web services, stopped and restarted SUS services, and it worked.

I hope this information helps anyone else who may face this problem in the future.



[ Reply to This | # ]
Lion Update
Authored by: zpjet on Jul 21, '11 07:54:27AM

It doesn't look like there will be a SWUS in Lion Server at all, but my colleagues bugged me to enable Lion updates, as a fresh Lion usually needs at least the Java runtime to run older apps, so I added this one more redirect to the Web server:

/content/catalogs/others/index-lion-snowleopard-leopard.merged-1.sucatalog

redirects to

http://17.250.248.95//content/catalogs/others/index-lion-snowleopard-leopard.merged-1.sucatalog

That way Lion updates are read from Apple's servers.



[ Reply to This | # ]
Lion Update
Authored by: BiL Castine on May 15, '12 06:35:51AM
Software Update is a part of Lion Server; however, you need to download the 10.7.x Server Admin Tools to configure it.

[ Reply to This | # ]
Create a transparent local software update server
Authored by: installghost on Dec 08, '11 01:08:52PM
Does anybody know how to perform step 5 on Lion Server? Server Admin no longer has that functionality, and it will need to be done via some conf file, I assume, but I don't know which one.
---
Backup OS X (http://www.backuposx.co) - For the Preservation of Metadata
Edited on Dec 08, '11 01:09:21PM by installghost


[ Reply to This | # ]
Create a transparent local software update server
Authored by: fkick on Jan 13, '12 02:12:06PM

Hi All,

I'm currently running a mini server with 10.6.8 running on it, with a variety of Snow Leopard and Lion clients.

I've followed all the steps (I believe) and Software Update is pulling the catalog files from my SUS; however, I've noticed the clients are still downloading from Apple's servers (specifically a184-28-32-224.deploy.akamaitechnologies.com) rather than the Mac mini. Do I need to set up a DNS zone for deploy.akamaitechnologies.com as well?

Thanks!



[ Reply to This | # ]
Create a transparent local software update server
Authored by: fkick on Jan 13, '12 02:31:04PM

Hi All,

I figured out my issue. While all the clients were checking my SUS for the catalog files, they were pulling the actual downloads from Apple still. I needed to create a DNS zone for swdownload.apple.com and point that to my SUS's IP to ensure all the downloads came from the SUS. I then edited my host file to point swdownload.apple.com to 17.250.248.91 so my SUS could still download the proper updates.

Thanks!



[ Reply to This | # ]
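Two comments above describe the same symptom: the catalog comes from the local SUS, but the URLs inside it (or the downloads themselves) point at a different host. The following is an added example, not code from any poster or from Apple: it lists every host referenced in a .sucatalog so a mismatch is visible before clients are pointed at it. The sample catalog, product id, paths and function names are constructed for illustration.

```python
import plistlib
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample catalog (not a real Apple catalog); product id and paths are made up.
SAMPLE_CATALOG = b"""<plist version="1.0"><dict>
<key>ApplePostURL</key><string>http://mysus.mydomain.com:8088/</string>
<key>Products</key><dict><key>000-0000</key><dict>
  <key>ServerMetadataURL</key>
  <string>http://mydomain.com:8088/content/downloads/example/Example.smd</string>
  <key>Packages</key><array>
    <dict><key>URL</key>
      <string>http://mydomain.com:8088/content/downloads/example/Example.pkg</string></dict>
    <dict><key>URL</key>
      <string>http://swcdn.apple.com/content/downloads/example/Other.pkg</string></dict>
  </array>
</dict></dict>
</dict></plist>
"""

def iter_urls(node):
    """Yield every http(s) string found anywhere in the parsed plist."""
    if isinstance(node, dict):
        for value in node.values():
            yield from iter_urls(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_urls(value)
    elif isinstance(node, str) and node.startswith(("http://", "https://")):
        yield node

def hosts_in_catalog(raw):
    """Count URLs per host:port in a .sucatalog (an XML property list)."""
    return Counter(urlsplit(u).netloc.lower() for u in iter_urls(plistlib.loads(raw)))

def unexpected_hosts(raw, expected):
    """Return hosts the catalog references other than the expected SUS host."""
    return sorted(h for h in hosts_in_catalog(raw) if h != expected.lower())

if __name__ == "__main__":
    for host, count in hosts_in_catalog(SAMPLE_CATALOG).items():
        print(f"{count:3d}  {host}")
    print("unexpected:", unexpected_hosts(SAMPLE_CATALOG, "mysus.mydomain.com:8088"))
```

To check a real catalog, read the file's bytes and pass them to `unexpected_hosts` together with the host:port your clients are supposed to use.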
Mountain Lion update
Authored by: zpjet on Aug 30, '12 04:36:36AM

As an original author of this hint, I feel I should add an update for Mountain Lion.

It turns out that ML does updates via the same swscan.apple.com but using HTTPS.

Managing OS X: Mountain Lion and Software Update

So far it looks like it's the end of this hack. You would have to have a signed certificate for swscan.apple.com, which is impossible. A self-signed one won't work - that's why Apple used HTTPS in the first place, to protect users against fake software updates.

I don't see how you could also combine serving older updates and sending new ones to Apple, because software updates via IP address won't work either. If only Apple used another server, but it looks like it's using the same swscan.apple.com - the only way I see is using a proxy server in between clients and SWUS.

Pity, I had fun setting this up a couple of times but I also appreciate Apple's attempts to protect against malware.



[ Reply to This | # ]
Mountain Lion update
Authored by: _Tom on Sep 24, '12 05:59:58AM

What a shame. This was incredibly useful for me in an environment containing ~10 client computers, most of which were also used on other networks. I wonder if there's another solution.



[ Reply to This | # ]
Mountain Lion update
Authored by: zpjet on Sep 24, '12 06:39:05AM

If the clients have the "defaults" modification, they will try to use the local SWUS, and if they don't find it, they will fail over to Apple's SWUS.

So if the clients are "yours" - e.g. people working for your company do the BYOD or sometimes take work machines home - it's not that serious an issue. Just do defaults.

Or write a little Automator or AppleScript to flip the switch. Or use one of the freebie system preferences.

The original setup was the best solution for something like an Apple repair shop (which it actually was, an AASP in North London where I worked a few years), where you wouldn't like to modify users' machines at all but still loved the convenience of SWUS.



[ Reply to This | # ]
Create a transparent local software update server
Authored by: fkick on Dec 07, '12 06:36:04PM

Thanks to a software update today, Server X 2.2 (Mountain Lion) can now act as a transparent update server for Snow Leopard, Lion, and Mountain Lion clients. To get it up and working for 10.6 and 10.7 clients, simply configure the DNS and hosts files as you would have on a server running those OS files. The new "Caching" feature of Server 2.2 takes care of the rest for the Mountain Lion clients, as it caches all Software Updates (and App Store downloads) for computers on the same network (as long as they share an external IP under NAT). While you lose the ability to enable/disable updates directly for 10.8.2 clients unless you set them up as managed users, this does work as a sort of transparent update server for them.



[ Reply to This | # ]