Monitoring Update Status of Mac Through SCCM


It is well known in the IT industry that one of the best ways to secure a system is to keep it updated. That said, one of the first things you need is a clear picture of the current update status of a Mac, and this gets harder if you are responsible for several hundred machines.

One of the benefits of System Center Configuration Manager is the ability to use Compliance Settings to monitor your machines. TechNet already has an article outlining the basics of doing this: http://blogs.technet.com/b/scd-odtsp/archive/2013/05/29/system-center-configuration-manager-2012-sp1-automatic-updates-on-a-mac-2.aspx (take a moment to read their method first so my points will make more sense).

In practice I've found a few issues with the script they provide.

1. The /tmp folder is cleared every 3 days or after a reboot. This is a big deal because if your log is missing, Configuration Manager will consider the machine to be out of compliance.

2. Pushing this script out to several hundred machines may prove problematic if 200 – 300 machines all contact Apple's update servers at 30 minutes past the hour, every hour. (Your users may notice.)

To address these two issues we can do a few things. First we need to put the log in a folder that exists on every machine and is not locked down by restrictions. For this I use the /Users/Shared/ folder, and to keep eyes off it I mark the file hidden. Next I create a variable holding a random number to keep my WAN traffic spaced out through the hour. My environment has a lot of laptops that are mobile, so I want to make sure I have a chance to catch each machine while it is awake and connected to my network. If you're dealing with desktops you may choose to have them check daily instead of hourly.

Well enough talk, time for the finished script:

#!/bin/bash
# Pick a random minute (0-58) so that every machine does not hit Apple's
# update servers at the same time each hour.
x=$((RANDOM % 59))
# If the log already exists, the job has run at least once; make sure the
# crontab entry is still present. Otherwise create the system crontab from
# scratch (note: this overwrites any existing /etc/crontab).
if [ -e /Users/Shared/softwareupdate.log ]
then
  if grep -q /usr/sbin/softwareupdate /etc/crontab
  then
    echo "entry exists, waiting for cron to run."
  else
    echo "$x * * * * root /usr/sbin/softwareupdate -l > /Users/Shared/softwareupdate.log 2>&1" >> /etc/crontab
  fi
else
  echo "SHELL=/bin/sh" > /etc/crontab
  echo "PATH=/bin:/sbin:/usr/bin:/usr/sbin" >> /etc/crontab
  echo "$x * * * * root /usr/sbin/softwareupdate -l > /Users/Shared/softwareupdate.log 2>&1" >> /etc/crontab
fi
# Output the log so the Compliance Setting can evaluate it, then hide the file.
/bin/cat /Users/Shared/softwareupdate.log
chflags hidden /Users/Shared/softwareupdate.log
Unfortunately, for the purposes of this post I can't get all of the script to format properly here. Take some time to learn the expected format of the crontab file before adopting this in your environment.
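As an added example (not part of the original post or the TechNet article), the following script turns the log captured by the cron job above into a compliance verdict, treating a missing log as an error rather than silently passing. The log path is the one used in the post; the sample softwareupdate -l output is constructed, not captured from a real Mac.

```shell
#!/bin/sh
# Added example: summarise /Users/Shared/softwareupdate.log for a Compliance Setting.
# A missing log is reported explicitly, since Configuration Manager would otherwise
# treat the machine as out of compliance without saying why.

# Usage: update_status /Users/Shared/softwareupdate.log
# Prints one of:
#   Compliant
#   NonCompliant: <n> pending (<r> need restart)
#   Error: log missing
update_status() {
  log="$1"
  if [ ! -f "$log" ]; then
    echo "Error: log missing"
    return 2
  fi
  if grep -q 'No new software available' "$log"; then
    echo "Compliant"
    return 0
  fi
  # Each pending update is one line beginning "* <label>"; its detail line is
  # indented without the star. Restart markers: "[restart]" in older softwareupdate
  # output, "Action: restart" in newer releases.
  pending=$(grep -c '^[[:space:]]*\* ' "$log")
  restart=$(grep -c -E '\[restart\]|Action: restart' "$log")
  echo "NonCompliant: $pending pending ($restart need restart)"
  return 1
}

# Constructed sample in the older softwareupdate -l layout (not from a real machine).
write_sample_log() {
  cat > "$1" <<'EOF'
Software Update Tool

Finding available software
Software Update found the following new or updated software:
   * Safari6.1.1Mavericks-6.1.1
        Safari (6.1.1), 53088K [recommended]
   * OSXUpd10.9.2-10.9.2
        OS X Update (10.9.2), 460018K [recommended] [restart]
EOF
}

# Stand-alone run: the sample log, then a deliberately missing log.
sample=$(mktemp)
write_sample_log "$sample"
update_status "$sample"
update_status /nonexistent/softwareupdate.log
rm -f "$sample"
```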
