create a cascading Apple software update server

Having an internal Apple Software Update Server is great since it lets you test each update before unleashing it, and managed clients will only pull the updates that you approve on the internal server, rather than going out to the public Apple SUS and downloading whatever is available. However, as more and more remote sites have started using Macs, it’s become necessary for me to stand up software update servers at each remote site. After all, I wouldn’t want clients in Shanghai coming back to the US to download updates!

Since we don’t want to manage all these software update servers independently but we still want to have control over which updates are sent out to clients, it’s necessary to cascade these software update servers. This allows internal control of a single, central SUS, and the changes made there will be replicated to each satellite SUS automatically. Perk: We don’t have to sit and click the same checkbox to approve an update a bunch of times. It might not seem like a big deal if you only have two or three servers to manage, but if you have a dozen or more it can quickly get cumbersome.

In order to set up cascading software updates from a central server, you need to make sure of a few things first:

  1. Each server that will cascade from the central server is at the SAME OR LOWER patch level as the central server. If they are at a higher patch level (e.g., your cascading servers are 10.6.8 and the central server is 10.6.3), cascading will not work.
  2. All servers must be at patch level 10.5.8 or 10.6.3 or higher.

Follow the below steps on each Cascading Software Update Server:

  1. In the Software Update > Settings pane of Server Admin on the cascading server, make sure to enable updates using port 8088, Copy All updates from Apple, and automatically enable copied updates.
  2. On the cascading server, make a backup copy of the /etc/swupd/swupd.plist (sudo cp /etc/swupd/swupd.plist /etc/swupd/swupd.plist.bak).
  3. On the cascading server edit the swupd.plist file like so:
    1. Change “<string></string>” to “<string>http://your.central.SUS:8088/catalogs.sucatalog</string>”
  4. Stop and restart the Software Update service.
  5. The Cascading server will now point to the central server and copy all enabled updates from the central server and make them available to clients.

On the Central Software Update server, DO NOT change the swupd.plist file. We want this to still point to Apple’s update servers in order to receive new updates. To maintain control over which updates are made available to clients, do not automatically enable new updates on the central server, but do Copy All updates from Apple.

After syncing with the central server, the cascading servers should only have copied updates that are enabled on your central server, and since they are set to automatically enable all copied updates they should be greyed out.
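
An added example, not part of the original post: a Python preflight check for one satellite that covers the two patch-level prerequisites and the edited upstream URL. The host `sus.example.com`, the key name `exampleUpstreamKey` and the sample plist are constructed placeholders, and the check assumes every URL in the file should reference the central server.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample of an edited swupd.plist; the key name is a placeholder.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>exampleUpstreamKey</key>
  <string>http://sus.example.com:8088/catalogs.sucatalog</string>
</dict></plist>"""

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def version_ok(v):
    # Reading of prerequisite 2: 10.5.8+ on the 10.5 line, or 10.6.3 and later.
    return v >= (10, 6, 3) or (v[:2] == (10, 5) and v >= (10, 5, 8))

def url_strings(node):
    """Yield every http(s) URL string found anywhere in a parsed plist."""
    if isinstance(node, dict):
        for value in node.values():
            yield from url_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from url_strings(value)
    elif isinstance(node, str) and node.startswith(("http://", "https://")):
        yield node

def preflight(plist_bytes, central_host, satellite_version, central_version):
    """Return a list of problems; an empty list means the satellite looks ready."""
    problems = []
    sat, cen = parse_version(satellite_version), parse_version(central_version)
    for name, v in (("satellite", sat), ("central", cen)):
        if not version_ok(v):
            problems.append(f"{name} is below 10.5.8 / 10.6.3")
    if sat > cen:  # prerequisite 1: satellite must be same or lower
        problems.append("satellite is at a higher patch level than central")
    expected = f"http://{central_host}:8088/catalogs.sucatalog"
    urls = list(url_strings(plistlib.loads(plist_bytes)))
    if expected not in urls:
        problems.append("no URL points at the central catalog")
    for u in urls:
        if urlparse(u).hostname != central_host.lower():
            problems.append(f"unexpected upstream host in {u}")
    return problems

if __name__ == "__main__":
    print(preflight(SAMPLE, "sus.example.com", "10.6.3", "10.6.8") or "ready")
```

Run it against a copy of each satellite's /etc/swupd/swupd.plist after step 3 to catch a server that was missed or has drifted back to pulling from somewhere other than the central SUS.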

