Customizing Mac Patch Management tasks
Updated: 26 May 2010 | 16 comments
I would like to use the Mac Patch Management solution for our systems, however I would like it to run only on system boot, when no user is logged in, and I would like a script to run as part of it.
Is this possible? I created a copy of the "Install All Available Updates" job, so I can kind of see how things could be tweaked, but I'm not seeing how to make sure it only runs on startup and when a user is logged off.
For those who are curious, the script I'd like to run is below. It keeps network users from logging in to the system while the updates are taking place.
-------------------------------
#!/bin/sh
#STEP1: Disable logins
dseditgroup -o edit -d netaccounts -t group com.apple.access_loginwindow
#STEP2: Tell the users they can't login and why
defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText -string "LOGIN TO THIS WORKSTATION HAS BEEN TEMPORARILY DISABLED. SOFTWARE UPDATES ARE BEING INSTALLED. SYSTEM WILL AUTOMATICALLY REBOOT WHEN FINISHED."
killall loginwindow
#STEP3: update the software
##softwareupdate -ia
#STEP4: re-enable logins
dseditgroup -o edit -a netaccounts -t group com.apple.access_loginwindow
#STEP5: Remove text from login window
defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText -string ""
#STEP6: unload and disable the job
##launchctl unload -w /Library/LaunchAgents/edu.csbsju.updatejob.plist
#STEP7: reboot
sudo reboot
exit 0
Comments
Task Server
Hello Joseph,
Patch for Mac takes advantage of the Task Server technology and all of the flexibility of which it is capable. That said, the sky is pretty much the limit as to the customizations you can make. For example, I put together this client job, which in theory, will install all updates on a Mac that has nobody logged on, and after it has "locked" the screen (using your provided code). For the "UserLoggedOn" task, I used the Run Script template and put in some shell script code to check to see if a user was logged in or not (using the 'who' command combined with 'grep'). The "Disable Logins" and "Re-enable Logins" tasks also used the Run Script template and use the code you provided above. All of this started by cloning the "Install all available updates" job which is where you have started as well. Hopefully, this will help you a bit in your quest...:-)
------------------------------------
Principal SQA Engineer
Symantec
UserLoggedOn
BTW, the code I used for the UserLoggedOn script is this:
------------------------------------
Principal SQA Engineer
Symantec
This may be obvious...
Both of those "echo" commands need to be "exit" commands. I used the "echo" commands for testing and then changed them to "exit" commands when I put them in the script.
------------------------------------
Principal SQA Engineer
Symantec
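Added example, not part of the thread and not the script the poster used (that code did not survive on this page): one way to write the UserLoggedOn check with `who` and `grep`, plus a wrapper that re-enables logins even when the update command fails. It assumes exit status 0 means "nobody logged in" and that only a `console` line in `who` output counts as a logged-in user; the function names are hypothetical and the `who` sample is constructed.

```shell
#!/bin/sh
# Added example; not the script from the thread.
# Assumption: the job condition reads exit status 0 as "no user logged in".

# Constructed `who` output: one GUI login plus a Terminal window.
SAMPLE_WHO='jdoe     console  Nov 16 13:02
jdoe     ttys000  Nov 16 13:05'

# Status 0 when no line of the `who` output in $1 has "console" as its
# terminal field. Anchoring on the second field means an account whose name
# contains "console", or a remote ttysNNN shell, does not count as a GUI login.
no_console_user() {
    ! printf '%s\n' "$1" |
        grep -Eq '^[^[:space:]]+[[:space:]]+console([[:space:]]|$)'
}

# The two dseditgroup calls from the original post.
lock_logins() {
    dseditgroup -o edit -d netaccounts -t group com.apple.access_loginwindow
}
unlock_logins() {
    dseditgroup -o edit -a netaccounts -t group com.apple.access_loginwindow
}

# Run "$@" with network logins disabled. Logins are re-enabled whether the
# command succeeds or fails, and the command's own status is returned so the
# job still sees the failure.
with_logins_locked() {
    lock_logins || return 1
    rc=0
    "$@" || rc=$?
    unlock_logins || return 1
    return "$rc"
}

# Intended use on the Mac, as root (left as a comment so nothing is changed here):
#   no_console_user "$(who)" && with_logins_locked softwareupdate -ia
no_console_user "$SAMPLE_WHO" || echo "constructed sample: console user present, skip"
```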
Thank you very much for your
Thank you very much for your help, however the "Install all available updates_1" task keeps failing when I run the job. The first time I ran it the code was 3, the second time it was 2. All subsequent attempts error out with code 2
Odd...
It worked just fine for me. I have a MBP here that needed Safari 4.0.4 and the job worked like a charm. Is the Mac you're testing configured to pull the updates from a local SUS or from apple.com directly?
------------------------------------
Principal SQA Engineer
Symantec
I rebuilt the job to be sure,
I rebuilt the job to be sure, and I'm still getting error 2 back on that task
Systems currently use Apple for their updates, not an internal SUS
Maybe?
Not sure if this would cause it or not, but the code I posted for the UserLoggedOn script isn't entirely correct. See above. The "echo" commands should be "exit".
------------------------------------
Principal SQA Engineer
Symantec
That change causes the
That change causes the UserLoggedOn script to fail out, oddly enough
I commented it out for now to eliminate it as a variable, and the "Install All Available Updates_1" task does still fail.
how do I boost the log level on the local client?
Use "aex-configure" to
Use "aex-configure" to increase the log level on the client. It can be found under /opt/altiris/notification/nsagent/bin. The NS agent will need to be stopped first so run './rcscript stop'. Then, simply run './aex-configure -iconfigure' and carefully go through the different prompts. One will ask you the level of logging you wish to enable.
------------------------------------
Principal SQA Engineer
Symantec
houston, we have a problem
When I attempt to enter interactive configuration, it seems to instantly error, before I'm able to do anything
error from the client
not very informative:
ERRO 2009-11-16 13:28:38.988 13104 2685957920 Install > InstallCommand::Run() - commandEngine.Run() failed, rc = 2.
Technical Support
At this point I think the best approach would be to contact Technical Support and continue the troubleshooting. I'm not sure why your agent isn't working...
------------------------------------
Principal SQA Engineer
Symantec
Agent version?
Andrew, what version of the agent was running on your target Mac when you tested this? 7.0.4343 or 7.0.4372?
Good catch...
Here are my agent versions:
------------------------------------
Principal SQA Engineer
Symantec
Darn. That is not the
Darn. That is not the problem.
Took a system that was working but had lower versions of everything, updated it all, ran the job, it worked (I assume return code 0 means that there are no updates).
Ran it on a newly imaged system, and it worked; updates got installed, only the task got a -3 failure code at the end.
Ran it again as there were 4 more updates to install, worked again with the -3 failure code
So there is one specific system that is getting the -2 error
What do the various exit statuses mean for the "Install all available updates" task? I've tried finding documentation but there's nothing in the KB
Patch for Mac Return Codes
Here are the specific return codes that relate to Patch for Mac. If you are getting negative values for return codes, that might be Task Server specific or just generic UNIX system codes. What are the results of the "Obtain Console Output" sub task?
------------------------------------
Principal SQA Engineer
Symantec