Keeping our Macs patched

In an effort to keep all the Apple OS X Macs on campus patched and running the latest software, we had to come up with a good way to manage them remotely. Apple's Remote Desktop app comes in very handy, but we wanted a more scriptable way to do it, and this is what we came up with.

First, we enabled ssh and ARD on all the computers and restricted who could access those services. For ssh we added a line like this to the end of /etc/sshd_config:

AllowUsers ourAdminUsername

Once we were able to ssh into each computer, we wanted a script to be able to do the same, which is much easier if that script does not need a password. To do that, we placed a copy of authorized_keys containing our server's ssh key in /var/root/.ssh/

Once that file is in place, we can ssh from our server into any of our OS X machines and run any command. So, let's say we want to run Software Update on a computer. All we have to do now is this:

ssh "root@hostname.example.com" "/usr/sbin/softwareupdate -i -a"

To do this on a large number of computers, you just need a script that runs that command once for each of your systems. Right now we do that with a simple text file containing one IP address per system: the script loops over the list and runs the command for each address. In the future we plan to generate that list of IPs from an inventory database so that it is always up to date.

One other issue is that if the computer is not awake when we want to do the maintenance, ssh won't work. So before we ssh we need to run ether-wake on our Linux box, which has an interface on each subnet on campus. From there it can send a magic packet to each computer and tell it to wake up. Once it is awake, we can ssh in and run our maintenance script.
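The list-and-loop from the last two paragraphs, written out as an added example (this is not the post's own script). It assumes it runs on the Linux box with ether-wake, that the host file carries one "address mac" pair per line (the post keeps only addresses; the MAC column is an assumption, because ether-wake needs it), and that root key login is set up as described above. The wake and ssh commands come from variables so the loop can be checked without a network, and a machine that never answers on ssh is reported as a failure instead of stopping the run.

```shell
#!/bin/sh
# Added example, not from the original post. Wake each Mac in a host file,
# wait for sshd, then run one command on it as root over ssh.
# Assumed host file format (constructed, not the post's): "<address> <mac>" per line.

# Overridable so the loop can be exercised with stand-in commands.
WAKE_CMD="${WAKE_CMD:-ether-wake}"
SSH_CMD="${SSH_CMD:-ssh -o BatchMode=yes -o ConnectTimeout=5}"
WAIT_SECS="${WAIT_SECS:-60}"

# wait_for_ssh HOST: returns 0 once sshd on HOST accepts a key login,
# 1 if it has not answered after WAIT_SECS seconds.
wait_for_ssh() {
    host=$1
    i=0
    while [ "$i" -lt "$WAIT_SECS" ]; do
        if $SSH_CMD "root@$host" true </dev/null >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# patch_fleet HOSTFILE REMOTE_COMMAND
# Lines that are empty or start with # are skipped. Prints "ok <addr>" or
# "fail <addr>" for each host and returns the number of failed hosts.
patch_fleet() {
    hostfile=$1
    remote_cmd=$2
    failures=0
    while read -r addr mac; do
        case "$addr" in ''|'#'*) continue ;; esac
        # Best-effort magic packet; an already-awake machine just ignores it.
        $WAKE_CMD "$mac" >/dev/null 2>&1 || true
        # stdin is redirected from /dev/null so ssh cannot eat the host list.
        if wait_for_ssh "$addr" && $SSH_CMD "root@$addr" "$remote_cmd" </dev/null; then
            echo "ok $addr"
        else
            echo "fail $addr"
            failures=$((failures + 1))
        fi
    done < "$hostfile"
    return "$failures"
}

# Usage: ./patch_fleet.sh hosts.txt "/usr/sbin/softwareupdate -i -a"
if [ "$#" -ge 2 ]; then
    patch_fleet "$1" "$2"
fi
```

The exit status is the count of hosts that could not be patched, so a cron job or wrapper can tell a clean run from one that left machines behind and retry only those.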

This setup has also allowed us to update Firefox on all the Macs, since all we have to do is scp the application. For example, we did it something like this:

/usr/bin/scp -pr /tmp/Firefox-test.app "root@hostname.example.com:/Applications/";
/usr/bin/ssh "root@hostname.example.com" "mv /Applications/Firefox.app /Applications/Firefox-old.app";
/usr/bin/ssh "root@hostname.example.com" "mv /Applications/Firefox-test.app /Applications/Firefox.app";
/usr/bin/ssh "root@hostname.example.com" "rm -rf /Applications/Firefox-old.app";
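The four commands above are joined by ";" and run as separate ssh sessions, so if the scp or the first mv fails, the remaining steps still run and the old copy is still deleted. The added example below (not code from the original post) does the same swap as one script piped to the remote shell in a single ssh session: it first checks that the staged bundle really arrived, chains the moves with set -e, puts the old bundle back if the new one cannot be moved into place, and only then removes the old copy. It assumes the new bundle was already copied with scp -pr as in the post, that the remote shell is POSIX sh, and the same root key login.

```shell
#!/bin/sh
# Added example, not from the original post: replace an .app bundle on a Mac
# with the steps chained so a failure stops the sequence and leaves a working app.
SSH_CMD="${SSH_CMD:-ssh -o BatchMode=yes -o ConnectTimeout=5}"

# swap_app_script APPDIR NAME STAGED
# Prints a shell script (for the remote side) that moves STAGED into
# APPDIR/NAME.app. Paths are expanded here; \$app and \$old are remote variables.
swap_app_script() {
    appdir=$1
    name=$2
    staged=$3
    cat <<EOF
set -e
app="$appdir/$name.app"
old="$appdir/$name-old.app"
# Refuse to touch anything unless the staged copy looks like a bundle.
test -f "$staged/Contents/Info.plist"
if [ -d "\$app" ]; then mv "\$app" "\$old"; fi
# If the new bundle cannot be moved into place, put the old one back.
if ! mv "$staged" "\$app"; then
    [ -d "\$old" ] && mv "\$old" "\$app"
    exit 1
fi
rm -rf "\$old"
EOF
}

# install_app HOST APPDIR NAME STAGED: run the swap on HOST in one ssh session.
# Example: install_app hostname.example.com /Applications Firefox /Applications/Firefox-test.app
install_app() {
    swap_app_script "$2" "$3" "$4" | $SSH_CMD "root@$1" sh
}
```

Because the whole sequence is one remote script, a later step never runs when an earlier one failed, and nothing is deleted until the new bundle is in place. As the post notes, this is still best done when nobody is using Firefox, which ARD can show you before you run it.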

And just like that, the computer has a new version of Firefox all ready to use. Of course it is best to do the upgrade when no one is using Firefox. To help with that we use Apple’s Remote Desktop software which will easily allow you to see if someone is logged in to the computer and let you know what they are running.

