Centralized patching for Mac OSX?

We're working on our Mac patch management strategy/tool
use.  99% of our 
desktops are windows and we are more familiar with
supporting those.  
We've been using a monthly "Patch 2nd Tuesday"
cycle using WSUS for 
windows, internal security scans/RHN/newsgroups for
linux/bsd servers, 
and manual "software update" on OS X desktops. 
We also process pressing 
security alerts out of that cycle when needed.

Is anyone using System Update Server for Mac OS X?
http://www.apple.com/server/macosx/features
/softwareupdateserver.html

Can you set your clients to automatically install approved
updates like 
you can with Windows SUS/WSUS?  Does it needs to run on a
actual apple 
server as oppose to serving flies from a different bsd box? 
Is there a 
campus Mac SUS server available for campus clients to use
(it's overkill 
to run our own OS X server for this)?

While our windows desktops need patches constantly, at least
we have our 
WSUS server and policies to automatically install the
patches we approve 
and report their status.

We have a small number of Mac desktops, but visiting each
workstation 
and approving updates is a hassle.  I suppose we could
enable ssh and 
run softwareupdate from the command-line...  possibly we
could set a 
cronjob to email us automatically if downloaded updates are
waiting for 
install (since we are out of touch OS X updates)...

What are other people doing?

Thanks,
Mike

------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.be
rkeley.edu/>.

Mike Patterson wrote:
> We're working on our Mac patch management
strategy/tool use.  99% of our 
> desktops are windows and we are more familiar with
supporting those.  
> We've been using a monthly "Patch 2nd
Tuesday" cycle using WSUS for 
> windows, internal security scans/RHN/newsgroups for
linux/bsd servers, 
> and manual "software update" on OS X
desktops.  We also process pressing 
> security alerts out of that cycle when needed.
> 
> Is anyone using System Update Server for Mac OS X?
> http://www.apple.com/server/macosx/features
/softwareupdateserver.html
> 
> Can you set your clients to automatically install
approved updates like 
> you can with Windows SUS/WSUS?  Does it needs to run on
a actual apple 
> server as oppose to serving flies from a different bsd
box?  Is there a 
> campus Mac SUS server available for campus clients to
use (it's overkill 
> to run our own OS X server for this)?
> 
> While our windows desktops need patches constantly, at
least we have our 
> WSUS server and policies to automatically install the
patches we approve 
> and report their status.
> 
> We have a small number of Mac desktops, but visiting
each workstation 
> and approving updates is a hassle.  I suppose we could
enable ssh and 
> run softwareupdate from the command-line...  possibly
we could set a 
> cronjob to email us automatically if downloaded updates
are waiting for 
> install (since we are out of touch OS X updates)...
> 
> What are other people doing?

I don't think the Software Update Server helps with your
client problem; it 
allows you to store the updates locally rather than each
client getting them 
from Apple, but you still need to visit each machine (or
give the user 
Administrator access and have them type in their password)
to actually install 
the updates.  (Note that Apple's language is:
"Workgroup Manager allows 
administrators to control when and to whom the updates
become available").

There is a command-line interface to Software Update; it
would be possible to 
roll your own cron job to install updates as root.  The
problem with that is 
that it doesn't interface with the user to get the system
rebooted (if 
necessary); you can either call the Unix
"reboot", which will blow away 
whatever the user has open and unsaved, or you could write
your own 
AppleScript or something that would prompt the user to
reboot.

We're looking at FileWave as a product which can manage Mac
system updates and 
software installation; that might be overkill if you have
just a few Macs.

-- 
Tom Holub (tom_holubLS.Berkeley.EDU, 510-642-9069)
Director of Computing, College of Letters & Science
249 Campbell Hall
<http://LS.berke
ley.edu/computing/>

------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.be
rkeley.edu/>.

Hi Folks:

This is something we're facing, too.  Just 5 Mac OS X
machines and 
need to visit each to update.  Please reply to the group on
any other 
solutions - I'm interested!

Thanks, Michael

At 07:56 AM 3/17/2006, you wrote:
>Mike Patterson wrote:
>>We're working on our Mac patch management
strategy/tool use.  99% 
>>of our desktops are windows and we are more familiar
with supporting those.
>>We've been using a monthly "Patch 2nd
Tuesday" cycle using WSUS for 
>>windows, internal security scans/RHN/newsgroups for
linux/bsd 
>>servers, and manual "software update" on
OS X desktops.  We also 
>>process pressing security alerts out of that cycle
when needed.
>>Is anyone using System Update Server for Mac OS X?
>>http://www.apple.com/server/macosx/features
/softwareupdateserver.html
>>Can you set your clients to automatically install
approved updates 
>>like you can with Windows SUS/WSUS?  Does it needs
to run on a 
>>actual apple server as oppose to serving flies from
a different bsd 
>>box?  Is there a campus Mac SUS server available for
campus clients 
>>to use (it's overkill to run our own OS X server
for this)?
>>While our windows desktops need patches constantly,
at least we 
>>have our WSUS server and policies to automatically
install the 
>>patches we approve and report their status.
>>We have a small number of Mac desktops, but visiting
each 
>>workstation and approving updates is a hassle.  I
suppose we could 
>>enable ssh and run softwareupdate from the 
>>command-line...  possibly we could set a cronjob to
email us 
>>automatically if downloaded updates are waiting for
install (since 
>>we are out of touch OS X updates)...
>>What are other people doing?
>
>I don't think the Software Update Server helps with
your client 
>problem; it allows you to store the updates locally
rather than each 
>client getting them from Apple, but you still need to
visit each 
>machine (or give the user Administrator access and have
them type in 
>their password) to actually install the updates.  (Note
that Apple's 
>language is: "Workgroup Manager allows
administrators to control 
>when and to whom the updates become available").
>
>There is a command-line interface to Software Update; it
would be 
>possible to roll your own cron job to install updates as
root.  The 
>problem with that is that it doesn't interface with the
user to get 
>the system rebooted (if necessary); you can either call
the Unix 
>"reboot", which will blow away whatever the
user has open and 
>unsaved, or you could write your own AppleScript or
something that 
>would prompt the user to reboot.
>
>We're looking at FileWave as a product which can manage
Mac system 
>updates and software installation; that might be
overkill if you 
>have just a few Macs.
>
>--
>Tom Holub (tom_holubLS.Berkeley.EDU,
510-642-9069)
>Director of Computing, College of Letters & Science
>249 Campbell Hall
><http://LS.berke
ley.edu/computing/>
>
>--------------------------------------------------------
----------------
>The following was automatically added to this message by
the list server:
>
>For information about Micronet, including subscribing to
>or unsubscribing from its mailing list and finding out
>about upcoming meetings, please visit the Micronet Web
site:
><http://micronet.be
rkeley.edu/>.

------------------------------
Michael Rimar
Administrative Assistant
UC Botanical Garden
200 Centennial Drive #5045
Berkeley, CA  94720-5045
510-642-0849
fax 510-642-3012
http://botanicalg
arden.berkeley.edu 


------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.be
rkeley.edu/>.

Mike,

At MIT I used Apple Remote Desktop to manage 250+ Macs
spread across the 
entire campus (try running out to the boathouse on the
Charles River 
every time you need to do updates...in a blizzard).  I used
it for OS 
updates / security patches, but also software distribution,
user support 
/ training, inventory, etc.  The unlimited Academic license
is only 
$299, while the 10 client is $149.  Check it out to see if
it fills your 
needs.  It may seem overkill for just patching, but I'm
sure you'll find 
many uses for it.  The one caveat is that you'll need a Mac
to run the 
admin on.  Simple VNC can be done from any platform, but the
client 
management features require the ARD admin app which is OS X
only.

http://www.apple.
com/remotedesktop/

John

Mike Patterson wrote:
> We're working on our Mac patch management
strategy/tool use.  99% of our 
> desktops are windows and we are more familiar with
supporting those.  
> We've been using a monthly "Patch 2nd
Tuesday" cycle using WSUS for 
> windows, internal security scans/RHN/newsgroups for
linux/bsd servers, 
> and manual "software update" on OS X
desktops.  We also process pressing 
> security alerts out of that cycle when needed.
> 
> Is anyone using System Update Server for Mac OS X?
> http://www.apple.com/server/macosx/features
/softwareupdateserver.html
> 
> Can you set your clients to automatically install
approved updates like 
> you can with Windows SUS/WSUS?  Does it needs to run on
a actual apple 
> server as oppose to serving flies from a different bsd
box?  Is there a 
> campus Mac SUS server available for campus clients to
use (it's overkill 
> to run our own OS X server for this)?
> 
> While our windows desktops need patches constantly, at
least we have our 
> WSUS server and policies to automatically install the
patches we approve 
> and report their status.
> 
> We have a small number of Mac desktops, but visiting
each workstation 
> and approving updates is a hassle.  I suppose we could
enable ssh and 
> run softwareupdate from the command-line...  possibly
we could set a 
> cronjob to email us automatically if downloaded updates
are waiting for 
> install (since we are out of touch OS X updates)...
> 
> What are other people doing?
> 
> Thanks,
> Mike
> 
>
------------------------------------------------------------
------------
> The following was automatically added to this message
by the list server:
> 
> For information about Micronet, including subscribing
to
> or unsubscribing from its mailing list and finding out
> about upcoming meetings, please visit the Micronet Web
site:
> <http://micronet.be
rkeley.edu/>.

-- 
===================================
John D. MacDonald
Helpdesk Analyst

U.C. Berkeley - School of Law

troublelaw.berkeley.edu
510-643-6862
===================================

------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.be
rkeley.edu/>.

I've been using OS X since it came out, and have upgraded
through all 
versions to the latest version.  In all this time, I've had
software 
updates basically just automatically running, with some
exceptions for 
things I knew I didn't need.  In the past few years that
I've been doing 
this I have only twice seen any issues with an update.  So
unlike the 
windows patch and pray cycle, it's one thing that apple
does very well.  
They're not perfect, but they don't drop bombs on you with
anything like 
the regularity that MS has.  (I also use windows, when I
have to, which 
thankfully is a declining trend).  So, not to start yet
another boring 
platform flame war (please don't bother), but just to let
you know what 
my experience has been on both platforms.  If you have just
a few of 
them, I'd just let them auto update and deal with any rare
issues as 
they arise. 

I think it would be a great idea for the campus to have a
campus-wide 
update server, if one doesn't already exist. 

-Jay

Mike Patterson wrote:
> We're working on our Mac patch management
strategy/tool use.  99% of 
> our desktops are windows and we are more familiar with
supporting 
> those.  We've been using a monthly "Patch 2nd
Tuesday" cycle using 
> WSUS for windows, internal security
scans/RHN/newsgroups for linux/bsd 
> servers, and manual "software update" on OS
X desktops.  We also 
> process pressing security alerts out of that cycle when
needed.
>
> Is anyone using System Update Server for Mac OS X?
> http://www.apple.com/server/macosx/features
/softwareupdateserver.html
>
> Can you set your clients to automatically install
approved updates 
> like you can with Windows SUS/WSUS?  Does it needs to
run on a actual 
> apple server as oppose to serving flies from a
different bsd box?  Is 
> there a campus Mac SUS server available for campus
clients to use 
> (it's overkill to run our own OS X server for this)?
>
> While our windows desktops need patches constantly, at
least we have 
> our WSUS server and policies to automatically install
the patches we 
> approve and report their status.
>
> We have a small number of Mac desktops, but visiting
each workstation 
> and approving updates is a hassle.  I suppose we could
enable ssh and 
> run softwareupdate from the command-line...  possibly
we could set a 
> cronjob to email us automatically if downloaded updates
are waiting 
> for install (since we are out of touch OS X updates)...
>
> What are other people doing?
>
> Thanks,
> Mike
>
>
------------------------------------------------------------
------------
> The following was automatically added to this message
by the list server:
>
> For information about Micronet, including subscribing
to
> or unsubscribing from its mailing list and finding out
> about upcoming meetings, please visit the Micronet Web
site:
> <http://micronet.be
rkeley.edu/>.
>

-- 
-Jay Bryon
Senior Network Engineer, CNS
U.C. Berkeley

jayberkeley.edu
2-5636



------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.be
rkeley.edu/>.

Jay,

I think the issue is that the user account aren't admins,
and Software 
Update requires an admin to authenticate, even when it's
set to 
automatically update. (Unless there's some setting I've
missed?)

John

Jay Bryon wrote:
> I've been using OS X since it came out, and have
upgraded through all 
> versions to the latest version.  In all this time,
I've had software 
> updates basically just automatically running, with some
exceptions for 
> things I knew I didn't need.  In the past few years
that I've been doing 
> this I have only twice seen any issues with an update. 
So unlike the 
> windows patch and pray cycle, it's one thing that
apple does very well.  
> They're not perfect, but they don't drop bombs on you
with anything like 
> the regularity that MS has.  (I also use windows, when
I have to, which 
> thankfully is a declining trend).  So, not to start yet
another boring 
> platform flame war (please don't bother), but just to
let you know what 
> my experience has been on both platforms.  If you have
just a few of 
> them, I'd just let them auto update and deal with any
rare issues as 
> they arise.
> I think it would be a great idea for the campus to have
a campus-wide 
> update server, if one doesn't already exist.
> -Jay
> 
> Mike Patterson wrote:
>> We're working on our Mac patch management
strategy/tool use.  99% of 
>> our desktops are windows and we are more familiar
with supporting 
>> those.  We've been using a monthly "Patch
2nd Tuesday" cycle using 
>> WSUS for windows, internal security
scans/RHN/newsgroups for linux/bsd 
>> servers, and manual "software update"
on OS X desktops.  We also 
>> process pressing security alerts out of that cycle
when needed.
>>
>> Is anyone using System Update Server for Mac OS X?
>> http://www.apple.com/server/macosx/features
/softwareupdateserver.html
>>
>> Can you set your clients to automatically install
approved updates 
>> like you can with Windows SUS/WSUS?  Does it needs
to run on a actual 
>> apple server as oppose to serving flies from a
different bsd box?  Is 
>> there a campus Mac SUS server available for campus
clients to use 
>> (it's overkill to run our own OS X server for
this)?
>>
>> While our windows desktops need patches constantly,
at least we have 
>> our WSUS server and policies to automatically
install the patches we 
>> approve and report their status.
>>
>> We have a small number of Mac desktops, but
visiting each workstation 
>> and approving updates is a hassle.  I suppose we
could enable ssh and 
>> run softwareupdate from the command-line... 
possibly we could set a 
>> cronjob to email us automatically if downloaded
updates are waiting 
>> for install (since we are out of touch OS X
updates)...
>>
>> What are other people doing?
>>
>> Thanks,
>> Mike
>>
>>
------------------------------------------------------------
------------
>> The following was automatically added to this
message by the list server:
>>
>> For information about Micronet, including
subscribing to
>> or unsubscribing from its mailing list and finding
out
>> about upcoming meetings, please visit the Micronet
Web site:
>> <http://micronet.be
rkeley.edu/>.
>>
> 

-- 
===================================
John D. MacDonald
Helpdesk Analyst

U.C. Berkeley - School of Law

troublelaw.berkeley.edu
510-643-6862
===================================

------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.be
rkeley.edu/>.

Jay Bryon wrote:
> I've been using OS X since it came out, and have
upgraded through all 
> versions to the latest version.  In all this time,
I've had software 
> updates basically just automatically running, with some
exceptions for 
> things I knew I didn't need.  In the past few years
that I've been doing 
> this I have only twice seen any issues with an update. 
So unlike the 
> windows patch and pray cycle, it's one thing that
apple does very well.  
> They're not perfect, but they don't drop bombs on you
with anything like 
> the regularity that MS has.  (I also use windows, when
I have to, which 
> thankfully is a declining trend).  So, not to start yet
another boring 
> platform flame war (please don't bother), but just to
let you know what 
> my experience has been on both platforms.  If you have
just a few of 
> them, I'd just let them auto update and deal with any
rare issues as 
> they arise.

The problem is, to "let them auto update" you
need to give users 
administrative privileges, and the user needs to be expected
to interact with 
the system and do the right thing when dialog boxes come up.
 That doesn't 
seem like good practice.

-- 
Tom Holub (tom_holubLS.Berkeley.EDU, 510-642-9069)
Director of Computing, College of Letters & Science
249 Campbell Hall
<http://LS.berke
ley.edu/computing/>

------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.be
rkeley.edu/>.

Back in March I was looking for something analogous to WSUS
for windows 
systems to keep our small minority of Mac's patched.
We didn't find a way to centrally manage mac updates, but
we did find a 
way to make the Macs update themselves.  Our solution
probably won't 
work for everyone, but in our environment we typically
approve all of 
the mac updates, people don't have admin rights on their
own systems, 
people don't remotely connect to their macs, and they
don't work in the 
wee hours on Sundays.

The solution we came up with involves:
---------------------------------------
1) OS X Power Management
2) crontab
3) softwareupdate command

What happens:
---------------
1) Computer automatically powers on at 3AM Sundays
2) crontab calls a "softwareupdate" command to
automatically download 
and install updates, if any are needed, at 3:10AM Sundays
3) Computer power management powers off at 5AM Sundays

To set this up:
Power Management:
---------------------
1) Click the "Apple Icon" in far left corner
-> Choose "System Preferences"
2) Click "Show All" in upper left corner.
3) Choose "Energy Saver" (Lightbulb icon)
4) Set start and stop times.

Crontab
---------
Note: crontab is a common unix tool used to schedule events
(tutorial 
http://linuxweblog.com
/node/24).
1) As root get to a terminal window (e.g.  Macintosh HD
==>Applications 
==>Utilities ==>Terminal)
2) type:
 crontab -l
to list your current crontab settings.

3) as root type:
crontab -e
to edit your settings.  Note you'll be using the default
editor "vi" 
(tutorial here: http://ma
th.la.asu.edu/vi_tutorial/vi3.html).
Add these entries (#comments not needed).  Make sure not to
erase other 
crontabs you may have (e.g. symantec).

#DOWNLOAD AND INSTALL UPDATES.
#created on 01 May 2006 by Chuck Harris
10 3 * * 0 /var/root/scripts/download_install_updates

4) Make a folder called scripts and create a script file
called 
"download_install_updates".

5) Make that file executable (e.g. chmod +x
download_install_updates)

6) paste this data into the file:
/var/root/scripts/download_install_updates:
-------------------------------------------
#created on 01 May 2006 by Chuck Harris
#purpose: install updates, then shutdown when done
#called by cron job once per week
#
echo "Update script run. Any updates installed?"
>> /var/root/softupdate.log
date >> /var/root/softupdate.log
/usr/sbin/softwareupdate -l -i -a >>
/var/root/softupdate.log

7) Your done, you can look at the softwareupdate.log to see
how it's 
doing and what patches, if any, it installed.

Note these scripts could do more (e.g. mail someone, log
rotate, check 
if someone is really logged and if not reboot, etc..).  Also
we could 
have added a shutdown command to the script instead of
having power 
management do it for us, but wanted friendly shutdown
warnings provided 
by power management just in case.

-- 
Mike Patterson
Systems Manager
UC Berkeley Extension


------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.be
rkeley.edu/>.

Mike: How does your script react to the passwords or
acceptance of 
license agreements required by some OS X updates?

~ Steve

Steve McConnell
Web news editor, UC Berkeley
smcconnellberkeley.edu
* * * * * * * * * * * * * * * * * * * *
UC Berkeley NewsCenter
http://NewsCenter.berk
eley.edu
* * * * * * * * * * * * * * * * * * * *



Mike Patterson wrote:

> Back in March I was looking for something analogous to
WSUS for 
> windows systems to keep our small minority of Mac's
patched.
> We didn't find a way to centrally manage mac updates,
but we did find 
> a way to make the Macs update themselves.  Our solution
probably won't 
> work for everyone, but in our environment we typically
approve all of 
> the mac updates, people don't have admin rights on
their own systems, 
> people don't remotely connect to their macs, and they
don't work in 
> the wee hours on Sundays.
>
> The solution we came up with involves:
> ---------------------------------------
> 1) OS X Power Management
> 2) crontab
> 3) softwareupdate command
>
> What happens:
> ---------------
> 1) Computer automatically powers on at 3AM Sundays
> 2) crontab calls a "softwareupdate" command
to automatically download 
> and install updates, if any are needed, at 3:10AM
Sundays
> 3) Computer power management powers off at 5AM Sundays
>
> To set this up:
> Power Management:
> ---------------------
> 1) Click the "Apple Icon" in far left
corner -> Choose "System 
> Preferences"
> 2) Click "Show All" in upper left corner.
> 3) Choose "Energy Saver" (Lightbulb icon)
> 4) Set start and stop times.
>
> Crontab
> ---------
> Note: crontab is a common unix tool used to schedule
events (tutorial 
> http://linuxweblog.com
/node/24).
> 1) As root get to a terminal window (e.g.  Macintosh HD

> ==>Applications ==>Utilities ==>Terminal)
> 2) type:
> crontab -l
> to list your current crontab settings.
>
> 3) as root type:
> crontab -e
> to edit your settings.  Note you'll be using the
default editor "vi" 
> (tutorial here: http://ma
th.la.asu.edu/vi_tutorial/vi3.html).
> Add these entries (#comments not needed).  Make sure
not to erase 
> other crontabs you may have (e.g. symantec).
>
> #DOWNLOAD AND INSTALL UPDATES.
> #created on 01 May 2006 by Chuck Harris
> 10 3 * * 0 /var/root/scripts/download_install_updates
>
> 4) Make a folder called scripts and create a script
file called 
> "download_install_updates".
>
> 5) Make that file executable (e.g. chmod +x
download_install_updates)
>
> 6) paste this data into the file:
> /var/root/scripts/download_install_updates:
> -------------------------------------------
> #created on 01 May 2006 by Chuck Harris
> #purpose: install updates, then shutdown when done
> #called by cron job once per week
> #
> echo "Update script run. Any updates
installed?" >> 
> /var/root/softupdate.log
> date >> /var/root/softupdate.log
> /usr/sbin/softwareupdate -l -i -a >>
/var/root/softupdate.log
>
> 7) Your done, you can look at the softwareupdate.log to
see how it's 
> doing and what patches, if any, it installed.
>
> Note these scripts could do more (e.g. mail someone,
log rotate, check 
> if someone is really logged and if not reboot, etc..). 
Also we could 
> have added a shutdown command to the script instead of
having power 
> management do it for us, but wanted friendly shutdown
warnings 
> provided by power management just in case.
>

------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.be
rkeley.edu/>.

Steve,

The softwareupdate command, running as root user, doesn't
need a password. 

I suppose you would want to su to root and then set root's
crontab if 
you didn't log in directly as root (this is probably better
than setting 
a crontab for a non-root user and then passing it a password
for sudo).

We haven't encountered a license acceptance problem yet in
the short 
time we've been running it... 
I'm not sure whether or not softwareupdate from the
commandline requires 
a license acceptance step with the flags we used.

I suppose if we have a problem we can track it down in the
log file.  
I wouldn't recommend a "set and forget"
strategy.  We still audit from 
time to time.

Please also note that most of our experience is with unix
and windows, 
we don't spend much time using Macs or supporting them. 

Our log files usually look like this (note we scheduled this
one for 
11:30AM Monday, instead of our typical 3:10AM Sunday):
------
Update script run. Any updates installed?
Mon May 15 11:30:01 PDT 2006
Software Update Tool
Copyright 2002-2005 Apple

Downloading QuickTime
Downloading QuickTime 0..20..40..60..80..100
Expanding QuickTime
Downloading Security Update 2006-003 (PowerPC)
Downloading Security Update 2006-003 (PowerPC)
0..20..40..60..80..100
Expanding Security Update 2006-003 (PowerPC)
Installing QuickTime 0..20..40..60..80..100
Installing Security Update 2006-003 (PowerPC)
0..20..40..60..80..100
Done.
------

-- 
Mike Patterson
Systems Manager
UC Berkeley Extension


------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.be
rkeley.edu/>.