With Apple recently releasing macOS 11.0.1, many Mac Admins over at the MacAdmins.org Slack started to see password prompts like the above.
Some digging has revealed that this password prompt is shown when the softwareupdate binary is called, and only on Apple Silicon devices.
Calling the softwareupdate binary is something which we Mac Admins have done for years, and it’s likely folks have workflows in place calling the softwareupdate binary which is then triggering this prompt.
So, what’s the fix? Short term, don’t call the softwareupdate binary on Apple Silicon devices and raise this issue with Apple.
Longer term? Unsure. There is still documentation around Apple Silicon devices to be posted by Apple, and until we have documentation we can but guess.
In starting to write a blog post on how to block and delay the latest macOS release, I realised that the subject of delaying updates via Managed Software Updates was probably worthy of its own post.
This its that post, see below the break for details.
At the recent London Apple Admins, I mentioned that with macOS Catalina setting a custom Software Update catalog URL is now noted as deprecated.
This took some folks by surprise, despite setting a custom Software Update catalog URL.
Below is more details on this deprecation.
Recently we found that the JSS was setting our clients Software Update Catalog URL to http://:/index.sucatalog.
Well, as detailed previously, we moved from using Software Update servers to Caching.
The move to caching servers actually meant I shot myself in the foot some & caused my own issue. JAMF Support got me things sorted & below is how & my guess work as to what was happening.
After upgrading my Mac servers to 10.9, I found that my 10.9 clients still were not seeing updates served via Apple Software Update Server (read:ASUS), this was due to the servers only having the catalog URLs for 10.6 – 10.8.
As we cascade our ASUS, I thought this was just an issue due to the fact that I hadn’t updated my Master ASUS to 10.9 from 10.8 (with 10.8 hosting 10.6 – 10.8 updates & 10.9 needed to add 10.9 updates).
However, once I updated the Master ASUS the Replica’s still did not have the Catalog URL. But a bit of Google-Foo & I was presented the answer by someone trying to offer 10.9 updates from a 10.8 ASUS.
We cascade Apple Software Update Server (read: ASUS), from a Master Server on our WAN as per the post here. So once an update is downloaded to the Master ASUS, the Replica’s should just replicate the updates.
This has worked great for a time, but we were missing some updates on a couple of servers. When looking in Server.app at the Software Update service it appeared that the missing updates status was “Waiting…”
As mentioned, these updates should just download from the Master. After a little “what does the logs say,” it appeared that they said EXACTLY what the issue was:
By default Apple Software Update Server’s (READ: ASUS) sync daily with Apple at 3am.
But this can be changed, & the below script can be ran to change the interval. You can change either the time of day the sync runs or change it to once a week.
NOTE: As the LaunchDaemon is located within the Server.app, you’ll need to run this after every update to Server.app.
Way back in 2011 I wrote the post: Managing Apple Software Update Server Across Multiple Servers 10.5/10.6/10.7. This itself was based off of an Apple KB article that seems to have disappeared, but the method outlined in the post above is alive & well, just needs some tweaking for 10.8+.
UPDATE: For 10.8+ see: Managing Apple Software Update Server Across Multiple Servers 10.8+.
An internal Apple Software Update Server (ASUS) allows administrators to control what software updates client computers download etc.. more information about this service can be found here.
This all works great, but the initial setup requires you to manually tick each update to enable it to be downloaded.
This can be a bit of a pain especially when managing mulitple servers.
The following post advises on how to setup a Master ASUS with other servers Replicating the enabled updates. Saving the Admin time when setting up new servers & allowing central management.
Apple has a support document on this here & there is also a post from Apple discussions that advises how to setup a 10.5 ASUS to serve 10.6 updates here. Continue reading