How Robot Cloud Handles Apple Software Updates
This article details how Apple Software Updates are applied through Robot Cloud, and provides an overview of various reasons why a Mac might not update as expected.
Apple introduced the App Store in OS X 10.6. At first it was simply a new method of acquiring Apple and third-party software. When OS X 10.9 was released it also became the de facto method for end-users to update their OS X software. The older Software Update application was left buried in the OS: it is still available through the command line, but it no longer has a visible presence.
Previously Robot Cloud would disable automatic updates and instead force a round of updates on each Mac once per weekend, outside the hours of 9 AM to 9 PM. If a restart was needed, it would display a pop-up to the end-user stating updates were applied and that they needed to restart. If a Mac was not online, it would be missed. As a result, some rarely used Macs were seeing patches applied only once per month.
Robot Cloud enables automatic updates for Apple Software on the Mac, leveraging Apple's robust notification system. In addition to this, once per day when a Mac checks in to Robot Cloud, all available updates are downloaded. From here, Robot Cloud attempts to install non-critical updates first, then checks to see if a Mac has been idle for more than 15 minutes. If so, critical updates that do not require a restart are also installed.
Updates that require a restart are now handled in two ways:
First, an Apple notification will appear stating that updates have been downloaded and are ready for installation. The user can ignore it, update now, or select "try again tonight".
Second, the previous forced weekend patching schedule remains. This will catch Macs whose users opted to ignore the update all week.
Reasons for Change
The Center for Internet Security (CIS) Guidelines for OS X 10.9 and later state that Apple's automatic updates should be enabled and that they should not be turned off. This change is a result of a discovery that critical background updates are never triggered when using Software Update from the command line or when tied to a software update server.
Ultimately we at Robot Cloud have decided to trust Apple's mechanism for updates but also download and install as many updates as we can silently while the Mac is online. This is to ensure patching is still occurring as there is always a percentage of users who ignore every notification. The end result is a significantly higher rate of patches being applied in a timely manner, with a much smaller fraction of Macs that receive the forced updates, less work for System Administrators and overall a better user experience.
Reasons Why a Mac Might Not Update
- If the Mac is running Server.app or is running the legacy OS X Server OS, it will not run any type of update. We consider servers to be off-limits for any type of automatic patching. Servers are members of Inventory & Alerts only.
- If the Mac has a problem communicating with the Robot Cloud server it could prevent the policy check from completing. This may happen if traffic to Robot Cloud is blocked by a firewall or proxy. This could also happen if the local Robot Cloud binary stops communicating and needs to be updated or reinstalled.
- If the Mac is turned off during the hours of 9 PM to 9 AM on Saturday or Sunday, it will miss the window for patching.
- If the Mac is directed to use a local software update server it could report that there are no updates available. This occurs when the DNS and search domain are not properly configured on the local network. This can also happen if the client machine is running a newer operating system than the server.
- If the Mac is a notebook, directed to use a local software update server, and is taken home over the weekend, this will prevent updates from being shown and from being installed (unless the server is using a public IP).
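The CIS requirement described under Reasons for Change and the local software update server cases in the list above can both be checked from a Mac's /Library/Preferences/com.apple.SoftwareUpdate.plist. The following is an added example, not Robot Cloud's own code: the function name, the sample plist and the server URL are constructed for illustration, and treating a missing key as a finding is this example's assumption.

```python
import plistlib

# Keys in com.apple.SoftwareUpdate that should be true when Apple's
# automatic and background updates are enabled.
REQUIRED_TRUE = {
    "AutomaticCheckEnabled": "automatic update check is off",
    "AutomaticDownload": "updates are not downloaded in the background",
    "ConfigDataInstall": "system data file updates are off",
    "CriticalUpdateInstall": "critical background updates are off",
}


def audit_softwareupdate(plist_bytes):
    """Return a list of findings for one Mac's SoftwareUpdate preferences."""
    prefs = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    findings = []
    for key, problem in REQUIRED_TRUE.items():
        # Assumption: a missing key is reported too, so the audit only
        # passes on an explicit true value.
        if prefs.get(key) is not True:
            findings.append(f"{key}: {problem}")
    # CatalogURL is set when the Mac is pointed at a local software update
    # server instead of Apple; off-network notebooks may then see no updates.
    catalog = prefs.get("CatalogURL")
    if catalog:
        findings.append(f"CatalogURL: updates come from {catalog}, not Apple")
    return findings


# Constructed sample: critical updates disabled, local update server set.
SAMPLE = plistlib.dumps({
    "AutomaticCheckEnabled": True,
    "AutomaticDownload": True,
    "ConfigDataInstall": True,
    "CriticalUpdateInstall": False,
    "CatalogURL": "http://sus.example.internal:8088/index.sucatalog",
})

if __name__ == "__main__":
    for finding in audit_softwareupdate(SAMPLE):
        print(finding)
```

On a real Mac, pass the bytes read from the plist file; an empty result means the settings match what the article describes.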