unix_fan wrote:
> Folks, my google fu and lopsa.org searches are not narrowing it down for me.
>
> I've been handed a group that uses MacOSX and asked to craft a patch 
> management approach for them. I use MacOSX at home, but have never managed a 
> group of MacOSX machines (not server). 
>
> We need to do some sort of patch management for these MacOSX machines. I 
> could have sworn Ski or Leon had been in on a discussion about that long ago, 
> but all I find is the bemoaning of a lack of Enterprise-ish tools and 
> discussion of MacOSX vs. Linux. I'm trying to find what patch management 
> approaches MacOSX sysadmins actually utilize, that they like.
>
> Two generic scenarios come to my MacOSX rookie mind: 
> 1. Write ssh queries that look for OS versions and patch status, or 
> 2. Utilize a CM tool like puppet/bcfg2/lcfg/<fill in your fave>. 
>
> What do people who manage groups of MacOSX desktop machines actually use? To 
> bound the exercise, let's just call patch management the following task. 
>
> A vulnerability is announced, along with the patch. I want to generate a 
> report that shows how many machines are affected in the denominator, and how 
> many machines have actually been patched in the numerator. How do you manage 
> MacOSX group patch deployment in this scenario?
>
> For this query, it doesn't matter whether your approach is home grown, open 
> source, or commercial. 

For desktops that belong to individuals, we typically leave it up to 
them. We send emails urging people to update when there are 
announcements of vulnerabilities.

For labs and classrooms, we use radmind running off one of my Solaris 
servers. It takes a bit to get into it, but the guy who manages it can 
control an awful lot of detail. He has a summer intern who is working 
out some new stuff, like having a progress bar pop up on the Mac when 
radmind starts running (as opposed to just running in the background and 
then suddenly rebooting, which can be disconcerting if someone is using 
them at 2 in the morning unawares). They did that by changing how 
radmind was run. Rather than having it as a "periodic", they have it run 
using iHook from launchd. Anyway, when there is a change needed or a 
patch, they just change an image, and the machines update the next 
night. They can also initiate changes if they are needed more quickly 
than overnight. When our new building opened up, they were able to 
deploy on the order of 100 new machines a day.


-- 
---------------

Chris Hoogendyk

-
   O__  ---- Systems Administrator
  c/ /'_ --- Biology & Geology Departments
 (*) \(*) -- 140 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst 

<hoogen...@bio.umass.edu>

--------------- 

Erdös 4


_______________________________________________
Tech mailing list
Tech@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
