http://macenterprise.org MacResource.org - Mac OS X enterprise deployment project
Auto-Update using Apple's Software Update
Written by Geoff Franks
Thursday, 24 November 2005

Update 1/23/2006: Updated to make it cronnable (full path to commands, since /usr/sbin isn't in $PATH for root).
Update 12/05/2005: Updated the AppleScript portion with a timeout of one week.
Update 12/02/2005: I fixed the code with <'s and >'s, and added some AppleScript functionality inspired by Blake Irvin's script.

The main things I find missing from Apple's Software Update Server are the ability to push out updates from server to client and the ability to schedule updating for clients, rather than just letting them look at the server. This is the script I came up with to remedy this as best I can given the current situation.

This script installs all available updates, and reboots if necessary and possible. I check for logged-in users, ignoring any logged-in admin, since I don't really care if I reboot while admins are the only ones logged in, just end users.

Its purpose was to be run as a weekly cron job, installing only "approved" updates. To accomplish this, I set all the clients to look to my server at port 8089, using

defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://<server>:8089/

For machines testing updates, I set their port to 8088. The server runs predominantly on port 8088, but when an update is ready to be deployed, I stick the server on 8089, and let the script do its magic.

However, there's nothing preventing the software update server from being Apple's, if you want to immediately deploy everything.

If you make any significant/interesting changes, please e-mail me, or post the changes to MacEnterprise.

Code follows:

#!/usr/bin/perl
# Software Update Client Script
#
# Created by Geoff Franks
# Hauptman-Woodward Medical Research Institute
# November 23, 2005
# 
# This script runs software update, installing all available items.
# If a reboot is required by the update, it will check for logged in users,
# and reboot if it can. Regardless of reboot status, an email is sent to 
# notify of the update. 
#
# Note: for sendmail to work properly under panther, postfix needs to be running.
# Since postfix in tiger is run by a queue directory in Launchd, I would 
# recommend a cron job to run /usr/libexec/postfix/master -e 60 at certain 
# intervals. Of course, I could be wrong on that, but it's the way I needed
# to do it on my panther machine. 
# 
# Update: Dec 2, 2005
# I fixed the HTML <,>'s in the script, and added some applescript functionality
# inspired by Blake Irvin's script at 
# https://www.clockworm.com/weblog/blake/2005/11/16/ScripttoInstallOSXSecurityUp.html
# It informs the user of the update, and asks them to reboot as soon as possible.
# When they decide to reboot, it does a soft-gui-reboot allowing for saves, etc.
# It is also possible to circumvent the reboot this way, by opening applications,
# or causing one to cancel the logout process. 
#
# Update: Dec 5, 2005
# Updated with an AppleScript timeout of 1 week.

#Set up some initial variables.. grab hostname, remove any \n's.
$reboot = "no";
$hostname = `/bin/hostname -s`;
$hostname =~ s/\n//i;
# This is the name of the file that the script will log to 
$logfile = "";

# email notifications will be sent to this email address. backslash is required
$toaddress = "\@";

# users listed here will not be considered while processing for logged in users
# It uses regex to process, so any name with "admin" will be ignored.
# Add more by doing (admin|newuser|newuser2)
$excludeusers = "admin";

#run softwareupdate, and grab all output
$message = `/usr/sbin/softwareupdate -i -a 2>&1`;

#see if we need a restart
if ( $message !~ /restart immediately\./ )
{
  $message .= "no restart required\n";
}
else
{
  $message .= "\nrestart required\n";

  #see if there's anyone logged in who would prevent a reboot
  #(-E so the (a|b) form works; quoted so the shell does not parse the pattern)
  $users = `/usr/bin/who | /usr/bin/grep -Ev '$excludeusers' 2>&1`;
  if ( !$users )
  {
    $message .= "no one logged in.. restarting\n";
    $reboot = "yes";
  }
  else
  {
    $message .= "AutoUpdate could not restart " . $hostname . " because" .
        " someone was logged in.\n";
    $usersloggedin = "yes";
  }
}

#print to stdout for debugging
print $message;

#log to log file
# three-argument open: the file name is never parsed for mode characters
open(LOGFILE, ">", $logfile) or
    die "Error opening logfile: $!" ;
print LOGFILE $message;
close LOGFILE;

#and lastly, email to the notification address
my $sendmail = "/usr/sbin/sendmail -t";
open SENDMAIL, "|$sendmail" or die "Cannot open sendmail: $!";
print SENDMAIL <			
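
The logged-in check in the listing greps whole `who` lines, so the exclusion pattern can also match the tty or remote-host column and let a reboot go ahead while an end user is logged in. The Perl below is an added example, not part of Geoff Franks's script: it applies the exclusion to the user-name field only and requires an exact match (stricter than the script's substring match); `blocking_users`, `who_output` and the sample `who` lines are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not part of the original script.
use strict;
use warnings;

# Return the sorted, unique login names in `who` output that should block a
# reboot. $exclude is a regex alternation such as "admin|deploy" (the same
# idea as the script's $excludeusers), matched against the whole user-name
# field only, never against the tty, date or remote-host columns.
# Pass '.*admin.*' instead to get the original substring behaviour on names.
sub blocking_users {
    my ($who_output, $exclude) = @_;
    my $skip = qr/\A(?:$exclude)\z/;
    my %seen;
    for my $line (split /\n/, $who_output) {
        my ($user) = split ' ', $line;   # first whitespace-separated field
        next unless defined $user;       # blank line
        next if $user =~ $skip;          # excluded account
        $seen{$user} = 1;
    }
    return sort keys %seen;
}

# Run who from a fixed command string: no configuration value is
# interpolated into anything a shell might parse.
sub who_output {
    open(my $fh, '-|', '/usr/bin/who') or die "Cannot run who: $!";
    local $/;                            # slurp the whole output
    my $out = <$fh>;
    close $fh;
    return defined $out ? $out : '';
}

# Constructed sample input (not captured from a real machine).
my $sample = <<'END';
admin    console  Jan 23 09:12
admin    ttyp1    Jan 23 09:14 (10.0.0.5)
jsmith   ttyp2    Jan 23 10:01 (admin-imac.example.org)
sysadmin ttyp3    Jan 23 10:05
END

# grep -v admin would drop all four lines and report "no one logged in".
my @block = blocking_users($sample, 'admin');
print "sample: blocking users: @block\n";

# The same check against the live machine, if who is available.
if (-x '/usr/bin/who') {
    my @live = blocking_users(who_output(), 'admin');
    print "live: ", (@live ? "blocked by @live" : "safe to reboot"), "\n";
}
```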
Last Updated ( Thursday, 09 March 2006 )
 