search

mpanighetti / install-or-defer

A framework for prompting users of Jamf Pro-managed Macs to install Apple software updates.
Apache License 2.0
148 stars 28 forks source link

Adding check if SUCatalog is available #19

Closed christopherdietrich closed 5 years ago

christopherdietrich commented 5 years ago

Adding in an additional check to see if the SUCatalog is available. Makes sense if your SUS is only available on an internal network, as a client can be outside of your network, have internet available, but not be able to reach the internal SUS. Without this check, the clean_up function would run and remove the LD and PLIST.

homebysix commented 5 years ago

Also: if a Mac is unable to reach its update server, the script is already configured to clean up and exit without updating after attempting softwareupdate --list. I'm not sure what this adds, other than perhaps bailing out more quickly?

christopherdietrich commented 5 years ago

On a Mac with no SUCatalog set (which is the default state), this block of code will result in reaching out to the non-existent URL None.

D'oh, good catch. Will rework this.

I'm not sure what this adds, other than perhaps bailing out more quickly?

The scenario I'm hoping to catch is when a Mac is able to connect to the internet, but unable to reach the SUS, e.g. because the SUS is internal only and the Mac is outside the VPN. In that case it would not be desirable to reset the deferral-state.

mpanighetti commented 5 years ago

The way this has been implemented, if the Mac fails to reach the SUS after the initial 72 hour deferral period is set, it will skip update/defer alerting. That could create a situation where the 72 hour clock continues to count down and eventual force-update/restart kicks in, without intermediate alerts.

This would probably be a better check to add during the actual update attempt, maybe with a new user-facing alert describing the error when the SUS can't be reached.

christopherdietrich commented 5 years ago

The way this has been implemented, if the Mac fails to reach the SUS after the initial 72 hour deferral period is set, it will skip update/defer alerting. That could create a situation where the 72 hour clock continues to count down and eventual force-update/restart kicks in, without intermediate alerts.

Correct. My thought was that this is a similar condition as the "ping-check" failing, so I put it in the same place.

homebysix commented 5 years ago

This looks OK to me, and some basic testing ran successfully.