TweetFollow Us on Twitter

MacEnterprise: Pain Management

Volume Number: 25
Issue Number: 05
Column Tag: MacEnterprise

MacEnterprise: Pain Management

Dealing with Apple firmware updates in an enterprise environment

By Greg Neagle, MacEnterprise.org

Introduction

You've made fantastic progress on your systems management infrastructure for your organization's Macs. You have a method to create standard images. Maybe you are even using InstaDMG. (If you haven't heard of InstaDMG, fire up a browser and do a search now!) You have an imaging server to quickly get these images on new Macs - maybe NetInstall, NetRestore or Deploy Studio, or one of the commercial solutions. You've implemented software to install and update applications and OS patches - perhaps you are using the open-source radmind tools, or Apple Remote Desktop, or a commercial package like the Casper Suite or LANrev. You've even gotten good at using the command-line and ssh to remotely connect to a machine and troubleshoot and fix issues. Your environment is predictable, structured, and managed. Life is good.

Now that so much of your job is automated and streamlined, you are sitting in your office, browsing the web and looking at Mac tech sites. Suddenly, you see something that just ruins your whole day. Apple has just released a firmware update.

What's the big deal?

So why should a firmware update cause you heartburn? Can't you just use your fancy software distribution tool to push it out to the affected machines? Well, you can push the firmware updater, but in most cases, you can't actually install the firmware remotely or in an automated fashion! Worse, for EFI firmware updates, a person must physically press the power button long enough to start the update after a shutdown. What a pain. All your centralized automation goes out the window, and once again, you are doomed to a life of running from machine to machine - installing updates.

The bad news

So now you are reading with bated breath (look it up - it's not "baited breath" - which makes me think of halitosis...) and hoping that your humble author will make all the pain go away. I am truly sorry - that is not within my power. I can't make your pain go away - I can only help you manage your pain.

Pain Inventory

There are two major challenges posed by Apple firmware updates. The first is finding out about them. Since firmware updates are generally for specific hardware models, unless you have one of everything Apple's ever shipped in your office, you won't find out about every firmware update simply by looking at Software Update on your machine. You'll need a way to find out about firmware updates that apply to all the various hardware in your organization.

The second challenge, as implied above, is deploying those updates. You cannot deploy these like you do OS updates or security updates. You'll need another method.

Pain Awareness

Let's tackle the first challenge. You have a few options. The first and most obvious is to check Mac tech websites or Apple's support downloads page at http://support.apple.com/downloads/ on a regular basis, checking for firmware updates. That's tedious, and since Apple firmware updates are relatively uncommon, something you're not likely to remember to do consistently.

Another possibility, if you have a machine running OS X Server, is to turn on the Software Update Server and monitor what it downloads. A Software Update Server will download all Apple updates without regard to which hardware it applies. You can then look through the list of downloaded updates periodically. A tip: sort the updates by Post Date, and filter the list by typing "Firmware" into the search field. This will give you a list of firmware updates (at least those for which Apple has included the word "Firmware" in its name) and puts the most recent at the top. See Figure 1 for an example.


Figure 1. Software Update Server

Again, this can be tedious, and you'll certainly find listings for updates that apply to hardware your organization does not own. Still, this works as a method of discovering what firmware updates Apple has made available.

Another possibility is to farm out the discovery: since firmware updates apply only to specific models of hardware, you could have a script that runs on every machine that you manage that runs the command-line version of Software Update (/usr/sbin/softwareupdate) and looks for available firmware updates. Here's a one-liner:

/usr/sbin/softwareupdate -l | /usr/bin/grep -i firmware

This will print available firmware updates for the current machine. You could expand on this - perhaps emailing you, or posting this info into a database. In fact, later on in this column we will expand on this technique.

Approaches to Pain Management

Now you have a method of finding out that firmware updates are available. Next, you must find a way to actually deploy these updates. In my organization, I tried a couple of approaches. The first was simply verbal. I asked all the technical support people to check Software Update for available firmware updates whenever they had to visit a user and if there were any, to apply them. Not surprisingly, that didn't really get the job done.

The next approach I tried was to try as hard as I could to automate the application of firmware updates. I was seduced down this path by Apple's SMC firmware updates for the first generation of Intel Macs. These SMC updates were the ones that enabled Boot Camp, among other things, so I was quite anxious to get them out there. It turned out that you could automate SMC firmware updates, and I wrote some scripts to do just that. You can see them here:

http://managingosx.wordpress.com/2006/10/27/automating-firmware-updates/

and here:

http://managingosx.wordpress.com/2006/11/02/automating-intel-firmware-updates-ii-revenge-of-the-smc/

Ultimately, this was not a sustainable solution. It only handled SMC firmware updates, not any of the other types of firmware updates, and since the path to the actual firmware updater was different for each machine type, and since you had to keep track of the SMC firmware versions each updater was for, it quickly became a house of cards. You needed to continually update the scripts and the firmware installers as Apple released new hardware and new SMC updates. And there were still the EFI updates, and the Graphics Firmware updates, and the Trackpad and Keyboard Firmware updates and more to deal with.

Back to the drawing board. Approach number three was a script that ran at startup, ran softwareupdate -l and emailed me (or rather, my group of administrators) if a machine needed a firmware update. I'd then add that task to our helpdesk ticketing system for a technician to do. Needless to say, the technicians didn't like this solution very much, but it worked, to a point. Still, we were missing ideal opportunities to update the firmware when a tech visited a machine for other reasons.

If these updates could not be automated, what we wanted was something that:

Notified the user and us that a firmware update was needed for the machine. Since most of our users are not administrators, they could not actually perform the update, but at least they could notify the help desk for assistance.

If a tech was working on a machine and was logged in as an administrator, upon login they would be notified there were available firmware updates so they could install them right then.

With those desires in mind, I wrote a script to be run at each login that checked the output of softwareupdate -l for available firmware updates, and if any were found, it would display an alert informing the user to contact the help desk if they were not an administrator, or urging them to install the update if they had admin rights.

A version of the script follows. Yes, it's written in Perl, and I know all the cool kids are now using Python. Perl's support for regular expressions and straightforward support for calling system command-line tools make it a good fit for this type of script. Feel free to rewrite it in bash, Python, Ruby, or whatever makes you happy. Let's take a look.

#!/usr/bin/perl -w
use strict;
# change 'com.myorg' to your organization name
my $prefs = "com.myorg.firmwareupdatecheck";

As a nicety, we're going to set things up so that this only runs once per day - that is, if a user logs in and out several times in a single day, he or she will see a firmware update alert (if one is needed) only once a day. If you want to be more insistent, you could remove this check. If you do, and a firmware update is available, the user will be notified at every login. Alternately, you could increase the interval so that not every machine hits the Software Update server (either your local one, or Apple's via your Internet connection) every single day.

# check the last time we ran on this machine; 
# exit if we already ran today so we don't annoy too much
my $now = time;
my $lastChecked = 
   `defaults -currentHost read $prefs lastChecked 2>/dev/null`;
chomp $lastChecked;
if ($lastChecked ne "") {
  my $daysSinceLastChecked = 
     int(($now-$lastChecked)/(60*60*24));
  exit if ($daysSinceLastChecked < 1);
}

Next, we'll get a list of updates from softwareupdate and look through them to find firmware updates.

# get list of available updates from softwareupdate
my $allupdates = `softwareupdate -l | grep '^   \\* '`;
chomp $allupdates;
my @updates = split /\n/, $allupdates;
my $firmwareupdates = "";
my $firmwarelist = "";
my $otherupdates = "";
# walk through the list looking for firmware updates
for my $update (@updates) {
  $update = substr($update,5);
  if (($update =~ /[F|f]irmware/) ||
      ($update =~ /EFI/) ||
      ($update =~ /SMC/)) {
    $firmwareupdates .= "$update ";
    $firmwarelist .= "   $update\n";
  } else {
    $otherupdates .= "$update ";
  }
}

We're looking for "Firmware", "firmware", "EFI", or "SMC" in the name of each available update. Every firmware update I've seen with the exception of a 2005 "iMac G5 Sleep Light Update" has the word "Firmware" in the name, so this should get the job done.

Next, we record when we did this and what we found using defaults. This is the same file we read when we start to see if we already ran today.

# record when we checked and what we found
system "defaults -currentHost write $prefs lastChecked -int $now";
system "defaults -currentHost write $prefs availableUpdates '$firmwareupdates'";

And now the exciting part! If there are available firmware updates, we're going to notify the user. But before we do, we tell Software Update to hide all the available updates that aren't firmware updates. I do this in my environment because normally we install all the other updates with our software distribution mechanism and I didn't want to get a lot of questions about additional updates available in Software Update. You may want to handle this differently.

if ($firmwareupdates) {
  # there are available firmware updates
  if ($otherupdates) {
    # hide the non-firmware updates since I don't want 
    # users tempted to install them
    system "softwareupdate --ignore $otherupdates >/dev/null 2>&1";
  }

Admin users get one version of the alert. This version opens the Software Update application if he or she clicks Install. We embed some AppleScript and use osascript to call it. Note the "giving up after 120" clause to display alert - this causes AppleScript to close the alert after two minutes if the user ignores it.

  
  # are we running under an admin account?
  my $checkAdmin = `dseditgroup -o checkmember admin`;
  if ($checkAdmin =~ /^yes/) {
     # user is an admin, prompt them to install
           my $result = `osascript<<EOFA
try
  tell application "System Events"
    activate
    display alert "Firmware updates available" message 
"There are firmware updates available for this Mac:" & return & "$firmwarelist" as warning buttons {"Later", "Install"} default button "Install" cancel button "Later" giving up after 120 end tell if button returned of the result is "Install" then tell application "Software Update" to activate end if end try EOFA`;

If the user is not an administrator, the user gets an alert directing him or her to call the help desk - again we use embedded AppleScript to display the alert.

  } else {
    # user is not an admin, tell them to call help desk
    my $result = `osascript<<EOFB
try
  tell application "System Events"
    activate
    display alert "Firmware updates available" message 
"There are firmware updates available for this Mac:" & return & "$firmwarelist" & return & "Please call Tech Support at 555-1212 for help in installing these updates."
as warning buttons
{"OK"} default button "OK" cancel button "OK" giving up after 120 end tell end try EOFB`; } }

If the script runs in the context of a user without admin rights and firmware updates are available for this machine, after a few seconds, the user will see an alert like the one in Figure 2.


Figure 2. Firmware alert for non-admins

If it runs under an admin user's login, the user should see a slightly different alert, as shown in Figure 3.


Figure 3. Firmware alert for admin users.

If the admin user clicks Install, Software Update will be launched and the admin user can install the firmware update immediately. Non-firmware updates should be hidden, but can be shown again by selecting Reset Ignored Updates from the Software Update menu.

If you don't want to retype this script (and who would?) you can find a copy here:

http://managingosx.wordpress.com/2009/01/06/firmware-updates/

To get the script to run at login for every user, we'll use a launchd agent. Make a directory called "Management" in the root Library directory (if you have another directory for this sort of thing, feel free to use that instead):

mkdir /Library/Management

Save the script as "firmwarecheck.pl" in that directory. Make sure it has execute rights:

chmod 755 /Library/Management/firmwarecheck.pl

You can check if you did things correctly by trying to run it:

/Library/Management/firmwarecheck.pl

Now we can create a launchd item to run it at login for every user. Create a plain text file at /Library/LaunchAgents/com.myorg.firmwarecheck.plist with this content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
      <key>Label</key>
      <string>com.myorg.firmwarecheck</string>
      <key>LimitLoadToSessionType</key>
      <string>Aqua</string>
      <key>Program</key>
      <string>/Library/Management/firmwarecheck.pl</string>         
      <key>RunAtLoad</key>
      <true/>
</dict>
</plist>

Some of these launchd keys are new in Leopard, but this launchd item will also work in Tiger. Check to make sure your launchd plist is a valid plist file:

cd /Library/LaunchAgents
plutil -lint com.myorg.firmwarecheck.plist
com.myorg.firmwarecheck.plist: OK

If you don't get an "OK" message, double-check your typing. Ensure your new launchd item is owned by root:wheel and has mode 644:

cd /Library/LaunchAgents
sudo chown root:wheel com.myorg.firmwarecheck.plist
sudo chmod 644 com.myorg.firmwarecheck.plist

If you made no mistakes, /Library/Management/firmwarecheck.pl will now be launched whenever someone logs in. All the pieces are in place! Package up the two files and push them out using your favorite software distribution mechanism.

End of Pain?

In this month's column, we dealt with the pain of firmware updates in an enterprise environment by pushing the pain throughout the organization. A script that runs at login checks to see if firmware updates are available for the machine. If firmware updates are found, the user is notified. Even if the user chooses to ignore these notifications, the next time an admin user logs into the machine they will also be notified. If you are lucky, you'll have users who will call the help desk, and then you can use Apple Remote Desktop, Leopard Screen Sharing, or another remote access solution to kick off the firmware update, and tell the user to do the "human-needed" part of holding down the power button for those updates that require it. If you're not so lucky, at least you'll know when machines need updates, and the next time you visit the machine and log in as an administrator, you'll be reminded to apply the updates.

Even if this solution doesn't make sense for you or your organization, the techniques presented here could be used to craft other solutions - for this problem and others. As an OS X system administrator, you'll want to be familiar with as many tools as possible. This column touched on softwareupdate, Perl scripting, AppleScript, and launchd, each important tools in the Mac sysadmin's toolbox!


Greg Neagle is a member of the steering committee of the Mac OS X Enterprise Project (macenterprise.org) and is a senior systems engineer at a large animation studio. Greg has been working with the Mac since 1984, and with OS X since its release. He can be reached at gregneagle@mac.com.

 
AAPL
$105.22
Apple Inc.
+0.39
MSFT
$46.13
Microsoft Corpora
+1.11
GOOG
$539.78
Google Inc.
-4.20

MacTech Search:
Community Search:

Software Updates via MacUpdate

Ember 1.8.2 - Versatile digital scrapboo...
Ember (formerly LittleSnapper) is your digital scrapbook of things that inspire you: websites, photos, apps or other things. Just drag in images that you want to keep, organize them into relevant... Read more
Tonality Pro 1.1.2 - Professional-grade...
Tonality Pro gives you the power to create stunning and dramatic black & white images. This is a complete monochrome image editor with more than 150 one-click style presets, totally unique... Read more
VueScan 9.4.49 - Scanner software with a...
VueScan is a scanning program that works with most high-quality flatbed and film scanners to produce scans that have excellent color fidelity and color balance. VueScan is easy to use, and has... Read more
OS X Server 4.0 - For OS X 10.10 Yosemit...
Designed for OS X and iOS devices, OS X Server makes it easy to share files, schedule meetings, synchronize contacts, develop software, host your own website, publish wikis, configure Mac, iPhone,... Read more
TotalFinder 1.6.12 - Adds tabs, hotkeys,...
TotalFinder is a universally acclaimed navigational companion for your Mac. Enhance your Mac's Finder with features so smart and convenient, you won't believe you ever lived without them. Tab-based... Read more
BusyCal 2.6.3 - Powerful calendar app wi...
BusyCal is an award-winning desktop calendar that combines personal productivity features for individuals with powerful calendar sharing capabilities for families and workgroups. BusyCal's unique... Read more
calibre 2.7 - Complete e-library managem...
Calibre is a complete e-book library manager. Organize your collection, convert your books to multiple formats, and sync with all of your devices. Let Calibre be your multi-tasking digital... Read more
Skitch 2.7.3 - Take screenshots, annotat...
With Skitch, taking, annotating, and sharing screenshots or images is as fun as it is simple.Communicate and collaborate with images using Skitch and its intuitive, engaging drawing and annotating... Read more
Delicious Library 3.3.2 - Import, browse...
Delicious Library allows you to import, browse, and share all your books, movies, music, and video games with Delicious Library. Run your very own library from your home or office using our... Read more
Art Text 2.4.8 - Create high quality hea...
Art Text is an OS X application for creating high quality textual graphics, headings, logos, icons, Web site elements, and buttons. Thanks to multi-layer support, creating complex graphics is no... Read more

Latest Forum Discussions

See All

Rami Ismail Opens Up distribute​() for D...
Rami Ismail Opens Up distribute​() for Developers Posted by Jessica Fisher on October 24th, 2014 [ permalink ] Rami Ismail, Chief Executive of Business and Development at indie game studio | Read more »
Great Hitman GO Goes on Sale and Gets Ne...
Great Hitman GO Goes on Sale and Gets New Update – Say That Three Times Fast Posted by Jessica Fisher on October 24th, 2014 [ permalink ] | Read more »
Rival Stars Basketball Review
Rival Stars Basketball Review By Jennifer Allen on October 24th, 2014 Our Rating: :: RESTRICTIVE BUT FUNUniversal App - Designed for iPhone and iPad Rival Stars Basketball is a fun mixture of basketball and card collecting but its... | Read more »
Rubicon Development Makes Over a Dozen o...
Rubicon Development Makes Over a Dozen of Their Games Free For This Weekend Only Posted by Jessica Fisher on October 24th, 2014 [ permalink ] | Read more »
I Am Dolphin Review
I Am Dolphin Review By Jennifer Allen on October 24th, 2014 Our Rating: :: NEARLY FIN-TASTICUniversal App - Designed for iPhone and iPad Swim around and eat nearly everything that moves in I Am Dolphin, a fun Ecco-ish kind of game... | Read more »
nPlayer looks to be the ultimate choice...
Developed by Newin Inc, nPlayer may seem like your standard video player – but is aiming to be the best in its field by providing high quality video play performance and support for a huge number of video formats and codecs. User reviews include... | Read more »
Fighting Fantasy: Caverns of the Snow Wi...
Fighting Fantasy: Caverns of the Snow Witch Review By Jennifer Allen on October 24th, 2014 Our Rating: :: CLASSY STORYTELLINGUniversal App - Designed for iPhone and iPad Fighting Fantasy: Caverns of the Snow Witch is a sterling... | Read more »
A Few Days Left (Games)
A Few Days Left 1.01 Device: iOS Universal Category: Games Price: $3.99, Version: 1.01 (iTunes) Description: Screenshots are in compliance to App Store's 4+ age rating! Please see App Preview for real game play! **Important: Make... | Read more »
Toca Boo (Education)
Toca Boo 1.0.2 Device: iOS Universal Category: Education Price: $2.99, Version: 1.0.2 (iTunes) Description: BOO! Did I scare you!? My name is Bonnie and my family loves to spook! Do you want to scare them back? Follow me and I'll... | Read more »
Intuon (Games)
Intuon 1.1 Device: iOS Universal Category: Games Price: $.99, Version: 1.1 (iTunes) Description: Join the battle with your intuition in a new hardcore game Intuon! How well do you trust your intuition? Can you find a needle in a... | Read more »

Price Scanner via MacPrices.net

Weekend sale: 13-inch 128GB MacBook Air for $...
Best Buy has the 2014 13-inch 1.4GHz 128GB MacBook Air on sale for $849.99, or $150 off MSRP, on their online store. Choose free home shipping or free local store pickup (if available). Price valid... Read more
Nimbus Note Cross=Platform Notes Utility
Nimbus Note will make sure you never forget or lose your valuable data again. Create and edit notes, save web pages, screenshots and any other type of data – and share it all with your friends and... Read more
NewerTech’s Snuglet Makes MagSafe 2 Power Con...
NewerTech has introduced the Snuglet, a precision-manufactured ring designed to sit inside your MagSafe 2 connector port, providing a more snug fit to prevent your power cable from unintentional... Read more
Apple Planning To Sacrifice Gross Margins To...
Digitimes Research’s Jim Hsiao says its analysts believe Apple is planning to sacrifice its gross margins to save its tablet business, which has recently fallen into decline. They project that Apple’... Read more
Who’s On Now? – First Instant-Connect Search...
It’s nighttime and your car has broken down on the side of the highway. You need a tow truck right away, so you open an app on your iPhone, search for the closest tow truck and send an instant... Read more
13-inch 2.5GHz MacBook Pro on sale for $949,...
Best Buy has the 13″ 2.5GHz MacBook Pro available for $949.99 on their online store. Choose free shipping or free instant local store pickup (if available). Their price is $150 off MSRP. Price is... Read more
Save up to $125 on Retina MacBook Pros
B&H Photo has the new 2014 13″ and 15″ Retina MacBook Pros on sale for up to $125 off MSRP. Shipping is free, and B&H charges NY sales tax only. They’ll also include free copies of Parallels... Read more
Apple refurbished Time Capsules available sta...
The Apple Store has certified refurbished Time Capsules available for up to $60 off MSRP. Apple’s one-year warranty is included with each Time Capsule, and shipping is free: - 2TB Time Capsule: $255... Read more
Textilus New Word, Notes and PDF Processor fo...
Textilus is new word-crunching, notes, and PDF processor designed exclusively for the iPad. I haven’t had time to thoroughly check it out yet, but it looks great and early reviews are positive.... Read more
WD My Passport Pro Bus-Powered Thunderbolt RA...
WD’s My Passport Pro RAID solution is powered by an integrated Thunderbolt cable for true portability and speeds as high as 233 MB/s. HighlightsOverviewSpecifications Transfer, Back Up And Edit In... Read more

Jobs Board

*Apple* Solutions Consultant - Apple Inc. (U...
…important role that the ASC serves is that of providing an excellent Apple Customer Experience. Responsibilities include: * Promoting Apple products and solutions Read more
Senior Event Manager, *Apple* Retail Market...
…This senior level position is responsible for leading and imagining the Apple Retail Team's global event strategy. Delivering an overarching brand story; in-store, Read more
*Apple* Solutions Consultant (ASC) - Apple (...
**Job Summary** The ASC is an Apple employee who serves as an Apple brand ambassador and influencer in a Reseller's store. The ASC's role is to grow Apple Read more
Project Manager / Business Analyst, WW *Appl...
…a senior project manager / business analyst to work within our Worldwide Apple Fulfillment Operations and the Business Process Re-engineering team. This role will work Read more
*Apple* Retail - Multiple Positions (US) - A...
Job Description: Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.