TweetFollow Us on Twitter

MacEnterprise: Pain Management

Volume Number: 25
Issue Number: 05
Column Tag: MacEnterprise

MacEnterprise: Pain Management

Dealing with Apple firmware updates in an enterprise environment

By Greg Neagle, MacEnterprise.org

Introduction

You've made fantastic progress on your systems management infrastructure for your organization's Macs. You have a method to create standard images. Maybe you are even using InstaDMG. (If you haven't heard of InstaDMG, fire up a browser and do a search now!) You have an imaging server to quickly get these images on new Macs - maybe NetInstall, NetRestore or Deploy Studio, or one of the commercial solutions. You've implemented software to install and update applications and OS patches - perhaps you are using the open-source radmind tools, or Apple Remote Desktop, or a commercial package like the Casper Suite or LANrev. You've even gotten good at using the command-line and ssh to remotely connect to a machine and troubleshoot and fix issues. Your environment is predictable, structured, and managed. Life is good.

Now that so much of your job is automated and streamlined, you are sitting in your office, browsing the web and looking at Mac tech sites. Suddenly, you see something that just ruins your whole day. Apple has just released a firmware update.

What's the big deal?

So why should a firmware update cause you heartburn? Can't you just use your fancy software distribution tool to push it out to the affected machines? Well, you can push the firmware updater, but in most cases, you can't actually install the firmware remotely or in an automated fashion! Worse, for EFI firmware updates, a person must physically press the power button long enough to start the update after a shutdown. What a pain. All your centralized automation goes out the window, and once again, you are doomed to a life of running from machine to machine - installing updates.

The bad news

So now you are reading with bated breath (look it up - it's not "baited breath" - which makes me think of halitosis...) and hoping that your humble author will make all the pain go away. I am truly sorry - that is not within my power. I can't make your pain go away - I can only help you manage your pain.

Pain Inventory

There are two major challenges posed by Apple firmware updates. The first is finding out about them. Since firmware updates are generally for specific hardware models, unless you have one of everything Apple's ever shipped in your office, you won't find out about every firmware update simply by looking at Software Update on your machine. You'll need a way to find out about firmware updates that apply to all the various hardware in your organization.

The second challenge, as implied above, is deploying those updates. You cannot deploy these like you do OS updates or security updates. You'll need another method.

Pain Awareness

Let's tackle the first challenge. You have a few options. The first and most obvious is to check Mac tech websites or Apple's support downloads page at http://support.apple.com/downloads/ on a regular basis, checking for firmware updates. That's tedious, and since Apple firmware updates are relatively uncommon, something you're not likely to remember to do consistently.

Another possibility, if you have a machine running OS X Server, is to turn on the Software Update Server and monitor what it downloads. A Software Update Server will download all Apple updates without regard to which hardware it applies. You can then look through the list of downloaded updates periodically. A tip: sort the updates by Post Date, and filter the list by typing "Firmware" into the search field. This will give you a list of firmware updates (at least those for which Apple has included the word "Firmware" in its name) and puts the most recent at the top. See Figure 1 for an example.


Figure 1. Software Update Server

Again, this can be tedious, and you'll certainly find listings for updates that apply to hardware your organization does not own. Still, this works as a method of discovering what firmware updates Apple has made available.

Another possibility is to farm out the discovery: since firmware updates apply only to specific models of hardware, you could have a script that runs on every machine that you manage that runs the command-line version of Software Update (/usr/sbin/softwareupdate) and looks for available firmware updates. Here's a one-liner:

/usr/sbin/softwareupdate -l | /usr/bin/grep -i firmware

This will print available firmware updates for the current machine. You could expand on this - perhaps emailing you, or posting this info into a database. In fact, later on in this column we will expand on this technique.

Approaches to Pain Management

Now you have a method of finding out that firmware updates are available. Next, you must find a way to actually deploy these updates. In my organization, I tried a couple of approaches. The first was simply verbal. I asked all the technical support people to check Software Update for available firmware updates whenever they had to visit a user and if there were any, to apply them. Not surprisingly, that didn't really get the job done.

The next approach I tried was to try as hard as I could to automate the application of firmware updates. I was seduced down this path by Apple's SMC firmware updates for the first generation of Intel Macs. These SMC updates were the ones that enabled Boot Camp, among other things, so I was quite anxious to get them out there. It turned out that you could automate SMC firmware updates, and I wrote some scripts to do just that. You can see them here:

http://managingosx.wordpress.com/2006/10/27/automating-firmware-updates/

and here:

http://managingosx.wordpress.com/2006/11/02/automating-intel-firmware-updates-ii-revenge-of-the-smc/

Ultimately, this was not a sustainable solution. It only handled SMC firmware updates, not any of the other types of firmware updates, and since the path to the actual firmware updater was different for each machine type, and since you had to keep track of the SMC firmware versions each updater was for, it quickly became a house of cards. You needed to continually update the scripts and the firmware installers as Apple released new hardware and new SMC updates. And there were still the EFI updates, and the Graphics Firmware updates, and the Trackpad and Keyboard Firmware updates and more to deal with.

Back to the drawing board. Approach number three was a script that ran at startup, ran softwareupdate -l and emailed me (or rather, my group of administrators) if a machine needed a firmware update. I'd then add that task to our helpdesk ticketing system for a technician to do. Needless to say, the technicians didn't like this solution very much, but it worked, to a point. Still, we were missing ideal opportunities to update the firmware when a tech visited a machine for other reasons.

If these updates could not be automated, what we wanted was something that:

Notified the user and us that a firmware update was needed for the machine. Since most of our users are not administrators, they could not actually perform the update, but at least they could notify the help desk for assistance.

If a tech was working on a machine and was logged in as an administrator, upon login they would be notified there were available firmware updates so they could install them right then.

With those desires in mind, I wrote a script to be run at each login that checked the output of softwareupdate -l for available firmware updates, and if any were found, it would display an alert informing the user to contact the help desk if they were not an administrator, or urging them to install the update if they had admin rights.

A version of the script follows. Yes, it's written in Perl, and I know all the cool kids are now using Python. Perl's support for regular expressions and straightforward support for calling system command-line tools make it a good fit for this type of script. Feel free to rewrite it in bash, Python, Ruby, or whatever makes you happy. Let's take a look.

#!/usr/bin/perl -w
use strict;
# change 'com.myorg' to your organization name
my $prefs = "com.myorg.firmwareupdatecheck";

As a nicety, we're going to set things up so that this only runs once per day - that is, if a user logs in and out several times in a single day, he or she will see a firmware update alert (if one is needed) only once a day. If you want to be more insistent, you could remove this check. If you do, and a firmware update is available, the user will be notified at every login. Alternately, you could increase the interval so that not every machine hits the Software Update server (either your local one, or Apple's via your Internet connection) every single day.

# check the last time we ran on this machine; 
# exit if we already ran today so we don't annoy too much
my $now = time;
my $lastChecked = 
   `defaults -currentHost read $prefs lastChecked 2>/dev/null`;
chomp $lastChecked;
if ($lastChecked ne "") {
  my $daysSinceLastChecked = 
     int(($now-$lastChecked)/(60*60*24));
  exit if ($daysSinceLastChecked < 1);
}

Next, we'll get a list of updates from softwareupdate and look through them to find firmware updates.

# get list of available updates from softwareupdate
my $allupdates = `softwareupdate -l | grep '^   \\* '`;
chomp $allupdates;
my @updates = split /\n/, $allupdates;
my $firmwareupdates = "";
my $firmwarelist = "";
my $otherupdates = "";
# walk through the list looking for firmware updates
for my $update (@updates) {
  $update = substr($update,5);
  if (($update =~ /[F|f]irmware/) ||
      ($update =~ /EFI/) ||
      ($update =~ /SMC/)) {
    $firmwareupdates .= "$update ";
    $firmwarelist .= "   $update\n";
  } else {
    $otherupdates .= "$update ";
  }
}

We're looking for "Firmware", "firmware", "EFI", or "SMC" in the name of each available update. Every firmware update I've seen with the exception of a 2005 "iMac G5 Sleep Light Update" has the word "Firmware" in the name, so this should get the job done.

Next, we record when we did this and what we found using defaults. This is the same file we read when we start to see if we already ran today.

# record when we checked and what we found
system "defaults -currentHost write $prefs lastChecked -int $now";
system "defaults -currentHost write $prefs availableUpdates '$firmwareupdates'";

And now the exciting part! If there are available firmware updates, we're going to notify the user. But before we do, we tell Software Update to hide all the available updates that aren't firmware updates. I do this in my environment because normally we install all the other updates with our software distribution mechanism and I didn't want to get a lot of questions about additional updates available in Software Update. You may want to handle this differently.

if ($firmwareupdates) {
  # there are available firmware updates
  if ($otherupdates) {
    # hide the non-firmware updates since I don't want 
    # users tempted to install them
    system "softwareupdate --ignore $otherupdates >/dev/null 2>&1";
  }

Admin users get one version of the alert. This version opens the Software Update application if he or she clicks Install. We embed some AppleScript and use osascript to call it. Note the "giving up after 120" clause to display alert - this causes AppleScript to close the alert after two minutes if the user ignores it.

  
  # are we running under an admin account?
  my $checkAdmin = `dseditgroup -o checkmember admin`;
  if ($checkAdmin =~ /^yes/) {
     # user is an admin, prompt them to install
           my $result = `osascript<<EOFA
try
  tell application "System Events"
    activate
    display alert "Firmware updates available" message 
"There are firmware updates available for this Mac:" & return & "$firmwarelist" as warning buttons {"Later", "Install"} default button "Install" cancel button "Later" giving up after 120 end tell if button returned of the result is "Install" then tell application "Software Update" to activate end if end try EOFA`;

If the user is not an administrator, the user gets an alert directing him or her to call the help desk - again we use embedded AppleScript to display the alert.

  } else {
    # user is not an admin, tell them to call help desk
    my $result = `osascript<<EOFB
try
  tell application "System Events"
    activate
    display alert "Firmware updates available" message 
"There are firmware updates available for this Mac:" & return & "$firmwarelist" & return & "Please call Tech Support at 555-1212 for help in installing these updates."
as warning buttons
{"OK"} default button "OK" cancel button "OK" giving up after 120 end tell end try EOFB`; } }

If the script runs in the context of a user without admin rights and firmware updates are available for this machine, after a few seconds, the user will see an alert like the one in Figure 2.


Figure 2. Firmware alert for non-admins

If it runs under an admin user's login, the user should see a slightly different alert, as shown in Figure 3.


Figure 3. Firmware alert for admin users.

If the admin user clicks Install, Software Update will be launched and the admin user can install the firmware update immediately. Non-firmware updates should be hidden, but can be shown again by selecting Reset Ignored Updates from the Software Update menu.

If you don't want to retype this script (and who would?) you can find a copy here:

http://managingosx.wordpress.com/2009/01/06/firmware-updates/

To get the script to run at login for every user, we'll use a launchd agent. Make a directory called "Management" in the root Library directory (if you have another directory for this sort of thing, feel free to use that instead):

mkdir /Library/Management

Save the script as "firmwarecheck.pl" in that directory. Make sure it has execute rights:

chmod 755 /Library/Management/firmwarecheck.pl

You can check if you did things correctly by trying to run it:

/Library/Management/firmwarecheck.pl

Now we can create a launchd item to run it at login for every user. Create a plain text file at /Library/LaunchAgents/com.myorg.firmwarecheck.plist with this content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
      <key>Label</key>
      <string>com.myorg.firmwarecheck</string>
      <key>LimitLoadToSessionType</key>
      <string>Aqua</string>
      <key>Program</key>
      <string>/Library/Management/firmwarecheck.pl</string>         
      <key>RunAtLoad</key>
      <true/>
</dict>
</plist>

Some of these launchd keys are new in Leopard, but this launchd item will also work in Tiger. Check to make sure your launchd plist is a valid plist file:

cd /Library/LaunchAgents
plutil -lint com.myorg.firmwarecheck.plist
com.myorg.firmwarecheck.plist: OK

If you don't get an "OK" message, double-check your typing. Ensure your new launchd item is owned by root:wheel and has mode 644:

cd /Library/LaunchAgents
sudo chown root:wheel com.myorg.firmwarecheck.plist
sudo chmod 644 com.myorg.firmwarecheck.plist

If you made no mistakes, /Library/Management/firmwarecheck.pl will now be launched whenever someone logs in. All the pieces are in place! Package up the two files and push them out using your favorite software distribution mechanism.

End of Pain?

In this month's column, we dealt with the pain of firmware updates in an enterprise environment by pushing the pain throughout the organization. A script that runs at login checks to see if firmware updates are available for the machine. If firmware updates are found, the user is notified. Even if the user chooses to ignore these notifications, the next time an admin user logs into the machine they will also be notified. If you are lucky, you'll have users who will call the help desk, and then you can use Apple Remote Desktop, Leopard Screen Sharing, or another remote access solution to kick off the firmware update, and tell the user to do the "human-needed" part of holding down the power button for those updates that require it. If you're not so lucky, at least you'll know when machines need updates, and the next time you visit the machine and log in as an administrator, you'll be reminded to apply the updates.

Even if this solution doesn't make sense for you or your organization, the techniques presented here could be used to craft other solutions - for this problem and others. As an OS X system administrator, you'll want to be familiar with as many tools as possible. This column touched on softwareupdate, Perl scripting, AppleScript, and launchd, each important tools in the Mac sysadmin's toolbox!


Greg Neagle is a member of the steering committee of the Mac OS X Enterprise Project (macenterprise.org) and is a senior systems engineer at a large animation studio. Greg has been working with the Mac since 1984, and with OS X since its release. He can be reached at gregneagle@mac.com.

 
AAPL
$111.78
Apple Inc.
-0.87
MSFT
$47.66
Microsoft Corpora
+0.14
GOOG
$516.35
Google Inc.
+5.25

MacTech Search:
Community Search:

Software Updates via MacUpdate

LibreOffice 4.3.5.2 - Free Open Source o...
LibreOffice is an office suite (word processor, spreadsheet, presentations, drawing tool) compatible with other major office suites. The Document Foundation is coordinating development and... Read more
CleanApp 5.0.0 Beta 5 - Application dein...
CleanApp is an application deinstaller and archiver.... Your hard drive gets fuller day by day, but do you know why? CleanApp 5 provides you with insights how to reclaim disk space. There are... Read more
Monolingual 1.6.2 - Remove unwanted OS X...
Monolingual is a program for removing unnecesary language resources from OS X, in order to reclaim several hundred megabytes of disk space. It requires a 64-bit capable Intel-based Mac and at least... Read more
NetShade 6.1 - Browse privately using an...
NetShade is an Internet security tool that conceals your IP address on the web. NetShade routes your Web connection through either a public anonymous proxy server, or one of NetShade's own dedicated... Read more
calibre 2.13 - Complete e-library manage...
Calibre is a complete e-book library manager. Organize your collection, convert your books to multiple formats, and sync with all of your devices. Let Calibre be your multi-tasking digital librarian... Read more
Mellel 3.3.7 - Powerful word processor w...
Mellel is the leading word processor for OS X and has been widely considered the industry standard since its inception. Mellel focuses on writers and scholars for technical writing and multilingual... Read more
ScreenFlow 5.0.1 - Create screen recordi...
Save 10% with the exclusive MacUpdate coupon code: AFMacUpdate10 Buy now! ScreenFlow is powerful, easy-to-use screencasting software for the Mac. With ScreenFlow you can record the contents of your... Read more
Simon 4.0 - Monitor changes and crashes...
Simon monitors websites and alerts you of crashes and changes. Select pages to monitor, choose your alert options, and customize your settings. Simon does the rest. Keep a watchful eye on your... Read more
BBEdit 11.0.2 - Powerful text and HTML e...
BBEdit is the leading professional HTML and text editor for the Mac. Specifically crafted in response to the needs of Web authors and software developers, this award-winning product provides a... Read more
ExpanDrive 4.2.1 - Access cloud storage...
ExpanDrive builds cloud storage in every application, acts just like a USB drive plugged into your Mac. With ExpanDrive, you can securely access any remote file server directly from the Finder or... Read more

Latest Forum Discussions

See All

Make your own Tribez Figures (and More)...
Make your own Tribez Figures (and More) with Toyze Posted by Jessica Fisher on December 19th, 2014 [ permalink ] Universal App - Designed for iPhone and iPad | Read more »
So Many Holiday iOS Sales Oh My Goodness...
The holiday season is in full-swing, which means a whole lot of iOS apps and games are going on sale. A bunch already have, in fact. Naturally this means we’re putting together a hand-picked list of the best discounts and sales we can find in order... | Read more »
It’s Bird vs. Bird in the New PvP Mode f...
It’s Bird vs. Bird in the New PvP Mode for Angry Birds Epic Posted by Jessica Fisher on December 19th, 2014 [ permalink ] Universal App - Designed for iPhone and iPad | Read more »
Telltale Games and Mojang Announce Minec...
Telltale Games and Mojang Announce Minecraft: Story Mode – A Telltale Games Series Posted by Jessica Fisher on December 19th, 2014 [ permalink ] | Read more »
WarChest and Splash Damage Annouce Their...
WarChest and Splash Damage Annouce Their New Game: Tempo Posted by Jessica Fisher on December 19th, 2014 [ permalink ] WarChest Ltd and Splash Damage Ltd are teaming up again to work | Read more »
BulkyPix Celebrates its 6th Anniversary...
BulkyPix Celebrates its 6th Anniversary with a Bunch of Free Games Posted by Jessica Fisher on December 19th, 2014 [ permalink ] BulkyPix has | Read more »
Indulge in Japanese cuisine in Cooking F...
Indulge in Japanese cuisine in Cooking Fever’s new sushi-themed update Posted by Simon Reed on December 19th, 2014 [ permalink ] Lithuanian developer Nordcurrent has yet again updated its restaurant simulat | Read more »
Badland Daydream Level Pack Arrives to C...
Badland Daydream Level Pack Arrives to Celebrate 20 Million Downloads Posted by Ellis Spice on December 19th, 2014 [ permalink ] | Read more »
Far Cry 4, Assassin’s Creed Unity, Desti...
Far Cry 4, Assassin’s Creed Unity, Destiny, and Beyond – AppSpy Takes a Look at AAA Companion Apps Posted by Rob Rich on December 19th, 2014 [ permalink ] These day | Read more »
A Bunch of Halfbrick Games Are Going Fre...
A Bunch of Halfbrick Games Are Going Free for the Holidays Posted by Ellis Spice on December 19th, 2014 [ permalink ] Universal App - Designed for iPhone and iPad | Read more »

Price Scanner via MacPrices.net

Invaluable Launches New Eponymously -Named A...
Invaluable, the world’s largest online live auction marketplace, hhas announced the official launch of the Invaluable app for iPad, now available for download in the iTunes App Store. Invaluable... Read more
IDC Reveals Worldwide Mobile Enterprise Appli...
International Data Corporation (IDC) last week hosted the IDC FutureScape: Worldwide Mobile Enterprise Applications and Solutions 2015 Predictions Web conference. The session provided organizations... Read more
The Apple Store offering free next-day shippi...
The Apple Store is now offering free next-day shipping on all in stock items if ordered before 12/23/14 at 10:00am PT. Local store pickup is also available within an hour of ordering for any in stock... Read more
It’s 1992 Again At Sony Pictures, Except For...
Techcrunch’s John Biggs interviewed a Sony Pictures Entertainment (SPE) employee, who quite understandably wished to remain anonymous, regarding post-hack conditions in SPE’s L.A office, explaining “... Read more
Holiday sales this weekend: MacBook Pros for...
 B&H Photo has new MacBook Pros on sale for up to $300 off MSRP as part of their Holiday pricing. Shipping is free, and B&H charges NY sales tax only: - 15″ 2.2GHz Retina MacBook Pro: $1699... Read more
Holiday sales this weekend: MacBook Airs for...
B&H Photo has 2014 MacBook Airs on sale for up to $120 off MSRP, for a limited time, for the Thanksgiving/Christmas Holiday shopping season. Shipping is free, and B&H charges NY sales tax... Read more
Holiday sales this weekend: iMacs for up to $...
B&H Photo has 21″ and 27″ iMacs on sale for up to $200 off MSRP including free shipping plus NY sales tax only. B&H will also include a free copy of Parallels Desktop software: - 21″ 1.4GHz... Read more
Holiday sales this weekend: Mac minis availab...
B&H Photo has new 2014 Mac minis on sale for up to $80 off MSRP. Shipping is free, and B&H charges NY sales tax only: - 1.4GHz Mac mini: $459 $40 off MSRP - 2.6GHz Mac mini: $629 $70 off MSRP... Read more
Holiday sales this weekend: Mac Pros for up t...
B&H Photo has Mac Pros on sale for up to $500 off MSRP. Shipping is free, and B&H charges sales tax in NY only: - 3.7GHz 4-core Mac Pro: $2599, $400 off MSRP - 3.5GHz 6-core Mac Pro: $3499, $... Read more
Save up to $400 on MacBooks with Apple Certif...
The Apple Store has Apple Certified Refurbished 2014 MacBook Pros and MacBook Airs available for up to $400 off the cost of new models. An Apple one-year warranty is included with each model, and... Read more

Jobs Board

*Apple* Store Leader Program (US) - Apple, I...
…Summary Learn and grow as you explore the art of leadership at the Apple Store. You'll master our retail business inside and out through training, hands-on experience, Read more
Project Manager, *Apple* Financial Services...
**Job Summary** Apple Financial Services (AFS) offers consumers, businesses and educational institutions ways to finance Apple purchases. We work with national and Read more
*Apple* Retail - Multiple Positions (US) - A...
Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, you're also the Read more
*Apple* Retail - Multiple Positions (US) - A...
Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, you're also the Read more
*Apple* Retail - Multiple Positions (US) - A...
Job Description: Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.