I’ve been using an internal Microsoft AutoUpdate (MAU) Caching Server here at the newspaper since shortly after it was announced by Paul Bowden last year. I helped explain the various configuration options available last night in the #microsoft-office channel of the MacAdmins Slack and wanted to expand on them with a more detailed article.
There are three different ways the MAU Caching Server can be configured. If you are interested in learning the differences between those options, please read on.
Before going any further make sure you have read Bowden’s support bulletin, Deploying a MAU Caching Server. It contains technical details that I won’t be covering here. The article does a good job of explaining the options but there are still frequent questions in Slack.
After deciding on the option that works best in your environment you’ll need the latest version of MAUCacheAdmin to deploy your server. I won’t get into details of using MAUCacheAdmin in this post. You’ll also need any generic HTTP server (ports 80/443 only) to actually host the cache and/or manifests.
Option 1: “UpdateCache”
This is the option to use when you simply want to save bandwidth.
When running an “UpdateCache” server the MAU application on the client computers will reference collateral from Microsoft (which will always be the latest version) but will download the updates from your local server. If your local server cannot be reached the client will then fall back to Microsoft’s CDN servers to download the updates.
This option can save you bandwidth but provides no control over when end users are offered the latest updates.
Option 2: “ManifestServer”
This is the option to use when you want to control when and what update versions are offered to the clients.
When running a “ManifestServer” the MAU application on client computers will reference collateral on your server as the authoritative source about available updates but will download them from Microsoft’s CDN. This allows you to create multiple folders such as testing and live to stagger updates between different groups of computers within your organization. If your local server cannot be reached the clients will not fall back to Microsoft and no updates will be offered.
This option provides complete control over when end users are offered the latest updates but saves no bandwidth.
Option 3: Combine both
This is the option to use when you want full control over MAU collateral and updates.
When running both an “UpdateCache” and “ManifestServer” the MAU application on client computers will talk exclusively with your local server and will never contact the Microsoft CDN for anything. MAUCacheAdmin on your HTTP server will handle downloading all information from the internet.
This allows you to control when updates get detected by MAU on clients, and clients also download those updates from the local cache to save bandwidth.
Configuring the clients
There is one setting that needs to be configured on clients to reference an “UpdateCache” and two for a “ManifestServer.” All three options are within the com.microsoft.autoupdate2 preference domain and can be set with a defaults write or with a configuration profile.
defaults write com.microsoft.autoupdate2 UpdateCache -string 'https://server/folder/'
defaults write com.microsoft.autoupdate2 ManifestServer -string 'https://server/folder/'
defaults write com.microsoft.autoupdate2 ChannelName -string 'Custom'
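The mapping from the three options to these settings, as an added example (not code from the original post or from Microsoft): a shell function that checks the server URL and prints the matching defaults commands without running them. The mode names cache, manifest and both are hypothetical labels for Options 1, 2 and 3, and using one URL for both settings and appending a trailing slash are assumptions taken from the form of the commands above.

```shell
#!/bin/sh
# Added example: print the client settings for a chosen MAU server option.
# Usage: mau_client_commands MODE URL
#   MODE (hypothetical names): cache = Option 1, manifest = Option 2, both = Option 3
DOMAIN='com.microsoft.autoupdate2'

# Accept only http/https URLs on ports 80/443 (the post's stated constraint).
# Quotes and spaces are rejected because the URL is emitted inside '...'.
# IPv6 literal hosts are not handled and are rejected.
mau_valid_url() {
    case "$1" in
        *"'"*|*' '*) return 1 ;;
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    rest=${1#*://}
    host=${rest%%/*}
    [ -n "$host" ] || return 1
    case "$host" in
        *@*) return 1 ;;                       # no embedded credentials
        *:*) port=${host##*:}
             case "$port" in 80|443) ;; *) return 1 ;; esac ;;
    esac
    return 0
}

mau_client_commands() {
    mode=$1
    url=$2
    mau_valid_url "$url" || { echo "invalid server URL: $url" >&2; return 2; }
    case "$mode" in
        cache|manifest|both) ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    case "$url" in */) ;; *) url="$url/" ;; esac   # assumed form, as in the post
    # UpdateCache: Options 1 and 3 (downloads come from the local server)
    if [ "$mode" != manifest ]; then
        printf "defaults write %s UpdateCache -string '%s'\n" "$DOMAIN" "$url"
    fi
    # ManifestServer + ChannelName: Options 2 and 3 (local collateral is authoritative)
    if [ "$mode" != cache ]; then
        printf "defaults write %s ManifestServer -string '%s'\n" "$DOMAIN" "$url"
        printf "defaults write %s ChannelName -string 'Custom'\n" "$DOMAIN"
    fi
}

# Sample call with the placeholder URL from the post
mau_client_commands both 'https://server/folder/'
```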
What if the server can’t be reached?
Another question that comes up often is about how Microsoft AutoUpdate will behave when a computer leaves the office and can’t reach an internal-only MAU server. Thankfully it fails gracefully and doesn’t present end users with any potentially confusing messages. If users attempt to manually update they will simply be told that there are no updates available. Errors about not being able to reach the server will be logged to: /Library/Logs/Microsoft/autoupdate.log
My Setup
I’ve been running Option 3 from the beginning and have been happy with the setup. The “ManifestServer” allows me to test updates before they roll out to the fleet by controlling access to the collateral and the “UpdateCache” makes a huge difference with our relatively low bandwidth internet connection.
Let me know if you have any questions and I’ll be happy to help.