/build/static/layout/Breadcrumb_cap_w.png

Is the Kace K1000 adding a home CatalogURL to the com.apple.SoftwareUpdate.plist?

I've started noticing a number of Macs turning up with "Updates for this Mac are managed by '127.0.0.1' Details..."

A CatalogURL string would be something like this: "http://127.0.0.1:5223/index-PTCH195506.sucatalog".

I've disabled all patching schedules some time ago in Kace for Macs, but still run a weekly detect schedule.

But this issue is something new and Kace tech support isn't sure if it is the K1000 or not. I'm pretty sure it is as we don't have any other Mac patching system in place.

Any one else see this with a k1000?


5 Comments   [ + ] Show comments
  • What version of the SMA and version of Agent installed on the Mac.
    Also what is version of the Mac OS? - KevinG 4 years ago
  • K1000 is Version: 10.1.99
    Macs are mostly 10.14.*, but it is also happening on a few 10.13.* and 10.15.*. - kpm8 4 years ago
  • Are you using an MDM solution? Is the setting being controlled by a profile? - chucksteel 4 years ago
    • We have recently implemented Intune, but as of yet have not configured it for any Macs. There has been a couple Macs added to test encryption but no profiles created. - kpm8 4 years ago
      • We do patch with the SMA and I haven't seen this behavior on our fleet of machines, so I don't think the SMA is responsible. I would also expect the URL to be set to the IP of the SMA and not localhost. - chucksteel 4 years ago
  • Thanks Chucksteel, that makes sense... I'm just resetting the software update settings and then monitoring to see if any get reset for now. - kpm8 4 years ago
  • Afternoon all, may I ask you both what you use to patch the macs?
    I have been using the kace sma but for a long time I have troubles with it detecting the latest macOS security update, the older models it detects fine but newer models it does not even detect like my laptop. Have been down the support channel with kace but have not got anywhere this for at least the last macOS security updates. - markc0 4 years ago
    • We are also having macOS patching issues with the new 10.x patching system. Hoping support is able to resolve the problems with OS patches.

      It doesn't make sense as some machines detect fine, while others don't detect patches they need at all. And for us, there doesn't seem to be any indication of a correlation, i.e. it's not related to newer vs older models.

      Even devices with matching macOS builds are having different detect results. For the same patch, some detect the patch while other don't detect the patch at all.


      logs seem to indicate detect issues

      i.e. on a machine that is missing the patch but fails to detect it for "Security Update 2020-002 for macOS Mojave 10.14.6":
      KacePatchModule::AsusDetect: Patch detection using softwareupdate didn't find a patch. Checking install.log instead.

      KacePatchModule::AsusDetect: This patch doesn't apply. Id: (PTCH231299). Apple product id: (061-90745)

      KacePatchModule::AsusDetect: Package identifier not found: (com.apple.pkg.update.os.SecUpd2020-002Mojave.18G4032)
      KacePatchModule::AsusDetect: Package identifier not found: (com.apple.update.fullbundleupdate.18G4032)


      (some of my colleagues are starting to look at other avenues to replace KACE, not just for this issue but because of other SMA macOS deficiencies related to newer macOS security, like something that can also do MDM for handling Kernel Extensions without having to purchase a separate appliance. But not to actually manage any mobile devices.) - erush 4 years ago

Answers (1)

Answer Summary:
Posted by: erush 4 years ago
Yellow Belt
1

Top Answer

Yes, they are temporarily replacing CatalogURL with every individual Apple Publisher patch detect. This was one of the first things I noticed with the new 10.x patching system.

For patches where Apple is the publisher, KACE is using Apple Software Update Server (acronymed ASUS, not related to AsusTek). For all other macOS non-Apple publisher patches they seem to be using Munki. (I think ASUS is used within Munki, but not sure if that is how it is used with SMA.)

You can see in the URL you have there "PTCH195506" which is "Remote Desktop 3.5.3" in the SMA patch catalog, you will see the a folder named ASUS in /Library/Application Support/Quest/KACE/data/kpd/,  and you can see when they change CatalogURL to a localhost webserver that spins up on 52232 in KAgent.log.

I guess they spin up the webserver on localhost because all the detect files are there, probably makes it quicker and more efficient (for every Apple patch?).

In KAgent.log each detect starts with, "KacePatchModule::Detect: Processing patch ID" everything between relates to the single patch detect.


You can see when ASUS changes CatalogURL, i.e.:

[2020-04-24.07:12:22][KacePatch:start_asus_webserver  ] KacePatchModule::start_asus_webserver: Temporary webserver brought up at http://127.0.0.1:52232
[2020-04-24.07:12:24][KacePatch:set_asus_catalog      ] KacePatchModule::set_asus_catalog: Setting software update catalog to (http://127.0.0.1:52232/index-PTCH231293.sucatalog)
[2020-04-24.07:12:24][KacePatch:set_catalog_url       ] AsusPrefs::set_catalog_url: Checking apple software update preferences in domain: (/Library/Preferences/com.apple.SoftwareUpdate)
[2020-04-24.07:12:24][KacePatch:set_catalog_url       ] AsusPrefs::set_catalog_url: Checking to see if orginal catalog url was already saved
[2020-04-24.07:12:24][KacePatch:get_catalog_url       ] AsusPrefs::get_catalog_url: Getting Current catalog URL
[2020-04-24.07:12:24][KacePatch:set_catalog_url       ] AsusPrefs::set_catalog_url: Original catalog URL is empty or starts with our value so not saving
[2020-04-24.07:12:24][KacePatch:set_catalog_url       ] AsusPrefs::set_catalog_url: Setting catalog URL to: (http://127.0.0.1:52232/index-PTCH231293.sucatalog)
[2020-04-24.07:12:24][KacePatch:set_catalog           ] AsusPrefs::set_catalog: Setting catalog URL: (http://127.0.0.1:52232/index-PTCH231293.sucatalog)
[2020-04-24.07:12:24][KacePatch:set_catalog           ] AsusPrefs::set_catalog: Set catalog command output: (Changed catalog to http://127.0.0.1:52232/index-PTCH231293.sucatalog)
[2020-04-24.07:12:24][KacePatch:get_catalog_url       ] AsusPrefs::get_catalog_url: Getting Current catalog URL
[2020-04-24.07:12:24][KacePatch:set_asus_catalog      ] KacePatchModule::set_asus_catalog: Software update catalog set to (http://127.0.0.1:52232/index-PTCH231293.sucatalog)
[2020-04-24.07:12:54][KacePatch:AsusDetect            ] KacePatchModule::AsusDetect: About to attempt patch detection... Running /usr/sbin/softwareupdate -l 2>&1
[2020-04-24.07:12:54][KacePatch:AsusDetect            ] KacePatchModule::AsusDetect: Detection output line: (No new software available.
)
[2020-04-24.07:12:54][KacePatch:AsusDetect            ] KacePatchModule::AsusDetect: Detection output line: (Software Update Tool
)
[2020-04-24.07:12:54][KacePatch:AsusDetect            ] KacePatchModule::AsusDetect: Detection output line: (
)
[2020-04-24.07:12:54][KacePatch:AsusDetect            ] KacePatchModule::AsusDetect: Detection output line: (Finding available software
)
[2020-04-24.07:12:54][KacePatch:AsusDetect            ] KacePatchModule::AsusDetect: Detection output line: ()
[2020-04-24.07:12:54][KacePatch:AsusDetect            ] KacePatchModule::AsusDetect: Patch detection using softwareupdate didn't find a patch. Checking install.log instead.


and when they are done detecting they set it back and teardown the temp localhost webserver:

[2020-04-24.07:12:55][KacePatch:reset_asus_catalog    ] KacePatchModule::reset_asus_catalog: Reseting software update catalog to original value
[2020-04-24.07:12:55][KacePatch:reset_original_catalog] AsusPrefs::reset_original_catalog_url: Checking apple software update preferences in domain: (/Library/Preferences/com.apple.SoftwareUpdate)
[2020-04-24.07:12:55][KacePatch:clear_catalog         ] AsusPrefs::clear_catalog: Clearing catalog URL
[2020-04-24.07:12:55][KacePatch:clear_catalog         ] AsusPrefs::clear_catalog: Clear catalog command output: (Changed catalog to Apple production)
[2020-04-24.07:12:55][KacePatch:reset_asus_catalog    ] KacePatchModule::reset_asus_catalog: Software update catalog reset to original value
[2020-04-24.07:12:57][KacePatch:stop_asus_webserver   ] KacePatchModule::stop_asus_webserver: Bringing down temporary web server.
[2020-04-24.07:12:57][KacePatch:stop_asus_webserver   ] KacePatchModule::stop_asus_webserver: Running command: (launchctl bootout system/com.kace.patching-asus 2>&1)
[2020-04-24.07:12:57][KacePatch:stop_asus_webserver   ] KacePatchModule::stop_asus_webserver: Cmd Output: (Boot-out failed: 36: Operation now in progress)
[2020-04-24.07:12:57][KacePatch:stop_asus_webserver   ] KacePatchModule::stop_asus_webserver: Running command: (rm -f /Library/LaunchDaemons/com.kace.patching-asus.plist 2>&1)
[2020-04-24.07:12:57][KacePatch:stop_asus_webserver   ] KacePatchModule::stop_asus_webserver: Cmd Output: ()
[2020-04-24.07:12:57][KacePatch:stop_asus_webserver   ] KacePatchModule::stop_asus_webserver: Temporary web server brought down.


Comments:
  • Good sleuthing. I knew they were using Munki for patching but had not seen any of this. - chucksteel 4 years ago
  • Thanks erush! I'll be sure to update my Kace tech support ticket with a link to this response. - kpm8 4 years ago
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ