Software Update Script for Security Updates Only
warrior
06-08-2004, 09:42 AM
I am one of 5 guys that does administration at the 82 schools in the county. About half these schools use all Macs. That's a lot of machines to keep updated with security updates. I'm wanting to find or write a script that lets me automatically apply the Security Updates and put it as a cron job on each client. I'm okay with each client getting those updates because they're so small and it keeps things more secure. Things like minor and major point updates will be pushed through Apple Remote Desktop after I've had enough time to make sure they won't break anything. Has anyone out there done something like this? The output of the command-line softwareupdate is pretty regular so surely this can be done. All the security updates start with SecUpd and follow with the date and other stuff. I just need to get that string and feed it into the softwareupdate command and have it get that particular update. Any idea of the best way to do this? Shell script? AppleScript? Perl? I figured Perl would probably be the best bet. Can anyone think of any disadvantage to this idea?
Thanks in advance for the help
yellow
06-08-2004, 10:55 AM
Personally I connect to all the Macs under my care with ssh and run the softwareupdater by hand. This is time consuming with 200+ Macs, but I would rather visually be able to verify that the Security Update ran, installed, finished. Then I like to repair permissions and send a reboot notice (if necessary). I wouldn't trust it to a script.
On the other hand, you might want to look into trying to wrangle "cfengine" to do your patch pushing for you.
mervTormel
06-08-2004, 11:03 AM
well, here's one scenario:
$ softwareupdate -l
Software Update Tool
Copyright 2002-2003 Apple Computer, Inc.
Software Update found the following new or updated software:
! SecUpd2004-06-07Pan-1.0
Security Update 2004-06-07, 1.0, 1320K [required] [restart]
$ softwareupdate -l | grep '!.*SecUpd'
! SecUpd2004-06-07Pan-1.0
$ softwareupdate -l | grep '!.*SecUpd' | xargs softwareupdate -i
Software Update Tool
Copyright 2002-2003 Apple Computer, Inc.
softwareupdate: Must be run as root
$ softwareupdate -l | grep '!.*SecUpd' | sudo xargs softwareupdate -i
Password:
Software Update Tool
Copyright 2002-2003 Apple Computer, Inc.
softwareupdate: !: No such update name
Security Update 2004-06-07: 0...10...20...30...40...50...60...70...80...90...100
Optimizing system performance. This may take a while...
Done.
You have installed one or more updates that requires that you restart your
computer. Please restart immediately.
warrior
06-08-2004, 01:41 PM
Wow, that's exactly what I wanted to do. I guess I'll just throw that into the crontab and see how that goes! Thanks so much!
Oriolus
03-14-2005, 06:12 AM
Though it's months ago this topic was posted, I would like to script all updates that come available, preferably daily when everyone starts his or her Mac and gets some coffee :D.
I'm a newbie, not familiar with cron (only a Mac OS X manager for 10 Macs), I have some experience with AppleScript.
I would very much like to install a script on all Macs but I don't know how the script reads if I look at the log in the second answer to the question in this topic. What I'm puzzled about too is how the password has been inserted to permit the job to execute an administrator's task while a user was logged in, possibly without Admin credentials.
Would one of you, please, be so kind as to explain to me how I should install a script achieving a daily check for Software Updates (including Security ones) and if available install those updates, so that the Mac's user doesn't need to know the Admin- or root-password and is not allowed to abort the script?
I would be very thankful in advance!
voldenuit
03-14-2005, 08:11 AM
You most probably don't want to do this without assessing that there are no bugs in the updates.
Waiting a couple of days while monitoring places like here or macfixit is good practice.
Just imagine what will happen to your machines if Apple pushes another broken Ethernet-driver down the update-pipe...
derekhed
03-16-2005, 05:36 PM
Though it's months ago this topic was posted, I would like to script all updates that come available, preferably daily when everyone starts his or her Mac and gets some coffee :D.
Realize that some installations require a reboot. That may not be what the user wants to have happen when they get in first thing in the morning.
I'm a newbie, not familiar with cron (only a Mac OS X manager for 10 Macs), I have some experience with AppleScript.
I would very much like to install a script on all Macs but I don't know how the script reads if I look at the log in the second answer to the question in this topic.
Huh? The script is designed to match any security update based upon the security updates having a standard naming convention. Note that this is no longer the case as security updates seem to be incrementally numbered by year starting in 2005.
What I'm puzzled about too is how the password has been inserted to permit the job to execute an administrator's task while a user was logged in, possibly without Admin credentials.
Not a problem. Just use root's own crontab to call your script! ;)
Would one of you, please, be so kind as to explain to me how I should install a script achieving a daily check for Software Updates (including Security ones) and if available install those updates, so that the Mac's user doesn't need to know the Admin- or root-password and is not allowed to abort the script?
I would be very thankful in advance!
First, you don't want a potential reboot to occur while your users are busy working on their computers. Personally, I would have the script called by periodic/daily so as to execute along with all the other daily drudgery. This occurs early in the morning by default. The aforementioned vaporware script should also be able to reboot the computer, which could potentially create its own problems as voldenuit pointed out.
Take a look at these in your Terminal program:
cat /etc/crontab
This is root's crontab, notice that the daily script is run at 3:15 AM (at least mine is). Now look at:
ls -l /etc/periodic/daily/
Note that there should be two files here that are run every day at 3:15 AM. There should be one called '500.daily'. Do this:
tail -15 /etc/periodic/daily/500.daily
Look for this part:
if [ -f /etc/daily.local ]; then
    echo ""
    echo "Running daily.local:"
    sh /etc/daily.local
fi
This is where you can hook in your own script, just make it executable and name it daily.local, and put it in your /etc/ folder.
Your script should:
1. Check for updates as the code in earlier posts suggests.
2. Restart the machine if necessary
3. I would also have the script email results, a timestamp, and its machine name to you so you don't have to check all 10 computers every day.
Post back if you are interested in pursuing this. ;)
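Added example, not code from any poster in this thread: a shell sketch of the daily.local script outlined in the three steps above. It passes only the update name to `softwareupdate -i`, which avoids the `!: No such update name` error seen in the earlier session, and it reports a needed restart instead of rebooting. The function names, the `--run`/`--demo` switches, the indentation of the sample listing and the allowed-character check are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the `softwareupdate -l` layout shown above.
PREFIX='SecUpd'   # name prefix seen in the thread's listing; change it if the naming changes

# Constructed from the listing earlier in the thread (indentation assumed); used by --demo.
SAMPLE='Software Update found the following new or updated software:
   ! SecUpd2004-06-07Pan-1.0
        Security Update 2004-06-07, 1.0, 1320K [required] [restart]'

# stdin: a `softwareupdate -l` listing. stdout: one security update name per line.
# Only field 2 of "! Name" lines is kept, so the "!" marker never reaches
# `softwareupdate -i`; names with characters outside [A-Za-z0-9._-] are dropped.
secupd_names() {
    awk -v p="$PREFIX" \
        '$1 == "!" && index($2, p) == 1 && $2 ~ /^[A-Za-z0-9._-]+$/ { print $2 }'
}

# stdin: a listing. Succeeds if a listed security update is flagged [restart];
# the flag is on the description line that follows the "! Name" line.
needs_restart() {
    awk -v p="$PREFIX" '
        $1 == "!"             { want = (index($2, p) == 1); next }
        want && /\[restart\]/ { found = 1 }
                              { want = 0 }
        END                   { exit !found }'
}

# Install each pending security update by exact name and print a short report.
run_updates() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') $(hostname): security update check"
    listing=$(softwareupdate -l 2>&1) || { echo "listing failed"; return 1; }
    names=$(printf '%s\n' "$listing" | secupd_names)
    [ -n "$names" ] || { echo "no security updates pending"; return 0; }
    for n in $names; do
        if softwareupdate -i "$n"; then echo "installed $n"; else echo "FAILED $n"; fi
    done
    if printf '%s\n' "$listing" | needs_restart; then
        echo "restart required"   # reported only; when to reboot is left to the admin
    fi
}

case "${1:-}" in
    --run)  run_updates ;;                             # call with --run from /etc/daily.local
    --demo) printf '%s\n' "$SAMPLE" | secupd_names ;;  # parse the embedded sample only
esac
```

Without `--run` the file only defines its functions, so the parsing can be checked against a saved listing before anything is installed.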
Oriolus
03-21-2005, 07:52 AM
You most probably don't want to do this without assessing that there are no bugs in the updates.
Waiting a couple of days while monitoring places like here or macfixit is good practice.
Just imagine what will happen to your machines if Apple pushes another broken Ethernet-driver down the update-pipe...
I'm sure you are right! I only didn't know that such things happen: I blindly run updates as soon as they appear (daily) on my Mac, so I shouldn't!
Thanks for your warnings :(
Oriolus
03-21-2005, 08:02 AM
This is really valuable information! Thank you very much. I'll take care of all your and others' advice. I'm going to study the pros and cons and see where I get stuck; again all of you: thanks :)