ApexSupportBulletin: DeployingaMAUCachingServerRevision1.1[October21,2016]Contactpbowden@microsoft.comSummaryMicrosoftAutoUpdate(MAU)isautilitythatdetects,downloadsandappliesupdatestoMicrosoftapplicationsinstalledonmacOS.Specifically,MAUsupportsOffice2016,Office2011,SkypeforBusinessandLyncapps.MAUisnotusedforMicrosoftappsthataredownloadedfromtheMacAppStore.Bydefault,MAUwillperformversionchecksagainstMicrosoft’sContentDeliveryNetwork(CDN)ontheInternettodeterminewhetherthelocallyinstalledapphasanupdateavailable.Ifanupdateisavailable,MAUwilldeterminethesmallestpackagetodownloadtobringthelocallyinstalledversionoftheappup-to-date.TherearetwoscenarioswhereenterpriseITadminsmightwantbettercontrolovertheupdateworkflow:

1. TheabilityforMAUtousealocalnetworksourceforretrievingupdatepackagesinsteadoftheMicrosoftCDNontheInternet.Thisscenarioisgoodfor‘branch’scenarios,andcaseswhereInternetbandwidthislimited.Forthisscenario,MAUcanbeconfiguredtousean‘UpdateCache’.

2. AnenterprisemightwanttohavestrictcontrolonwhichversionofOfficeapplicationscanbeinstalled.Forexample,MicrosoftreleasesproductionqualityupdatesonthesecondorthirdTuesdayofeachmonth.Anenterprisemightwanttotemporarilypreventusersfromupdatingtothenewbuildtoverifycompatibilitywithcustomapplications.Forthisscenario,MAUcanbeconfiguredtouseacustom‘ManifestServer’.

Bothofthescenariosabovecanbedeployedindependently,ortogether,dependingontherequirementsofthebusiness.MAU3.8orlaterisrequiredtosupportbothofthesescenarios.HowMAUWorksMAUdetectsapplicationupdatesevery12hoursbycheckingaversionnumberembeddedinanXMLfile(knownasa‘manifest’)ontheInternetandcomparingthatagainsttheversionofthelocallyinstalledapp.IfthebackgrounddaemonnoticesthattheXMLfilereferencesanewerversionthanwhatisinstalled,thefullMAUapplicationwindowisopenedandusersarepromptedtoupdate.TheexactURLoftheXMLfileisdictatedbytwofactors1)theupdatechannelthattheuserissubscribedto2)theidentifieroftheapplicationthatisbeingchecked.Thefollowingend-pointsarethebaseURLsforeachofthechannelsthatMAUsupports:

ChannelName ChannelPurpose BaseURLProduction Highest-qualitymonthly

releaseshttps://officecdn.microsoft.com/pr/C1297A47-86C4-4C1F-97FA-950631F94777/OfficeMac/

External InsiderSlow–Highquality,earlyaccessbuilds

https://officecdn.microsoft.com/pr/1ac37578-5a24-40fb-892e-b89d85b6dfaa/OfficeMac/

InsiderFast InsiderFast–Goodqualityweeklybuilds

https://officecdn.microsoft.com/pr/4B2D7701-0A4F-49C8-B4CB-0C2D4043F51F/OfficeMac/

Applicationidentifiersconsistofa4-characterlanguageidentifier,4-characterappnameand2-characterversionnumber.Typicalexamplesareasfollows:

Application FullApplicationIdentifierWord2016forMac 0409MSWD15Excel2016forMac 0409XCEL15PowerPoint2016forMac 0409PPT315Outlook2016forMac 0409OPIM15OneNote2016forMac 0409ONMC15Office2011forMac(English) 0409MSOf14Lync2011forMac 0409UCCP14SkypeforBusinessMac 0409MSFB16MicrosoftAutoUpdate 0409MSau03

Importantnotes:

1. TheinternalversionofOffice2016forMacapplicationsis‘15’,whereastheinternalversionof2011applicationsis‘14’2. Office2016applicationsarelanguage-neutralbuildsanduseafixedlanguageidentifierof0409,regardlessofthelanguagepreference3. Office2011updatesaredeliveredasasuite,soall2011appsuseasingleappnameof‘MSOf’

Ifyouknowthechannelandapplication,youcandeterminetheexactURLoftheXMLfilethatMAUwillusetocheckforupdates.Forexample,PowerPoint2016ontheInsiderFastchannelwillusehttps://officecdn.microsoft.com/pr/4B2D7701-0A4F-49C8-B4CB-0C2D4043F51F/OfficeMac/0409PPT315.xmltocheckforupdates.InadditiontotheXMLfile,aMicrosoft-signedsecuritycatalog(.CAT)ofthesamenameisusedtoverifythatboththeXMLfilehasn’tbeentamperedwith,andtheupdatepackageshavenotbeenalteredinanyway.ThecombinationofXMLandCATarecommonlyknownas‘collateral’.MAUrequiresboththeXMLandCATfiletobepresenttosuccessfullydetectupdates.Scenario1:Deployingan‘UpdateCache’ServiceTherearethreecomponentsthatmakeuptheUpdateCachesolution:

1. TheMAUCacheAdmintoolwhichcopiesfilesfromMicrosoft’sCDNtoafolderofyourchoice.2. AnHTTP/HTTPSwebservicethatexposesyourfoldertoclientsonyournetwork.3. AconfigurationchangetotheMAUclientoneachusers’machine.

TheMAUCacheAdmintoolThe‘MAUCacheAdmin’toolcanbeusedtocopybothcollateralandupdatepackagesfromtheMicrosoftCDNtoafolderofyourchoice.ThelatestversionofMAUCacheAdmin,whichisabashscript,canbedownloadedfromhttps://github.com/pbowden-msft/MAUCacheAdminBydefault,theMAUCacheAdmintoolcheckstheCDNanddownloadsupdatesjustonce.Ifyouwishtorunthetoolinaloopusethe--CheckIntervalcommand-lineparameter.Allavailableupdatepackagesaredownloadedintotherootofthefolderthatyouspecifywiththe--CachePathcommand-lineparameter.Onlyproductionqualitybuildsaredownloadedbythetool.ForOffice2016applications,thetoolwilldownloadboth‘full’updates,and‘delta’updatesforthepreviousthreereleases.Atypicalmonthlyupdateforallappswillconsume~8GBofdiskspace.

HTTP/HTTPSwebserviceYouwillneedtoexposetheCachePathfolderaspartofanHTTPorHTTPSserver.MAUhasnodependencyontheoperatingsystemorversionofthewebhost.AnyHTTPserver,includingApache,InternetInformationService(IIS),andevenpython’sSimpleWebServeriscapableofhostingMAUcontent.TheonlyrequirementthatMAUhasisthattheservermustreturna404responseifitdoesn’thaveacopyoftherequestedpackage.NOTE:Thewebservicemustusethestandardportsof80and443.MAUdoesnotsupportcustomportdefinitions.

ConfiguringtheMAUclienttousealocalserverOnceyourwebserverisdeployed,youmustconfigureeachusers’MAUclienttopreferthelocalserviceovertheCDN.YoucanuseConfigurationProfilestodeploytheseoverrides,orsimplyusethedefaultscommand-linetooltosetlocalpreferences:

defaults write com.microsoft.autoupdate2 UpdateCache -string 'https://server/folder/' IMPORTANT:EnsurethatatrailingslashisusedwhenspecifyingthevaluefortheUpdateCachepreference.Thisismandatory.Inthisscenario,MAUwillstillusethecollateralontheMicrosoftCDNtodetectupdates,butbeforedownloadingthoseupdatepackagesovertheInternetfromtheCDN,itwillfirstchecktheUpdateCacheserver.IftheUpdateCacheserverhasalocalcopyoftheupdate,a200responsewillbesenttotheclientandMAUwillobtainitsupdatefromthelocalserver.Iftheserverreturnsa404(notfound)response,MAUwillfall-backtodownloadingthepackagefromtheCDN.Scenario2:DeployingaCustom‘ManifestServer’ServiceTherearethreecomponentsthatmakeuptheManifestServersolution:

1. ObtainingcopiesofMAU’scollateral2. AnHTTP/HTTPSwebservicethatexposesthecollateraltoclientsonyournetwork.3. AconfigurationchangetotheMAUclientoneachusers’machine.

ObtainingMAUcollateralYoucanusetheMAUCacheAdmintooltoobtaincollateralfromtheCDN.Oneachcheckingcycle,MAUCacheAdminwilldownloadthelatestcollateralandplaceitinthe‘collateral’sub-folderoftheCachePath.ForOffice2016forMacapps,theXMLandCATfilesarestoredunderaper-versionfolder.Office2011collateralisstoredunderasub-foldercalled‘Legacy’.

YoucanalsouseatoolsuchascurltodownloadcopiesofcollateralfromMicrosoft’sserverstoyourcustomserver.Forexample:

curl -# --output --url "https://officecdn.microsoft.com/pr/4B2D7701-0A4F-49C8-B4CB-0C2D4043F51F/OfficeMac/0409PPT315.{xml,cat}"

Finally,youcanfindarchivesofOffice2016applicationcollateralathttp://macadmins.software.SimplydownloadtheDMGrelativetothe‘maximum’versionyouwantMAUtosee.HTTP/HTTPSwebserviceYouwillneedtoexposeyourcollateralfolderaspartofanHTTPorHTTPSserver.MAUhasnodependencyontheoperatingsystemorversionofthewebhost.AnyHTTPserver,includingApache,InternetInformationService(IIS),andevenpython’sSimpleWebServeriscapableofhostingMAUcontent.Itisrecommendedthatyoucreateafoldercalled‘Production’anddragtherelevantapplicationcollateralintothatfolder.ThisflatfolderofapplicationcollateraliswhattheMAUclientwillusetodetermineinanupdateisavailable.Thinkoftheversionedfoldersasalong-termarchive.Youmustdeploycollateralforallapplicationstoyourcustommanifestserver,notjusttheappsthatyouwishtocontrol.Forexample,ifyoudon’tdeploy0409UCCP14collateral,MAUwillnotbeabletocheckforLyncupdates.Ifyourcustommanifestserverisonyourcorporatenetwork,userswhotaketheirmachineshomemaynothavedirectaccesstothewebserverandMAUwillnotbeabletocheckforupdates.IfyouaredeployingbothanUpdateCacheandcustomManifestServer,youcanuseeitherthesamewebserver,ordifferentservers–it’syourchoice.NOTE:Thewebservicemustusethestandardportsof80and443.MAUdoesnotsupportcustomportdefinitions.

ConfiguringtheMAUclienttousecustommanifestsInadditiontoMicrosoft-definedupdatechannels,MAUsupportsacustomchannelwhereyoucanspecifyyourownmanifestserver.YoucanuseConfigurationProfilestodeploytheseoverrides,orsimplyusethedefaultscommand-linetooltosetlocalpreferences:

defaults write com.microsoft.autoupdate2 ChannelName -string 'Custom' defaults write com.microsoft.autoupdate2 ManifestServer -string 'https://server/folder/'

IMPORTANT:EnsurethatatrailingslashisusedwhenspecifyingthevaluefortheManifestServerpreference.Thisismandatory.IfMAUhasbeenconfiguredtouseacustommanifestserver,itwillusethatexactpathasthesingleauthorityofupdates.Ifyourcustommanifestserverisdownornon-functional,MAUwillreportthattheupdateservercouldnotbereached.Itwillnotfail-throughtoMicrosoft’sservers.YoucannotuseMAUtodeploycustomapplications.Attemptingtoalterthemanifest(XML)filewillcauseafilesignaturechange,whichMAUwillreject.

DocumentHistory

Date/Version ChangesOctober6,2016–1.0 Initialversion,basedoncontentsfrom‘ImplementingaCustomManifestServerforMAU’October21,2016–1.1 RevisedtheMAUCacheAdminsectionasthetoolnowjustrunsoncebydefault