All Mac computers need to have direct Internet access. All Mac computers download updates from Apple.com.
Without allowing Mac client computers Internet access, the only way you can still patch Mac software is to use a Software Update Server (SUS). In this case, you must redirect all clients to the SUS on the Mac OS X server.
Software Update Server is part of the OS X Server operating system and contains a repository of all available updates. The OS X Server must be connected to the Internet to download Apple updates. Mac clients can then be redirected to the SUS service on the OS X Server.
The Software Update utility is built in to each client Mac. Users can run the softwareupdate command from time to time or on a schedule like a Windows scheduled task.
If a Mac client has Internet access, then the user can update software. The software update utility runs on the Mac client and presents available services or updates. The user selects the desired services or updates, which are then downloaded through the GUI on the client.