
Apple just announced macOS Catalina.

Has anyone already added this to their software restriction list to prevent users from installing the beta version?

Or do we need to wait for the package to be uploaded to the developer's website?

Thanks in advance.

@JarvisUno Thanks, this is pretty nice to have.

@jzarate According to the script, you put "yes" in Parameter 4.


I downloaded Catalina from the App Store, and when launching it should be blocked as restricted, but it works fine? As far as I can see, I use the same as the example above?


Remove the "" from your Process Name:
Process Name: Install macOS Catalina or use Install macOS Catalina.app


@jzarate or remove it altogether from Parameter 4 and use the script for other updates in the future.

Also to double check what updates are being blocked use:

softwareupdate --ignore

@JarvisUno, might be a bad question, but all Jamf scripts run as sudo, right? So there is no need to scope it to user? Just to computer will do it? (I'm talking about Execution frequency: once per computer vs once per user per computer)


@iri No question is stupid, yes the script will take care of it.


@jameson This might be anecdotal but my restriction process (10.15.1 on prem) did not honor my use of wild card at the tail of "macOS Catalina" and I needed to explicitly define the .app (ask me how I found out). This had been working fine with beta tests on the previous 10.11.1 instance so I am unsure if this is an environmental thing or an issue with the product but the tl;dr is make that change and force a management refresh on endpoints along with the update suppression and you should be good.


Configuring a block for InstallAssistant and a block for Install macOS Catalina is NOT working in JAMF Pro v. 10.15.1 (Cloud version). I've added 5 Macs to the scope and I was successfully able to download the Install macOS Catalina application and even run it. Yesterday, I applied a macOS Deferral Configuration Profile to all my Macs in the fleet. However, I was able to upgrade to Catalina on 3 of those Macs that were in the scope.

I took the script approach as mentioned in an above post and created a policy to apply to Macs: https://github.com/palantir/jamf-pro-scripts/blob/master/scripts/Update%20macOS%20softwareupdate%20Ignore%20List.sh
This seems to be the only thing that can block the Catalina update. I had to run the policy twice on a MacBook Pro and have the user restart in order for Catalina to not show up in Software Update in System Preferences. #IDK


Ran the script against my own computer twice and rebooted it. Doesn't seem to be working for me as Catalina is still showing up in the Software Update in Sys preferences.

Trying to see if it's only me or if any of my users are affected.


@yungstump Did you use the script that was added above?

If yes, what was the outcome after you ran the policy?


I saw on Twitter someone retweet @RobertHammen (I am going to assume it's the same person) blocking it with the --ignore command. I'll probably go that route for the time being. Using the following command: /usr/sbin/softwareupdate --ignore "macOS Catalina"


@JarvisUno The script is working for me. I just have an ongoing policy that reaches out to all machines. I did also put a software restriction as well.


So I tested this a while ago using Restricted Software on my test machine and I was happy with it, but was horrified to learn today that somebody had upgraded to it.

I then downloaded the update on a different device and it ran straight away no problems, then I went off to do something else, came back, and it was now being restricted when I attempted to run it.

Although the setting in Restricted Software was correct, it turns out that the devices in scope will need the Management Framework to refresh in order for the setting to apply (https://macmule.com/2019/10/07/blocking-macos-catalina-with-jamf-pro/#There_is_no_step_2). I don't currently have a policy to do this so will need to look into it, but for the meantime I will use the route of ignoring the update.


Thanks for sharing that script @JarvisUno Works a treat.

Next step - Anyone know how to get rid of the red 1 bubble in system preferences dock icon? :D


@rodders I set up a config profile with a custom setting and the following plist. I tried scripting this but the icon would be refreshed on a regular basis.

I put the config profile into Self Service since it will block all System Preferences notifications and I wanted it to be opt-in.

The issue I'm running into is that users need to either restart, or do a killall Dock before it actually takes effect.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AttentionPrefBundleIDs</key>
    <string>0</string>
</dict>
</plist>

@rodders trying to see if there is another way than a custom profile route as this blocks all update notifications if I am not mistaken.


@strayer I tried your Configuration Profile above using the plist. The profile loaded, but I'm still seeing the badge even after reboot. Any suggestions?


I installed the profile at a system level and then ran

killall Dock

and the effect was instant and the icon has not returned. I did have to convert the plist to an xml before it could be uploaded to jamfcloud using

plutil -convert xml1 /Path/To/com.apple.systempreferences.plist

@strayer, I was missing the correct Preference Domain. That did the trick, thank you!


I reached out to Jamf Support regarding the Restricted Software of Catalina not working in my environment. It turns out, Apple has to add Catalina to their repository and that usually takes a few weeks. In the meantime, we can use a basic command within a policy to block Catalina:

#!/bin/sh
softwareupdate --ignore "macOS Catalina"

If we use the script, is it a simple process to revert it back so we can allow people to download Catalina once some of the bugs have been repaired?


--reset-ignored will remove all ignored updates. Here's a list of the rest of the commands.


@JarvisUno When removing the preferences restrictions, will ignored updates eventually show up? Or do we have to execute sudo softwareupdate --reset-ignored on each machine for the updates to come back for Catalina?
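
An added example, not written by any poster in this thread and not the Palantir or Jamf script: a policy script that applies the `--ignore` block discussed above, then re-reads the ignore list so a run that silently did nothing is reported as a failed policy, plus the `--reset-ignored` revert. The parameter layout (`$4` label, `$5` `reset`), the `SWU` override and the list format described in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the thread's script: ignore an update, then verify it stuck.
# Assumption: `softwareupdate --ignore` prints "Ignored updates:" followed by a
# parenthesised, comma-separated list with one (possibly quoted) label per line.

SWU="${SWU:-/usr/sbin/softwareupdate}"   # overridable so the logic can be tested

# list_ignored: turn that output (stdin) into one bare label per line.
list_ignored() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/,$//' \
        -e 's/^"\(.*\)"$/\1/' \
        -e '/^Ignored updates:$/d' -e '/^[()]$/d' -e '/^$/d'
}

# is_ignored LABEL: succeed only on an exact label match, never a substring.
is_ignored() {
    list_ignored | grep -Fxq -- "$1"
}

# block_update LABEL: add LABEL to the ignore list, then re-read the list.
block_update() {
    "$SWU" --ignore "$1" >/dev/null 2>&1
    if "$SWU" --ignore 2>/dev/null | is_ignored "$1"; then
        echo "OK: '$1' is on the ignore list"
    else
        echo "FAIL: '$1' is not on the ignore list" >&2
        return 1
    fi
}

# unblock_all: --reset-ignored clears every ignored label, not only one.
unblock_all() {
    "$SWU" --reset-ignored >/dev/null 2>&1
}

# Jamf passes custom script parameters starting at $4 (hypothetical layout:
# $4 = update label, $5 = "reset" to undo). Runs only where the tool exists.
if command -v "$SWU" >/dev/null 2>&1; then
    if [ "${5:-}" = "reset" ]; then
        unblock_all
    else
        block_update "${4:-macOS Catalina}"
    fi
fi
```

The non-zero exit on a failed verification is what makes the policy show as failed in the Jamf policy log instead of completed.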


weird follow up...

I had this restricted to a certain group, now I've deleted the restriction but I am still getting the error message I wrote.




@FutureFacinLuke If you run 'sudo jamf manage' on a Mac reporting the restriction is still in place that will force a reload of the restriction settings.