OS X Yosemite

Hello. our block under Restricted Software is working perfectly.
Restricted process name of Install OS X 10.10 Developer Preview

@appledes - you should just be aware that using that path is not 100% guaranteed to stop all cases. The reason is that that path is to the installer app bundle, so when its run, it shows up in the process list kind of like-

/Applications/**+Install OS X 10.10 Developer Preview+**.app/Contents/MacOS/InstallAssistant

Your Restricted Software item is catching the part I bolded and underlined above, but, if a user tries their luck and renames the app bundle to something like "Install Me" the new path would look like-

/Applications/Install Me.app/Contents/MacOS/InstallAssistant

As you can see, the process name you entered is no longer there and Restricted Software won't know to shut it down. I just tried this by the way and the installer still launches when renamed to exactly what I have above.

However, since my Restricted Software item looks for "InstallAssistant", my path looks like this-

/anything can come before this/**InstallAssistant**

You cannot rename the "InstallAssistant" executable in the app's bundle or it stops working altogether. It doesn't even last long enough to show in the Dock before it exits.

Therefore, best practice here would probably be to set up two Restricted Software items
One that uses the normal bundle path like you have and a second one that will use the executable name and catches those cases of a clever user who tries to get around the block by renaming the .app bundle.

Note also that if you decide to use the "Delete" checkbox in the Restricted Software item, using the app bundle will delete the entire installer. whereas mine will only delete the executable and leave the rest. Ether one is effective though. The installer can't be started without the executable. so once its deleted, its worthless to the end user and they would need to try downloading it again.

@mm2270. Thank you for the advice. I will make that adjustment.

I too was using restricted process name of Install OS X 10.10 Developer Preview. And someone got around it. I haven't figured out how yet.

Its still managed, still enrolled, no partitions.

I updated my restriction to include @mm2270 's InstallAssistant suggestion, hopefully that will keep others from doing this. If anyone has an other ideas, please let me know.

@mm270 can you feed that string into casper? I didn't think the casper restricted software would accept a string like that.

@jwojda - Sorry for the confusion. I didn't mean to actually use a string like "/anything can come before this/InstallAssistant" I was using that to illustrate a point that anything can come before the string of "InstallAssistant"

My Restricted Software simply uses InstallAssistant as the process to look for.

lmao, I meant the part earlier about the kill -9 and awk stuff...

never occurred to me to do the InstallAssistant from your post... I'm s-m-u-r-t :)
Thank you for the clarification for those out of it today!

Oh, haha! Sorry, it didn't even occur to me you were asking about the kill -9 line. I was just stating that I tried that kill -9 line when the installer application was up and running and it shut down the installer. So my assumption prior to setting up my actual Restricted Software item would be that adding InstallAssistant in as the process to look for and checking the Kill box would do the same.

So apparently a public beta is starting this week… any tips for restricted process killing?

I'm hoping the process name is the same as the DP from June. If so, I'm set. If not, I'll have to add a new restricted software. I've signed up for the public beta and so will snag it as soon as Apple sends the email. One of use will surely update this thread if the installer process name has changed.

I'm also setting up a smart group to look for 10.10 machines and having it email me, so if one of my eager beavers bypasses the restricted software process and manages to install it, I'll get an email. And then it becomes a disciplinary issue.

@emilykausalik - see above. But as @damienbarrett said, that's good if it doesn't have a name change. As long as someone signs up and posts here, we'll find out. I belong to the other program, and they don't want us doing both. So it should be as simple as what's posted up above...

This was posted the other day, http://support.apple.com/kb/HT6311.

I created a Configuration Profile based on this, https://github.com/golbiga/Profiles/blob/master/blockosxbeta.mobileconfig. If your users are admins you can add an additional section that requires a password to remove it.

Allen

Allen, that's awesome. Great find! I'll be playing around with this config profile tomorrow.

theoretically, if you are not using profiles, would this also work as a 'defaults' command / mcx (Managed Pref) ?
(i.e. "sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AllowPreReleaseInstallation -bool false" )

UPDATE: just tried it using an 'MCX' setting, works that way as well (as i had hoped).
It doesn't stop anything until it get's the the portion of the installer that asks to select a disk

to use that, do i just copy/paste your mobileconfig file into a plist and upload it to JAMF's Config Profile under Custom settings?
When I save the mobileconfig off the github site and upload it to casper, it still wants the PLIST file..

Yup, copy & paste it and name the file whateveryouwant.mobileconfig. Just update it to your environment and if your users are admins you might want to add a section to require a password to remove. When creating a new profile, just upload and set to apply to computer level.

Allen

when I did that, casper still prompted for a plist file.

i tried saving the github to a plist file and uploaded that... but I don't know that it will do the trick.

I just uploaded it but I'm noticing that my JSS (8.73) and my dev JSS (9.32) are stripping the mcx settings. I'm going to test this out more, but it looks like Im going to have package this up with a postinstall script. I really wish Casper's profile options actually matched Profile Manager. It would make this so much easier.

at least it's not my imagination

Try saving the file @golbiga made as a .plist, then create a config profile using the custom settings and upload the file.

@jennifer_unger That works! I just created a com.apple.SoftwareUpdate.plist with AllowPreReleaseInstallation set to false and it applies properly. Thanks!

@jennifer_unger that's what I did, wasn't sure if that would work or not...
guess there's only one way to tell, and that's wait for the public beta to go live.

I just updated my profile https://github.com/golbiga/Profiles/blob/master/blockosxbeta.mobileconfig and I tested against 8.73 and 9.32. This time there are no issues when pushed by my JSS. com.apple.SoftareUpdate in /Library/ManagedPreferences now shows AllowPreReleaseInstallation being set to false.

Allen

@golbiga thank you!

Removed.