We are a school district with staff set up as standard users on their MacBooks. We do not allow the App Store because, by law, we have to approve apps to protect student data. I just found out today that our M1 MacBooks that have been updated to macOS Sonoma are completely bypassing any "Restricted Software" settings in Jamf. So users that update are able to open Terminal, the App Store, etc. even though the restrictions are set up and were working on Ventura.

We are on Jamf version 10.49.0 so I don't believe the update is the issue. Any suggestions are appreciated!

@DylanAckley You're going to need to update to JSS 10.50, and have all of your Macs on macOS 14.0 restart after that upgrade for Restricted Software configurations to work (see the https://learn.jamf.com/bundle/jamf-pro-release-notes-current/page/Important_Notices.html section of the JSS 10.50 release notes). This is because the audit subsystem is no longer enabled by default in macOS 14, and the Restricted Software feature requires it for functionality. The jamf agent with JSS 10.50 will enable it.



Thank you! Thank you! I tried looking through the known issues and searching for this info but all I was getting was results about blocking the Sonoma upgrade. 

I will work on this today!


You can also use this rule from the macOS Security Compliance Project to re-enable Auditd

https://github.com/usnistgov/macos_security/blob/main/rules/audit/audit_auditd_enabled.yaml


For people who don't speak yaml here's a standalone bash script that does what the yaml file @boberito linked to does:

#!/bin/bash

# Enable the audit subsystem if it isn't running

# Is the auditd launchd job loaded? (count of matching lines in launchctl list)
LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)
# Does the audit condition report AUC_AUDITING? (audit -c exists on macOS 14;
# on 13.x it is rejected, see the "illegal option -- c" error further down)
AUDITD_RUNNING=$(/usr/sbin/audit -c | /usr/bin/grep -c "AUC_AUDITING")

if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]] && [[ $AUDITD_RUNNING == 1 ]]; then
    echo "auditd running, nothing to do here"
else
    echo "auditd isn't running, so enable it"
    # Seed the audit configuration from Apple's example file if it is missing
    if [[ ! -e /etc/security/audit_control ]] && [[ -e /etc/security/audit_control.example ]]; then
        /bin/cp /etc/security/audit_control.example /etc/security/audit_control
    fi

    # Enable and load the auditd launch daemon, then (re)initialise auditing
    /bin/launchctl enable system/com.apple.auditd
    /bin/launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.auditd.plist
    /usr/sbin/audit -i
fi

exit 0


Thank you again @sdagley! It worked. It looks like it requires an inventory update as well and then a restart of the MacBook to get the new Restricted Software configurations to work.



Many thanks for this info, sdagley!


Just to chime in on this… this is not the behavior I am seeing with Restricted Software on Jamf `v10.50.0-t1693149930` and Sonoma 14.0. Instead, I find that a Restricted Software app will stay open until a `jamf manage` kicks off and then the app is closed. This is nowhere near the responsiveness that it used to be. 

It's puzzling given all the time Jamf has had to address the changes in Sonoma that they couldn't come up with their own solution to do this in a persistent manner like Hannes Juutilainen did with Big Sur Blocker?


I was on Ventura 13.5 and it allowed me to upgrade to Sonoma even if we blocked it. I checked on other computers and it is locked down.
I think that when the notification from Apple Update comes in it magically unlocks the update. So it basically overwrites JAMF settings.
In case the user does not click on Upgrade and restarts the Mac, then it is locked down again.


On a Mac with 13.6.3 I received the following log; how can I solve this?


Script result: /usr/sbin/audit: illegal option -- c
Usage: audit -e | -i | -n | -s | -t
auditd isn't running, so enable it
Bootstrap failed: 5: Input/output error
Trigger sent.
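
The usage line in that log shows why the script fails on 13.6.3: macOS 13's audit(8) only accepts -e, -i, -n, -s and -t, so the `audit -c` state check is a Sonoma-only test. Below is an added, version-aware variant of the enable script (written for this reply; not the thread's script and not from the mSCP project). It keeps the same paths and launchd label as the original, only consults `audit -c` on macOS 14 or later, skips `launchctl bootstrap` when launchd already has the job loaded, and assumes a hypothetical `--apply` flag so the decision helpers can be exercised without touching the system.

```shell
#!/bin/bash
# Added example, not the script from the thread: a version-aware re-enable of auditd.
# macOS 13's audit(8) has no -c option, so the AUC_AUDITING check is 14+ only.

macos_major() { /usr/bin/sw_vers -productVersion | /usr/bin/cut -d. -f1; }

# 1 if the text of `audit -c` output reports auditing on, else 0 (pure text check)
audit_condition_on() { case "$1" in *AUC_AUDITING*) echo 1 ;; *) echo 0 ;; esac; }

# Decide "skip" or "enable" from: macOS major version, launchd job loaded (0/1),
# /etc/security/audit_control present (0/1), audit condition (0/1/unknown).
audit_action() {
  local major=$1 loaded=$2 ctl=$3 auditing=$4
  if [ "$loaded" != 1 ] || [ "$ctl" != 1 ]; then echo enable; return; fi
  # Only Sonoma and later can report the condition; require it to be on there
  if [ "$major" -ge 14 ] && [ "$auditing" != 1 ]; then echo enable; return; fi
  echo skip
}

enable_auditd() {
  local major loaded ctl auditing
  major=$(macos_major)
  # launchctl print exits non-zero when the service target is not loaded
  if /bin/launchctl print system/com.apple.auditd >/dev/null 2>&1; then loaded=1; else loaded=0; fi
  if [ -e /etc/security/audit_control ]; then ctl=1; else ctl=0; fi
  auditing=unknown
  if [ "$major" -ge 14 ]; then auditing=$(audit_condition_on "$(/usr/sbin/audit -c 2>/dev/null)"); fi

  if [ "$(audit_action "$major" "$loaded" "$ctl" "$auditing")" = skip ]; then
    echo "auditd running, nothing to do here"; return 0
  fi
  echo "enabling auditd on macOS $major"
  # Seed the audit configuration from Apple's example file if it is missing
  if [ ! -e /etc/security/audit_control ] && [ -e /etc/security/audit_control.example ]; then
    /bin/cp /etc/security/audit_control.example /etc/security/audit_control
  fi
  /bin/launchctl enable system/com.apple.auditd
  # Bootstrapping a job launchd already holds errors out instead of being a no-op,
  # so only bootstrap when the job is not loaded
  if [ "$loaded" != 1 ]; then
    /bin/launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.auditd.plist
  fi
  /usr/sbin/audit -i
}

# Hypothetical flag: make changes only when explicitly asked (needs root on a Mac)
if [ "${1:-}" = "--apply" ]; then enable_auditd; fi
```

Run it as root with `--apply` from a Jamf policy; without the flag it defines the helpers and exits, which is what the checks below rely on.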



We are on Jamf Pro 10.50.


Do clients need to reboot to get this to work?


Works fine on Macs running macOS 14.x



Yes, I found that giving them a reboot and running recon were needed.