Solved

Restricted Software no longer working on Sonoma! Help! SOS

  • October 5, 2023
  • 11 replies
  • 67 views


We are a school district with staff set up as standard users on their MacBooks. We do not allow the App Store because, by law, we have to approve apps to protect student data. I just found out today that our M1 MacBooks that have been updated to macOS Sonoma are completely bypassing any "Restricted Software" settings in Jamf. So users that update are able to open Terminal, the App Store, etc. even though the restrictions are set up and were working on Ventura.

We are on Jamf version 10.49.0 so I don't believe the update is the issue. Any suggestions are appreciated!

Best answer by sdagley

11 replies

sdagley
  • Jamf Heroes
  • Answer
  • October 6, 2023

@DylanAckley You're going to need to update to JSS 10.50, and have all of your Macs on macOS 14.0 restart after that upgrade for Restricted Software configurations to work (see the https://learn.jamf.com/bundle/jamf-pro-release-notes-current/page/Important_Notices.html section of the JSS 10.50 release notes). This is because the audit subsystem is no longer enabled by default in macOS 14, and the Restricted Software feature requires it for functionality. The jamf agent with JSS 10.50 will enable it.


  • Author
  • New Contributor
  • October 6, 2023

Thank you! Thank you! I tried looking through the known issues and searching for this info but all I was getting was results about blocking the Sonoma upgrade. 

I will work on this today!


boberito
  • Jamf Heroes
  • October 6, 2023

You can also use this rule from the macOS Security Compliance Project to re-enable auditd:

https://github.com/usnistgov/macos_security/blob/main/rules/audit/audit_auditd_enabled.yaml


sdagley
  • Jamf Heroes
  • October 6, 2023

For people who don't speak YAML, here's a standalone bash script that does what the YAML file @boberito linked to does:

```bash
#!/bin/bash
# Enable the audit subsystem if it isn't running.
# audit -c only exists on macOS 14+, and on 13 and earlier auditd is still
# enabled by default, so there is nothing to do there (this also avoids the
# "illegal option -- c" usage error and the failed bootstrap of an already
# loaded auditd on those releases).
if [[ $(/usr/bin/sw_vers -productVersion | /usr/bin/cut -d. -f1) -lt 14 ]]; then
    echo "macOS 13 or earlier, auditd is enabled by default"
    exit 0
fi
LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)
AUDITD_RUNNING=$(/usr/sbin/audit -c | /usr/bin/grep -c "AUC_AUDITING")
if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]] && [[ $AUDITD_RUNNING == 1 ]]; then
    echo "auditd running, nothing to do here"
else
    echo "auditd isn't running, so enable it"
    # auditd needs a config file; seed it from Apple's example if it is missing
    if [[ ! -e /etc/security/audit_control ]] && [[ -e /etc/security/audit_control.example ]]; then
        /bin/cp /etc/security/audit_control.example /etc/security/audit_control
    fi
    /bin/launchctl enable system/com.apple.auditd
    /bin/launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.auditd.plist
    /usr/sbin/audit -i
fi
exit 0
```

  • Author
  • New Contributor
  • October 6, 2023


Thank you again @sdagley! It worked. It looks like it requires an inventory update as well and then a restart of the MacBook to get the new Restricted Software configurations to work.


  • Valued Contributor
  • October 12, 2023

Many thanks for this info, sdagley!


  • New Contributor
  • October 16, 2023

Just to chime in on this… this is not the behavior I am seeing with Restricted Software on Jamf `v10.50.0-t1693149930` and Sonoma 14.0. Instead, I find that a Restricted Software app will stay open until a `jamf manage` kicks off and then the app is closed. This is nowhere near the responsiveness that it used to be. 

It's puzzling, given all the time Jamf has had to address the changes in Sonoma, that they couldn't come up with their own solution to do this in a persistent manner like Hannes Juutilainen did with Big Sur Blocker.


pgy_jamf_help
  • New Contributor
  • November 28, 2023

I was on Ventura 13.5 and it allowed me to upgrade to Sonoma even though we blocked it. I checked on other computers and it is locked down.
I think that when the notification from Apple Update comes in it magically unlocks the update. So it basically overwrites the Jamf settings.
In the case where the user does not click on Upgrade and restarts the Mac, it is locked down again.


JevermannNG
  • Valued Contributor
  • December 29, 2023

On a Mac with 13.6.3 I received the following log; how can I solve this?

Script result: /usr/sbin/audit: illegal option -- c
Usage: audit -e | -i | -n | -s | -t
auditd isn't running, so enable it
Bootstrap failed: 5: Input/output error
Trigger sent.
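As an added example that is not part of the thread: a small POSIX shell classifier that applies the same three checks as sdagley's script (auditd loaded in launchd, audit_control present, audit -c reporting AUC_AUDITING) but treats the `audit -c` usage error from macOS 13 as its own state, so a Jamf extension attribute or pre-check does not report "not running" and attempt the Sonoma re-enable steps there. The `audit_state` and `audit_state_live` function names and the sample command output are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: classify the audit subsystem from the
# three signals sdagley's script checks, treating the "illegal option -- c"
# usage error seen on macOS 13.6.3 as "unsupported" rather than "not running".
# Inputs are plain strings so the logic runs offline on constructed data.

# audit_state <launchctl list output> <audit_control present: yes|no> <audit -c output>
# Prints: running | not_running | unsupported
audit_state() {
  launchd_out=$1; control_present=$2; auditc_out=$3
  # macOS 13 and earlier: audit(8) has no -c; auditd is still on by default there,
  # so the Sonoma re-enable steps must not be driven from this result.
  case "$auditc_out" in
    *"illegal option"*) echo unsupported; return 0 ;;
  esac
  loaded=0; auditing=0
  printf '%s\n' "$launchd_out" | grep -q 'com.apple.auditd' && loaded=1
  printf '%s\n' "$auditc_out" | grep -q 'AUC_AUDITING' && auditing=1
  if [ "$loaded" -eq 1 ] && [ "$control_present" = yes ] && [ "$auditing" -eq 1 ]; then
    echo running
  else
    echo not_running
  fi
}

# Live wrapper for use as a Jamf extension attribute on the Mac itself
# (run as root so audit -c can query the kernel); not exercised offline.
audit_state_live() {
  if [ -e /etc/security/audit_control ]; then present=yes; else present=no; fi
  audit_state "$(/bin/launchctl list 2>/dev/null)" "$present" "$(/usr/sbin/audit -c 2>&1)"
}

# Constructed sample command output (tab-separated, as launchctl list prints it)
LAUNCHD_WITH_AUDITD=$(printf '123\t0\tcom.apple.auditd\n456\t0\tcom.apple.jamf.management.daemon')
LAUNCHD_WITHOUT_AUDITD=$(printf '456\t0\tcom.apple.jamf.management.daemon')
# The usage error from the 13.6.3 log quoted in this thread
VENTURA_AUDITC=$(printf '/usr/sbin/audit: illegal option -- c\nUsage: audit -e | -i | -n | -s | -t')
```

Wrap `audit_state_live` in `<result>` tags to use it as an extension attribute, and scope the re-enable script to Macs reporting `not_running`.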


JevermannNG
  • Valued Contributor
  • December 29, 2023


We are on Jamf Pro 10.50.

Do clients need to reboot to get this to work?

Works fine on Macs running macOS 14.x


  • Valued Contributor
  • December 29, 2023


Yes, I found that giving them a reboot and running recon were needed.