Apple just announced macOS Catalina.
Has anyone already added this to their software restriction list to prevent users from installing the beta version?
Or do we need to wait for the package to be uploaded to the developer's website?
Thanks in advance.
I was about to do this, but someone pointed out on the MacAdmins Slack channel that you can prevent macOS Beta with a configuration profile as well. It's located in the Software Update restrictions. If you don't have a software update server, you can leave that area blank as it'll just pull from Apple's servers. I didn't know this and created a profile just for this.
OK, so I got the beta running on a VM now.
App name listed in Applications for now: Install macOS 10.15 Beta.app
Process name still: osinstallsetupd. Be warned: if you block this one, it blocks other installations.
Current build number: 19A471T
And as mentioned earlier, you can block BETA profiles with a Configuration Profile scoped out to your devices.
Before trying 10.15, check that all your previous beta profiles are neatly removed.
It did not bring me to the Mac App Store.
I find the technique of blocking the process InstallAssistant recommended by @mm2270 in the thread Restricted Software: macOS Mojave 10.14 works great to handle all of the macOS installers in a single shot. You can still call the startosinstall tool to initiate an install via a script from Jamf Pro with this block in place, unlike a block on the Install .app itself.
Hi All - just trying to "prep" for when full blown Catalina gets released, and impacts all our endpoint protection... would something like the below work?
We also block InstallAssistant, but there are exceptions to this (such as machines on 10.13 that we want upgraded to Mojave, etc.), so I just want to make sure no-one can utilise these exceptions and go from 10.13 > 10.15.
The block is working, but System Preferences is listing it regardless of any other settings. So all your users will see they have a big update that's needed, start to download it, and then get the warning message saying this program is blocked. It does not appear that deferring software updates for any amount of time will prevent this.
@McAwesome @tnielsen Same thing here. My restricted software policies for "Install macOS Catalina.app" and "InstallAssistant" are blocking it from executing, but it still shows up in System Prefs > Software Update. I can live with that for now.
Just tested it on a laptop, and my Restricted Software policy message popped up when it tried to run.
@itupshot I created a Policy and then applied the following script to it. On Parameter 5 add: macOS Catalina, and apply it to all the machines in your organization. This will remove the update from showing on any machine in preferences.
This script worked great; you can find it here: Update macOS Update Ignore List.sh
After testing you may check if it was successful by running the following command:
Also, if you are in the process of testing Catalina like I am, you could undo this on your test machine by using the following command:
sudo softwareupdate --reset-ignored
Macmule made a post outlining the details on what else you can do here:
Blocking Catalina Update
@JarvisUno , thanks a bunch! This seems to handle the notification perfectly. Since the App Store redirects to Software Update, my users will now see this when they try to get macOS Catalina that way.
When we want to lift the restriction, what is the best way to remove macOS Catalina from the softwareupdate ignore list?
@jameson This might be anecdotal, but my restriction process (10.15.1 on prem) did not honor my use of a wildcard at the tail of "macOS Catalina" and I needed to explicitly define the .app (ask me how I found out). This had been working fine with beta tests on the previous 10.11.1 instance, so I am unsure if this is an environmental thing or an issue with the product, but the tl;dr is: make that change and force a management refresh on endpoints along with the update suppression and you should be good.
Configuring a block for InstallAssistant and a block for Install macOS Catalina is NOT working in JAMF Pro v10.15.1 (Cloud version). I've added 5 Macs to the scope and I was successfully able to download the Install macOS Catalina application and even run it. Yesterday, I applied a macOS Deferral Configuration Profile to all my Macs in the fleet. However, I was able to upgrade to Catalina on 3 of those Macs that were in the scope.
I took the script approach as mentioned in an above post and created a policy to apply to Macs: https://github.com/palantir/jamf-pro-scripts/blob/master/scripts/Update%20macOS%20softwareupdate%20Ignore%20List.sh
This seems to be the only thing that can block the Catalina update. I had to run the policy twice on a MacBook Pro and have the user restart in order for Catalina to not show up in Software Update in System Preferences. #IDK
I saw on Twitter someone retweet @RobertHammen (I am going to assume it's the same person) blocking it with the --ignore command. I'll probably go that route for the time being, using the following command: /usr/sbin/softwareupdate --ignore "macOS Catalina"
So I tested this a while ago using Restricted Software on my test machine and I was happy with it, but was horrified to learn today that somebody had upgraded to it.
I then downloaded the update on a different device and it ran straight away with no problems. Then I went off to do something else, came back, and it was now being restricted when I attempted to run it.
Although the setting in Restricted Software was correct, it turns out that the devices in scope will need the Management Framework to refresh in order for the setting to apply (https://macmule.com/2019/10/07/blocking-macos-catalina-with-jamf-pro/#There_is_no_step_2). I don't currently have a policy to do this so will need to look into it, but in the meantime I will use the route of ignoring the update.
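Several posts above report a block that looked applied but was not yet in effect (the policy had to run twice, or the management framework had not refreshed). The sketch below is an added example, not part of the thread and not the Palantir script: it applies `softwareupdate --ignore` and then confirms the label from the tool's own output. It assumes that output has the array-style layout shown in the constructed sample; the function names and the `--apply` switch are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread or the Palantir script.
# Assumption: after `softwareupdate --ignore LABEL`, the tool prints the
# resulting list as a property-list style array, as in SAMPLE_OUTPUT below.

# Constructed sample of that output (labels with spaces are quoted).
SAMPLE_OUTPUT='Ignored updates:
(
    "macOS Catalina",
    iTunesX
)'

# ignored_labels: read the list text on stdin, print one bare label per line.
ignored_labels() {
    sed -e '/^Ignored updates:/d' \
        -e '/^[[:space:]]*[()]*[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' \
        -e 's/,[[:space:]]*$//' \
        -e 's/^"\(.*\)"$/\1/'
}

# is_ignored LABEL: exit 0 only on an exact whole-label match, so
# "macOS" does not count as covering "macOS Catalina".
is_ignored() {
    ignored_labels | grep -Fxq -- "$1"
}

# ensure_ignored LABEL: add LABEL to the ignore list (needs root) and
# confirm from the tool's own output that it is really there.
ensure_ignored() {
    out=$(/usr/sbin/softwareupdate --ignore "$1" 2>&1) || return 2
    printf '%s\n' "$out" | is_ignored "$1"
}

# Only touch the system when asked to: ./script.sh --apply "macOS Catalina"
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    if ensure_ignored "$2"; then
        echo "OK: '$2' is on the ignore list"
    else
        echo "FAIL: '$2' not confirmed on the ignore list" >&2
        exit 1
    fi
fi
```

A non-zero exit lets the deploying policy record a failure instead of silently assuming the update is hidden.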