Adding macOS Catalina to the restriction list

bmee
Contributor

Apple just announced macOS Catalina.

Has anyone already added this to their software restriction list to prevent users from installing the beta version?

Or do we need to wait for the package to be uploaded to the developer's website?

Thanks in advance.


Merkley
New Contributor III

I was about to do this, but someone pointed out on MacAdmins Slack channel that you can prevent macOS Beta with a configuration profile as well. It's located in the Software Update restrictions. If you don't have a software update server, you can leave that area blank as it'll just pull from Apple's servers. I didn't know this and created a profile just for this.

bmee
Contributor

@Merkley I'll give this a try and once the download is available in the Dev section I'll try to install it and see if it'll block it.
Thanks for pointing that out.

clong
New Contributor

Thanks @Merkley , I added the configuration profile as well. Good stuff!

ThijsX
Valued Contributor

OK, so I got the beta running on a VM now.

App name listed in Applications for now: Install macOS 10.15 Beta.app
Process name still: osinstallsetupd. Be warned: if you block this one, it blocks other installations.

Current build number: 19A471T

And like mentioned earlier, you can block BETA profiles with a Configuration Profile scoped out to your devices.

bmee
Contributor

@txhaflaire I tried installing the Dev beta access tool on one of our test devices and it brings me to the App Store update section but it's blank. Is that normal?

ThijsX
Valued Contributor

@bmee

  1. Install the beta.pkg that you receive which installs the profile.
  2. Proceed to "Software Updates" located in the System Preferences pane.
  3. Check for updates, and proceed with downloading and installing the upgrade.

Before trying 10.15, check that all your previous beta profiles are neatly removed.
It did not bring me to the Mac App Store.

bmee
Contributor

@txhaflaire That works. Weird that it brings me to the update section in the App Store after the install is done.
Thanks for the help, all.

AdamCraig
Contributor III

This is what I did.

Jbirtola
New Contributor

I did the profile block initially. Thinking about switching to restricted software instead. Much like what @strayer did in their comment.

ThijsX
Valued Contributor

The Config profile can prevent installing the macOS beta profiles, which change the Apple update server settings etc.

The config profile does not prevent installing the beta installer itself, as far as I know.

sdagley
Honored Contributor II

I find the technique of blocking the process InstallAssistant recommended by @mm2270 in the thread Restricted Software: macOS Mojave 10.14 works great to handle all of the macOS installers in a single shot. You can still call the startosinstall tool to initiate an install via a script from Jamf Pro with this block in place, unlike a block on the Install .app itself.

MatG
Contributor III

Did the same as @strayer

martinrobertson
New Contributor

Hi All - just trying to "prep" for when full blown Catalina gets released, and impacts all our endpoint protection... would something like the below work?

We also block InstallAssistant, but there are exceptions to this (such as machines on 10.13 that we want upgraded to Mojave, etc), so I just want to make sure no-one can utilise these exceptions and go from 10.13 > 10.15.

itupshot
Contributor II

Is macOS Catalina officially out? It is already showing up for me in Software Update System Pref pane. It's also showing up as default boot via Internet Recovery. I need to block this app from downloading and offering to install.

dcgagne
Contributor

@itupshot

Looks like it is widely available, all of my devices are showing it. Downloads are choked off right now so I'm unable to see the final .app name to block.

tnielsen
Valued Contributor

The Process Name is: Install macOS Catalina
The name of the application is: Install macOS Catalina

itupshot
Contributor II

@dcgagne

Yes. This is frustrating. Hopefully, they used the same naming convention of the last few OS versions. I'm going to use that for now.

EDIT:
@tnielsen Thank you!

gb3
New Contributor III

Can anyone confirm that blocking "Install macOS Catalina" is working? Our download of the release is going slowly so we'd like to be able to test before the users get it but might not be able to.

McAwesome
Contributor III

The block is working, but System Preferences is listing it regardless of any other settings. So all your users will see they have a big update that's needed, start to download it, and then get the warning message saying this program is blocked. It does not appear that deferring software updates for any amount of time will prevent this.

tnielsen
Valued Contributor

The application block will simply stop it from executing but not stop it from downloading. I don't mind that honestly, so I'm just going with the application block. It does work.

dstranathan
Valued Contributor II

Interesting that App Store takes you to System Preferences to pull installer from SUS. I don't recall Mojave doing this.

I have Catalina blocked 2 ways...

-Catalina disabled on NetSUS server production catalog
-Install macOS Catalina.app blocked in Jamf Restriction

itupshot
Contributor II

@McAwesome @tnielsen Same thing here. My restricted software policies for "Install macOS Catalina.app," and "InstallAssistant" are blocking it from executing, but still shows up in System Prefs > Software Update. I can live with that for now.

Just tested it on a laptop, and my Restricted Software policy message popped up when it tried to run.

JarvisUno
Contributor II

@itupshot I created a Policy and then applied the following script to it. On Parameter 5 add: macOS Catalina and apply it to all the machines in your organization; this will remove the update from showing on any machine in preferences.

This script worked great. You can find it here: Update macOS Update Ignore List.sh

OPTION 1

After testing you may check if it was successful by running the following command: softwareupdate --ignore

Also, if you are in the process of testing Catalina like I am, you could undo this on your test machine by using the following command: sudo softwareupdate --reset-ignored

OPTION 2
Macmule made a post outlining the details on what else you can do here:
Blocking Catalina Update

OPTION 3
@nstrauss also has another method going on here you might want to try. The takeaway from this whole thing is that there are options.
Ignore Catalina Upgrade Prompt in Software Update

davethemayor
New Contributor

@JarvisUno, this is perfect. Thanks!

jzarate
New Contributor II

@JarvisUno, thanks a bunch! This seems to handle the notification perfectly. Since the App Store redirects to Software Update, my users will now see this when they try to get macOS Catalina that way.

When we want to lift the restriction, what is the best way to remove macOS Catalina from the softwareupdate ignore list?

itupshot
Contributor II

@JarvisUno Thanks, this is pretty nice to have.

@jzarate According to the script, you put "yes" in Parameter 4.

jameson
Contributor II

I downloaded Catalina from the App Store, but when launching it, it should block with restricted - but it works fine? As far as I can see I use the same as the example above?

dmichels
Contributor

Remove the "" from your Process Name:
Process Name: Install macOS Catalina or use Install macOS Catalina.app

JarvisUno
Contributor II

@jzarate or remove it altogether from Parameter 4 and use the script for other updates in the future.

Also to double check what updates are being blocked use:

softwareupdate --ignore
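
An added example, not part of any post in this thread and not the linked Palantir script: a small check that a label such as "macOS Catalina" is a whole entry in the listing printed by `softwareupdate --ignore`, rather than a substring of some other entry. The listing layout (a parenthesised, comma-separated list with one label per line) and the second label in the sample are assumptions; the sample is constructed and is used when `softwareupdate` is not present.

```shell
#!/bin/sh
# Added example: exact-match check of the softwareupdate ignore list.
# Assumption: the listing is a parenthesised, comma-separated list, one label
# per line, quoted when the label contains spaces.

# Constructed sample listing, used when softwareupdate is not available.
SAMPLE_LISTING='Ignored updates:
(
    "macOS Catalina",
    "Example Update 1.0"
)'

# is_ignored LABEL < listing
# Returns 0 only if LABEL equals one whole entry between "(" and ")".
is_ignored() {
    awk -v want="$1" '
        /^[ \t]*\(/ { inlist = 1; next }
        /^[ \t]*\)/ { inlist = 0; next }
        inlist {
            entry = $0
            sub(/^[ \t]*/, "", entry)      # leading indentation
            sub(/,?[ \t]*$/, "", entry)    # trailing comma and whitespace
            gsub(/^"|"$/, "", entry)       # surrounding quotes
            if (entry == want) found = 1
        }
        END { exit !found }
    '
}

# report LABEL: prints the state for one label, returns 1 if it is not ignored.
report() {
    if command -v softwareupdate >/dev/null 2>&1; then
        listing=$(softwareupdate --ignore 2>/dev/null)
    else
        listing=$SAMPLE_LISTING
    fi
    if printf '%s\n' "$listing" | is_ignored "$1"; then
        echo "ignored: $1"
    else
        echo "NOT ignored: $1"
        return 1
    fi
}

report "${1:-macOS Catalina}" || true
```
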

iri
New Contributor

@JarvisUno, might be a bad question, but all Jamf scripts run as sudo, right? So there is no need to scope it to user? Just to computer will do it? (I'm talking about Execution frequency: once per computer vs once per user per computer)

JarvisUno
Contributor II

@iri No question is stupid. Yes, the script will take care of it.

andrew_nicholas
Valued Contributor

@jameson This might be anecdotal but my restriction process (10.15.1 on prem) did not honor my use of wild card at the tail of "macOS Catalina" and I needed to explicitly define the .app (ask me how I found out). This had been working fine with beta tests on the previous 10.11.1 instance so I am unsure if this is an environmental thing or an issue with the product but the tl;dr is make that change and force a management refresh on endpoints along with the update suppression and you should be good.

edullum
Contributor

Configuring a block for InstallAssistant and a block for Install macOS Catalina is NOT working in JAMF Pro v. 10.15.1 (Cloud version). I've added 5 Macs to the scope and I was successfully able to download the Install macOS Catalina application and even run it. Yesterday, I applied a macOS Deferral Configuration Profile to all my Macs in the fleet. However, I was able to upgrade to Catalina on 3 of those Macs that were in the scope.

I took the script approach as mentioned in an above post and created a policy to apply to Macs: https://github.com/palantir/jamf-pro-scripts/blob/master/scripts/Update%20macOS%20softwareupdate%20Ignore%20List.sh
This seems to be the only thing that can block the Catalina update. I had to run the policy twice on a MacBook Pro and have the user restart in order for Catalina to not show up in Software Update in System Preferences. #IDK

yungstump
New Contributor II

Ran the script against my own computer twice and rebooted it. Doesn't seem to be working for me as Catalina is still showing up in the Software Update in Sys preferences.

Trying to see if it's only me or if any of my users are affected.

JarvisUno
Contributor II

@yungstump Did you use the script that was added above?

If yes, what was the outcome after you ran the policy?

easyedc
Valued Contributor II

I saw on Twitter someone retweet @RobertHammen (I am going to assume it's the same person) blocking it with the --ignore command. I'll probably go that route for the time being. Using the following command: /usr/sbin/softwareupdate --ignore "macOS Catalina"

PCSysops
New Contributor II

@JarvisUno The script is working for me. I just have an ongoing policy that reaches out to all machines. I did also put a software restriction as well.

ajassi
New Contributor II

So I tested this a while ago using Restricted Software on my test machine and I was happy with it, but was horrified to learn today that somebody had upgraded to it.

I then downloaded the update on a different device and it ran straight away no problems, then I went off to do something else, came back, and it was now being restricted when I attempted to run it.

Although the setting in Restricted Software was correct, it turns out that the devices in scope will need the Management Framework to refresh in order for the setting to apply (https://macmule.com/2019/10/07/blocking-macos-catalina-with-jamf-pro/#There_is_no_step_2). I don't currently have a policy to do this so will need to look into it, but for the meantime I will use the route of ignoring the update.

rodders
New Contributor III

Thanks for sharing that script, @JarvisUno. Works a treat.

Next step - Anyone know how to get rid of the red 1 bubble in system preferences dock icon? 😄