Jamf Nation Community

@Merkley I'll give this a try and once the download is available in the Dev section I'll try to install it and see if it'll block it.
Thanks for pointing that out.

Thanks @Merkley , I added the configuration profile as well. Good stuff!

Ok so i got the beta running on a VM now.

Appnam listed in Applications for now: Install macOS 10.15 Beta.app
Processname still: osinstallsetupd be warned if you block this one, it block other installations.

Current build number: 19A471T

And like mentioned earlier, you can block BETA profiles with an Configuration Profile scoped out to your devices.

@txhaflaire I tried to installing the Dev beta access tool into one of our test device and it brings me to the App Store update section but it's blank. Is that normal?

@bmee

1. Install the beta.pkg that you receive which installs the profile.
2. Proceed to "Software Updates" located in the System Preferences pane.
3. Check for updates, and proceed with downloading and installing the upgrade.

Check before trying 10.15 all your previous beta profiles are neat removed.
It did not bring me to the Mac App Store.

@txhaflaire that works. weird that it brings me to the update section in the app store after the install is done.
thanks for the help all.

This is what I did.

I did the profile block initially. Thinking about switching to restricted software instead. Much like what @strayer did in their comment.

The Config profile can prevent installing the macOS beta profiles which changes the apple update server settings etc.

The config profile does not prevent installing the beta installer itself, as far i know

I find the technique of blocking the process InstallAssistant recommended by @mm2270 in the thread Restricted Software: macOS Mojave 10.14 works great to handle all of the macOS installers in a single shot. You can still call the startosinstall tool to initiate an install via a script from Jamf Pro with this block in place, unlike a block on the Install .app itself.

Did the same as @strayer

Hi All - just trying to "prep" for when full blown Catalina gets released, and impacts all our endpoint protection... would something like the below work?

We also block InstallAssistant, but there are exceptions to this (such as machines on 10.13 that we want upgraded to Mojave, etc), so i just want to make sure no-one can utilise these exceptions and go from 10.13 > 10.15.

Is macOS Catalina officially out? It is already showing up for me in Software Update System Pref pane. It's also showing up as default boot via Internet Recovery. I need to block this app from downloading and offering to install.

@itupshot

Looks like it is widely available, all of my devices are showing it. Downloads are choked off right now so I'm unable to see the final .app name to block

The Process Name is: Install macOS Catalina
The name of the application is: Install macOS Catalina

@dcgagne

Yes. This is frustrating. Hopefully, they used the same naming convention of the last few OS versions. I'm going to use that for now.

EDIT:
@tnielsen Thank you!

Can anyone confirm that blocking "Install macOS Catalina" is working? Our download of the release is going slowly so we'd like to be able to test before the users get it but might not be able to.

The block is working, but System Preferences is listing it regardless of any other settings. So all your users will see they have a big update that's needed, start to download it, and then get the warning message saying this program is blocked. It does not appear that deferring software updates for any amount of time will prevent this.

The application block will simply stop it from executing but not stop it from downloading. I don't mind that honestly, so I'm just going with the application block. It does work.

Interesting that App Store takes you to System Preferences to pull installer from SUS. I don't recall Mojave doing this.

I have Catalina blocked 2 ways...

-Catalina disabled on NetSUS server production catalog
-Install macOS Catalina.app blocked in Jamf Restriction

@McAwesome @tnielsen Same thing here. My restricted software policies for "Install macOS Catalina.app," and "InstallAssistant" are blocking it from executing, but still shows up in System Prefs > Software Update. I can live with that for now.

Just tested it on a laptop, and my Restricted Software policy message popped up when it tried to run.

@itupshot I created a Policy and then applied the following script to it. On Parameter 5 add: macOS Catalina and apply it to all the machines in your organization this will remove the update from showing on any machine in preferences.

This script worked great you can find it here: Update macOS Update Ignore List.sh

OPTION 1

After testing you may check if it was successful by running the following command: softwareupdate --ignore

Also if you are in the process of testing Catalina like I am you could remove undo this on your test machine by using the following command: sudo softwareupdate --reset-ignored

OPTION 2
Macmule made a post outlining the details on what else you can do here:
Blocking Catalina Update

OPTION 3
@nstrauss Also has another method going on here you might want to try, the take from this whole thing is that there are options.
Ignore Catalina Upgrade Prompt in Software Update

@JarvisUno, this is perfect. Thanks!

@JarvisUno , thanks a bunch! This seems to handle the notification perfectly. Since the App Store redirects to Software Update, my users will now see this when they try to get macOS Catalina that way.

When we want to lift the restriction, what is the best way to remove macOS Catalina from the softwareupdate ignore list?

@JarvisUno Thanks, this is pretty nice to have.

@jzarate According to the script, you put "yes" in Parameter 4.

I downloaded Catalina from App Store, but when launching it should block with restricted - but it works fine ? As far I can see I use the same as example above ?

Remove the "" from your Process Name:
Process Name: Install macOS Catalina or use Install macOS Catalina.app

@jzarate or remove it all together from Parameter 4 and use the script for other updates in the future.

Also to double check what updates are being blocked use:

softwareupdate --ignore

@JarvisUno, might be a bad question, but all Jamf scripts ran as sudo ,right? So there is no need to scope it to user? Just to computer will do it? (I'm talking about Execution frequency: once per computer vs once per user per computer)

@iri No question is stupid, yes the script will take of it.

@jameson This might be anecdotal but my restriction process (10.15.1 on prem) did not honor my use of wild card at the tail of "macOS Catalina" and I needed to explicitly define the .app (ask me how I found out). This had been working fine with beta tests on the previous 10.11.1 instance so I am unsure if this is an environmental thing or an issue with the product but the tl;dr is make that change and force a management refresh on endpoints along with the update suppression and you should be good.

Configuring a block for InstallAssistant and a block for Install macOS Catalina is NOT working in JAMF Pro v, 10.15.1 (Cloud version). I've added 5 macs to the scope and I was successfully able to download the Install macOS Catalina application and even run it. Yesterday, I applied a macOS Deferral Configuration Profile to all my macs in the fleet. However, I was able to upgrade to Catalina on 3 of those Macs that were in the scope.

I took the script approach as mentioned in an above post and created a policy to apply to macs: [https://github.com/palantir/jamf-pro-scripts/blob/master/scripts/Update%20macOS%20softwareupdate%20Ignore%20List.sh](link URL)
This seems to be the only thing that can block the Catalina update. I had to run the policy twice on a MacBook pro and have the user restart in order for Catalina to not show up in Software Update in System Preferences. #IDK

Ran the script against my own computer twice and rebooted it. Doesn't seem to be working for me as Catalina is still showing up in the Software Update in Sys preferences.

Trying to see if it's only me or if any of my users are affected.

@yungstump Did you use the script that was added above?

If, yes what was the outcome after you ran the policy.

I saw on twitter someone retweet @RobertHammen (I am going to assume it's the same person) blocking it with the --ignore command. I'll probably go that route for the time being. Using the following command /usr/sbin/softwareupdate --ignore "macOS Catalina"

@JarvisUno The script is working for me. I just have an ongoing policy that reaches out to all machines. I did also put a software restriction as well.

So I tested this a while ago using Restricted Software on my test machine and I was happy with it, but was horrified to learn today that somebody had upgraded to it.

I then downloaded the update on a different device and it ran straight away no problems, then I went off to do something else, came back, and it was now being restricted when I attempted to run it.

Although the setting in Restricted Software was correct, it turns out that the devices in scope will need the Management Framework to refresh in order for the setting to apply (https://macmule.com/2019/10/07/blocking-macos-catalina-with-jamf-pro/#There_is_no_step_2). I don't currently have a policy to do this so will need to look into it, but for the meantime I will use the route of ignoring the update.

Thanks for sharing that script @JarvisUno Works a treat.

Next step - Anyone know how to get rid of the red 1 bubble in system preferences dock icon? :D