Jamf Nation Community

Sounds like we'll have to add the Beta Access Utility app to restricted software. That should cover things for the most part.

Allen

I used my machine as guinea pig for this so I could create a restricted software record… but it doesn't look like any kind of app is installed, just a preference that allows access to the beta downloads. Any tips from others out there about how to lock this down?

@emilykausalik][/url][/url: If there is an app that apple uses to allow builds to come through Software Update. Once it's installed, that's how the updates are installed. You could in theory kill that app just like any other by watching the process and nuking/deleting it.

Like Emily said, there is no actual application. There is a pkg that you run and all it seems to really do is change the software update catalog URL and auto-launch software update so the local machine can see the latest OS beta seeds.

The feedback assistant, which is a standalone app, does not appear to be associated with actually accessing the beta seeds.

Yeah, that's what I was talking about - looking for a way to nuke the install of the "utility" that changes the SUS URL.
I have sent an email to a rep at Apple asking if they have any ideas on how to help us.

There is definitely a difference between programs. Current AppleSeed members are encouraged not to sign up for this program. It may be a limited time program.

@jhbush1973][/url][/url, the programs are indeed different. Seeing it's all NDA, I'm not sure I'll post anything about that, but I just asked if they would consider delivering the Utility (whatever the public version will be called) in an app form, a la Mavericks. Easily nukable.

What about a Software Update Profile (System Preferences/Profiles)? Lock 'er down.

I don't see any signs that the installer installs a distinct utility - It looks like the installer just drops in a replacement com.apple.SoftwareUpdate.plist file based on the change in creation/modification dates on that preference file immediately after the installer completes. But if there is a process that fires up behind the scenes during the install process then that could be the break we need. I'm reaching out to our reps as well - hopefully they have a bone to throw us!

Ooo, the software update profile is a good idea @boettchs. I'll have to give that a try.

Computer level config profile with a software update payload successfully prevents the Mac from pointing at the beta seed catalogURL. Good call @boettchs. The utility still appears to change the catalogURL in the com.apple.SoftwareUpdate.plist preference file, but the App Store, and softwareupdate in terminal both stick to the catalogURL dictated by the config profile.

I'm going to do some more validation of this tomorrow morning, but everything looks promising so far!

@jasonaswell - good news. I don't have a "Server" so I was just installing that to try the profile route. Glad your results are positive so far!

No admin rights = No Beta

What would be the correct address to use to point to Apple's Software Update URL, but not to the beta seed's catalogURL?

@rtrouton][/url][/url][/url, my understanding is that now unless there's a custom CatalogURL in the plist, it reverts to Apple servers. If there is one present, it shows by using:

defaults read /Library/Preferences/com.apple.SoftwareUpdate CatalogURL

Removing that should do set the Mac to Apple defaults.

sudo defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL

But I don't know if there is "one" server URL like there used to be since Apple says to just use the command above to reset to Apple defaults.

*Edit: I just did it and it removed my ability to download certain software. So it mimics what we'll see with the "OS X Beta" program. Killing that stops the MAS from seeing "certain" updates from Apple.

theoretically if you don't allow users to sign into the app store, they wouldn't be able to get it? I sent a note off to AppleCare for a resolution to disable the machines from being able to install it.

Seconding @rtrouton: What is the correct Apple SUS URL to use? I *know* some of my users will attempt to prematurely upgrade to Mavericks (bypassing the software restriction we've been using). Am eager to put this config profile in place. Anyone?

Ah, scratch that....you must already have 10.9 installed, which my users don't have yet, so I have some breathing room until we can develop an acceptable blocking solution. Whew...

Still, why is Apple allowing non-developers access to beta versions of the OS.? Sounds like a recipe for disaster to me. I can't imagine the havoc this is going to wreak at the Apple Store Genius Bars.

@damienbarrett do you have an internal SUS? If not it might be a good time to check out reposado. At least then you can put up your own SUS and then point your users with Configuration Profiles to that server.

For anyone reading this thread who doesn't already have the URL:

https://appleseed.apple.com/sp/betaprogram

From their FAQ:

What if I have problems running the pre-release software? Always back up your computer before installing pre-release software. If you need help returning your Mac to a shipping version of OS X and restoring from your Time Machine back up, you can call AppleCare to speak to a support specialist, or reference online documentation.

I do run an internal SUS, but really only ror my own purposes for mass updating machines over the Summer. Our machines travel home every evening and I don't have the SUS public-facing, so it was easier to just leave everyone pointing to Apple's SUS.

So apparently you can opt out of the program too…I wonder if there is a way to set the Apple Store to not show the beta releases and make that a preference that people can't change? https://appleseed.apple.com/sp/betaprogram/unenroll

anybody run fseventer (or something) to see what files it's modifying, and then maybe we can scope off of that and remove the modifications?

looks like it's changing the catalogurl ```
redacted
```

@jwojda][/url, yes, as above, it alters the "/Library/Preferences/com.apple.SoftwareUpdate.plist" with a CatalogURL. If you nuke that, you kill access to the Betas. Of course you also need the Apple ID in the App Store that you signed up with (for the beta) but I think the Profiles method will work so far...that was posted up last night...

Anyone confirm yet if MCX also does the trick? We force our managed Macs to point to an internal SUS, but we use MCX, not Config Profiles for that. Hopefully it works the same way. I agree this is a very odd decision on Apple's part to open this to every Joe regular user. Not sure what they're doing here.

Although I really hate using profiles, this enforcing the default ASU URL seemed to do the trick. Even after reinstalling the PKG that affects the plist, the test user could still only see non-beta updates.

@ryway09 I'm still a bit new to Casper and setting up profiles (not something we are really planning on enforcing, as we allow users to self-adminster) … could you possible share what you configured for this? And what the URL of the default ASU is?

"What would be the correct address to use to point to Apple's Software Update URL, but not to the beta seed's catalogURL?"

For Mavericks machines, that would be:

http://swscan.apple.com/content/catalogs/others/index-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog

Other OSes use different CatalogURLs. There is a list here:

https://github.com/wdas/reposado/blob/master/docs/reposado_preferences.txt#L40

FWIW

http://donmontalvo.com/jamf/jamfnation/IRC/freenode-osx-server_2014-04-23.jpg

external image link

Direct link:

http://osx.michaellynn.org/freenode-osx-server/freenode-osx-server_2014-04-23.html

Thanks (?), Don.

@gregneagle Valid concern, every so often threads cross the line, worth reminding everyone here (and IRC).

The Apple Public Beta is all over the internet. I don't think anyone here has really done or said much that crosses the line so far. It's always good to remind folks of the NDA's, so that is fine.

@boettchs Agreed.

Revealing the configuration changes made by Apple's utility does amount to releasing info covered under the NDA, IMHO. Otherwise, Apple would just publicly post those changes, no?

@gregneagle][/url It's discussed openly and widely on the IRC, no?

http://osx.michaellynn.org/freenode-osx-server/freenode-osx-server_2014-04-23.html

Well, an admin revealing how they removed a client's Mac from a public beta on a company owned Mac would be safe as they did not agree to an NDA covering such a program. I do not belong to the public beta and I'm just posting what I found. I know how the SUS works, so I found the info. I think I'm safe :)

I see, so some discussion was posted about a utility from Apple that deploys a plist change, which anyone with an Apple ID and a Mac running 10.9 can also obtain for $0.00…
I'm trying hard to find the "amazing" amount of violations going on there.