Block non major OSX updates 10.10.4->10.10.5

ant89
Contributor

We are not using our own SUS. So is there a way to block say, the 10.10.5 update?
Thru restricted software, how can you find the process name for this particular update?

I was able to block yosemite from mavericks via restricted software: Install OS X Yosemite for the process name.

Need to block just the 10.10.5 or any future updates like this.

Thanks,

15 REPLIES 15

RobertHammen
Valued Contributor II

Pretty unlikely you'll find a way to do this, as it just runs the installer pkg. Unless you block out the App Store. This is why a SUS (or Reposado) is critical, if you want this kind of granular control over updates.

You could also have update checking disabled. To turn things off in the App Store preferences:

Automatically check for updates
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool false
Download newly available updates in the background
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool false
Install XProtect and Gatekeeper updates automatically
defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool false
Install system data files and security updates
defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool false

674618ccff3b4e4a81147cdee22b3516

bpavlov
Honored Contributor

You could try to send out a command that ignores the delta and combo update using:

softwareupdate --ignore "identifier for update"

ant89
Contributor

Thanks for the input. ill try these out. Looks like im not able to actually prevent users from updating without my own SUS

Chris_Hafner
Valued Contributor II

We've flipped to the run forward philosophy. If I run and break things faster than the users, I generally figure out how to fix them before they break them. It's not for the faint of heart, but it's the way Apple keeps pushing us. @RobertHammen spelled out some of the way's to deal with this at the moment.

RobertHammen
Valued Contributor II

@bpavlov Good point, I'd forgotten about the ignore command.

Create a policy, recurring trigger, run once, scoped to 10.10.4 machines, Files and Processes, Execute Command:

softwareupdate --ignore "OSXUpd10.10.5-10.10.5"

10.10.3 and earlier machines would probably want the Combo update, which has a different identifier (you'd have to do a

softwareupdate -l

command on one of those machines to get the Combo identifier, and create a Smart Group for scoping with OS like 10.10 but not 10.10.4 or 10.10.5)

mm2270
Legendary Contributor II

I believe the Combo Update would show up as OSXUpdCombo10.10.5-10.10.5 but not certain.

I would take a step back and here and question whether its a good idea to actively block this update. There may be a very legitimate reason for doing so, or perhaps its only a temporary measure until its thoroughly checked in your environment and can be properly published or pushed. I hope that is the only reason. Since 10.10.5 fixes a veritable boatload of CVEs, I would strongly consider fast tracking this one into production if it were me. This is a little different than past security updates that fixed issues that had no active exploits. All versions of 10.10 prior to this one are affected by an issue that an active exploit in the wild is taking advantage of, so it changes the landscape a bit.

But that's just my opinion.

gachowski
Valued Contributor II

I think Mike and have posted the same idea a few times.... : )

Our users move at Apple speed on their personal machines. And I have to move that fast on the machines that I manage... I have to be in the beta program and effectively communicate to other software vendors that they have to have their products ready when apple release updates. MS, Adobe, Symantec, McAfee, Jamf and everyone else has to march at Apple's drum... there is no choice as all the updates and upgrades are security patches.

C

PS If you don't install Apple update the users personal machines are going to more secure then the machines you manage and that is very very strange....

millersc
Valued Contributor

From a 10.10.3 Mac:

  • OSXUpdCombo10.10.5-10.10.5 OS X Update Combined (10.10.5), 2071194K [recommended] [restart]
  • iTunesX-12.2.2 iTunes (12.2.2), 221488K [recommended]

bentoms
Honored Contributor III
Honored Contributor III

FWIW.. we block via the ignore process as shown above & here.

KSchroeder
Contributor

So where do you grab the string to use with the softwareupdate --ignore "your string here"?

Working on setting up SUS when I get some time, but in the short term I need to shutdown people from upgrading to 10.12.1 as it breaks our DLP software (though looking at it funny seems to do that to...)

Thanks for any ideas! My Google-fu has failed me so far in finding these identifier strings...

pcrandom
Contributor

@KSchroeder You can run "softwareupdate --list --all" to get the proper identifiers. Per the man page for softwareupdate:

"The identifier is the first part of the item name (before the dash and version number) that is shown by --list."

That part in the parentheses is a little confusing because often the identifier includes the version number, but the key is the "before the dash" part. So in one of the examples above:

softwareupdate --ignore "OSXUpd10.10.5-10.10.5"

I think you'd actually want to leave off the "-10.10.5" at the end (and you don't need--and possible don't want--to put quotes around the identifier).

I don't have a system running 10.12.0, but if you do and run "softwareupdate --list --all" on it, you should see the 10.12.1 update and the identifier to use in the --ignore command. I'd guess it's "macOSUpd10.12.1" so you'd put:

softwareupdate --ignore macOSUpd10.12.1

Note that --ignore does not do any error or logic check. You can have softwareupdate ignore anything and it will list it when you run softwareupdate --ignore, but if the identifier is not correct then it will obviously not ignore it.

KSchroeder
Contributor

Excellent, thanks @pcrandom! I would rather dump our DLP...but that's not quite on the table yet!

I did check with our TAM (he had been out, but got back to me today) and the proper command/identifier is:
softwareupdate --ignore OSXUpdCombo10.12.1

pcrandom
Contributor

@KSchroeder: That's weird; the update itself, when you download it from Apple, is called macosupd10.12.1.dmg (and the installer within the disk image is named macOSUpd10.12.1.pkg).

Since Apple changed the name of the OS with 10.12, I'd be surprised if the update still started with "OS X" for softwareupdate--also, since it's a x.x.1 update, there's no previous updates to 10.12 to combo, so it wouldn't be a combo update either.

Best way to be sure is to find a system running 10.12.0 and run the "softwareupdate --list --all" command on it and see what the listed name is for the 10.12.1 update. I was looking around for a 10.12.0 system to check myself, but I don't have any. If I find a Sierra full installer for 10.12.0, I'll spin up a quick VM to check, but so far I can only find a 10.12.1 full installer.

KSchroeder
Contributor

Finally got a hold of a Mac with 10.12.0 and softwareupdate --list shows:
Software Update Tool
Copyright 2002-2015 Apple Inc.

Finding available software
Software Update found the following new or updated software:
* macOS Sierra Update-10.12.1 macOS Sierra Update (10.12.1), 570194K [recommended] [restart]

Tested and verified that "softwareupdate --ignore "macOS Sierra Update" " hides it; in fact it disappears from the AppStore Updates GUI almost instantly (and comes back just as quickly when you --reset-ignored.

Thanks again for the input!

pcrandom
Contributor

@KSchroeder, you're welcome! Thanks for reporting back. Wow, I am surprised that the update has spaces in the name (and doesn't match the package name), first of all, and secondly doesn't have the version information before the dash. That breaks with their previous naming conventions. It'll be interesting to see what the the 10.12.2 update will be called in softwareupdate.

Note: If you leave "macOS Sierra Update" ignored on your systems, it's possible that it'll ignore other future updates automatically (which you may prefer), whereas ignoring more specifically-named updates would just ignore those and not newer versions of similar updates.