Jamf Nation Community

GetCart3r · ‎10-26-2021

Incase anyone else is looking to do the same I put a restriction into place today that will block "All Managed" computers from allowing "macOS Monterey 12.x" from running. You just need to restriction "Install macOS Monterey.app" This is the restriction I have in place.

If they select to upgrade they will get the following message popup.

The only potential work around for someone to bypass this is if they have admin rights to change the name of the application.

junjishimazaki · ‎10-26-2021

You can also deploy a configuration profile to defer major software updates or send a policy script to block Monterey from the app store "softwareupdate --ignore "macOS Monterey"

jtrant · ‎10-26-2021

This won't work for Big Sur clients, only Catalina.

merlin · ‎10-26-2021

You can restrict also InstallAssistant process if you are worried about people renaming the application.

GetCart3r · ‎10-26-2021

For us if a user has admin rights then we wouldn't be worried about upgrades since few have those rights. I have opened it up with an "Exclusion" group for the local "SysOp" user to run the install. So if we need to ourselves we can do so locally.

sbrammer · ‎10-28-2021

What merlin said is true. I had both setup options for blocking Big Sur installs. The actual Install MacOSxxx.app as well as the InstallAssistant.

vrivera · ‎10-26-2021

Sorry but is this a policy or config profile?

GetCart3r · ‎10-26-2021

It's "Restricted Software"

MrRoboto · ‎10-26-2021

I am using the following 3 methods...

On macOS Catalina or earlier - "software update --ignore" command.

On macOS Big Sur - "com.apple.applicationaccess" preference keys to delay major OS updates for 90 days: set "forceDelayedMajorSoftwareUpdates" to true, set "enforcedSoftwareUpdateMajorOSDeferredInstallDelay" to 90.

On all versions of macOS - create a Restricted Software entry in Jamf for "InstallAssistant". This prevents any user from running the Install macOS xxx application. However you can still call the startOSinstall command via Terminal.

Louie · ‎10-26-2021

Creating the plist file for com.apple.applicationaccess works great

VintageMacGuy · ‎10-27-2021

I have this configured just like the OP screen shot - yet on my Mac, I can launch "Install macOS Monterey.app" with no problem. I can see the process running in Activity monitor matches the name in the Restriction in JAMF. I have done a recon and made sure the machine is in scope. I also see that it lists the Monterey Block restriction as being applied to my Mac - yet it still launches the installer and I can get through to the point of selecting the drive and about to start the install - which is where I quit out of it since I don't want to install it just yet.

What am I missing?

ba19 · ‎10-28-2021

I'm see the same issue as VintageMacGuy. Has anybody seen the same same and find a solution?

sbrammer · ‎10-28-2021

You will also need to restrict the Install Assistant. You can choose which options you want to have, but you will want to make sure you select the Kill process option.

You can also defer the update for a max of 90 days by creating a config policy, and restricting functionality by deferring major upgrades. If you do this way, the upgrade won't even show up in Software Updates until Day 91.

ba19 · ‎10-28-2021

Thank you. The restricted software method is now working. I had followed the example in the training module and they included the app name in quotes, once the quotes were removed it was restricted.

I have the defer for 90 days set already for major os updates but I also wanted to make sure they app wouldn't run if someone got their hands on the installer.

If InstallAssistant is also being restricted will it also restrict units from updating to a different version, ie. Catalina - BigSur?

sbrammer · ‎10-28-2021

From my experience recently, yes it will block any version. I had a few machines still on Catalina that i was going to upgrade to Big Sur and couldn't figure it out until i realized i had the InstallAssistant applied. So once i excluded the computers, the upgrade worked from Catalina to Big Sur.

ba19 · ‎10-28-2021

Thank you for the quick reply. I'll most likely restrict the InstallAssistant as well and then deal with one offs if needed.

Last question, does restricting InstallAssistant still allow minor OS updates to install?

sbrammer · ‎10-28-2021

I believe it does still allow it as the computer I am working on right now allowed me to install 11.6.1. It was located under "other updates are available" with a click More Info button.

LA_RX · ‎12-01-2021

Hey everyone, I've been using these methods for quite some time, however, this week looks like the System Preferences Badge has appeared. Is there any method that we can use to hide that badge for OSX Monterey but for it to only appear when any Security Updates are needed? For example right now it's appearing because it wants us to update to OSX Monterey. However, we are blocking this for the time being.

There are no other updates pending at the moment but our staff keep trying to install OSX Monterey even though it's blocked. It's just annoying.

LA_RX · ‎12-06-2021

If anyone is wondering I found this method by @AdamCraig here: https://community.jamf.com/t5/jamf-pro/adding-macos-catalina-to-the-restriction-list/m-p/162870/high...

Thanks!

bwoods · ‎03-16-2022

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AttentionPrefBundleIDs</key>
<string>0</string>
</dict>
</plist>

bwoods · ‎03-16-2022

donmontalvo · ‎06-13-2022

@bwoods you sir, are my new hero! :)

--
https://donmontalvo.com

Jamf Nation Community

Blocking & Restricting "macOS Monterey 12.x"