10-26-2021 06:04 AM - edited 10-26-2021 06:13 AM
Incase anyone else is looking to do the same I put a restriction into place today that will block "All Managed" computers from allowing "macOS Monterey 12.x" from running. You just need to restriction "Install macOS Monterey.app" This is the restriction I have in place.
If they select to upgrade they will get the following message popup.
The only potential work around for someone to bypass this is if they have admin rights to change the name of the application.
Posted on 10-26-2021 06:40 AM
You can also deploy a configuration profile to defer major software updates or send a policy script to block Monterey from the app store "softwareupdate --ignore "macOS Monterey"
Posted on 10-26-2021 06:48 AM
This won't work for Big Sur clients, only Catalina.
Posted on 10-26-2021 06:44 AM
You can restrict also InstallAssistant process if you are worried about people renaming the application.
Posted on 10-26-2021 06:55 AM
For us if a user has admin rights then we wouldn't be worried about upgrades since few have those rights. I have opened it up with an "Exclusion" group for the local "SysOp" user to run the install. So if we need to ourselves we can do so locally.
Posted on 10-28-2021 06:06 AM
What merlin said is true. I had both setup options for blocking Big Sur installs. The actual Install MacOSxxx.app as well as the InstallAssistant.
Posted on 10-26-2021 07:40 AM
Sorry but is this a policy or config profile?
Posted on 10-26-2021 07:52 AM
It's "Restricted Software"
Posted on 10-26-2021 08:46 AM
I am using the following 3 methods...
On macOS Catalina or earlier - "software update --ignore" command.
On macOS Big Sur - "com.apple.applicationaccess" preference keys to delay major OS updates for 90 days: set "forceDelayedMajorSoftwareUpdates" to true, set "enforcedSoftwareUpdateMajorOSDeferredInstallDelay" to 90.
On all versions of macOS - create a Restricted Software entry in Jamf for "InstallAssistant". This prevents any user from running the Install macOS xxx application. However you can still call the startOSinstall command via Terminal.
Posted on 10-26-2021 02:53 PM
Creating the plist file for com.apple.applicationaccess works great
10-27-2021 01:43 PM - edited 10-27-2021 01:45 PM
I have this configured just like the OP screen shot - yet on my Mac, I can launch "Install macOS Monterey.app" with no problem. I can see the process running in Activity monitor matches the name in the Restriction in JAMF. I have done a recon and made sure the machine is in scope. I also see that it lists the Monterey Block restriction as being applied to my Mac - yet it still launches the installer and I can get through to the point of selecting the drive and about to start the install - which is where I quit out of it since I don't want to install it just yet.
What am I missing?
Posted on 10-28-2021 06:21 AM
I'm see the same issue as VintageMacGuy. Has anybody seen the same same and find a solution?
Posted on 10-28-2021 06:51 AM
You will also need to restrict the Install Assistant. You can choose which options you want to have, but you will want to make sure you select the Kill process option.
You can also defer the update for a max of 90 days by creating a config policy, and restricting functionality by deferring major upgrades. If you do this way, the upgrade won't even show up in Software Updates until Day 91.
Posted on 10-28-2021 07:20 AM
Thank you. The restricted software method is now working. I had followed the example in the training module and they included the app name in quotes, once the quotes were removed it was restricted.
I have the defer for 90 days set already for major os updates but I also wanted to make sure they app wouldn't run if someone got their hands on the installer.
If InstallAssistant is also being restricted will it also restrict units from updating to a different version, ie. Catalina - BigSur?
Posted on 10-28-2021 07:49 AM
From my experience recently, yes it will block any version. I had a few machines still on Catalina that i was going to upgrade to Big Sur and couldn't figure it out until i realized i had the InstallAssistant applied. So once i excluded the computers, the upgrade worked from Catalina to Big Sur.
Posted on 10-28-2021 07:52 AM
Thank you for the quick reply. I'll most likely restrict the InstallAssistant as well and then deal with one offs if needed.
Last question, does restricting InstallAssistant still allow minor OS updates to install?
Posted on 10-28-2021 08:45 AM
I believe it does still allow it as the computer I am working on right now allowed me to install 11.6.1. It was located under "other updates are available" with a click More Info button.
Posted on 12-01-2021 07:21 AM
Hey everyone, I've been using these methods for quite some time, however, this week looks like the System Preferences Badge has appeared. Is there any method that we can use to hide that badge for OSX Monterey but for it to only appear when any Security Updates are needed? For example right now it's appearing because it wants us to update to OSX Monterey. However, we are blocking this for the time being.
There are no other updates pending at the moment but our staff keep trying to install OSX Monterey even though it's blocked. It's just annoying.
Posted on 12-06-2021 11:56 AM
If anyone is wondering I found this method by @AdamCraig here: https://community.jamf.com/t5/jamf-pro/adding-macos-catalina-to-the-restriction-list/m-p/162870/high...
Thanks!
03-16-2022 07:54 AM - edited 03-17-2022 08:52 AM
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AttentionPrefBundleIDs</key>
<string>0</string>
</dict>
</plist>
Posted on 03-16-2022 07:56 AM
Posted on 06-13-2022 06:29 AM
@bwoods you sir, are my new hero! :)