Blocking & Restricting "macOS Monterey 12.x"

GetCart3r
New Contributor III

Screen Shot 2021-10-26 at 9.55.22 AM.png
Incase anyone else is looking to do the same I put a restriction into place today that will block "All Managed" computers from allowing "macOS Monterey 12.x" from running. You just need to restriction "Install macOS Monterey.app" This is the restriction I have in place.


Screen Shot 2021-10-26 at 9.50.34 AM.png

 

If they select to upgrade they will get the following message popup.
Screen Shot 2021-10-26 at 9.49.11 AM.png

 

The only potential work around for someone to bypass this is if they have admin rights to change the name of the application.

 

21 REPLIES 21

junjishimazaki
Valued Contributor

You can also deploy a configuration profile to defer major software updates or send a policy script to block Monterey from the app store "softwareupdate --ignore "macOS Monterey"

This won't work for Big Sur clients, only Catalina.

merlin
New Contributor III

You can restrict also InstallAssistant process if you are worried about people renaming the application.

GetCart3r
New Contributor III

For us if a user has admin rights then we wouldn't be worried about upgrades since few have those rights. I have opened it up with an "Exclusion" group for the local "SysOp" user to run the install. So if we need to ourselves we can do so locally.

sbrammer
New Contributor III

What merlin said is true. I had both setup options for blocking Big Sur installs. The actual Install MacOSxxx.app as well as the InstallAssistant. 

vrivera
New Contributor

Sorry but is this a policy or config profile? 

GetCart3r
New Contributor III

It's "Restricted Software"

MrRoboto
Contributor III

I am using the following 3 methods...

 

On macOS Catalina or earlier - "software update --ignore" command. 

 

On macOS Big Sur - "com.apple.applicationaccess" preference keys to delay major OS updates for 90 days: set "forceDelayedMajorSoftwareUpdates" to true, set "enforcedSoftwareUpdateMajorOSDeferredInstallDelay" to 90.

 

On all versions of macOS - create a Restricted Software entry in Jamf for "InstallAssistant". This prevents any user from running the Install macOS xxx application. However you can still call the startOSinstall command via Terminal.

Louie
New Contributor III

Creating the plist file for com.apple.applicationaccess works great

VintageMacGuy
Contributor II

I have this configured just like the OP screen shot - yet on my Mac, I can launch "Install macOS Monterey.app" with no problem. I can see the process running in Activity monitor matches the name in the Restriction in JAMF. I have done a recon and made sure the machine is in scope. I also see that it lists the Monterey Block restriction as being applied to my Mac - yet it still launches the installer and I can get through to the point of selecting the drive and about to start the install - which is where I quit out of it since I don't want to install it just yet.

VintageMacGuy_0-1635367520061.png

What am I missing?

ba19
New Contributor II

I'm see the same issue as VintageMacGuy. Has anybody seen the same same and find a solution?

sbrammer
New Contributor III

You will also need to restrict the Install Assistant. You can choose which options you want to have,  but you will want to make sure you select the Kill process option. 

 

Block Install Assistant.JPG

 

You can also defer the update for a max of 90 days by creating a config policy, and restricting functionality by deferring major upgrades. If you do this way, the upgrade won't even show up in Software Updates until Day 91. 

ba19
New Contributor II

Thank you. The restricted software method is now working. I had followed the example in the training module and they included the app name in quotes, once the quotes were removed it was restricted.

I have the defer for 90 days set already for major os updates but I also wanted to make sure they app wouldn't run if someone got their hands on the installer.

If InstallAssistant is also being restricted will it also restrict units from updating to a different version, ie. Catalina - BigSur?

sbrammer
New Contributor III

From my experience recently, yes it will block any version. I had a few machines still on Catalina that i was going to upgrade to Big Sur and couldn't figure it out until i realized i had the InstallAssistant applied. So once i excluded the computers, the upgrade worked from Catalina to Big Sur. 

ba19
New Contributor II

Thank you for the quick reply. I'll most likely restrict the InstallAssistant as well and then deal with one offs if needed.

Last question, does restricting InstallAssistant still allow minor OS updates to install? 

sbrammer
New Contributor III

I believe it does still allow it as the computer I am working on right now allowed me to install 11.6.1. It was located under "other updates are available" with a click More Info button.

LA_RX
New Contributor II

Hey everyone, I've been using these methods for quite some time, however, this week looks like the System Preferences Badge has appeared. Is there any method that we can use to hide that badge for OSX Monterey but for it to only appear when any Security Updates are needed? For example right now it's appearing because it wants us to update to OSX Monterey. However, we are blocking this for the time being.

There are no other updates pending at the moment but our staff keep trying to install OSX Monterey even though it's blocked. It's just annoying.

Screen Shot 2021-12-01 at 10.19.01 AM.png

LA_RX
New Contributor II

bwoods
Valued Contributor

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AttentionPrefBundleIDs</key>
<string>0</string>
</dict>
</plist>

 

bwoods
Valued Contributor

bwoods_0-1647442558836.png

 

donmontalvo
Esteemed Contributor III

@bwoods you sir, are my new hero! :)

--
https://donmontalvo.com