Jamf Nation Community

We have that same problem. It seems to be going by the file name and not the actual process name so changing the file name will not stop the install. We have come up with a solution that appears to be working for us.

We have setup a Software restriction for the 'InstallAssistant'. This is what is actually running from within 'Install OS X El Capitan.app' and restricting it seems to work.

Strider, does that not block the installation of other apps?

Tbathe,

So Install OS X El Capitan.app will block it?

Thanks,

Yes, if you enabled the Restrict exact process name, you'll need to add ".app"

Or you can disable that option and leave it as is.

Also, not sure how long it takes to replicate to the entire environment, so for testing, I ran 'sudo jamf manage' to apply the restriction immediately.

Please note, it will still show up as a viable download to any users who go to the App Store. There's nothing you can do (to my knowledge) to stop that. Additionally, I would not delete the application, mainly because then a user might seek to download all 6GB yet again... and again... and again... multiplied by the number of devices you have.

This may be of some interest

https://onemoreadmin.wordpress.com/2015/10/01/paradise-island-hiding-el-capitans-free-upgrade-banner/

@Kaltsas

Awesome! Thanks!!

This worked for us..

Thanks all, policy implemented last night and blocking nicely !!!

Where do you guys set it within the policy. I don't see 'Process Name' under any category within Policy creation process. Is it under Files and Processes? Maybe mine looks different because we are still on 9.73?

What would be the trigger for something like this?

Got it. Appreciate the quick response @btaitt ! Thanks much!

just as an FYI - I had "Install OS X*" and it blocked a 10.10.5 upgrade package from the Mac App Store..

I need to go back and run s'more tests to confirm.

@jwojda not unexpected, which is why I use "Install OS X El Capitan"

Have not tested it, but you might be able to avoid having the regular OS X updates being blocked by using
"Install OS X*.app" since the updaters from the App Store are not .apps, they are in .pkg format.
Again, not tested, so if anyone has tried that and it doesn't work, just ignore me, or tell me I'm wrong. :)

As an aside, we still just block "InstallAssistant" and works for us. The only downside, if you consider it one, is that you can't delete the whole .app bundle that way. You can delete the binary, which makes the .app useless though.

I have not had success by blocking "Install OS X El Capitan" with "Restrict exact process name" checked. It will work for matching the filename and quitting the installer from /Applications but if the file is renamed it will launch and not quit. If the file is moved to any other directory, it will launch and not quit.

What has been successful for me in all testing has been blocking "InstallAssistant" with exact process name checked. By blocking that process name it doesn't matter what the .app is named or where it is launched from. This may negatively affect your environment if you deploy OS upgrades via the installer app but since I do not do OS upgrades that way it has worked flawlessly to prevent unapproved OS upgrades.

Good work on this method for hiding the banner in App Store.

Anyone had any joy suppressing the Notification Centre notifications for this?

Um, apologies for stepping into this space, but this web page was near the top of my google search for how to prevent El Capitan from installing. I am not a programmer or system admin (other than being the "admin" of my solo macbook), so I feel a bit like I walked into a private party... Still hoping you can help.

My colleague has been plagued with problems since allowing El Capitan to be installed through a system update, and I recently went to the App Store to update other software on my Macbook Pro, and El Capitan started an automatic install. I believe I stopped it; I must have; I'm still running Yosemite. But um, I'd like to prevent it, but I have no idea what this "policy" thing is that I need to edit.

I'm a one-person show, know enough tech to be both a joy and a headache to folks like you, am willing to be (though extremely cautious about) editing files only accessible on the terminal screen. (I started using computers back in the DOS days...)

Is there anything little ol' me can do on my solo computer to stop this madness called El Capitan?

Many heartfelt thanks.

JSS in Bethesda, MD

Hi @notanITadmin This isn't a private forum or club. Its open to all, however, its mostly for Mac IT admins managing large numbers of Macs in schools or organizations. Still, no worries on asking a question.

So, first thing is, I'm not sure what your colleague experienced, but, OS X El Capitan does not automatically install itself. It needs to be downloaded as an app from the Mac App Store application on a Mac. To do that, you need an App Store account and be signed into it, but even at that, it won't just install itself when doing normal OS X updates, unless the Mac is already running some version of it. If its on an older release like Yosemite or Mavericks, etc, it won't install as part of the regular update process. Apple does put up buttons, banners and other items that will bring you to the El Capitan page to start an installation though, so maybe one of those items was clicked on and he or you were brought to that page.

If your Mac is still on Yosemite and you want to keep it that way for the time being, one thing that may help is, go into the App Store application on your Mac. On the Updates tab, you may see a big banner for El Capitan up top. if so, there will also be a button labeled "Free Upgrade" If you right or Control click on that button you should see a menu come up with a single "Hide Update" item in it. Choose that and the El Capitan banner will go away, at least for now. You may need to do that every so often as Apple issues updated versions of it. I think they reappear when it sees its a revved version, but I'm not certain on that.

You may also want to look at the link posted by danf_b just above yours. The info on the link may help with preventing the banner from appearing in the App Store. I haven't played with that, but worth looking at.

Lastly, your initials had me do a double take. "JSS" happens to also be the initialism used a lot on this forum for the main product we use, called "JAMF Software Server", so that was pretty funny to see. Maybe you came to the right place. :)

Good luck.

@mm2270,

Thanks for the welcome and the response. I'm 90% positive that I did not click on "install update" or some variation of that, but instead clicked on "go to App Store" and as soon as I did, a window popped up saying "Installing El Capitan..." with the progress bar going. So I'm a bit leary about going back to the App Store, but I will try your suggestion. My colleague definitely clicked on "install update" and has regretted it ever since.

Re: JSS-- funny coincidence, but no, those are my real initials, and I have no idea what JAMF Software Server is. ;-)

4 Quick Questions on this topic , 1. Does the software designation have to be exactly "Install OS X El Capitan.app" for the policy to work ?

1. Can I enable this restricted software policy without affecting existing instances of El Capitan on my network ? Or will I need to make Exclusions ?

2. I notice that there was one difference in the two Restricted software policies above : a. Has Deleted Application b. Doesn't have this option Checked

3. Does this ONLY block APP store installation attempts or will this also block a user from bringing a flash drive with OSX el capitan installer as well ? And if not what can be done to block that as well?

Thanks

@GNegron2015

I had individual restrictions for each release of OS X that appeared in the App Store. Since this thread, I changed it to be One Restriction to Rule Them All.

Process Name: Install OS X *

(See attached Image)

What you lose is 'accurate' accounts of which installer they tried to install.. but in my environment, I don't care. I don't want them to try to install any upgrade as that typically leads to more work for the Help Desk and the Field Techs.

Now to answer your questions:

1. You can, and it won't effect existing El Caps. It only comes into play when people try to run the installer. If you want a user to be able to run it on a device, then either add that device as an exclusion, or create a static group that is part of the exclusion list of the restriction, and then add devices to that.
2. So, I feel like this used to be different, but I've not used it for so long, I don't know. I thought I used to be able to chose the delete without having to chose the "Exact" box. But that's not the case now. The * doesn't work in this case and I'd have to go back to having 5 different restrictions. So, in order to leave my restriction as is, I wrote a script to check devices to see if they had any of the installers and then remove them.
3. This (should) block any attempt to run "Install OS X blah", no matter what the source, download, copied from share, USB, whatever. If one were to change the name of the installer, that would be sufficient to circumvent it, so it's not foolproof (and might be where the * is more helpful).

Thanks Yellow, I've got to get cracking on blocking this as it's been rumored to break some functioning apps.

Thanks Again Gino

I implemented this months ago and has been working great, any JAMF managed Mac cannot update to 10.11 El Cap in the Apple App Store, But....

this also seems to have blanket prohibited any Mac from Updating at all, meaning 10.10x Macs to the latest 10.10.5.

I have to manually Add Mac names to the my Static Excluded group, and this just sucks, time consuming.

Am I missing something? Thx in advance

John K

Hi everyone my query is whether it will only restrict the mac app store apps or any apps which is present in mac eg(adobe applications)