Blocking macOS updates, working method?

vanschip-gerard
Contributor

It's my understanding that the 2 main methods for blocking software updates are:
1. softwareupdate --ignore "macOS 10.13.4 Update"
2. configuration profile where you can delay it.

Method 1 does not seem to work for me. I have even tried the command on my local machine, added Catalina itself and 10.15.4 and 10.15.5, yet System Preferences keeps nagging me to update.

Anyone know of a sure way to block the update? 10.15.4 and up breaks some internal software and me repeatedly telling users to not update is always greeted by a "wooops".

19 REPLIES

dan-snelson
Valued Contributor II

@vanschip-gerard "5. How To Block macOS Big Sur 11.0" from @ClassicII's "macOS Big Sur 11.0 - Updated Index of Need to Know Changes & Links!" may prove helpful.

retsejme
New Contributor

That's a nice list, but that's for blocking the beta. Now that the real one is live we need to block it all.

rhooper
Contributor III

@vanschip-gerard In the past three OS updates we always used "Restricted Software" to block InstallAssistant.
Maybe that no longer works though, and I need to recheck it.

nikjamf
New Contributor III

Restriction is working, "Install macOS Big Sur.app" confirmed! I also created a restriction to block "osinstallersetupd" as well.

cingalls
New Contributor II

@nikjamf, does Jamf's Restricted Software of "Install macOS Big Sur.app" work if a user clicks Upgrade Now on Big Sur inside System Preferences -> Software Update?
Just curious how your users tried to upgrade.

rhooper
Contributor III

@cingalls We found that blocking macOS Install does in fact restrict the installation of the OS upgrade. But if the user changes the name of that app, it installed fine. This was the reason we decided to restrict the hidden installassistant app instead.
This is my 2 cents worth anyway.

rhooper
Contributor III

@cingalls Well, after checking the blockage of Big Sur install... Yes, the restrict install does come up with a message, but then allows it anyways.
I will be following this posting for sure.
Any other ideas are welcome.

rhooper
Contributor III

Hey guys, I found that I had an unchecked "Kill Process" which made a difference. We could also delete the application but decided we would need it later.
I also renamed the App to "Install masOS Install.app copy" and it did in fact stop the install.
WAHOOOOO!

everhelst
New Contributor

Still rather new on this process, but I copied the exact information as the previous message, but it is still downloading the App. Does it download and then kill the install?

kmortiere
New Contributor

@rhooper that process worked for me. Once it downloads completely and you launch it to install, it blocks immediately. Works both from the Applications folder or System Preferences when you click "Update Now". Does anyone know how to get rid of the notification to update as well? So it doesn't nag with that "1" on System Preferences.

rhooper
Contributor III

@everhelst Yes, it does install it, but then blocks the installation of the app. You can also have it delete the application altogether.... but we may need to call upon it at another time in the near future.

JKingsnorth
Contributor

You can set it to delete it after it downloads. However, that doesn't stop people from redownloading it over and over again, plus it's a hefty file size... I'd just leave it and restrict the opening of the .app file.

scottb
Honored Contributor

I've had some users google-foo unenrolling from Jamf and then doing what they want. Only way I can catch them is to change the name on the user-enrollment page/account. If someone is an Admin, and has 2¢ of sense, they can get around it.
That's not my issue though - I just send emails to those that own the space and let them/HR deal with the problem children...

Scotty
Contributor

I do a couple of things to block it.

  1. I block the .app with restricted software and set it to delete the installer when run. This will get most users unless they're savvy enough to rename the app.

  2. I disable the Big Sur update from even showing up in the native Software Update GUI with the command below. This will hide it until reset. So no prompts in native GUI no matter what they do. Even if you go to the Apple Store and try, you get the attached message. Note that this command will no longer work in Big Sur but works in Catalina down. So we will need to figure out something else for whatever surpasses Big Sur.
     sudo softwareupdate --ignore "macOS Big Sur"

  3. We simply notify our users: "Hey, don't install this yet until we confirm our security agents and config are good."

EDIT: @scottb we do a few things like requiring one of our Agents to use VPN, and network scans for unmanaged machines to find those turkeys. When they can't connect to VPN they call in crying. We re-enroll them. We also make tickets for the help desk to force them back to Catalina :)

Caleb
New Contributor

I think you're out of luck if you've got the 10.15.5 & 2020-03 update (because the --ignore flag no longer functions after this update) BUT if you're 10.15.4 or in Mojave I guess that's still a viable option.
Link: https://mrmacintosh.com/10-15-5-2020-003-updates-changes-to-softwareupdate-ignore/

I'm hesitant to mention this because I like loopholes ;), however if you want to restrict Big Sur by bundle ID (which will make it harder for those "savvy" users) then you should check out this:
Link: https://github.com/hjuutilainen/bigsurblocker

Too bad Apple doesn't care that many of their users can't simply buy new hardware and/or update third-party mission critical software that doesn't work on their new releases [at launch].
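
The rename bypass and the bundle-ID approach discussed in this thread, as an added example (not part of any post here and not code from bigsurblocker): a Python scan that matches installers by file name and by CFBundleIdentifier over constructed .app skeletons. The bundle ID value, the sample app names and all function names are assumptions of this example.

```python
import plistlib
import tempfile
from pathlib import Path

# Assumption: bundle ID of the Big Sur installer; confirm it against the
# Info.plist of a real installer before relying on it.
BLOCKED_BUNDLE_IDS = {"com.apple.InstallAssistant.macOSBigSur"}
BLOCKED_NAMES = {"Install macOS Big Sur.app"}

def bundle_id(app: Path):
    """Return CFBundleIdentifier of an .app bundle, or None if unreadable."""
    try:
        with open(app / "Contents" / "Info.plist", "rb") as fh:
            return plistlib.load(fh).get("CFBundleIdentifier")
    except (OSError, ValueError, AttributeError):
        return None

def find_by_name(root: Path):
    """Name-based match: the approach a rename of the .app defeats."""
    return sorted(p.name for p in root.glob("*.app") if p.name in BLOCKED_NAMES)

def find_by_bundle_id(root: Path):
    """Bundle-ID match: unaffected by renaming the .app directory."""
    return sorted(p.name for p in root.glob("*.app")
                  if bundle_id(p) in BLOCKED_BUNDLE_IDS)

def make_app(root: Path, name: str, ident: str):
    """Build a constructed, minimal .app skeleton for the demo."""
    contents = root / name / "Contents"
    contents.mkdir(parents=True)
    with open(contents / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": ident}, fh)

def demo():
    """Scan a constructed Applications folder with both matchers."""
    installer_id = "com.apple.InstallAssistant.macOSBigSur"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_app(root, "Install macOS Big Sur.app", installer_id)
        make_app(root, "Renamed Installer.app", installer_id)  # same bundle, new name
        make_app(root, "Safari.app", "com.apple.Safari")
        (root / "Broken.app").mkdir()  # no Info.plist: scan must not crash
        return find_by_name(root), find_by_bundle_id(root)

if __name__ == "__main__":
    print(demo())
```
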

scottb
Honored Contributor

@ScottSimmons - same here. Running that policy (script) daily to keep most in line. Only four out of ~1000 on one instance have managed to bypass, so I am OK at this point.
All I'm trying to say is that beyond some basic, low-bar methods, I'm not killing myself to herd cats.

bayareaautomato
New Contributor II

@ScottSimmons How is the command set up? As a policy? I'm a bit green, trying to also get this done for my org.

tcandela
Valued Contributor II

@vanschip-gerard What payload do you use to create the config profile to delay software updates? I'm trying to test the delay of macOS Big Sur using option #2 below. I have option #1 working for Big Sur.

It's my understanding that the 2 main methods for blocking software updates are:
1. softwareupdate --ignore "macOS 10.13.4 Update"
2. configuration profile where you can delay it.

Never mind, I found it: configuration profile --> restriction --> functionality

larry_barrett
Valued Contributor

Run this as ongoing. As long as there's no notification there's nothing compelling them to upgrade. All this does is turn off the notifications. Works on (at least) Mojave and Catalina.

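#!/bin/sh
# Remove the bundle that displays the macOS upgrade notification.
rm -rf /Library/Bundles/OSXNotification.bundle

# Tell softwareupdate to ignore the installer notification item.
softwareupdate --ignore macOSInstallerNotification_GM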