Jamf Nation Community

That's a nice list, but that's for blocking the beta. Now that the real one is live we need to block it all.

@vanschip-gerard vanschi in the past three os updates we always used "Restricted Software" to block InstallAssistant
Maybe that no longer works though and i need to recheck it

Restriction is Working " Install macOS Big Sure.app" confirmed! I also create restriction to block "osinstallersetupd " as well.

@nikjamf , does Jamf's Restricted Software of "Install macOS Big Sur.app" work if a user clicks Upgrade Now on Big Sur inside System Preferences -> Software Update?
Just curious how your users tried to upgrade

@cingalls cingallwe found that blocking macOs Install does in fact restrict the installation of the od upgrade. But, if the user changes the bame of that app it installed fine. This was the reason we decided to restrict the hidden installassistant app instead.
This is my 2 cents worth anyway.

@cingalls Well, after checking the blockage of Big Sur install... Yes, the restrict install does come up with a message, but then allows it anyways.
I will be following this posting for sure.
Any other ideas are welcome.

Hey guys, I found that I had an unchecked "Kill Process" which made a difference. We could also delete the application but decided we would need it later.
I also renamed the App to "Install masOS Install.app copy" and it did in fact stop the install.
WAHOOOOO!

Still rather new on this process, but I copied the exact information as the previous message, but it is still downloading the App. Does it download and then kill the install?

@rhooper that process worked for me. Once it downloads completely and you launch it to install it blocks immediately. Works both from the Applications folder or System Preference when you click "Update Now". Does anyone know how to get rid of the notification to update as well? So it doesn't nag with that "1" on System Preferences.

@everhelst Yes, it does install it, but then blocks the installation of the app. You can also have it delete the application altogether.... but we may need to call upon it at another time in the near future.

You can set it to delete it after it downloads. However, that doesn't stop people from redownloading it over and over again plus its a hefty file size... I'd just leave it and restrict the opening of the .app file.

I've had some users google-foo unenrolling from Jamf and then doing what they want. Only way I can catch them is to change the name on the user-enrollment page/account. If someone is an Admin, and has 2¢ of sense, they can get around it.
That's not my issue though - I just send emails to those that own the space and let them/HR deal with the problem children...

I do a couple of things to block it.

1. I block the .app with restricted software and set it to delete the installer when run. This will get most users unless their savvy enough to rename the app.

2. I disable the Big Sur update form even showing up in the native Software Update GUI with the command below. This will hide it until reset. So no prompts in native GUI no matter what they do. Even if you go to the Apple Store and try you get the attached message. Note that this command will no longer work in BigSur but works in Catalina down. So we will need to figure out something else for whatever surpasses BigSur. sudo softwareupdate --ignore "macOS Big Sur"
   

3. We simply notify our users.. "hey, don't install this yet until we confirm our security agents and config are good. "

EDIT: @scottb we do a few things like requiring one of our Agents to use VPN, and network scans for unmanaged machines to fine those turkeys. When they can connect to VPN they call in crying. We re-enroll them. We also make tickets for the help desk to force them back to Catalina :)

I think you're out of luck if you've got the 10.15.5 & 2020-03 update (because the --ignore flag no longer functions after this update) BUT if you're 10.15.4 or in Mojave I guess that's still a viable option.
Link: https://mrmacintosh.com/10-15-5-2020-003-updates-changes-to-softwareupdate-ignore/

I'm hesitant to mention this because I like loopholes ;), however if you want to restrict Big Sur by bundle ID (which will make it harder for those "savvy" users) then you should check out this:
Link: https://github.com/hjuutilainen/bigsurblocker

Too bad Apple doesn't care that many of their users can't simply buy new hardware and/or update third-party mission critical software that doesn't work on their new releases [at launch].

@ScottSimmons - same here. Running that policy (script) daily to keep most in line. Only four out of ~1000 on one instance have managed to bypass, so I am OK at this point.
All I'm trying to say is that beyond some basic, low-bar methods, I'm not killing myself to herd cats.

@ScottSimmons How is the command setup? As a policy? I'm a bit green, trying to also get this done for my org.

@vanschip-gerard what payload do you use to create the config profile to delay software updates ? I'm trying to test the delay of macOS Big Sur using option #2 below. I have option #1 working for Big Sur

Its my understanding that the 2 main methods for blocking software updates are:
1. softwareupdate --ignore "macOS 10.13.4 Update"
2. configuration profile where you can delay it.

nevermind i found it configuration profile --> restriction --> functionality

Run this as ongoing. As long as there's no notification there's nothing compelling them to upgrade. All this does is turn off the notifications. Works on (at least) mojave and catalina

#!/bin/sh
rm -rf /Library/Bundles/OSXNotification.bundle

softwareupdate --ignore macOSInstallerNotification_GM