Blocking the newest macOS

AlistairCarr
New Contributor II

Hi, we need to implement a software restriction policy for the new macOS prior to it being released.

Does anyone know the name of the installer .app to block, or has that not been released yet?

Thanks as always in advance


blackholemac
Valued Contributor III

What I do is set restricted software to block "Install macOS Sierra.app" and slap a firmware password on the Mac for anyone with bright ideas on upgrading before we are ready.

That should shut down all but the very most determined.

blackholemac
Valued Contributor III

To give you an idea...if users don't have admin rights, restricted software is set and firmware password is set that blocks most vectors including target disk mode.

The only other way I know involves having physical access to their hard disk drive/flash storage and I won't detail that here in case my end users are watching this.

scottb
Honored Contributor

AlistairCarr
New Contributor II

@scottb brilliant, thank you

iJake
Valued Contributor

We wrote a LaunchAgent that watches for the Sierra Installer process and, if it finds it, kills it and then alerts the user, sending them to our community post about how to properly upgrade. The Software Restriction popups are just too limiting. This is the script that the LaunchAgent calls. We want to prompt with Yo.app as it's branded for us and much nicer looking, but if it's missing we fall back to jamfHelper.

#!/bin/bash

# Called by a LaunchAgent: wait for the Sierra installer to launch, kill it,
# then tell the user how to upgrade properly. Prompts with Yo.app when it is
# present and falls back to jamfHelper otherwise.

NCutil="/Path/To/NCutil.py"
yo="/Path/To/yo.app/Contents/MacOS/yo"
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
title="Manual OS Upgrade Alert"
icon="/Applications/Install macOS Sierra.app/Contents/Resources/InstallAssistant.icns"
installer="Install macOS Sierra.app/Contents/MacOS/InstallAssistant"

# PIDs of any running installer. pgrep excludes itself, so no "grep -v grep" is needed.
installerPIDs()
{
    pgrep -f "$installer"
}

# Register Yo in Notification Center as an alert that also shows on the lock screen.
yoNotifSettings()
{
    "$NCutil" -i com.github.sheagcraig.yo
    "$NCutil" -a alerts com.github.sheagcraig.yo
    "$NCutil" --show-on-lock-screen true com.github.sheagcraig.yo
    sleep 2
}

# $1 = subtitle, $2 = info text, $3 = name of the fallback function to call if Yo is missing.
yoPrompt()
{
    if [[ -e "$yo" ]]; then
        yoNotifSettings
        "$yo" -d -t "$title" -b "Continue" -B "open https://URLGOESHERE" -s "$1" -n "$2" -p -i "$icon"
    else
        "$3"
    fi
}

# jamfHelper fallback. The path contains a space, so it must be quoted when invoked.
osUpgradeAlertPrompt()
{
    msg="Message.

Goes here.

Can be multiple lines."
    "$jamfHelper" -windowType utility -title "$title" -description "$msg" -icon "$icon" -button1 "Continue" -defaultButton 1 -lockHUD -startlaunchd -windowPosition ur
    open https://URLGOESHERE
}

# Poll until the installer process appears.
until installerPIDs >/dev/null; do
    sleep 5
done

echo "OS Installer Detected. Killing and alerting..."
kill $(installerPIDs)
yoPrompt "Manual Upgrade Detected" "Click Continue to follow the Cisco Guide" "osUpgradeAlertPrompt"

exit 0
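The following is an added example, not code from iJake's post or from any Jamf tool, of the watcher together with the LaunchAgent plist that drives it (the post above mentions the agent but does not show it). Detection runs over `ps -axo pid=,command=` output so it can be tested offline against constructed sample lines, and the pattern is widened to any "Install macOS <Name>.app" so one agent covers Sierra, High Sierra and Mojave. The agent label com.example.block-os-installer, the script path and the sample process list are hypothetical. Because the match is on the bundle path, a user who renames or copies the installer app, or boots from external media, walks straight past it: this is the nuisance layer, and the firmware password blackholemac describes remains the real control.

```bash
#!/bin/bash
# Added example, not code from the original thread. A LaunchAgent-driven
# watcher that finds any "Install macOS <Name>.app" InstallAssistant process
# (Sierra, High Sierra, Mojave, ...) and kills it. The agent label and script
# path are hypothetical placeholders.

# Match the installer's executable path. The leading "/" keeps the pattern
# from matching its own command line or a stray "grep" for the same string.
# "[.]" rather than "\." avoids awk's escape handling in -v assignments.
INSTALLER_RE='/Install macOS [A-Za-z ]+[.]app/Contents/MacOS/InstallAssistant'
AGENT_LABEL='com.example.block-os-installer'   # hypothetical label

# installer_pids: read "pid command" lines (as printed by `ps -axo pid=,command=`)
# on stdin and print the PID of each running installer, one per line.
installer_pids() {
    awk -v re="$INSTALLER_RE" '$0 ~ re { print $1 }'
}

# sample_ps: constructed ps output for offline testing; line 3 imitates the
# "grep" self-match the original script had to filter out with "grep -v grep".
sample_ps() {
    cat <<'EOF'
  412 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
 2213 /Applications/Install macOS Sierra.app/Contents/MacOS/InstallAssistant -psn_0_123
 2290 grep Install macOS Sierra.app/Contents/MacOS/InstallAssistant
 3101 /Applications/Install macOS Mojave.app/Contents/MacOS/InstallAssistant
 3150 /Users/bob/Desktop/Install macOS High Sierra.app/Contents/MacOS/InstallAssistant
EOF
}

# watch_and_kill: poll every 5 s; kill the installer once it appears, then
# return so launchd (KeepAlive) restarts the agent for the next attempt.
watch_and_kill() {
    while :; do
        pids="$(ps -axo pid=,command= | installer_pids)"
        if [ -n "$pids" ]; then
            echo "OS installer detected (pid: $pids), killing"
            # shellcheck disable=SC2086  # one PID per word is intended
            kill $pids
            return 0
        fi
        sleep 5
    done
}

# write_launchagent PLIST SCRIPT: emit the LaunchAgent that runs SCRIPT in
# the user's session and relaunches it whenever it exits.
write_launchagent() {
    plist="$1"; script="$2"
    cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$AGENT_LABEL</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/bash</string>
        <string>$script</string>
        <string>--watch</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
    <key>ThrottleInterval</key>
    <integer>5</integer>
</dict>
</plist>
EOF
}

# Only enter the polling loop when invoked as the agent (with --watch), so the
# file can also be sourced to test installer_pids and write_launchagent.
if [ "${1-}" = "--watch" ]; then
    watch_and_kill
fi
```

To deploy, write the plist into /Library/LaunchAgents with write_launchagent and load it into the user's session with launchctl. Note that the agent runs in the user's own session, where the user can unload it; it stops the casual double-click on the installer, nothing more.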

dmichels
Contributor II

Why not set up "Restricted Software" in the JSS, which will delete the app if a user tries to run it?

"Restricted Software"

Display Name "Install macOS Sierra.app"

Process Name "Install macOS Sierra.app"

X - Restrict exact process name

X - Delete application
X - Delete the application running the restricted process
X - Send email notification on violation

X - Kill process

Message: Process has been killed, Help Desk is not ready to install this Mac OS X.

blackholemac
Valued Contributor III

I am with @dmichels but that's only half of it... if you don't add a firmware password, that only blocks the cursory upgrader... adding the firmware password blocks target disk mode and someone getting cute building a bootable thumb drive.

vickih
Contributor

@blackholemac that really helped me out, thank you! Of course I got impatient wondering why it didn't catch the downloading of the macOS installer. The system caught it when the installer launched.

scottb
Honored Contributor

Yeah, there's some twisted satisfaction when you set to "delete" the installer...I know I shouldn't feel that way but... :)

MatG
Contributor III

@dmichels is correct; it takes 2 minutes to set up. For Mojave the app name is Install macOS Mojave.app

We add a little note in the message area saying we are working on bringing it as soon as possible.