Posted on 09-09-2016 01:18 AM
Hi, we need to implement a software restriction policy for the new MacOS prior to it being released
Does anyone know the name of the installer .app to block or has that not been released yet ?
Thanks as always in advance
Solved! Go to Solution.
Posted on 09-09-2016 08:42 AM
Posted on 09-09-2016 04:09 AM
What I do is set restricted software to block "Install macOS Sierra.app" and slap a firmware password on the Mac for anyone with bright ideas on upgrading before we are ready.
That should shutdown all but the very most determined.
Posted on 09-09-2016 04:21 AM
To give you an idea...if users don't have admin rights, restricted software is set and firmware password is set that blocks most vectors including target disk mode.
The only other way I know involves having physical access to their hard disk drive/flash storage and I won't detail that here in case my end users are watching this.
Posted on 09-09-2016 08:42 AM
Posted on 09-09-2016 08:47 AM
@scottb brilliant, thank you
Posted on 09-09-2016 03:42 PM
We wrote a LaunchAgent that watches for the Sierra Installer process and if it finds it it kills it and then alerts the user sending them to our community post about how to properly upgrade. The Software Restriction popups are just too limiting. This is the script that the LaunchAgent calls. We want to prompt with Yo.app as its branded for us and much nicer looking but if its missing we fall back to jamfhelper.
#!/bin/bash
NCutil="/Path/To/NCutil.py"
yo="/Path/To/yo.app/Contents/MacOS/yo"
title="Manual OS Upgrade Alert"
icon="/Applications/Install macOS Sierra.app/Contents/Resources/InstallAssistant.icns"
yoNotifSettings()
{
$NCutil -i com.github.sheagcraig.yo
$NCutil -a alerts com.github.sheagcraig.yo
$NCutil --show-on-lock-screen true com.github.sheagcraig.yo
sleep 2
}
yoPrompt()
{
if [[ -e $yo ]]
then
yoNotifSettings
$yo -d -t "$title" -b "Continue" -B "open https://URLGOESHERE" -s "$1" -n "$2" -p -i "$icon"
else
$3
fi
}
osUpgradeAlertPrompt()
{
msg="Message.
Goes here.
Can be multiple lines."
/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -title "$title" -description "$msg" -icon "$icon" -button1 "Continue" -defaultButton 1 -lockHUD -startlaunchd -windowPosition ur
open https://URLGOESHERE
}
until [[ ! -z $(ps aux | grep -v grep | grep "Install macOS Sierra.app/Contents/MacOS/InstallAssistant" | awk '{print $2}') ]]
do
sleep 5
done
echo "OS Installer Detected. Killing and alerting..."
kill $(ps aux | grep -v grep | grep "Install macOS Sierra.app/Contents/MacOS/InstallAssistant" | awk '{print $2}')
yoPrompt "Manual Upgrade Detected" "Click Continue to follow the Cisco Guide" "osUpgradeAlertPrompt"
exit 0
Posted on 09-12-2016 05:58 AM
Why not setup in the JSS "Restricted Software" which will delete the app if a user tries to run it?
"Restricted Software"
Display Name "Install macOS Sierra.app"
Process Name "Install macOS Sierra.app"
X - Restrict exact process name
X - Delete application
X - Delete the application running the restricted process
X - Send email notification on violation
X - Kill process
Message: Process has been killed, Help Desk is not ready to install this Mac OS X.
Posted on 09-12-2016 06:03 AM
I am with @dmichels but that's only half of it... if you don't add a firmware password, that only blocks the cursory upgrader... adding the firmware password blocks target disk mode and someone getting cute building a bootable thumb drive.
Posted on 09-25-2018 11:07 AM
@blackholemac that really me out thank you! Of course I get impatient wondering why it didn't catch the downloading of the macOS installer. The system caught it when the installer launched.
Posted on 09-26-2018 02:39 PM
Yeah, there's some twisted satisfaction when you set to "delete" the installer...I know I shouldn't feel that way but... :)
Posted on 09-27-2018 01:22 AM
@dmichels is correct takes 2 minutes to set up, for Mojave the app name is Install macOS Mojave.app
We add a little note in the message area saying we are working on bringing as soon as possible.