Disable users from installing Software Updates

New Contributor III

Is it possible to block users from initiating a software update? At the moment, we turn off scheduling updates and use JAMF policies to push them out, but users can still initiate it themselves.

Is there any way to block the update window and show "your software updates are managed by the system administrator" or something of the sort?


Honored Contributor

It would be best to re-route your clients to an internal SUS. That way you can control the flow of your updates.

New Contributor II

Building off this question, what about when they are offsite and can't contact the JSS but need an update from our internal SUS? The biggest issue we have run into is that they plug in a USB printer at home and Apple Software Update launches but they can't connect to get the updates.

We can obviously push all the updates while they are on-site, but for someone that is away for long periods of time, it can be tricky.

Only solution I have for users is to VPN to get the updates.

Legendary Contributor III


There is another solution, but it involves some setup and planning, and may not always work in certain cases.

If you use JAMF's NetSUS appliance, a feature of the Reposado tools being used under the hood is that you can have the actual updates come from Apple, but still control the actual Software Update catalog the clients use. In other words, like an Apple SUS, you can control what updates appear for them, such as disabling Firmware updates if you need to, but enabling iTunes and printer software, but when they install the updates the software itself is coming from Apple, not from your internal SUS.

If you couple that with the ability to point Software Update to a local catalog file stored on the Mac, it's possible to cache down a copy of your catalog file on a regular basis to a location on the Mac, like /Users/Shared/ or /private/var/, etc., and script it to point Software Update to that file instead of your internal server.
This has the end effect of allowing them to run Software Update and see updates when not connected to any of your network, but still controlling the updates they actually see.

However, there are caveats to the approach. We almost went this route, but the one issue you could run into is catalog files going stale if users are off your network for an extended period of time. Since you can't update that local file without them hitting your Casper server, unless you use an externally facing Limited Access JSS, or just expose your entire JSS to the outside world, some clients may remain with an out-of-date catalog file on their Macs and would end up with the same problem in the end.

But it may be worth exploring this. If you do have an externally facing JSS, it could be pretty practical to look at.
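
The caching approach described in the post above, with a check for the stale-catalog caveat, as an added example that is not part of the thread and not JAMF's or Reposado's own tooling. The catalog URL, the cache path, and the 14-day limit are assumptions; `CatalogURL` in `com.apple.SoftwareUpdate` is the standard preference key for the catalog location.

```shell
#!/bin/sh
# Added example, not code from the thread. Values marked "assumed" are placeholders.
CATALOG_URL="${CATALOG_URL:-https://sus.example.com/index.sucatalog}"  # assumed URL
# Assumed path: a root-owned directory under /private/var/ rather than
# world-writable /Users/Shared/, so local users cannot swap the catalog.
CACHE="${CACHE:-/private/var/db/sus-cache/index.sucatalog}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-14}"                                    # assumed limit
SU_PREFS="/Library/Preferences/com.apple.SoftwareUpdate"

# A catalog is an XML plist; reject empty, truncated or HTML error pages.
looks_like_catalog() {
    [ -s "$1" ] && grep -q '<plist' "$1" && grep -q '</plist>' "$1"
}

# True when file $1 exists and was modified within the last $2 days.
cache_is_fresh() {
    [ -f "$1" ] && [ -z "$(find "$1" -mtime +"$2" -print)" ]
}

# Fetch URL $1 to a temp file, validate it, then rename it over cache $2.
# A failed or invalid download leaves the previous cache untouched.
refresh_cache() {
    tmp="$2.tmp.$$"
    if curl --fail --silent --show-error --max-time 30 -o "$tmp" "$1" \
        && looks_like_catalog "$tmp"; then
        mv -f "$tmp" "$2"
    else
        rm -f "$tmp"; return 1
    fi
}

# Print the file:// URL for cache $1 if it is valid and fresh, else "stale".
select_catalog() {
    if looks_like_catalog "$1" && cache_is_fresh "$1" "$2"; then
        printf 'file://%s\n' "$1"
    else
        printf 'stale\n'
    fi
}

main() {
    mkdir -p "$(dirname "$CACHE")"
    refresh_cache "$CATALOG_URL" "$CACHE" || echo "refresh failed, keeping old cache" >&2
    choice=$(select_catalog "$CACHE" "$MAX_AGE_DAYS")
    [ "$choice" != "stale" ] || { echo "catalog stale or missing" >&2; return 1; }
    defaults write "$SU_PREFS" CatalogURL "$choice"
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as root with `--apply` from a recurring policy; a non-zero exit marks a Mac whose cached catalog has gone stale, which an inventory check can then report.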