Jamf Nation Community

I've used restricted software to block 'install Mac os Big Sur.. Which seems to work.

Out of curiosity, why are you saying to defer Applications instead of "Software Updates" or the "Applications and Software Updates" options?

@terrydooher softwareupdate --ignore "macOS Big Sur" was brought back by Apple in the final updates of 10.13, 10.14 and 10.15, but only for computers enrolled with User-Approved MDM, and it will only ignore updates that are available at the time the command is run. So, as @dan-snelson suggested, it pays to combine it with some monitoring of what updates are listed via softwareupdate -l.

@sheltond3 Good spot, I put the wrong screenshot in. Fixed in OP :)

@dan-snelson Yep, we've been using that for a while now.

@grahamrpugh That explains a lot, thanks. Also explains why the above extension attribute isn't showing many of our machines with big sur in the ignore list yet. If it has to be available to the mac before it's blocked (We're not using our own SuS), then not everyone can block it yet. Which means I'm going to have to run the policy repeatedly for the next week or so to make sure it sticks...

If you use a Restricted Software configuration with a Process name of "InstallAssistant" then the GUI for all recent macOS installers (definitely HS, Mojave, Catalina, and BS) will be blocked, yet you'll still be able to run a script like macOSUpgarde to run the installer via an approved workflow.

@sdagley We do have that already, though I'm using it to block the app:

Without the explicit match checked, as I understand it, this will also block the InstallAssistant (and other processes) contained within. I still see this as a fallback, however; I'm trying to remove visibility and make it not downloadable in the first place.

So far, having the --ignore policy repeat on check-in appears to be having the desired effect, but only for those machines where Apple SUS is offering the update in the first place...

@terrydooher I'm using a bock on InstallAssistant, a --ignore for softwareupdate, and a Configuration Profile with Defer Software Updates enabled and a 90 Day Delay. The latter should stop the advertisement from System Preferences -> Software Update immediately as opposed to needing softwareupdate to be aware of Big Sur before it can be ignored. Between the 3 I think that covers all the bases.

We're probably not going to be allowing this update any time soon, but how do you allow Big Sur again if you run softwareupdate --ignore? This is the first time I've really needed to explicitly block an OS update in a while so I'm not sure what it is.

@dnelson2813 softwareupdate --reset-ignored clears the list of ignored updates

@dnelson Hi. Did you use software update --reset-ignored in a script by itself or attach it to a policy?

@msample We've did that as a simple 'execute command' policy with Catalina, but the results seem to be patchy and take a long time to apply to every machine (despite running on check-in); the extension attribute showed Catalina still being ignored for several days after the policy was made live.

Tempted to do it as a script this time so we can do more error checking.

Combination of running "softwareupdate --ignore "macOS Big Sur" and restriction process of
Install macOS Big Sur.app has been working well for us.

Once you run "softwareupdate --ignore "macOS Big Sur", how do you undo it? Having issues with that on Catalina and Mojave

@Stubakka :

If you want to reset the updates you’ve ignored, run the command

 sudo softwareupdate --reset-ignored

@terrydooher Sadly this doesn't seem to work for InstallAssistant. I think because the assistant actually launches the Installer process.

EDIT: I was wrong. I'm now seeing InstallAssistant being blocked. Seems to be hit or miss depending on how the update is launched.

We defer updates using an MDM profile for other reasons, and for a much shorter period. Wouldn't deferring SWU 90 days put you way behind in terms of security updates and other important patches?

Bringing this up again. I created a script and ran it as a policy on all machines and it's been working, but the Big Sur upgrade is starting to appear in software updates for some users. Does this command expire after 90 days? I'm also restricting the information by blocking the .app so hopefully that works. I'm testing that now.

I run the ignore command monthly to be safe and have not had it show up on any of our clients.

We have been using JAMF Restricted Software configuration and Sophos central Application Control to prevent Big Sur installation. A couple of users got around my use of JAMF's Restricted Software configuration by renaming the package, but Sophos Application Control stoped those.
If you use sophos central they have info here https://support.sophos.com/support/s/article/KB-000039501?language=en_US

I had a Restricted Software rule to stop everyone but IT from installing major upgrades but a few users were able to do it anyway and of course they have an app or two or printer driver that's not compatible yet. Years ago it was a pain getting users to update. Now it's a pain stopping them. Doesn't anyone else find this ridiculous? JAMF knows we all struggle with this - where's the simple toggle switch? Why do I have to create profiles, run special scripts, etc.? IT'S 2021 for crying out loud. /r

I am new to Macs and Jamf. Can some one explain how I can set this block up by running "softwareupdate --ignore "macOS Big Sur". Is that in a config policy

@mpenrod Sadly this is a failure on Apple's part. If they don't release the APIs needed to manage the updates, Jamf can't do anything about it. Apple has become increasingly hostile to enterprise users in the past few years. I can understand wanting to keep computers updated, but aggressively pushing OS releases is not the answer. MacOS versions are generally supported with security updates for 3 years after release; why should enterprise users have OS releases shoved in our face every single year? I understand there are new "security" features released with each new OS version, but those are becoming increasingly anti-enterprise as well.

@tmehary Yes that would be a Policy using a Script to run the command. Jamf has some great user guides here.