Early experience of blocking Big Sur

terrydooher
New Contributor II

We thought we were ready...

This morning, having previously notified people that Big Sur was being blocked and deferred, I start work to several messages that it was being offered by the Software Update tool.

We have the 'Defer major updates' config profile in place, scoped to everyone:

[screenshot of the configuration profile]

but in every case it was there plain as day in the GUI tool, though not listed by softwareupdate -l, which just showed the 10.15.7 supplemental update.

More curiously, despite the fact that it has supposedly been deprecated, I've now successfully run softwareupdate --ignore "macOS Big Sur" on these machines, and it works. The GUI tool went back to offering only the supplemental update.

I'm forcing this to run as a 'Files and processes' policy and will follow up once that has had time to spread. Anyone else having similar issues this week?

If it matters: all our Macs are MDM enrolled (Apple Business Manager). We're also using a config profile to stop the .app running, but we regard this as a fallback in case the above fails.


dan-snelson
Valued Contributor II

Thanks for the post, @terrydooher.

We're also leveraging @nstrauss's ignored_softwareupdates.py to monitor the status of your command.

kerouak
Valued Contributor

I've used Restricted Software to block 'Install macOS Big Sur', which seems to work.

Eltord
Contributor

Out of curiosity, why are you saying to defer Applications instead of "Software Updates" or the "Applications and Software Updates" options?

grahamrpugh
Release Candidate Programs Tester

@terrydooher softwareupdate --ignore "macOS Big Sur" was brought back by Apple in the final updates of 10.13, 10.14 and 10.15, but only for computers enrolled with User-Approved MDM, and it will only ignore updates that are available at the time the command is run. So, as @dan-snelson suggested, it pays to combine it with some monitoring of what updates are listed via softwareupdate -l.

terrydooher
New Contributor II

@sheltond3 Good spot, I put the wrong screenshot in. Fixed in OP :)

@dan-snelson Yep, we've been using that for a while now.

@grahamrpugh That explains a lot, thanks. Also explains why the above extension attribute isn't showing many of our machines with Big Sur in the ignore list yet. If it has to be available to the Mac before it's blocked (we're not using our own SUS), then not everyone can block it yet. Which means I'm going to have to run the policy repeatedly for the next week or so to make sure it sticks...

sdagley
Esteemed Contributor II

If you use a Restricted Software configuration with a Process name of "InstallAssistant" then the GUI for all recent macOS installers (definitely HS, Mojave, Catalina, and BS) will be blocked, yet you'll still be able to run a script like macOSUpgrade to run the installer via an approved workflow.

terrydooher
New Contributor II

@sdagley We do have that already, though I'm using it to block the app:

[screenshot of the Restricted Software configuration]

Without the explicit match checked, as I understand it, this will also block the InstallAssistant (and other processes) contained within. I still see this as a fallback, however; I'm trying to remove visibility and make it not downloadable in the first place.

So far, having the --ignore policy repeat on check-in appears to be having the desired effect, but only for those machines where Apple SUS is offering the update in the first place...

sdagley
Esteemed Contributor II

@terrydooher I'm using a block on InstallAssistant, a --ignore for softwareupdate, and a Configuration Profile with Defer Software Updates enabled and a 90 Day Delay. The latter should stop the advertisement from System Preferences -> Software Update immediately as opposed to needing softwareupdate to be aware of Big Sur before it can be ignored. Between the 3 I think that covers all the bases.

dnelson2813
Contributor

We're probably not going to be allowing this update any time soon, but how do you allow Big Sur again if you run softwareupdate --ignore? This is the first time I've really needed to explicitly block an OS update in a while so I'm not sure what it is.

sdagley
Esteemed Contributor II

@dnelson2813 softwareupdate --reset-ignored clears the list of ignored updates

msample
Contributor II

@dnelson Hi. Did you use softwareupdate --reset-ignored in a script by itself or attach it to a policy?

terrydooher
New Contributor II

@msample We did that as a simple 'execute command' policy with Catalina, but the results seem to be patchy and take a long time to apply to every machine (despite running on check-in); the extension attribute showed Catalina still being ignored for several days after the policy was made live.

Tempted to do it as a script this time so we can do more error checking.
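As an added example (not code from anyone in this thread), here is the kind of script-with-error-checking mentioned above, written around @grahamrpugh's two caveats: --ignore is a no-op unless the Mac is User-Approved MDM enrolled, and the ignore only takes once the update is actually on offer, so the script re-reads the ignore list after running the command and fails the policy when the label is not there. The sample outputs for `profiles status -type enrollment` and for `softwareupdate --ignore` (no label, which prints the current ignore list) are constructed here and are assumptions about the format, not captures from a real Mac.

```shell
#!/bin/sh
# Added example: run `softwareupdate --ignore` from a Jamf policy with checks.
# The SAMPLE_* strings are constructed test data, not captured from a real Mac.

LABEL="macOS Big Sur"

# Constructed sample of `profiles status -type enrollment` on a UAMDM Mac
SAMPLE_ENROLL_UAMDM='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
# ...and on a Mac enrolled without user approval (the --ignore no-op case)
SAMPLE_ENROLL_PLAIN='Enrolled via DEP: No
MDM enrollment: Yes'

# Constructed sample of the ignore list (`softwareupdate --ignore`, no label)
SAMPLE_IGNORED='Ignored updates:
(
    "macOS Big Sur"
)'
SAMPLE_IGNORED_EMPTY='Ignored updates:
(
)'

# 0 when the enrollment report shows User-Approved MDM; --ignore is a no-op otherwise
is_uamdm() {
  printf '%s\n' "$1" | grep -q 'MDM enrollment: Yes (User Approved)'
}

# 0 when the given label appears, quoted, in an ignore-list report
label_ignored() {
  printf '%s\n' "$2" | grep -Fq "\"$1\""
}

# Classify a Mac from both reports: ok / not-ignored / not-uamdm
ignore_state() {
  if ! is_uamdm "$1"; then echo not-uamdm; return; fi
  if label_ignored "$LABEL" "$2"; then echo ok; else echo not-ignored; fi
}

# Only touch a real system when the tool exists (skipped off-box, e.g. in CI)
if command -v softwareupdate >/dev/null 2>&1; then
  enroll=$(profiles status -type enrollment 2>&1)
  softwareupdate --ignore "$LABEL" >/dev/null 2>&1
  state=$(ignore_state "$enroll" "$(softwareupdate --ignore 2>&1)")
  echo "ignore state: $state"   # lands in the Jamf policy log
  [ "$state" = ok ] || exit 1   # non-zero exit marks the policy run as failed
fi
```

Running it on an ongoing check-in policy makes the "not-ignored" Macs (Big Sur not offered to them yet) show up as failures until the ignore takes, which is the monitoring the extension attribute was covering.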

CSCC-JS
Contributor II

A combination of running softwareupdate --ignore "macOS Big Sur" and a process restriction on Install macOS Big Sur.app has been working well for us.

Stubakka
Contributor II

Once you run softwareupdate --ignore "macOS Big Sur", how do you undo it? Having issues with that on Catalina and Mojave.

rqomsiya
Contributor III

@Stubakka :

If you want to reset the updates you’ve ignored, run the command

sudo softwareupdate --reset-ignored

micmil
New Contributor III

@terrydooher Sadly this doesn't seem to work for InstallAssistant. I think because the assistant actually launches the Installer process.

EDIT: I was wrong. I'm now seeing InstallAssistant being blocked. Seems to be hit or miss depending on how the update is launched.

jtrant
Valued Contributor

We defer updates using an MDM profile for other reasons, and for a much shorter period. Wouldn't deferring SWU 90 days put you way behind in terms of security updates and other important patches?

dnelson2813
Contributor

Bringing this up again. I created a script and ran it as a policy on all machines and it's been working, but the Big Sur upgrade is starting to appear in software updates for some users. Does this command expire after 90 days? I'm also restricting the information by blocking the .app so hopefully that works. I'm testing that now.

jtrant
Valued Contributor

I run the ignore command monthly to be safe and have not had it show up on any of our clients.

burdett
Contributor II

We have been using the JAMF Restricted Software configuration and Sophos Central Application Control to prevent Big Sur installation. A couple of users got around my use of JAMF's Restricted Software configuration by renaming the package, but Sophos Application Control stopped those.
If you use Sophos Central, they have info here: https://support.sophos.com/support/s/article/KB-000039501?language=en_US

mpenrod
New Contributor III

I had a Restricted Software rule to stop everyone but IT from installing major upgrades but a few users were able to do it anyway and of course they have an app or two or printer driver that's not compatible yet. Years ago it was a pain getting users to update. Now it's a pain stopping them. Doesn't anyone else find this ridiculous? JAMF knows we all struggle with this - where's the simple toggle switch? Why do I have to create profiles, run special scripts, etc.? IT'S 2021 for crying out loud. /r

tmehary
New Contributor

I am new to Macs and Jamf. Can someone explain how I can set this block up by running softwareupdate --ignore "macOS Big Sur"? Is that in a config policy?

micmil
New Contributor III

@mpenrod Sadly this is a failure on Apple's part. If they don't release the APIs needed to manage the updates, Jamf can't do anything about it. Apple has become increasingly hostile to enterprise users in the past few years. I can understand wanting to keep computers updated, but aggressively pushing OS releases is not the answer. macOS versions are generally supported with security updates for 3 years after release; why should enterprise users have OS releases shoved in our face every single year? I understand there are new "security" features released with each new OS version, but those are becoming increasingly anti-enterprise as well.

@tmehary Yes that would be a Policy using a Script to run the command. Jamf has some great user guides here.