We thought we were ready...
This morning, having previously notified people that Big Sur was being blocked and deferred, I start work to several messages that it was being offered by the Software Update tool.
We have the 'Defer major updates' config profile in place, scoped to everyone:
but in every case it was there plain as day in the GUI tool, though not listed by
softwareupdate -l, which just showed the 10.15.7 supplemental update.
More curiously, despite the fact that it has supposedly been deprecated. I've now successfully run
softwareupdate --ignore "macOS Big Sur" on these machines, and it works. The gui tool went back to offering only the supplemental update.
I'm forcing this to run as a 'Files and processes' policy and will follow up once that has had time to spread. Anyone else having similar issues this week?
If it matters: all our macs are MDM enrolled (Apple Business Manager). We're also using a config profile to stop the .app running, but we regard this as a fallback in case the above fails.
softwareupdate --ignore "macOS Big Sur" was brought back by Apple in the final updates of 10.13, 10.14 and 10.15, but only for computers enrolled with User-Approved MDM, and it will only ignore updates that are available at the time the command is run. So, as @dan-snelson suggested, it pays to combine it with some monitoring of what updates are listed via
@sheltond3 Good spot, I put the wrong screenshot in. Fixed in OP :)
@dan-snelson Yep, we've been using that for a while now.
@grahamrpugh That explains a lot, thanks. Also explains why the above extension attribute isn't showing many of our machines with big sur in the ignore list yet. If it has to be available to the mac before it's blocked (We're not using our own SuS), then not everyone can block it yet. Which means I'm going to have to run the policy repeatedly for the next week or so to make sure it sticks...
If you use a Restricted Software configuration with a Process name of "InstallAssistant" then the GUI for all recent macOS installers (definitely HS, Mojave, Catalina, and BS) will be blocked, yet you'll still be able to run a script like macOSUpgarde to run the installer via an approved workflow.
@sdagley We do have that already, though I'm using it to block the app:
Without the explicit match checked, as I understand it, this will also block the InstallAssistant (and other processes) contained within. I still see this as a fallback, however; I'm trying to remove visibility and make it not downloadable in the first place.
So far, having the
--ignore policy repeat on check-in appears to be having the desired effect, but only for those machines where Apple SUS is offering the update in the first place...
@terrydooher I'm using a bock on InstallAssistant, a --ignore for
softwareupdate, and a Configuration Profile with Defer Software Updates enabled and a 90 Day Delay. The latter should stop the advertisement from System Preferences -> Software Update immediately as opposed to needing
softwareupdate to be aware of Big Sur before it can be ignored. Between the 3 I think that covers all the bases.
@msample We've did that as a simple 'execute command' policy with Catalina, but the results seem to be patchy and take a long time to apply to every machine (despite running on check-in); the extension attribute showed Catalina still being ignored for several days after the policy was made live.
Tempted to do it as a script this time so we can do more error checking.
Bringing this up again. I created a script and ran it as a policy on all machines and it's been working, but the Big Sur upgrade is starting to appear in software updates for some users. Does this command expire after 90 days? I'm also restricting the information by blocking the .app so hopefully that works. I'm testing that now.
We have been using JAMF Restricted Software configuration and Sophos central Application Control to prevent Big Sur installation. A couple of users got around my use of JAMF's Restricted Software configuration by renaming the package, but Sophos Application Control stoped those.
If you use sophos central they have info here https://support.sophos.com/support/s/article/KB-000039501?language=en_US
I had a Restricted Software rule to stop everyone but IT from installing major upgrades but a few users were able to do it anyway and of course they have an app or two or printer driver that's not compatible yet. Years ago it was a pain getting users to update. Now it's a pain stopping them. Doesn't anyone else find this ridiculous? JAMF knows we all struggle with this - where's the simple toggle switch? Why do I have to create profiles, run special scripts, etc.? IT'S 2021 for crying out loud. /r
@mpenrod Sadly this is a failure on Apple's part. If they don't release the APIs needed to manage the updates, Jamf can't do anything about it. Apple has become increasingly hostile to enterprise users in the past few years. I can understand wanting to keep computers updated, but aggressively pushing OS releases is not the answer. MacOS versions are generally supported with security updates for 3 years after release; why should enterprise users have OS releases shoved in our face every single year? I understand there are new "security" features released with each new OS version, but those are becoming increasingly anti-enterprise as well.
@tmehary Yes that would be a Policy using a Script to run the command. Jamf has some great user guides here.