For now we want to stop all SUS updates

gspiese
New Contributor III

When a user runs Software Update... we don't want them to get any updates, from Apple or from our internal SUS. Our OS X Server has Software Update Enabled and updates are copied to the Server, but they are not auto enabled. On the JSS side we have a Policy called Run Software Update. It's set to Trigger By: any; Execution Frequency: Disabled. In the Override Default Policy Settings section the Target Drive:/ Distribution point: is set to our CasperShare <Servername (afp://<servername>/CasperShare

Software Update Server: OSX_Updates (IP address:8088) This is the name we gave it and originally I had the server NAME but to avoid DNS issues entered the IP address.

Computers are still reaching the Apple SUS because looking at the log under Policy History shows tons of updates and they are running every day! What settings do I need to make to ensure no software updates get installed on any of our Macs either directly from apple or from our internal SUS? No setting I seem to make, stops the updates?

Your suggestions are appreciated!
George Spiese

7 REPLIES 7

gregneagle
Valued Contributor

defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL "file://localhost/dev/null"

will stop all Apple Software Updates.

But I doubt that's what you really want.

donmontalvo
Esteemed Contributor III

@gspiese Disable the pref pane w/MCX? A savvy user can still run updates via Terminal though...

sudo softwareupdate -i -a
--
https://donmontalvo.com

jarednichols
Honored Contributor

Totally ugly but:

sudo rm -rf "/System/Library/CoreServices/Software Update.app"
sudo rm -f /usr/sbin/softwareupdate

Package them first so you can re-deploy it.

You could also add softwareupdate and Software Update as restricted software.

bentoms
Release Candidate Programs Tester

In the servers section of the JSS where you have your ASUS defined, have you ticked: set system wide?

If not give it a go!

mm2270
Legendary Contributor III

> You could also add softwareupdate and Software Update as restricted software.

That is probably what I would do.

But, I'm not really clear what you're trying to achieve here. Do you just want to block your users from running Software Update.app or are you looking to completely stop Software Update from running even if initiated via Casper Suite?

gspiese
New Contributor III

What we want is:

OS X SUS running and downloading all updates, but not auto enabling them- which is how it is set now.

If a Casper Managed Mac user manually initiates software update we want no updates downloaded to the Mac. We want this controlled by Casper. When the user initiates SUS on their Mac, they should get a message something like (sorry I don't have the verbatim wording) "An Administrator is already installing updates... try again later..."

The problem we are trying to solve is stopping the 90GB of SUS downloads that occur daily even though they can't actually install the software because they don't have admin rights.

I do have the SUS policy set to "System Wide" but that's not fixing the problem. Tried it deselected also, but that also didn't stop the problem.

The users aren't installing the software, because they can't, but they can check for updates and download them, which is what we want to stop.

mm2270
Legendary Contributor III

OK. Well, when the Casper Suite sets the SUS for a client, it does so in two places. At user level in /Library/Preferences/com.apple.SoftwareUpdate.plist, and also for the root user, /private/var/root/Library/Preferences/com.apple.SoftwareUpdate.plist.

I have not tested this, but I believe when a user (local admin, etc) runs Software Update, the Software Update application refers to the /Library/Preferences plist for where it should look for updates.
On the flip side, when the Casper Suite initiates downloads and installs SUS updates, it does so as root, so it refers to the plist located in /private/var/root/Library/Preferences.

My guess then is, if you change the Catalog URL for the /Library/Preferences/com.apple.SoftwareUpdate.plist to something like Greg mentions above, "file://localhost/dev/null", that would stop the Software Update app from working for the users. But if you leave the root account pointed to your SUS, whenever you start enabling those updates, you'll still be able to use a policy to pull down the updates silently.

The big problem you're going to run into is, Casper Suite will keep "correcting" the user level preference file when it enforces the framework on your managed Macs, and point them back to a proper URL as defined in your Servers/Software Update Servers section in the JSS, and as defined in your Network Segments.
I'm not really sure how to stop it from doing that, but you may want to look at something like a LaunchAgent/Daemon that will keep doing a defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://ip.add.re.ss:8088/
There are probably more efficient ways of doing that though.

I don't know if any of this helps. Also, if I'm wrong about how this works, someone please correct me. But that's my understanding of how it works inside the Casper Suite.
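
The following is an added example, not part of any post in this thread. It audits the two CatalogURL settings discussed above and re-applies the split they describe (system-level plist pointed at the null catalog, root's plist pointed at the internal SUS), which is the check a LaunchDaemon or recurring policy would run to undo drift. It follows the two-plist model from the last post, which its author says is untested; the SUS_URL value, the function names, the `--enforce` flag and the DRY_RUN switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root on a managed Mac.
SYSTEM_DOMAIN="/Library/Preferences/com.apple.SoftwareUpdate"
ROOT_DOMAIN="/private/var/root/Library/Preferences/com.apple.SoftwareUpdate"
BLOCK_URL="file://localhost/dev/null"                   # value from the thread
SUS_URL="${SUS_URL:-http://sus.example.invalid:8088/}"  # placeholder (assumption)

# Print a domain's CatalogURL; print nothing when the key is not set.
read_catalog() {
    defaults read "$1" CatalogURL 2>/dev/null || true
}

# Name the state a CatalogURL value represents.
classify_catalog() {
    case "$1" in
        "")           echo "apple-default" ;;  # no override: Apple's catalog
        "$BLOCK_URL") echo "blocked" ;;
        "$SUS_URL")   echo "internal-sus" ;;
        *)            echo "other" ;;
    esac
}

# Make domain $1 hold URL $2. Prints ok, drift (DRY_RUN=1) or fixed.
enforce_catalog() {
    current=$(read_catalog "$1")
    if [ "$current" = "$2" ]; then
        echo "ok"
    elif [ "${DRY_RUN:-0}" = "1" ]; then
        echo "drift"
    else
        defaults write "$1" CatalogURL "$2" && echo "fixed"
    fi
}

# Report the state found in both domains, then apply the intended split.
audit() {
    for pair in "$SYSTEM_DOMAIN|$BLOCK_URL" "$ROOT_DOMAIN|$SUS_URL"; do
        domain=${pair%%|*}
        want=${pair#*|}
        found=$(classify_catalog "$(read_catalog "$domain")")
        echo "$domain: found=$found result=$(enforce_catalog "$domain" "$want")"
    done
}

# Only act on a real Mac, and only when asked to.
if command -v defaults >/dev/null 2>&1 && [ "${1:-}" = "--enforce" ]; then
    audit
fi
```

Running it with DRY_RUN=1 reports drift without writing, which shows how often the framework resets the system-level value before any enforcement is scheduled.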