Posted on 11-13-2017 06:36 PM
Posted on 11-13-2017 06:43 PM
remove this update from last week:
Posted on 11-14-2017 12:39 AM
@Nix4Life Is that related to my question, and I'm not seeing how?
Posted on 11-14-2017 04:21 AM
I am also getting bombarded with queries from my users who are seeing this prompt and ask me if it's ok to install. Luckily none of my users have admin rights so they wouldn't be able to install anyway, but it does eat up a lot of my time when I have to field questions from everyone asking the same question.
Posted on 11-14-2017 05:41 AM
@gskibum Yes . Apple pushed that update on Nov 7th. And the notification started. If your machines are set to autoupdate, they received this update. I provided the ID in case you wanted to roll it back or remove it from your SUS
L
Posted on 11-14-2017 05:59 AM
@Nix4Life I think you may be confusing them with your wording.
If you have an internal software update server (above is a screenshot of resposado/margarita) you can remove that update from it. However I can tell you from experience that it doesn't work all of the time for some reason.
Posted on 11-14-2017 06:46 AM
Does the nag only appear if the "Install macOS High Sierra.app" is located in /Applications? Would the nags go away if the "Install macOS High Sierra.app" was deleted from each client, at least until Apple decides to stage the installer again?
Posted on 11-14-2017 06:56 AM
@jhalvorson ..Good point, maybe worth a shot. @jmahlman thanks for that, best not to assume
Posted on 11-14-2017 07:59 AM
There may be some confusion here. This is the prompt to get non-High Sierra systems to upgrade to High Sierra. Not a .x maintenance update.
I have auto update disabled on all Macs with a softwareupdate --schedule off policy that runs once per day, but I am still seeing this nag far and wide. I'm also not using a SUS, I'm using Caching Server.
None of these systems have the "Install macOS High Sierra.app" in their Applications folder. This is the nag Apple puts out to get people to go into the MAS app, and then download the installer.
I'm blocking the installer, but like @AVmcclint says, it's time consuming to have to field the same question again and again.
EDIT: I think I see what's going on now. Apple is staging the installer onto the systems, like it or not. Which really sucks for my limited bandwidth networks.
Is there a way of preventing the installer from being staged?
Posted on 11-14-2017 08:28 AM
@gskibum Sorry for the confusion here; the "update" we were referring to is actually a config that gets added to software update servers. It's something that usually gets installed on machines even if autoupdates are disabled (it's the last checkbox I think)
If you have all of those checkboxes off, then you may have to consider a more drastic option: block something on a firewall (maybe the apple update servers) but this will stop all apple updates from working.
So, the best method is to not list it on your internal update server. If you don't have one, you have to block the server.
Someone will probably correct me since I'm probably wrong :)
Posted on 11-14-2017 09:49 AM
The macOSInstallerNotification_GM.pkg just puts a file called "OSXNotification.bundle" into the LibraryBundles folder, and contains no install scripts according to Suspicious Package. Simply removing the bundle MAY turn the notification off.
Posted on 11-14-2017 09:57 AM
I was looking at this earlier today if someone wants to try it out and let us know how it works?
http://blog.eriknicolasgomez.com/2015/10/01/paradise-island-hiding-el-capitans-free-upgrade-banner/#method-2---deploying-file
Posted on 11-14-2017 10:25 AM
@mahughe That just hides the banner in the App Store, not the notification nag.
Posted on 11-17-2017 06:01 AM
I found that all our Macs have downloaded the High Sierra installer without permission from anyone. I used ARD to delete it from /Applications/ on every one of them. A few days later I found that it was re-downloaded on all the computers again. This is really getting obnoxious that Apple is "trying to make things easy" when in fact they are making it way more complicated for those of us in corporate environments. My next attempt to stop this is to just create a blank file called "Install macOS High Sierra.app" and lock the file down so it can't be replaced with the real deal.
Posted on 11-17-2017 06:08 AM
To prevent the automatic download of the HS installer, I am going to follow the suggestions posted here by @rtrouton https://derflounder.wordpress.com/2016/10/03/managing-the-automatic-download-of-the-macos-sierra-ins...
I've changed our version of the script to set the App Store prefs as follows:
#!/bin/bash
# System Preferences >> App Store
# This is the 1st of the 5 settings in the GUI within 10.11, 10.12
/usr/sbin/softwareupdate --schedule on
# GUI System Preferences >> App Store >> enable Download newly available updates in the background
# This is the 2nd of the 5 settings in the GUI within 10.11, 10.12
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool FALSE
# System Preferences >> App Store >> enable Install app updates
# This is the 3rd of the 5 settings in the GUI within 10.11, 10.12
/usr/bin/defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE
# System Preferences >> App Store >> 4 of 5 enable Install OS X updates
# This is the 4th of the 5 settings in the GUI within 10.11, 10.12
/usr/bin/defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE
# This is the 5th of the 5 settings in the GUI within 10.11, 10.12
# enable XProtect and Gatekeeper updates to be installed automatically
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool TRUE
# enable automatic security updates to be installed automatically
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool TRUE
# This is a one time action to trigger a background check with normal scan (critical and config-data updates only)
/usr/sbin/softwareupdate --background-critical
exit 0
Posted on 11-20-2017 06:07 AM
Since I push the "softwareupdate --schedule off" command daily, this is what the App Store pref pane looks like. But Apple is still pushing the High Sierra installer onto many of these boxes.
But I suspect the download is being triggered either by my daily "softwareupdate -da" command or my daily XProtect-Gatekeeper update script I run.
#!/bin/bash
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true
/bin/sleep 2
sudo softwareupdate --background-critical
/bin/sleep 5
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool false
Posted on 11-22-2017 06:44 AM
Never mind. No workie.
Posted on 11-22-2017 09:35 AM
Posted on 11-22-2017 09:37 AM
Hi,
I am getting these nags too and some how it seems to be circumventing my software blocks in the JSS. I am blocking the following in Restricted Software:
osinstallersetupd
InstallAssistant
High Sierra
Those blocks all work fine if you try an download the installer from the app store and run it. But if a user clicks "Install" on the alert nag it runs the macOS installer and doesn't trigger any of the blocks. Has anyone else seen that? Should I be blocking something additionally? This is the first time I've had this issue with any macOS installers.
Posted on 11-27-2017 01:55 PM
We have a four prong strategy currently that seems to be working to prevent High Sierra from being automatically downloaded and users from being notified to install Hi C.
1) A monthly policy that runs on all our managed macs that disables automatic updates. This policy simply executes the following command: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -boolean FALSE
2) All managed macs are pointed to a SUS that is running Server.app and all the updates to install High Sierra or install the notification are disabled (we are slowly migrating to reposado but that's still another month or two away, but same concept remains). I think there are currently two separate Install macOS High Sierra updates and one macOS Installer Notification update. All three are disabled in Software Update inside Server.app.
3) We have a policy that suppresses the giant island/banner in App Store>Updates encouraging users to install Hi C. This was done by adapting Erik Gomez's instructions on his blog. http://blog.eriknicolasgomez.com/2015/10/01/paradise-island-hiding-el-capitans-free-upgrade-banner
4) And last but not least, we have a JAMF Restricted software policy that prevents the Install High Sierra.app from running if the user actually somehow manages to download the installer.
All those things implemented, we've had very few numbers of users hitting the restricted software option. Maybe 2-3 a week, and usually its the same users who are just a little bit more tech savvy and probably went to the app store to download it. This process has also prevented unwanted installs of Hi C. Out of the under 1000 macs we manage, only 10 macs have Hi C running, and each of those was intended/allowed by us for testing purposes.
Posted on 01-03-2018 01:00 PM
Something like this might work... it's an adaptation of the method used for sierra, just started researching/going to test this in my environment, but if others would like to test to see if this suppresses the notification dialog:
#!/bin/bash
/usr/bin/defaults write /Library/Preferences/com.apple.noticeboard.plist LastNoticeboardCatalogCheck "$(date -u "+%F %T %z")"
/usr/bin/defaults write /Library/Preferences/com.apple.noticeboard.plist "com.apple.noticeboard.notification.highsierra.1.0" -dict dismissalCount 4 lastDismissedDate "$(date -u "+%F %T %z")"
/usr/bin/defaults write /Library/Preferences/com.apple.noticeboard.plist identifiers -array "com.apple.noticeboard.notification.highsierra.1.0"
Posted on 01-22-2018 02:15 PM
Hi @RobertHammen, I tested this on a VM running 10.10. The name of the notification came out to com.apple.noticeboard.notification.10.13.1.0 . Not sure if it changed, or if you were using 'high sierra' as a guess.
Posted on 01-24-2018 06:47 AM
@RobertHammen Where did you get "highsierra1.0" from? Just looking to wrap my head around it.
Posted on 11-01-2018 02:36 AM
Hi guys,
Would this be the same with Mojave?
Posted on 01-09-2019 05:28 AM
Using howardgmac's suggestion of setting a policy to run weekly (or daily, if you like) to remove /Library/Bundles/OSXNotification.bundle has removed the Mojave upgrade notifications as well as keeping the High Sierra notifications away on Sierra Macs.
It has not, however, removed the banner from the App Store.