I am also getting bombarded with queries from my users who are seeing this prompt and asking me if it's ok to install. Luckily none of my users have admin rights so they wouldn't be able to install anyway, but it does eat up a lot of my time when I have to field questions from everyone asking the same question.
There may be some confusion here. This is the prompt to get non-High Sierra systems to upgrade to High Sierra. Not a .x maintenance update.
I have auto update disabled on all Macs with a softwareupdate --schedule off policy that runs once per day, but I am still seeing this nag far and wide. I'm also not using a SUS, I'm using Caching Server.
None of these systems have the "Install macOS High Sierra.app" in their Applications folder. This is the nag Apple puts out to get people to go into the MAS app, and then download the installer.
I'm blocking the installer, but like @AVmcclint says, it's time consuming to have to field the same question again and again.
EDIT: I think I see what's going on now. Apple is staging the installer onto the systems, like it or not. Which really sucks for my limited bandwidth networks.
Is there a way of preventing the installer from being staged?
@gskibum Sorry for the confusion here; the "update" we were referring to is actually a config that gets added to software update servers. It's something that usually gets installed on machines even if autoupdates are disabled (it's the last checkbox I think).
If you have all of those checkboxes off, then you may have to consider a more drastic option: block something on a firewall (maybe the Apple update servers) but this will stop all Apple updates from working.
So, the best method is to not list it on your internal update server. If you don't have one, you have to block the server.
Someone will probably correct me since I'm probably wrong :)
I found that all our Macs have downloaded the High Sierra installer without permission from anyone. I used ARD to delete it from /Applications/ on every one of them. A few days later I found that it was re-downloaded on all the computers again. This is really getting obnoxious that Apple is "trying to make things easy" when in fact they are making it way more complicated for those of us in corporate environments. My next attempt to stop this is to just create a blank file called "Install macOS High Sierra.app" and lock the file down so it can't be replaced with the real deal.
To prevent the automatic download of the HS installer, I am going to follow the suggestions posted here by @rtrouton https://derflounder.wordpress.com/2016/10/03/managing-the-automatic-download-of-the-macos-sierra-ins...
I've changed our version of the script to set the App Store prefs as follows:
```bash
#!/bin/bash

# System Preferences >> App Store
# This is the 1st of the 5 settings in the GUI within 10.11, 10.12
/usr/sbin/softwareupdate --schedule on

# GUI System Preferences >> App Store >> enable Download newly available updates in the background
# This is the 2nd of the 5 settings in the GUI within 10.11, 10.12
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool FALSE

# System Preferences >> App Store >> enable Install app updates
# This is the 3rd of the 5 settings in the GUI within 10.11, 10.12
/usr/bin/defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE

# System Preferences >> App Store >> 4 of 5 enable Install OS X updates
# This is the 4th of the 5 settings in the GUI within 10.11, 10.12
/usr/bin/defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE

# This is the 5th of the 5 settings in the GUI within 10.11, 10.12
# enable XProtect and Gatekeeper updates to be installed automatically
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool TRUE

# enable automatic security updates to be installed automatically
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool TRUE

# This is a one time action to trigger a background check with normal scan (critical and config-data updates only)
/usr/sbin/softwareupdate --background-critical

exit 0
```
Since I push the "softwareupdate --schedule off" command daily, this is what the App Store pref pane looks like. But Apple is still pushing the High Sierra installer onto many of these boxes.
But I suspect the download is being triggered either by my daily "softwareupdate -da" command or my daily XProtect-Gatekeeper update script I run.
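```bash
#!/bin/bash

# Temporarily turn automatic checking on so the background scan can run
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true
/bin/sleep 2

# Trigger the background scan for critical and config-data updates
sudo softwareupdate --background-critical
/bin/sleep 5

# Turn automatic checking back off
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool false
```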
I am getting these nags too and somehow it seems to be circumventing my software blocks in the JSS. I am blocking the following in Restricted Software:
Those blocks all work fine if you try and download the installer from the App Store and run it. But if a user clicks "Install" on the alert nag it runs the macOS installer and doesn't trigger any of the blocks. Has anyone else seen that? Should I be blocking something additionally? This is the first time I've had this issue with any macOS installers.
We have a four prong strategy currently that seems to be working to prevent High Sierra from being automatically downloaded and users from being notified to install Hi C.
1) A monthly policy that runs on all our managed macs that disables automatic updates. This policy simply executes the following command: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -boolean FALSE
2) All managed macs are pointed to a SUS that is running Server.app and all the updates to install High Sierra or install the notification are disabled (we are slowly migrating to reposado but that's still another month or two away, but same concept remains). I think there are currently two separate Install macOS High Sierra updates and one macOS Installer Notification update. All three are disabled in Software Update inside Server.app.
3) We have a policy that suppresses the giant island/banner in App Store>Updates encouraging users to install Hi C. This was done by adapting Erik Gomez's instructions on his blog. http://blog.eriknicolasgomez.com/2015/10/01/paradise-island-hiding-el-capitans-free-upgrade-banner
4) And last but not least, we have a JAMF Restricted software policy that prevents the Install High Sierra.app from running if the user actually somehow manages to download the installer.
All those things implemented, we've had very few numbers of users hitting the restricted software option. Maybe 2-3 a week, and usually it's the same users who are just a little bit more tech savvy and probably went to the App Store to download it. This process has also prevented unwanted installs of Hi C. Out of the under 1000 macs we manage, only 10 macs have Hi C running, and each of those was intended/allowed by us for testing purposes.
Something like this might work... it's an adaptation of the method used for Sierra, just started researching/going to test this in my environment, but if others would like to test to see if this suppresses the notification dialog:
```bash
#!/bin/bash

# Record the current UTC time as the last noticeboard catalog check
/usr/bin/defaults write /Library/Preferences/com.apple.noticeboard.plist LastNoticeboardCatalogCheck "$(date -u "+%F %T %z")"

# Record the High Sierra notification as already dismissed 4 times, last dismissed now
/usr/bin/defaults write /Library/Preferences/com.apple.noticeboard.plist "com.apple.noticeboard.notification.highsierra.1.0" -dict dismissalCount 4 lastDismissedDate "$(date -u "+%F %T %z")"

# List the High Sierra notification in the identifiers array
/usr/bin/defaults write /Library/Preferences/com.apple.noticeboard.plist identifiers -array "com.apple.noticeboard.notification.highsierra.1.0"
```
Using howardgmac's suggestion of setting a policy to run weekly (or daily, if you like) to remove /Library/Bundles/OSXNotification.bundle has removed the Mojave upgrade notifications as well as keeping the High Sierra notifications away on Sierra Macs.
It has not, however, removed the banner from the App Store.
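An inventory check for the artifacts this thread keeps chasing (the installer in /Applications, /Library/Bundles/OSXNotification.bundle, and the AutomaticDownload preference), added here as an example and not posted by anyone in the thread. The function names and the `ROOT` dry-run prefix are assumptions for illustration; the output is printed in the `<result>` form Jamf extension attributes use.

```bash
#!/bin/bash
# Added example, not from the thread.
# ROOT (assumption, for dry runs): filesystem prefix to inspect; empty = live system.

INSTALLER_NAME="Install macOS High Sierra.app"
NOTIFY_BUNDLE="Library/Bundles/OSXNotification.bundle"
SU_DOMAIN="Library/Preferences/com.apple.SoftwareUpdate"

# absent | placeholder (blank file or empty folder used as a blocker) | staged (real bundle)
installer_state() {
    local app="${1%/}/Applications/${INSTALLER_NAME}"
    if [ ! -e "$app" ]; then
        echo "absent"
    elif [ -d "$app/Contents" ]; then
        echo "staged"
    else
        echo "placeholder"
    fi
}

# present | absent: the bundle the thread removes to stop the upgrade notification
notification_state() {
    if [ -d "${1%/}/${NOTIFY_BUNDLE}" ]; then echo "present"; else echo "absent"; fi
}

# Stored AutomaticDownload value, or "unknown" if unset or defaults(1) is unavailable
auto_download_state() {
    local value
    if command -v defaults >/dev/null 2>&1 &&
       value=$(defaults read "${1%/}/${SU_DOMAIN}" AutomaticDownload 2>/dev/null); then
        echo "$value"
    else
        echo "unknown"
    fi
}

# One line per Mac, suitable for a smart group or a report
upgrade_artifact_report() {
    local root="${1:-}"
    printf '<result>installer=%s notification=%s autodownload=%s</result>\n' \
        "$(installer_state "$root")" "$(notification_state "$root")" \
        "$(auto_download_state "$root")"
}

upgrade_artifact_report "${ROOT:-}"
```

Collecting this at inventory time shows which Macs had the installer re-staged after a cleanup, so removal policies can be scoped to those machines only.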