How to block Mavericks update

david_yenzer
Contributor II

Does anybody know specifically how to block the Mavericks update?

We are currently on JSS v8.52 using the Restricted Software function. Most of our machines are still Lion, though there have been some machines approved to move to Mtn Lion.

We currently have the following blocks in place:
Install OS X Lion.app
Install Mac OS X.app
Install OS X Mountain Lion.app
Install OS X Mavericks.app

Is there something more specific that you can provide to block the Mavericks update?

Thanks!

58 REPLIES

daniel_behan
Contributor III

It may be too late but if the culture of your company allows it, I have the app store itself blocked so no one should be getting the installer to begin with. I have the Mavericks installer blocked as well, so if I see a 10.9 machine show up in my smart group, they'll be having a huge talk with me and infosec.

FastGM3
Contributor

At what point should I expect the Installer to quit?
I've run the sudo jamf manage on my test box, yet I'm still able to get through the EULA and up to the Install screen.

Here's my Restricted Software setting, am I missing something?

http://imgur.com/WItmsu5

Thanks,
Chuck

mm2270
Legendary Contributor III

@FastGM3

Since I'm not using Casper Suite 9 yet I can't really test anything, but I do know that Restricted Software under version 9 now uses the same scoping mechanism as a policy, unlike in 8.x where it just applied to everyone unless they were in the exclusion list. Is it possible your Mac just isn't in the Scope to get the Restricted Software item applied? If it is, and it still isn't working, this may be a bug.

FastGM3
Contributor

@mm2270

I think you're right about the scoped computer, for whatever reason my first box didn't work. The second test box worked PERFECTLY!

Thank you, Thank you!
Chuck

kirkd
New Contributor II

Thanks a bunch for the help everyone. The restriction works!!

darms21
New Contributor

We configured email notifications for Restricted Software yesterday. At that time we were running 8.62. While at 8.62 we successfully received numerous email notifications of attempted Mavericks upgrades. Later in the day, we upgraded to 8.73 and now we are no longer receiving email notifications. Anyone else come across this after upgrading to 8.73?

TomDay
Release Candidate Programs Tester

I don't get the restricted software email notifications in 8.72, was getting ready to call them but sounds like it's a more widespread issue. Email notifications work perfectly for database backups, policy errors etc.

dgreening
Valued Contributor II

Yeah, email notifications in Restricted Software have not worked for me for quite a while. All other email notifications work fine though.

bthomason
New Contributor II

I get multiple notifications per client. I have already got 4 users today trying to update, even though I sent an email saying don't. haha.

pickerin
Contributor II

Under 9.2, I'm not getting any email notifications either, even though they are checked on both my profile for Notifications and in the policy to send the email.

I know the policy is working, I watched the installer quit.

FastGM3
Contributor

@pickerin

I'm running 9.2 and the email notifications seem to be working just fine. Under Settings>SMTP Server, you may want to double check the account that the JSS server is sending to. Just to ensure the address you were expecting the messages to appear in is the one set up in the JSS.

Chuck

evarona
New Contributor II

Coming in late on this topic. Thanks for the great ideas but I'm annoyed that Mavericks is bypassing SUS altogether. We have strict policies and cannot allow users to upgrade at this time so the policy idea is great. But has anyone figured out how to prevent the upgrade from showing up at all in Software Update? I ran 'sudo softwareupdate -l' and Mavericks was not listed. Makes sense since it's an upgrade and not a patch but I'd still prefer to prevent users from seeing it at all. Thanks.

stevehahn
Contributor

@darms21 My 8.64 server doesn't send emails about Restricted Software violations either, and my 9.2 test server sends out 4 emails on each violation. I opened a ticket with support and they said both of these are known issues that they are working on.

pickerin
Contributor II

@FastGM3

I get all of my other notifications, just not Restricted Software Violations. @stevehahn stated he opened a ticket with Jamf and they've acknowledged this as a known issue. Seems it just doesn't affect everyone the same.

jshipman
New Contributor III

@mm2270 I have done exactly as you have said and I can't get the process to kill. Any more suggestions? I'm running JSS 8.72.

ernstcs
Contributor III

@mm2270 @tanderson I've updated another system to Mavericks from 10.8 and the hidden account was still intact.

ImAMacGuy
Valued Contributor II

I thought I saw somewhere there was a way to actually block Mavs from being displayed in the app store as being available so users wouldn't be tempted to click on it, but unfortunately I can't find it anymore - does anybody know the command or anything?

zmbarker
Contributor

Does anyone know of a way to Allow Mavericks upgrade via Self-Service but Block the upgrade if run from the App Store or from a USB flash drive or from a DVD?

david_yenzer
Contributor II

We have Mavericks blocked completely whenever it calls the processes mentioned above (Install OS X Mavericks.app). For users that we authorize to do the upgrade, we just edit the restriction and add those users/machines to the exempt list. Basically the way ours is set up, anybody can download the Mavericks app, but when they try to launch it the process gets noticed and is blocked. I'm not sure if there's another way to do it based on "source of download".
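
The name-based blocking with an exempt list discussed in this thread, sketched as an added example (not posted by any participant and not Jamf's implementation). It matches on the installer bundle name wherever the bundle is launched from, which is why the download source does not matter; the hostnames, the `ps` sample and the path-matching approach are assumptions made for illustration.

```bash
#!/bin/bash
# Restricted installer bundle names, taken from the block list in this thread.
RESTRICTED_APPS='Install OS X Lion.app
Install Mac OS X.app
Install OS X Mountain Lion.app
Install OS X Mavericks.app'

# Constructed sample in "PID PATH" form, the shape `ps -axo pid=,comm=` prints.
SAMPLE_PS='  312 /Applications/Safari.app/Contents/MacOS/Safari
  845 /Applications/Install OS X Mavericks.app/Contents/MacOS/InstallAssistant
  901 /Volumes/USB/Install OS X Mavericks.app/Contents/MacOS/InstallAssistant'

# find_restricted: read "PID PATH" lines on stdin and print "PID<TAB>bundle"
# for every process whose executable lives inside a restricted bundle.
find_restricted() {
  while read -r pid path; do
    [ -n "$pid" ] || continue
    while IFS= read -r app; do
      case "$path" in
        */"$app"/*) printf '%s\t%s\n' "$pid" "$app" ;;
      esac
    done <<EOF
$RESTRICTED_APPS
EOF
  done
}

# is_exempt HOST "HOST LIST": succeed when HOST is on the exempt list.
is_exempt() {
  case " $2 " in
    *" $1 "*) return 0 ;;
  esac
  return 1
}

# audit_host HOST "EXEMPT LIST": report restricted processes unless exempt.
audit_host() {
  if is_exempt "$1" "$2"; then
    cat >/dev/null   # drain stdin; authorized machines are not reported
    return 0
  fi
  find_restricted
}

# Hypothetical hostnames: mac-017 is not exempt, so both installers are listed.
printf '%s\n' "$SAMPLE_PS" | audit_host mac-017 "mac-002 mac-009"
```

On a managed Mac the same functions can be fed live data with `ps -axo pid=,comm= | audit_host "$(hostname -s)" "<exempt hosts>"`.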