Ignore Catalina Upgrade Prompt in Software Update

nstrauss
Contributor II

a46b39387e3c42ac86ee1fc7424ef465

Lots of discussion in #catalina on the MacAdmins Slack on how to disable the above prompt. Turns out even though Catalina isn't a traditional software update, it does still exist as a software update catalog entry and can be ignored in the same way. Run this command to ignore on a single machine...

sudo softwareupdate --ignore "macOS Catalina"

The Catalina banner in Software Update should disappear almost immediately. To send that out to your entire fleet with Jamf Pro, create a new policy with Files and Processes. Under execute command add that command. Scope to whichever Macs you don't want to be prompted. Problem solved! Thanks to folks on MacAdmins Slack for working through this.

3e8e48f353404528a248da8e5934c969

To undo what you just did and remove ignored software update entries run...

sudo softwareupdate --reset-ignored

To collect inventory information on what Macs have this ignore software update in place I have an EA. Tested on High Sierra, Mojave, and Catalina. Returns a list of ignored software updates added with the --ignore command. Useful to run advanced searches or smart groups against as needed.

https://github.com/nstrauss/jamf-extension-attributes/blob/master/ignored_softwareupdates.py

54 REPLIES 54

kellyjackson
New Contributor

@elsmith @jtrant Our restriction also failed to stop the post macOS security update 2020-03 triggered Catalina upgrades, this was remedied by adding the ".app" suffix to the process name in the restriction. Previously it read "install macOS Catalina" now it says "install macOS Catalina.app" and is working again. Hope this helps.

RJH
Contributor

hi all - has anyone seen this issue re-appear. I have been successfully able to block Catalina appearing on the fleet (running Mojave) using for the last 10 or so months using the the softwareupdate --ignore with "macOS Catalina" and "macOS Catalina 10.15" included in the exclusions. After the recent "Security Update 2020-003 10.14.6" has been applied, the macOS Catalina 10.15.5 is now appearing in software update with the annoying red (1) appearing. I have catalina installer blocked with restricted software, so ultimately it will be blocked from running (unless users rename the installer) but somehow Apple have changed something so these ignore entries no longer work. Any one come across this, and worked out how to resolve - additional entry in ---ignore list perhaps? I have tried adding "macOS Catalina 10.15.5" but didnt work :(. thx all

schiemsk
New Contributor III

Hi @RJH
Same Here, the last sec update breaks the "softwareupdate ignore" setting.

RJH
Contributor

It has been confirmed, using the softwareupdate --ignore is no longer a method that can be used to block Catalina. see Apple Support Article here. "Major new releases of macOS are no longer hidden when using the softwareupdate(8) command with the --ignore flag
This change also affects macOS Mojave and macOS High Sierra after installing Security Update 2020-003."

rmckellar
New Contributor III

According the linked article (thank you, btw @RJH ), Apple went back and allowed major OS updates to be hidden by the softwareupdate(8) --ignore flag with 15.6

RJH
Contributor

@rmckellar Thats fantastic news - thanks for bringing that to my/our attention!. 10.15.6 was not out at the time of my original post, but Apple have clearly listened and back-pedalled on this change, both for the Catalina and I also note, for Mojave and High Sierra with the 2020-004 Security update applied. I note that there is a requirement that the macOS device must be "managed", via Apple Business mgr/School mgr or user-approved MDM, which is a fair and reasonable caveat ie. if its managed, we will allow the devices upgrades to major releases be "managed" by Admins etc.. Relieved to see that common sense has prevailed! :)

rmckellar
New Contributor III

@RJH Agreed!

pabohr
New Contributor III

@RJH I have a test device on macOS Mojave 10.14.6 with 2020-004 Security update applied (18G6020) and user-approved MDM. I ran the softwareupdate --ignore "macOS Catalina" and softwareupdate --ignore "macOS Catalina 10.15.6 Update" from Jamf and macOS Catalina 10.15.6 is still showing in Software updates. In terminal, I only see "macOS Catalina 10.15.6 Update" in the list of ignored updates and I still see the "Ignoring software updates is deprecated" message.
Am I missing something?

RJH
Contributor

@pabohr I think my/our celebrations were a bit premature. I also see the the deprecated message, although with the correct exclusion in place ie. Catalina/10.15 etc. I now see an update pending, but the description is not showing correctly. Either way - the update is then available to install for a user, which is not the desired outcome. Still investigating and completing further testing. Let me know if this is also the behaviour you are seeing also.

pabohr
New Contributor III

@RJH I opened a ticket with Apple support for this issue and here is their answer:
*There is an issue we are actively tracking on this. For a comprehensive answer I’m going to be thorough.

On 10.14.6 with the Security Update 2020-004 systems the current expected behavior is:
softwareupdate —ignore can be used to prevent the macOS 10.15 installer from appearing in System Preferences > Software Update
This requires either User Approved MDM (UAMDM) enrollment, or enrollment through DEP (is in Apple Business Manager)

However, currently only Mac hardware enrolled in Apple Business Manager, and thus DEP are correctly respecting softwareupdate —ignore. UAMDM devices do not. Product Engineering is investigating this issue.*

RJH
Contributor

@pabohr thanks for the update. For the environment I work in all the Macs are UAMDM, so this is at least confirmation of the issue, and behaviour we are seeing. I'd be interested to hear back if you get an update from Apple as to perm fix/timelines.

pabohr
New Contributor III

@RJH I just got an update from the Apple engineer informing the issue was solved with the Security Update 2020-005 Mojave, however I was not able to install it. After verification it seems it has been pulled back by Apple yesterday due to some major issues (https://mrmacintosh.com/mojave-2020-005-security-update-causing-major-problems-updated/). I reached out to Apple again to get a confirmation and a new timeline for the fix.

porteusconf
New Contributor

https://github.com/hjuutilainen/bigsurblocker may be useful once big-sur drops, when, tho not sure you can avoid nags to install big-sur (instead of catalina) more than 90 days. Details and alternatives are mentioned at github site but Apple does not want to let you delay major os upgrades for than 90 days, and that is for both os-upgrades and security updates.. For our edu folks, it will make sense to stay on 10.14 another year until Fall 2021. So we need ways to reliably block 10.15 or newer as long as possible, and only abandon 10.14 when apple stops issuing security updates for 10.14. The poor ordinary folks without mdm may just need to put up with incessant nagging not only for 10.15 or newer, but also be wary to avoid immediate installs of bricking updates like 2020-005 which took 6 days for Apple to pull. Apple then confusingly later replaces it with identically named but actually a hopefully fixed 2nd version of the 2020-005 update and misnamed "Safari14.0MojaveAuto" train-wreck]

markopolo
Contributor
Any fixes for when "sudo softwareupdate --reset-ignored" doesn't actually reset the ignored list?

Having the same problem as @kevin.v. on about half the machines I've tried. I'm trying to reset this for several test machines. I can successfully run the reset command but the update still isn't available (have tried multiple times with restart). I was kind of relying on reversing this for when we make Big Sur generally available. Anyone know of a fix?

oartola
New Contributor II

We deployed this out to our users to prevent Big Sur from being an option in the System Preferences. This works perfectly fine but this seems to be causing issues when even trying to update from 10.15.1 to 10.15.7. I've tried running the ignore command and running the 10.15.1 to 10.15.7 update, via system preferences but that didnt seem to work either. I've tried NVRAM resets, running the software update via terminal but nothing works.