Inconsistent behavior with software restriction

danbaver
New Contributor III

When Mojave was released, we learned that our anti-virus software would prevent a Mojave system from booting, and they weren't going to have a patch released until late October. So, I created a software restriction to block the osinstallersetupd process.

Once the patch was released, I created two smart groups: one for the patched version, one for the unpatched version. I then added the group for the patched version to the exclusion list for the software restriction.

This mostly works well, however I have a handful of people who have the patched version who still get restricted from upgrading. I've checked in Jamf to make sure they are in the correct group, and they are. Sometimes they are able to after a day or so. Some folks can't even after multiple days. For these people, I add their machines individually to the exclusion list, and it seems to work.

Does anyone have any suggestions?

Thanks!

6 REPLIES 6

jtrant
Valued Contributor

The restricted software XML file (blacklist.xml) doesn't seem to be updated in any consistent way. Running 'jamf manage' from Terminal (or putting a button in Self Service that runs the command) should do the trick.

We have Self Service policies for upgrading to High Sierra, and 'jamf manage' is the first thing that runs under "Files & Processes" before the installer opens/runs. This ensures a consistent experience and less frustration for end-users.

anpender
New Contributor

I came here today regarding this exact issue - Mojave installer restricted software block failing to lift, even though the computers in question were removed from the scope almost two weeks ago. I'm trying to work a 'jamf manage' into the process as well, but it doesn't run from within the Self Service script that performs the upgrade, and Jamf is insisting on running the script first before the Files & Processes entry, even though it's marked "after". Guess I will be daisy-chaining policies to force the order.

And I suppose I should open a ticket to complain about the very slow (or possibly non-existent) automatic update of the restriction, though we are on 10.7.1 so I'm sure their first answer would be to upgrade.

anpender
New Contributor

@jtrant Is your jamf manage actually running successfully as part of a policy? I keep getting "the management framework will be enforced as soon as all policies are done executing" which means it'll work on the second try, but not the first. I'm thinking I may just need to schedule a daily 'jamf manage' and make sure that the block is removed several days before I put the policy into Self Service for general consumption.

jtrant
Valued Contributor

It's very unclear where/when jamf manage runs, so I've resorted to adding it to any policy that would involve a restricted software record. There are a bunch of threads on Jamf Nation on the subject, so I don't think we're alone on this one.

The way I managed OS upgrades are by daisy-chaining as anpender suggested above. In our case we call the OS installer using the below command. This is the only way I could have the management framework and blacklist.xml update before the installer launched.

jamf manage; sleep 15; open "/Applications/Install macOS High Sierra.app"

danbaver
New Contributor III

Thanks for the suggestions. I'm still waiting to hear back from folks as to whether or not this works.

Cheers!

bobbyclare
New Contributor

:)