Jamf Nation Community

Wonder if it'll get caught in SUS before it hits clients.

"Hope you have caching server set up! You have all moved to that by now, right?" -Apple

Real Nice, so if I disable automatic updates, I miss Gatekeeper and XProtect updates, but block Sierra

@mrice that TARDIS is looking good right about now

Thanks for the heads up @AVmcclint

Larry

So what's the best way to disable automatic updates?

I've used a simple policy that pushes out the following command to turn on "Download newly available updates in the background" in the past:

defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool YES

Change the YES to NO should do the trick. You can do a configuration profile to do the same.

My question is, if I want to keep download in the background enabled but not for that particular update. Has anyone seen the macOS Safari upgrade appear when running "softwareupdate --list --all"? I want to see if I can use --ignore to just prevent that upgrade from downloading in the background.

@LSinNY These are separate settings. You can have automatic downloads turned off but still have "Install system data files and security updates" enabled which is what xprotect and gatekeeper defs fall under.

@iJake hmmm so if you turn automatic downloads off but have ConfigDataInstall and CriticalUpdateInstall set to true, the Mac will still automatically download and install xprotect, gatekeeper, and critical updates automatically?

So if I have Sierra as a restricted software, will it download and then automatically delete itself...and then download again?

@dgreening Yes. We enforce via custom configuration profile

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AutomaticCheckEnabled</key>
    <true/>
    <key>ConfigDataInstall</key>
    <true/>
    <key>CriticalUpdateInstall</key>
    <true/>
</dict>
</plist>

I too have Sierra set as restricted software. My hope is it doesn't automatically open the installer app causing all users to get a pop up. Has anyone seen it in the wild yet?

I see the following in SUS

I would guess that this is part of the mechanism to deliver the upgrader. Not sure if it's required or not.
We have it disabled for now.

Verified this can be downloaded from App Store.app's Updates tab WITHOUT being logged in with an Apple ID.

This package is getting picked up by local Caching Server but NOT SUS. When local Caching servers are disabled, the client will go out to Apple on the Internet despite local SUS catalog UR. My corp has a proxy so I'm not sure which Apple server... most likely AppStore CDN...

Is this the first App Store App from the App store that does not need an Apple ID?

Also, the App placeholder in the Applications folder while being downloaded is called "macOS Sierra" in stead of "Install macOS Sierra".

Did anyone get awareness from Apple?

That's the same name for the app when you push via VPP, btw.

Rather than stop this automatic download, I'd like to use it in place of caching an installESD.dmg to fuel a Self Service upgrade policy.

Anybody already doing this or have any ideas as I start to dig into that concept?

Yep, just showed up in my reposado box. @milesleacy that is interesting. @iJake liking the profile.

Just had a watchman alert telling me one of our developers updated. He claims it just installed on its own as well.

I have an El Capitan VM set to download but not automatically install all available updates (from App Store preferences).

I suspect if the Mac had Install OS X Updates selected, that it would upgrade on the next reboot.

(my production Macs have the top 5 boxes managed to enabled)

I hope not. The way I understood it that would only work for 10.x.x
updates but not an update to a new 10.x version

Can someone who knows that they have a Mac that has received the automatic download (and has not yet installed the update) report on the contents of that Mac's /Library/Updates/ directory?

Can everyone confirm this is only hitting El Cap Macs as the article states? Want to make sure earlier OS's aren't impacted.

> Just had a watchman alert telling me one of our developers updated. He claims it just installed on its own as well.

I find that very hard to believe. The information we have available on this automatic download all points to requiring the user to initiate or approve the upgrade.

I'm almost positive it required interaction.

Users lie.

Users also click "Ok" without reading dialogs or Notification Center messages.

I am waiting for my 10.11.6 Mac to get the automatic download so I can see the message, but I suspect it will be similar to the automatic update messaging in Notification Center.

Just spoke with Enterprise AppleCare and they pointed me to the following KB:

https://support.apple.com/en-us/HT201475

I also confirmed the following w/ AppleCare rep:

1.) As mentioned, only 10.11.5 and above will be auto downloaded
2.) Unchecking "Download newly available updates in the background" prevents the download
3.) The installer that is auto downloaded is still "Install macOS Sierra.app"

Our restrictions policy should catch the installer app and kill it. I pushed out a script yesterday afternoon to all El Cap clients based on the string above:

defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool NO

The "macOS Installer Notification" update showed up on my SUS this morning. It must've downloaded it last night. But there's no "Install macOS Sierra" update showing.

We have the "Download newly available updates in the background" option checked ON in our client machines so they can get regular updates, but I set up two Restricted Software rules in JSS to block Sierra. I'm hoping that'll be enough to keep it from showing up in my users' screens.

@milesleacy >Can someone who knows that they have a Mac that has received the automatic download (and has not yet installed the update) report on the contents of that Mac's /Library/Updates/ directory?

I don't see anything Sierra related in that directory, just the Sierra installer in /Applications.

Good info, I will keep watching this thread

The following seemed like it would work, but didn't.

I tried replacing line 6 with a symlink instead of a hard link, as well as using cp. The policy that includes "Install Cached Install macOS Sierra.InstallESD.dmg" failed in all of these cases. Anyone have any ideas why?

Does "caching a package" do anything other than put the package in Waiting Room and create an XML file?

#!/bin/bash

# Step 1
# copy installesd to /Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg

ln -F /Applications/Install macOS Sierra.app/Contents/SharedSupport/InstallESD.dmg /Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg

# Step 2
# Create and populate /Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml

## Get package ID from JSS
packageID=$(/usr/bin/curl --silent --show-error --connect-timeout 30 --request GET --user apiUser:apiPassword https://my.jss.ext:8443/JSSResource/packages/name/Install%20macOS%20Sierra.InstallESD.dmg | xpath //id[1] | awk -F'>|<' '/id/{print $3}')

## Write XML file
echo "<?xml version="1.0" encoding="UTF-8"?>" > /Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml
echo "<cachedPackage>" >> /Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml
echo "   <id>"$packageID"</id>" >> /Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml
echo "   <fut>false</fut>" >> /Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml
echo "   <feu>false</feu>" >> /Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml
echo "   <type>package</type>" >> /Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml
echo "   <suppressFromDock>false</suppressFromDock>" >> /Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml
echo "   <ignoreConflicts>false</ignoreConflicts>" >> /Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml
echo "   <isOSInstall>true</isOSInstall>" >> /Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml
echo "</cachedPackage>" >> /Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml

exit 0

Contents of Waiting Room After Using the Above Script

bash-3.2# ls -l /Library/Application Support/JAMF/Waiting Room/
total 9308072
-rw-r--r--  1 root  wheel  4765726488 Oct  4 16:04 Install macOS Sierra.InstallESD.dmg
-rw-r--r--  1 root  wheel         273 Oct  4 16:10 Install macOS Sierra.InstallESD.dmg.cache.xml

Contents of Waiting Room After Running a Policy that Caches Install macOS Sierra.InstallESD.dmg

bash-3.2# ls -l /Library/Application Support/JAMF/Waiting Room/
total 9308072
-rw-r--r--  1 root  wheel  4765726488 Oct  4 16:18 Install macOS Sierra.InstallESD.dmg
-rw-r--r--  1 root  wheel         277 Oct  4 16:18 Install macOS Sierra.InstallESD.dmg.cache.xml

/var/log/jamf.log related to the above:

Tue Oct 04 16:26:44 computerName jamf[processID]: Checking for policy ID xxxx...
Tue Oct 04 16:26:44 computerName jamf[processID]: Executing Policy Upgrade to macOS Sierra v10.12
Tue Oct 04 16:26:44 computerName jamf[processID]: Verifying package integrity...
Tue Oct 04 16:27:08 computerName jamf[processID]: Installation failed. The package could not be verified.
Tue Oct 04 16:27:09 computerName jamf[processID]: Blessing in-place OS upgrade directory...
Tue Oct 04 16:27:09 computerName jamf[processID]: /OS X Install Data is not a directory

It seems that the package was not verified and the directory "/OS X Install Data" was not created (I've verified the latter in the file system).

I hadn't noticed it while testing, but now looking at the post, I see a slight size difference in my XML file vs the one created by Casper.

Any idea what's missing?

Thanks for the headsup!

I've disabled automatic downloads temporary using @pcrandom's method.

@milesleacy What JSS version?

Apple changed things with 10.12 so the location to bless is not "OSX install data" but "macOS Install Data" (well similar to those).

I know this was noted in COSXIP

Here's the issue that was opened on GitHub for createOSXInstallPkg (COSXIP):

https://github.com/munki/createOSXinstallPkg/issues/18

@iJake Doing the profile intrigues me but I've never created a profile with custom settings. Where would I start? Can I just paste this into a text file to upload? Does the file need to be named something specific if that's the case?

@jhuls You need to create a .plist file in the proper XML. One of the easiest ways and what I did in this case is set Software Update how I want it, open my local plist and save it somewhere else retaining only the keys I want to manage as shown in my post above. You'll want the name of the plist to be the same as the original so when you upload the file to Casper it can read the domain name which is how when the Mac gets the profile it knows where to apply those keys.

@iJake Thanks...knowing this will be very useful.

@bentoms JSS v9.96

Thanks for the link @rtrouton

To clarify, as I don't think I had said so in as many words... I'm trying to leverage the auto-downloaded Sierra installer in an "Upgrade to macOS Sierra v10.12" Self Service policy in order to save time and bandwidth over caching the InstallESD from the JSS.

@milesleacy I've never done this before, so forgive me if this is a dumb question, but would you have to still add a copy of the InstallESD to the JSS with Casper Admin so that there's a valid matching package for the policy to install the "cached" package that is actually copied from the auto-downloaded Sierra installer? Is it possible that the InstallESD pulled from the installer and the InstallESD in the JSS doesn't quite match and that's why it failed verification?

If you actually cache a copy of the InstallESD from the JSS does it install successfully?