macOS Sierra Available as an Automatic Download

AVmcclint
Valued Contributor III

macOS Sierra Available as an Automatic Download Starting Today

Oh boy. Just what we needed.

Starting today, Apple is making the new macOS Sierra operating system available as an automatic download to customers running OS X El Capitan in order to encourage them to update. Customers who have auto downloads enabled will see macOS Sierra start to download automatically, but it will not install without express user permission.

Better make sure Automatic updates are disabled on your managed systems or your bandwidth will suffer.


dgreening
Valued Contributor II

Hooooo boy. We definitely have Automatic Updates enabled via config profile as, well, we want to have clients download their updates and then prompt users to install them. Having to turn that off would suck.

mrice
New Contributor II

Wonder if it'll get caught in SUS before it hits clients.

dgreening
Valued Contributor II

"Hope you have caching server set up! You have all moved to that by now, right?" -Apple

Nix4Life
Valued Contributor

Real Nice, so if I disable automatic updates, I miss Gatekeeper and XProtect updates, but block Sierra

@mrice that TARDIS is looking good right about now

Thanks for the heads up @AVmcclint

Larry

jhuls
Contributor III

So what's the best way to disable automatic updates?

pcrandom
Contributor

I've used a simple policy that pushes out the following command to turn on "Download newly available updates in the background" in the past:

defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool YES

Changing the YES to NO should do the trick. You can do a configuration profile to do the same.

My question is, if I want to keep download in the background enabled but not for that particular update. Has anyone seen the macOS Safari upgrade appear when running "softwareupdate --list --all"? I want to see if I can use --ignore to just prevent that upgrade from downloading in the background.

iJake
Valued Contributor

@LSinNY These are separate settings. You can have automatic downloads turned off but still have "Install system data files and security updates" enabled which is what xprotect and gatekeeper defs fall under.

dgreening
Valued Contributor II

@iJake hmmm so if you turn automatic downloads off but have ConfigDataInstall and CriticalUpdateInstall set to true, the Mac will still automatically download and install xprotect, gatekeeper, and critical updates automatically?

danny_hanes
Contributor

So if I have Sierra as a restricted software, will it download and then automatically delete itself...and then download again?

iJake
Valued Contributor

@dgreening Yes. We enforce via custom configuration profile

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AutomaticCheckEnabled</key>
    <true/>
    <key>ConfigDataInstall</key>
    <true/>
    <key>CriticalUpdateInstall</key>
    <true/>
</dict>
</plist>

jubei
New Contributor II

I too have Sierra set as restricted software. My hope is it doesn't automatically open the installer app causing all users to get a pop up. Has anyone seen it in the wild yet?

mrice
New Contributor II

I see the following in SUS

I would guess that this is part of the mechanism to deliver the upgrader. Not sure if it's required or not.
We have it disabled for now.

Sonic84
Contributor III

Verified this can be downloaded from App Store.app's Updates tab WITHOUT being logged in with an Apple ID.

This package is getting picked up by local Caching Server but NOT SUS. When local Caching servers are disabled, the client will go out to Apple on the Internet despite local SUS catalog URL. My corp has a proxy so I'm not sure which Apple server... most likely AppStore CDN...

Is this the first App Store App from the App store that does not need an Apple ID?

Also, the App placeholder in the Applications folder while being downloaded is called "macOS Sierra" instead of "Install macOS Sierra".

Did anyone get awareness from Apple?

iJake
Valued Contributor

That's the same name for the app when you push via VPP, btw.

milesleacy
Valued Contributor

Rather than stop this automatic download, I'd like to use it in place of caching an installESD.dmg to fuel a Self Service upgrade policy.

Anybody already doing this or have any ideas as I start to dig into that concept?

Nix4Life
Valued Contributor

Yep, just showed up in my reposado box. @milesleacy that is interesting. @iJake liking the profile.

ammonsc
Contributor II

Just had a watchman alert telling me one of our developers updated. He claims it just installed on its own as well.

milesleacy
Valued Contributor

I have an El Capitan VM set to download but not automatically install all available updates (from App Store preferences).

I suspect if the Mac had Install OS X Updates selected, that it would upgrade on the next reboot.

(my production Macs have the top 5 boxes managed to enabled)

ammonsc
Contributor II

I hope not. The way I understood it that would only work for 10.x.x updates but not an update to a new 10.x version

milesleacy
Valued Contributor

Can someone who knows that they have a Mac that has received the automatic download (and has not yet installed the update) report on the contents of that Mac's /Library/Updates/ directory?

jubei
New Contributor II

Can everyone confirm this is only hitting El Cap Macs as the article states? Want to make sure earlier OS's aren't impacted.

alexjdale
Valued Contributor III

> Just had a watchman alert telling me one of our developers updated. He claims it just installed on its own as well.

I find that very hard to believe. The information we have available on this automatic download all points to requiring the user to initiate or approve the upgrade.

ammonsc
Contributor II

I'm almost positive it required interaction.

milesleacy
Valued Contributor

Users lie.

Users also click "Ok" without reading dialogs or Notification Center messages.

I am waiting for my 10.11.6 Mac to get the automatic download so I can see the message, but I suspect it will be similar to the automatic update messaging in Notification Center.

jubei
New Contributor II

Just spoke with Enterprise AppleCare and they pointed me to the following KB:

https://support.apple.com/en-us/HT201475

I also confirmed the following w/ AppleCare rep:

1.) As mentioned, only 10.11.5 and above will be auto downloaded
2.) Unchecking "Download newly available updates in the background" prevents the download
3.) The installer that is auto downloaded is still "Install macOS Sierra.app"

Our restrictions policy should catch the installer app and kill it. I pushed out a script yesterday afternoon to all El Cap clients based on the string above:

defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool NO

itupshot
Contributor II

The "macOS Installer Notification" update showed up on my SUS this morning. It must've downloaded it last night. But there's no "Install macOS Sierra" update showing.

We have the "Download newly available updates in the background" option checked ON in our client machines so they can get regular updates, but I set up two Restricted Software rules in JSS to block Sierra. I'm hoping that'll be enough to keep it from showing up in my users' screens.

thedanielmatt
New Contributor III

@milesleacy

> Can someone who knows that they have a Mac that has received the automatic download (and has not yet installed the update) report on the contents of that Mac's /Library/Updates/ directory?

I don't see anything Sierra related in that directory, just the Sierra installer in /Applications.

Nix4Life
Valued Contributor

Good info, I will keep watching this thread

milesleacy
Valued Contributor

The following seemed like it would work, but didn't.

I tried replacing line 6 with a symlink instead of a hard link, as well as using cp. The policy that includes "Install Cached Install macOS Sierra.InstallESD.dmg" failed in all of these cases. Anyone have any ideas why?

Does "caching a package" do anything other than put the package in Waiting Room and create an XML file?

#!/bin/bash

# Step 1
# copy installesd to /Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg

ln -F "/Applications/Install macOS Sierra.app/Contents/SharedSupport/InstallESD.dmg" "/Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg"

# Step 2
# Create and populate /Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml

## Get package ID from JSS
packageID=$(/usr/bin/curl --silent --show-error --connect-timeout 30 --request GET --user apiUser:apiPassword https://my.jss.ext:8443/JSSResource/packages/name/Install%20macOS%20Sierra.InstallESD.dmg | xpath //id[1] | awk -F'>|<' '/id/{print $3}')

## Write XML file
echo "<?xml version="1.0" encoding="UTF-8"?>" > "/Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml"
echo "<cachedPackage>" >> "/Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml"
echo "   <id>"$packageID"</id>" >> "/Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml"
echo "   <fut>false</fut>" >> "/Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml"
echo "   <feu>false</feu>" >> "/Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml"
echo "   <type>package</type>" >> "/Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml"
echo "   <suppressFromDock>false</suppressFromDock>" >> "/Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml"
echo "   <ignoreConflicts>false</ignoreConflicts>" >> "/Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml"
echo "   <isOSInstall>true</isOSInstall>" >> "/Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml"
echo "</cachedPackage>" >> "/Library/Application Support/JAMF/Waiting Room/Install macOS Sierra.InstallESD.dmg.cache.xml"

exit 0

Contents of Waiting Room After Using the Above Script

bash-3.2# ls -l /Library/Application Support/JAMF/Waiting Room/
total 9308072
-rw-r--r--  1 root  wheel  4765726488 Oct  4 16:04 Install macOS Sierra.InstallESD.dmg
-rw-r--r--  1 root  wheel         273 Oct  4 16:10 Install macOS Sierra.InstallESD.dmg.cache.xml

Contents of Waiting Room After Running a Policy that Caches Install macOS Sierra.InstallESD.dmg

bash-3.2# ls -l /Library/Application Support/JAMF/Waiting Room/
total 9308072
-rw-r--r--  1 root  wheel  4765726488 Oct  4 16:18 Install macOS Sierra.InstallESD.dmg
-rw-r--r--  1 root  wheel         277 Oct  4 16:18 Install macOS Sierra.InstallESD.dmg.cache.xml

milesleacy
Valued Contributor

/var/log/jamf.log related to the above:

Tue Oct 04 16:26:44 computerName jamf[processID]: Checking for policy ID xxxx...
Tue Oct 04 16:26:44 computerName jamf[processID]: Executing Policy Upgrade to macOS Sierra v10.12
Tue Oct 04 16:26:44 computerName jamf[processID]: Verifying package integrity...
Tue Oct 04 16:27:08 computerName jamf[processID]: Installation failed. The package could not be verified.
Tue Oct 04 16:27:09 computerName jamf[processID]: Blessing in-place OS upgrade directory...
Tue Oct 04 16:27:09 computerName jamf[processID]: /OS X Install Data is not a directory

It seems that the package was not verified and the directory "/OS X Install Data" was not created (I've verified the latter in the file system).

milesleacy
Valued Contributor

I hadn't noticed it while testing, but now looking at the post, I see a slight size difference in my XML file vs the one created by Casper.

Any idea what's missing?
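
Added example, not part of the thread or of Jamf's tooling: the `echo` lines from the script above, run as posted, next to a heredoc that keeps the double quotes in the XML declaration, with the two file sizes compared. The package ID 123 and the scratch file names are constructed, and that the posted text is byte-for-byte what ran is an assumption; with a three-digit ID the sizes come out at 273 and 277 bytes, the same two sizes shown in the Waiting Room listings.

```bash
#!/bin/bash
# Added example, not from the thread. Package id 123 is constructed sample data.

# Variant A: echo lines as posted. Each inner double quote closes or reopens
# the shell string, so the shell strips all four from the XML declaration.
write_as_posted() {
    out="$1"; packageID="$2"
    echo "<?xml version="1.0" encoding="UTF-8"?>" > "$out"
    echo "<cachedPackage>" >> "$out"
    echo "   <id>"$packageID"</id>" >> "$out"
    echo "   <fut>false</fut>" >> "$out"
    echo "   <feu>false</feu>" >> "$out"
    echo "   <type>package</type>" >> "$out"
    echo "   <suppressFromDock>false</suppressFromDock>" >> "$out"
    echo "   <ignoreConflicts>false</ignoreConflicts>" >> "$out"
    echo "   <isOSInstall>true</isOSInstall>" >> "$out"
    echo "</cachedPackage>" >> "$out"
}

# Variant B: a heredoc passes the quotes through untouched and still expands
# the package id.
write_with_heredoc() {
    out="$1"; packageID="$2"
    cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<cachedPackage>
   <id>${packageID}</id>
   <fut>false</fut>
   <feu>false</feu>
   <type>package</type>
   <suppressFromDock>false</suppressFromDock>
   <ignoreConflicts>false</ignoreConflicts>
   <isOSInstall>true</isOSInstall>
</cachedPackage>
EOF
}

byte_size() { wc -c < "$1" | tr -d ' '; }

# Prints "<size as posted> <size with heredoc>" for the same package id.
compare_sizes() {
    dir=$(mktemp -d) || return 1
    write_as_posted "$dir/posted.cache.xml" "$1"
    write_with_heredoc "$dir/heredoc.cache.xml" "$1"
    echo "$(byte_size "$dir/posted.cache.xml") $(byte_size "$dir/heredoc.cache.xml")"
    rm -rf "$dir"
}

compare_sizes 123   # prints: 273 277
```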

skeb1ns
Contributor

Thanks for the heads-up!

I've disabled automatic downloads temporarily using @pcrandom's method.

bentoms
Honored Contributor III

@milesleacy What JSS version?

Apple changed things with 10.12 so the location to bless is not "OSX install data" but "macOS Install Data" (well similar to those).

I know this was noted in COSXIP

rtrouton
Valued Contributor III

Here's the issue that was opened on GitHub for createOSXInstallPkg (COSXIP):

https://github.com/munki/createOSXinstallPkg/issues/18

jhuls
Contributor III

@iJake Doing the profile intrigues me but I've never created a profile with custom settings. Where would I start? Can I just paste this into a text file to upload? Does the file need to be named something specific if that's the case?

iJake
Valued Contributor

@jhuls You need to create a .plist file in the proper XML. One of the easiest ways and what I did in this case is set Software Update how I want it, open my local plist and save it somewhere else retaining only the keys I want to manage as shown in my post above. You'll want the name of the plist to be the same as the original so when you upload the file to Casper it can read the domain name which is how when the Mac gets the profile it knows where to apply those keys.

jhuls
Contributor III

@iJake Thanks...knowing this will be very useful.

milesleacy
Valued Contributor

@bentoms JSS v9.96

Thanks for the link @rtrouton

To clarify, as I don't think I had said so in as many words... I'm trying to leverage the auto-downloaded Sierra installer in an "Upgrade to macOS Sierra v10.12" Self Service policy in order to save time and bandwidth over caching the InstallESD from the JSS.

pcrandom
Contributor

@milesleacy I've never done this before, so forgive me if this is a dumb question, but would you have to still add a copy of the InstallESD to the JSS with Casper Admin so that there's a valid matching package for the policy to install the "cached" package that is actually copied from the auto-downloaded Sierra installer? Is it possible that the InstallESD pulled from the installer and the InstallESD in the JSS doesn't quite match and that's why it failed verification?

If you actually cache a copy of the InstallESD from the JSS does it install successfully?