Posted on 10-26-2021 07:29 AM
Hello All,
We attempted blocking Monterey via a software restriction for the exact process name, "install macOS Monterey.app", which we're having mixed results on it actually working within the organization. One of the major issues is that it appears this process name is different based off the lanuage preference set for the machine. One example would be the german process, "macOS Monterey installieren" is not restricted when attempting to restrict the exact process listed above.
In attempt to have a catch all I configured an addition restriction where we're not checking for the exact process name, and just "macOS Monterey".
Anyone seen this issue and been able to come up with a catch all?
Solved! Go to Solution.
Posted on 10-26-2021 07:57 AM
Hello MrHacker,
Are you trying to block just macOS Monterey, or block any major OS installation? We use a software restriction that kills the "InstallAssistant" process , scoped to all managed clients, which covers any macOS major upgrade. This still allows users to install software updates/security patches freely. We then utilize Self Service to allow our staff to upgrade to the newer OS once we have everything tested, or at the end of the deferral period of 90 days (Since with Big Sur, you can now only defer up to 90 days and cannot use the software --ignore "macOS" flag anymore).
Posted on 10-26-2021 07:57 AM
Hello MrHacker,
Are you trying to block just macOS Monterey, or block any major OS installation? We use a software restriction that kills the "InstallAssistant" process , scoped to all managed clients, which covers any macOS major upgrade. This still allows users to install software updates/security patches freely. We then utilize Self Service to allow our staff to upgrade to the newer OS once we have everything tested, or at the end of the deferral period of 90 days (Since with Big Sur, you can now only defer up to 90 days and cannot use the software --ignore "macOS" flag anymore).
Posted on 10-26-2021 09:10 AM
May be the route we have to take. We specifically wanted to restrict Monterey to allow users to upgrade to Big Sur as we're still on Mojave/Catalina. This seems like the catch all though so might have to look at utilizing self service like you said. Not a bad idea 💡
Posted on 10-28-2021 05:36 AM
What else does this impact though? A majority of my users are admins, what else would this potentially kill? ONLY macOS installers?
Posted on 10-28-2021 06:20 AM
This only should impact macOS Installers. This process only runs on a macOS Installer.app launch. There are a couple ways to get around this for your admin users. You can scope a static group (one you create with your admin user machines designated) to the exclusion, which will allow any computer in the exclusion to run the macOS installers still. Another way to handle this is creating a Self Service Upgrade policy, which will allow you to scope a macOS Monterey upgrade to any computer of your choosing.
In our School District, macOS Installers are restricted across the board. We utilize Self Service upgrade policies to upgrade major macOS versions. To test macOS Monterey, I add my other admins/coworkers to the (macOS Installer Restriction) exclusion list.
Posted on 10-28-2021 06:27 AM
Thanks
Posted on 10-26-2021 07:59 AM
we also restrict the InstallAssistant
Posted on 10-27-2021 09:24 AM
This is how I restrict Monterey without restricting computers to update to Big Sur if on Catalina/Mojave
Posted on 11-08-2021 12:25 AM
Maybe you should kill "Install macOS Monterey*.app" if you have different process name
Posted on 11-22-2021 11:38 AM
You need also to use a configuration profile. Its a 2 steps situation.. I work with a global company. The internal file paths are always in english.