Monterey Restriction

MrHacker
New Contributor

Hello All,

We attempted blocking Monterey via a software restriction for the exact process name, "install macOS Monterey.app", which we're having mixed results on it actually working within the organization. One of the major issues is that it appears this process name is different based off the lanuage preference set for the machine. One example would be the german process, "macOS Monterey installieren" is not restricted when attempting to restrict the exact process listed above.

In attempt to have a catch all I configured an addition restriction where we're not checking for the exact process name, and just "macOS Monterey".

Anyone seen this issue and been able to come up with a catch all?

1 ACCEPTED SOLUTION

Tlehr
New Contributor II

Hello MrHacker,

Are you trying to block just macOS Monterey, or block any major OS installation? We use a software restriction that kills the "InstallAssistant" process , scoped to all managed clients, which covers any macOS major upgrade. This still allows users to install software updates/security patches freely. We then utilize Self Service to allow our staff to upgrade to the newer OS once we have everything tested, or at the end of the deferral period of 90 days (Since with Big Sur, you can now only defer up to 90 days and cannot use the software --ignore "macOS" flag anymore).

Screen Shot 2021-10-26 at 10.48.14 AM.png

View solution in original post

9 REPLIES 9

Tlehr
New Contributor II

Hello MrHacker,

Are you trying to block just macOS Monterey, or block any major OS installation? We use a software restriction that kills the "InstallAssistant" process , scoped to all managed clients, which covers any macOS major upgrade. This still allows users to install software updates/security patches freely. We then utilize Self Service to allow our staff to upgrade to the newer OS once we have everything tested, or at the end of the deferral period of 90 days (Since with Big Sur, you can now only defer up to 90 days and cannot use the software --ignore "macOS" flag anymore).

Screen Shot 2021-10-26 at 10.48.14 AM.png

MrHacker
New Contributor

May be the route we have to take. We specifically wanted to restrict Monterey to allow users to upgrade to Big Sur as we're still on Mojave/Catalina. This seems like the catch all though so might have to look at utilizing self service like you said. Not a bad idea 💡

What else does this impact though? A majority of my users are admins, what else would this potentially kill? ONLY macOS installers?

Tlehr
New Contributor II

This only should impact macOS Installers. This process only runs on a macOS Installer.app launch. There are a couple ways to get around this for your admin users. You can scope a static group (one you create with your admin user machines designated) to the exclusion, which will allow any computer in the exclusion to run the macOS installers still. Another way to handle this is creating a Self Service Upgrade policy, which will allow you to scope a macOS Monterey upgrade to any computer of your choosing.

 

In our School District, macOS Installers are restricted across the board. We utilize Self Service upgrade policies to upgrade major macOS versions. To test macOS Monterey, I add my other admins/coworkers to the (macOS Installer Restriction) exclusion list.

Thanks

YanW
Contributor III

we also restrict the InstallAssistant

Screen Shot 2021-10-26 at 10.57.34 AM.png

sara_mccullar
New Contributor III

Screen Shot 2021-10-27 at 9.20.51 AM.png

 

 

 

 

 

 

 

 

This is how I restrict Monterey without restricting computers to update to Big Sur if on Catalina/Mojave

ghost21patron
New Contributor

Maybe you should kill "Install macOS Monterey*.app" if you have different process name

jmancuso
New Contributor III

You need also to use a configuration profile. Its a 2 steps situation.. I work with a global company. The internal file paths are always in english.