OS X Yosemite

Araneta
New Contributor III

Any first take? What to watch for? Positive or Negative feedbacks?

99 REPLIES 99

jwojda
Valued Contributor II

to use that, do i just copy/paste your mobileconfig file into a plist and upload it to JAMF's Config Profile under Custom settings?
When I save the mobileconfig off the github site and upload it to casper, it still wants the PLIST file..

golbiga
Contributor III
Contributor III

Yup, copy & paste it and name the file whateveryouwant.mobileconfig. Just update it to your environment and if your users are admins you might want to add a section to require a password to remove. When creating a new profile, just upload and set to apply to computer level.

Allen

jwojda
Valued Contributor II

when I did that, casper still prompted for a plist file.

i tried saving the github to a plist file and uploaded that... but I don't know that it will do the trick.

golbiga
Contributor III
Contributor III

I just uploaded it but I'm noticing that my JSS (8.73) and my dev JSS (9.32) are stripping the mcx settings. I'm going to test this out more, but it looks like Im going to have package this up with a postinstall script. I really wish Casper's profile options actually matched Profile Manager. It would make this so much easier.

jwojda
Valued Contributor II

at least it's not my imagination

jennifer
Contributor

Try saving the file @golbiga made as a .plist, then create a config profile using the custom settings and upload the file.

golbiga
Contributor III
Contributor III

@jennifer_unger That works! I just created a com.apple.SoftwareUpdate.plist with AllowPreReleaseInstallation set to false and it applies properly. Thanks!

jwojda
Valued Contributor II

@jennifer_unger that's what I did, wasn't sure if that would work or not...
guess there's only one way to tell, and that's wait for the public beta to go live.

golbiga
Contributor III
Contributor III

I just updated my profile https://github.com/golbiga/Profiles/blob/master/blockosxbeta.mobileconfig and I tested against 8.73 and 9.32. This time there are no issues when pushed by my JSS. com.apple.SoftareUpdate in /Library/ManagedPreferences now shows AllowPreReleaseInstallation being set to false.

Allen

jwojda
Valued Contributor II

@golbiga thank you!

golbiga
Contributor III
Contributor III

Removed.

mm2270
Legendary Contributor III

First off, thanks @golbiga for pointing out the Apple KB and method. And thanks to whomever at Apple that got this in place. Apparently someone there is looking out for us poor Mac admins!

That said, I noticed one thing to mention in testing. The Apple method seems to only work with the actual OS X Yosemite Beta, not against the 10.10.Developer Preview from earlier in the year. This makes sense I guess, but thought I'd mention it, just in case any user gets their hands on a Dev Preview installer. It would not work to stop them from installing that.
So, probably a good idea to take a double shotgun approach and keep the Casper Suite Restricted Software item in place for everything (or at least the Dev Preview) and also have this Config profile or MCX setting in place for the Public Beta version.
The process is still called "Install Assistant" so as long as that's in place, Casper will/should still catch it and shut it down before the Config Profile even needs to stop anything.

scottb
Honored Contributor

Has anyone yet tested the old method above to see if the name/process changed? I'm not going to push out the Profile, and I'm wondering if the previous process still works?

mm2270
Legendary Contributor III

It hasn't changed. The executable is still "InstallAssistant" as I mentioned. Tested and confirmed that our existing Restricted Software still blocks the Public Yosemite Beta installer.

scottb
Honored Contributor

@mm2270][/url: Apologies. I read the thing too fast to grasp your last sentence. D'oh!

Re: the Apple KB posted, the DL link for the sample profile is broken...is this the same as posted above? If so, was it pulled?

kstrick
Contributor III

confirmed that restricting "Install OS X Yosemite Beta.app" works....
currently using that restriction and the MCX to block users

znilsson
Contributor II

Let's assume I can't push config profiles to our users right now, will just blocking the process "Install OS X Yosemite Beta.app" work, without doing anything else?

scottb
Honored Contributor

@kstrick: But using that method I believe will not cover the install of the user changes the name. I can't confirm, but I'd test that if you use only the app name...

kstrick
Contributor III

@boettchs True, a name change might be a workaround but I'm hoping between restricting the process name and with the mcx blocking the installation once the installer is launched that it should weed out most of the troublemakers.

If i block "InstallAssistant" as mentioned above, can it block other potentially 'legit' installers other than OS X installers, or is that really just part of the current OS X installers...

mm2270
Legendary Contributor III

I suggest using "InstallAssistant" as the process to look for and block, not the app bundle name. This is discussed earlier up the thread on why so I won't repeat it again in this post.

Edit: @kstrick - I haven't seen "InstallAssistant" used anywhere else, but I can't say 100% that it couldn't block other legit installers. Personally I'd rather use that and if someone reports that another installation is getting blocked as well, we can adjust it later.

golbiga
Contributor III
Contributor III

I can confirm that the profile works. Upon launching the installer, when you go to choose which disk you want to install Yosemite on, a pop-up will show up saying, "The prerelease version of OS X Yosemite cannot be installed on this Mac due to the Software Update Policy in effect."

Allen

scottb
Honored Contributor

Apparently, that is not supposed to be "out there" (Profile). Apple is asking me where I got the link and I simply stated the twitter-sphere... Just a heads up. But glad it works, in concept.

jennifer
Contributor

Isn't it the link in Apple's document? http://support.apple.com/kb/HT6311

Thats where I assumed it came from.

golbiga
Contributor III
Contributor III

The link was broken in the KB article, but someone dug it up. I removed the link from this thread, but the one on my github page was created by following the directions in http://support.apple.com/kb/HT6311.

Allen

scottb
Honored Contributor

All, FWIW, I let Apple know about the KB and it's now online and fixed - the Profile is downloadable and OK to share. Just wanted to make sure we keep on the good side of things, and they say it's fine now and I did in fact just download the Profile. Carry on.

jstrauss
Contributor

Anyone noticing inconsistent FV2 reporting in Yosemite? Some machines show encrypted, others show unencrypted, others show status "Decrypting" or "Encrypting" when they're fully encrypted. My machine, fully encrypted, shows as No Partitions Encrypted in both JSS 8.73 and 9.32.

denmoff
Contributor III

Having a strange issue where the Mac is reporting 'MDM Capability' as 'No'. Not sure if that's just a weird issue that only this one that i'm testing Yosemite is having.

Edit: Just wiped it and loaded an unbooted 10.10 image(via AutoDMG) and reenrolled into JAMF. The JSS MDM Profile loads fine and shows as Verified in Profile Settings on the Mac, but i still get a MDM Capability: No in JAMF. I also can't select this machine when scoping out a config profile(as expected i guess).

JSS 9.31

ItsMe_Sean
Contributor

@denmoff][/url

Pretty sure it only shows as MDM Capable: No, is because it is beta and therefore unsupported in a production environment.

My machine which I am running Yosemite on reports MDM Capable: No, also.
Once Yosemite is officially released and JAMF release the version of the JSS to support it, it should be fine.

acdesigntech
Contributor II

@Shadow_Within is right - it's because it's in beta and not a production OS that Casper knows about. Easily worked around by making a smart group scoped to 10.10 Macs, and applying MCX/Profiles to that group.

denmoff
Contributor III

Thanks @Shadow_Within][/url That makes sense, i guess. Thanks for the workaround @acdesigntech][/url. I'll give it a shot.

Edit: The workaround doesn't seem to be working. The profile seems to be scoped to the 10.10 Mac, but it has not yet received it.

mm2270
Legendary Contributor III

I would say that until JAMF releases a 9.x version of Casper that supports Yosemite, you're likely to see all kinds of odd issues when testing it in the JSS. I wouldn't be too concerned about any of those just yet. JAMF always waits until the official release from Apple before they unveil their own updated product.

acdesigntech
Contributor II

here's to hoping they release an 8.x patch that support 10.10 as well. yeah, i'm still on 8.73...

mm2270
Legendary Contributor III

I would not count on that. I know they did it for Mavericks because 9.x had just been released and they knew a lot of customers were still on the 8 series, but I wouldn't hold my breath for any 8.x patch to support 10.10. Development is focused on the 9 series I'm being told.
We're also still on 8.73 here, but we're planning our move to Casper Suite 9 for late summer because, well, the handwriting is on the wall there. Anyway, 9.x has matured a bit and doesn't have nearly the amount of issues it had when it was first released. Time to make the move methinks.

acdesigntech
Contributor II

<rant>

TAM just emailed me about that actually. JAMF is not planning a code patch for 8.x. Extremely disappointing since 9 hasn't even been out a year yet. This AFTER we just finished talking about how to move my MCXs to Config profiles easily (where are the actual plists I have are located on the JSS, so I can grab them and run them through MCXtoProfile), how I'm not able to grab them in the JSS on v8.x, and MCXs won't move over in the upgrade from 8.73 to 9.x (in testing this has always held partially true).

I can't plan any move to 9.x until we figure out our server sitch (stuck on 10.6.8 servers ATM and windows VMs are sort of out of the picture because of other dependencies). *VERY frustrating*.

</rant>

Sorry to hijack, folks.

scottb
Honored Contributor

@acdesigntech: you're disappointed, which is fine, but at the same time you are running on 10.6.8 servers? Not sure that your infrastructure being so far behind matches the need to run Yosemite Macs. You can't expect them to keep adding new OS support to an old version of the JSS software - IMHO.
Seems like getting your server sitch settled first is a good idea...

RobertHammen
Valued Contributor II

Casper 9 is the future and yeah, you should be planning your migration strategy. I'm guessing cloud-hosted JSS isn't an option for you either? Been replacing a lot of non 3,1 Xserve's with Mac mini servers...

bentoms
Release Candidate Programs Tester

@acdesigntech, I remember a thread I was on/started where someone confirmed a level or 10.9 support on v8. But not full & not further.

Kindof to follow what @RHammen has said, why not a macmini running v9 for the newer macs?

Matt
Valued Contributor

I would assume 10.10 and 8.X support won't be available. Too many new things with 10.10.

znilsson
Contributor II

10.10 is available today. Here's what I have for blocking Yosemite installs in Casper (Restricted Software):

- Block process name: Install OS X 10.10 Developer Preview
- Block process name: InstallAssistant

Can anybody verify that these will work to block the installation of Yosemite? And is there a more specific string I can use other than InstallAssistant, in the interest of only blocking Yosemite installs and not anything else?

emily
Valued Contributor III
Valued Contributor III

The Apple website has this as the link to the App Store for Yosemite:
https://itunes.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=915041082&mt=12

Nothing there yet but I bet if enough people click the link it will magically go somewhere.