Posted on 06-02-2014 07:27 PM
Any first take? What to watch for? Positive or Negative feedbacks?
Posted on 07-24-2014 05:51 AM
to use that, do i just copy/paste your mobileconfig file into a plist and upload it to JAMF's Config Profile under Custom settings?
When I save the mobileconfig off the github site and upload it to casper, it still wants the PLIST file..
Posted on 07-24-2014 06:07 AM
Yup, copy & paste it and name the file whateveryouwant.mobileconfig. Just update it to your environment and if your users are admins you might want to add a section to require a password to remove. When creating a new profile, just upload and set to apply to computer level.
Posted on 07-24-2014 06:08 AM
when I did that, casper still prompted for a plist file.
i tried saving the github to a plist file and uploaded that... but I don't know that it will do the trick.
Posted on 07-24-2014 06:21 AM
I just uploaded it but I'm noticing that my JSS (8.73) and my dev JSS (9.32) are stripping the mcx settings. I'm going to test this out more, but it looks like Im going to have package this up with a postinstall script. I really wish Casper's profile options actually matched Profile Manager. It would make this so much easier.
Posted on 07-24-2014 06:40 AM
at least it's not my imagination
Posted on 07-24-2014 06:46 AM
Try saving the file @golbiga made as a .plist, then create a config profile using the custom settings and upload the file.
Posted on 07-24-2014 06:56 AM
@jennifer_unger That works! I just created a com.apple.SoftwareUpdate.plist with AllowPreReleaseInstallation set to false and it applies properly. Thanks!
Posted on 07-24-2014 07:13 AM
@jennifer_unger that's what I did, wasn't sure if that would work or not...
guess there's only one way to tell, and that's wait for the public beta to go live.
Posted on 07-24-2014 07:44 AM
I just updated my profile https://github.com/golbiga/Profiles/blob/master/blockosxbeta.mobileconfig and I tested against 8.73 and 9.32. This time there are no issues when pushed by my JSS. com.apple.SoftareUpdate in /Library/ManagedPreferences now shows AllowPreReleaseInstallation being set to false.
Posted on 07-24-2014 08:03 AM
Posted on 07-24-2014 09:19 AM
Posted on 07-24-2014 09:39 AM
First off, thanks @golbiga for pointing out the Apple KB and method. And thanks to whomever at Apple that got this in place. Apparently someone there is looking out for us poor Mac admins!
That said, I noticed one thing to mention in testing. The Apple method seems to only work with the actual OS X Yosemite Beta, not against the 10.10.Developer Preview from earlier in the year. This makes sense I guess, but thought I'd mention it, just in case any user gets their hands on a Dev Preview installer. It would not work to stop them from installing that.
So, probably a good idea to take a double shotgun approach and keep the Casper Suite Restricted Software item in place for everything (or at least the Dev Preview) and also have this Config profile or MCX setting in place for the Public Beta version.
The process is still called "Install Assistant" so as long as that's in place, Casper will/should still catch it and shut it down before the Config Profile even needs to stop anything.
Posted on 07-24-2014 09:46 AM
Has anyone yet tested the old method above to see if the name/process changed? I'm not going to push out the Profile, and I'm wondering if the previous process still works?
Posted on 07-24-2014 09:51 AM
It hasn't changed. The executable is still "InstallAssistant" as I mentioned. Tested and confirmed that our existing Restricted Software still blocks the Public Yosemite Beta installer.
Posted on 07-24-2014 09:53 AM
@mm2270][/url: Apologies. I read the thing too fast to grasp your last sentence. D'oh!
Re: the Apple KB posted, the DL link for the sample profile is broken...is this the same as posted above? If so, was it pulled?
Posted on 07-24-2014 10:26 AM
confirmed that restricting "Install OS X Yosemite Beta.app" works....
currently using that restriction and the MCX to block users
Posted on 07-24-2014 10:33 AM
Let's assume I can't push config profiles to our users right now, will just blocking the process "Install OS X Yosemite Beta.app" work, without doing anything else?
Posted on 07-24-2014 10:36 AM
@kstrick: But using that method I believe will not cover the install of the user changes the name. I can't confirm, but I'd test that if you use only the app name...
Posted on 07-24-2014 10:41 AM
@boettchs True, a name change might be a workaround but I'm hoping between restricting the process name and with the mcx blocking the installation once the installer is launched that it should weed out most of the troublemakers.
If i block "InstallAssistant" as mentioned above, can it block other potentially 'legit' installers other than OS X installers, or is that really just part of the current OS X installers...
Posted on 07-24-2014 10:41 AM
I suggest using "InstallAssistant" as the process to look for and block, not the app bundle name. This is discussed earlier up the thread on why so I won't repeat it again in this post.
Edit: @kstrick - I haven't seen "InstallAssistant" used anywhere else, but I can't say 100% that it couldn't block other legit installers. Personally I'd rather use that and if someone reports that another installation is getting blocked as well, we can adjust it later.
Posted on 07-24-2014 11:54 AM
I can confirm that the profile works. Upon launching the installer, when you go to choose which disk you want to install Yosemite on, a pop-up will show up saying, "The prerelease version of OS X Yosemite cannot be installed on this Mac due to the Software Update Policy in effect."
Posted on 07-24-2014 12:02 PM
Apparently, that is not supposed to be "out there" (Profile). Apple is asking me where I got the link and I simply stated the twitter-sphere... Just a heads up. But glad it works, in concept.
Posted on 07-24-2014 12:06 PM
Isn't it the link in Apple's document? http://support.apple.com/kb/HT6311
Thats where I assumed it came from.
Posted on 07-24-2014 12:31 PM
The link was broken in the KB article, but someone dug it up. I removed the link from this thread, but the one on my github page was created by following the directions in http://support.apple.com/kb/HT6311.
Posted on 07-25-2014 10:08 AM
All, FWIW, I let Apple know about the KB and it's now online and fixed - the Profile is downloadable and OK to share. Just wanted to make sure we keep on the good side of things, and they say it's fine now and I did in fact just download the Profile. Carry on.
Posted on 08-04-2014 10:36 AM
Anyone noticing inconsistent FV2 reporting in Yosemite? Some machines show encrypted, others show unencrypted, others show status "Decrypting" or "Encrypting" when they're fully encrypted. My machine, fully encrypted, shows as No Partitions Encrypted in both JSS 8.73 and 9.32.
Posted on 08-04-2014 01:04 PM
Having a strange issue where the Mac is reporting 'MDM Capability' as 'No'. Not sure if that's just a weird issue that only this one that i'm testing Yosemite is having.
Edit: Just wiped it and loaded an unbooted 10.10 image(via AutoDMG) and reenrolled into JAMF. The JSS MDM Profile loads fine and shows as Verified in Profile Settings on the Mac, but i still get a MDM Capability: No in JAMF. I also can't select this machine when scoping out a config profile(as expected i guess).
Posted on 08-04-2014 11:59 PM
Pretty sure it only shows as MDM Capable: No, is because it is beta and therefore unsupported in a production environment.
My machine which I am running Yosemite on reports MDM Capable: No, also.
Once Yosemite is officially released and JAMF release the version of the JSS to support it, it should be fine.
Posted on 08-05-2014 05:53 AM
@Shadow_Within is right - it's because it's in beta and not a production OS that Casper knows about. Easily worked around by making a smart group scoped to 10.10 Macs, and applying MCX/Profiles to that group.
Posted on 08-05-2014 06:58 AM
Thanks @Shadow_Within][/url That makes sense, i guess. Thanks for the workaround @acdesigntech][/url. I'll give it a shot.
Edit: The workaround doesn't seem to be working. The profile seems to be scoped to the 10.10 Mac, but it has not yet received it.
Posted on 08-05-2014 07:33 AM
I would say that until JAMF releases a 9.x version of Casper that supports Yosemite, you're likely to see all kinds of odd issues when testing it in the JSS. I wouldn't be too concerned about any of those just yet. JAMF always waits until the official release from Apple before they unveil their own updated product.
Posted on 08-05-2014 08:01 AM
here's to hoping they release an 8.x patch that support 10.10 as well. yeah, i'm still on 8.73...
Posted on 08-05-2014 08:24 AM
I would not count on that. I know they did it for Mavericks because 9.x had just been released and they knew a lot of customers were still on the 8 series, but I wouldn't hold my breath for any 8.x patch to support 10.10. Development is focused on the 9 series I'm being told.
We're also still on 8.73 here, but we're planning our move to Casper Suite 9 for late summer because, well, the handwriting is on the wall there. Anyway, 9.x has matured a bit and doesn't have nearly the amount of issues it had when it was first released. Time to make the move methinks.
Posted on 08-05-2014 09:47 AM
TAM just emailed me about that actually. JAMF is not planning a code patch for 8.x. Extremely disappointing since 9 hasn't even been out a year yet. This AFTER we just finished talking about how to move my MCXs to Config profiles easily (where are the actual plists I have are located on the JSS, so I can grab them and run them through MCXtoProfile), how I'm not able to grab them in the JSS on v8.x, and MCXs won't move over in the upgrade from 8.73 to 9.x (in testing this has always held partially true).
I can't plan any move to 9.x until we figure out our server sitch (stuck on 10.6.8 servers ATM and windows VMs are sort of out of the picture because of other dependencies). *VERY frustrating*.
Sorry to hijack, folks.
Posted on 08-05-2014 02:31 PM
@acdesigntech: you're disappointed, which is fine, but at the same time you are running on 10.6.8 servers? Not sure that your infrastructure being so far behind matches the need to run Yosemite Macs. You can't expect them to keep adding new OS support to an old version of the JSS software - IMHO.
Seems like getting your server sitch settled first is a good idea...
Posted on 08-05-2014 03:24 PM
Casper 9 is the future and yeah, you should be planning your migration strategy. I'm guessing cloud-hosted JSS isn't an option for you either? Been replacing a lot of non 3,1 Xserve's with Mac mini servers...
Posted on 08-05-2014 03:34 PM
@acdesigntech, I remember a thread I was on/started where someone confirmed a level or 10.9 support on v8. But not full & not further.
Kindof to follow what @RHammen has said, why not a macmini running v9 for the newer macs?
Posted on 08-06-2014 05:55 AM
I would assume 10.10 and 8.X support won't be available. Too many new things with 10.10.
Posted on 10-16-2014 10:39 AM
10.10 is available today. Here's what I have for blocking Yosemite installs in Casper (Restricted Software):
- Block process name: Install OS X 10.10 Developer Preview
- Block process name: InstallAssistant
Can anybody verify that these will work to block the installation of Yosemite? And is there a more specific string I can use other than InstallAssistant, in the interest of only blocking Yosemite installs and not anything else?
Posted on 10-16-2014 12:06 PM
The Apple website has this as the link to the App Store for Yosemite:
Nothing there yet but I bet if enough people click the link it will magically go somewhere.