Part of our monthly software update process, we have the mac's check Apple for any software updates. I use a script that I put together and part of that script runs the command:
jamf runSoftwareUpdate -fromApple
I know we can use Restricted Software for the process "install MacOS... app", but will that prevent the OS upgrade from happening when it kicked off from the command jamf tool?
jamf runSoftwareUpdate -fromApple is simply using the jamf binary to facilitate the macOS built-in
softwareupdate command with whatever options you specify (for example: -fromApple). So, your policy that is running that command to have your clients check Apple for software updates is doing just that, not version upgrades. The upgrade process, as run from a client manually is handled through the App Store and then the .app upgrader being run.
If you're concerned about crafty users trying to bypass your Restricted Software entry by running the installer from Terminal via the
startosinstall command which is inside the macOS installer app then I suppose you could add a Restricted Software entry for startosinstall as well, but that would affect your potential use of that command for a policy-based upgrade.
Thank you for the clarification on the jamf command. This is what I wasn't sure about, how that actually worked. So if I'm understanding you correctly, when you use command line "jamf runSoftwareUpdate" or the Softwareupdate command, it's only checking for and installing "updates" NOT any new OS upgrades. Is that right?
Yeah, that's it. It's not much different than you opening up System Preferences > Software Update and installing any updates that show up there. It will never install a full operating system upgrade from there. Only updates to specific software titles, security patches and incremental OS updates. (like 10.14.2 > 10.14.4)