Prevent software updates?

@pearlin Most people will set up their own ASUS on OSX Server or use Reposdado (which can be setup on NetSUS) & then point clients to those servers for updates.

You, the admin, can then approve updates as wanted.

Why can't you just turn off the software update schedule check in System Prefs --> App Store, or from the command line, see below.

sudo softwareupdate --schedule off

@bentoms, we do have our own SUS. The problem is we want the security updates to go to all of our other clients, just not to 10 specific iMacs. If I exclude the 10 from our SUS, won't they still get updates directly from Apple?

@damienbarrett, does this disable all software updates, or just App Store updates? Our issue is with system updates (specifically the 2015 security updates).

I was also thinking about blocking port 8088 on the target iMacs.

@pearlin If your internal SUS is a JAMF NetSUS device, or Reposado, you can create different update branches so that you can control what updates a group of computers sees. So you could have a general branch and an A/V branch that is specific for these iMacs. Then point the iMacs at the A/V branch.

The command that @damienbarrett gave you is to simply turn off the scheduled checking of software updates. It does not necessarily stop someone from manually checking for updates.

@stevewood, our SUS is an OS X Server (10.9.5). I use our JSS for configuration profiles that point our clients to the SUS. Is it possible to create the different branches of which you speak in this environment?

@pearlin I think I am in a similar situation as you, though I had previously disabled the App Store system preference pane from automatically checking. Unfortunately I pushed out this update without catching the bug on time.

Though I don't want to hijack the thread, do you have any information about the bug that you can share? Have you determined if the issue is solely with the 2015-002 update, or does it affect 2015-001 as well?

@dmohs, the bug affects both 2015-001 (where we first confirmed the issue) and 2015-002 updates (where we stepped in it again). Simply unplugging the display adapter "clears" the display freeze, but it will freeze again after about an hour of up time.

I can confirm, that a base 10.9.5 setup with no security updates from this year will perform without the display freezing.

@pearlin unfortunately, no, the Apple SUS that is included in Server does not allow for branching. As far as I know, only Reposado (and NetSUS) allow for branching.

If you can guarantee that no one is going to manually run software updates, then turning off the schedule as Damien mentioned above may be your easiest fix.

@pearlin - @stevewood is correct. You want to create a separate NetSus server. Make it a VM if you need to. Create a branch and then tell those 10 machines to only get updates from that server. Then you don't need to change any of your other machines talking to your Mac SUS server and those 10 machine can be managed different.

I understand what you're asking for. Your easiest solution then would be to set up a secondary SUS, and on that SUS turn off the problematic security updates. Then point the iMacs in question to this secondary SUS that will not offer the security updates.

Or, as Steve says, look into Reposedo for a branched solution (which I have no experience with).

Thanks to everyone for the advice. The best bet at this point is to disable the security update (and not enable any future ones) and rely on the pkgs from Apple to push future security updates, thus manually excluding the iMacs that we don't want to get it.

Time to go reimage...

Couldn't you create a script to run softwareupdate --ignore <yourupdate> on the clients you want to skips those updates on?

@Marker.43 You bet. You'd still need to block restrict the update to avoid potential manual override via the App Store. However, since they are a location that uses an SUS they would need to modify their entire update strategy/policies.

@Marker.43, I tried that with no success. Terminal confirms the update is blocked by name, but the App Store still loads it as an available update, even after a restart. That said, I have the update in question now blocked by our SUS and I'm reimaging the iMacs to avoid the security updates (not something that I want to do, but given the alternative, I don't have any other choice).

All in all, can't say I'm happy about this and I certainly didn't get any sympathy from Apple, which is no surprise these days. Thanks again to everyone for the insight!