Preventing users from applying software updates

AVmcclint
Honored Contributor

I discovered that end users with Standard User permissions are freely able to install any and all system software updates via the App Store.app - including updating from 10.10.4 to 10.10.5. How can I block this?

4 REPLIES

bcheney
Release Candidate Programs Tester

Do you want them to see/have them available? You could always point their SUS to an empty server, or you could pick and choose the updates you want them to have available.

Someone might be able to help you change the system preference for 'automatically check for updates' also; standard users aren't able to change that preference in System Preferences > App Store.

AVmcclint
Honored Contributor

I don't mind if they see it, we just can't have users applying updates to their Macs before they've been tested and approved. They need to focus on their jobs while I focus on mine: maintaining the Macs.

  • point to an empty SUS: I'd have to undo that before applying the updates myself.
  • run our own SUS and just control what's available: unfortunately this would involve dealing with a very strong anti-Mac-server contingent to get approval for a new server on the network.
  • It's my understanding that we can't block the App Store.app since VPP relies on it. Is this correct? If I block the App Store.app, would I still be able to run the softwareupdate command via ARD or SSH?

jarednichols
Honored Contributor

Run your own SUS and put a gate on updates so you can test. Do it with Reposado on whatever hardware your server folks will support. SUS is really just modified Apache. JAMF's offering in a VM is about as easy as you can get (it's Reposado under the hood).

However, keep in mind that software updates are the #1 protection against security vulnerabilities, so don't get stuck in perpetual "testing" where nothing gets updated.
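The gate described in the reply above, with a deadline so that nothing sits in "testing" indefinitely, sketched as an added example that is not part of any post in this thread and is not Reposado or JAMF code. The thresholds, product IDs, dates and bucket names are all constructed assumptions; the resulting "release" list is what an admin would then enable on their own SUS.

```python
from dataclasses import dataclass
from datetime import date

SOAK_DAYS = 7        # assumed minimum time on test Macs before release
MAX_TEST_DAYS = 21   # assumed deadline; anything older must be decided

@dataclass
class Update:
    product_id: str        # constructed placeholder, not a real Apple product key
    title: str
    in_testing_since: date
    approved: bool         # tester signed off
    blocked: bool = False  # tester found a breaking problem

def gate(updates, today):
    """Sort updates into release / hold / overdue / blocked buckets."""
    decision = {"release": [], "hold": [], "overdue": [], "blocked": []}
    for u in updates:
        age = (today - u.in_testing_since).days
        if u.blocked:
            bucket = "blocked"
        elif u.approved and age >= SOAK_DAYS:
            bucket = "release"
        elif age > MAX_TEST_DAYS:
            bucket = "overdue"   # unpatched too long: force a decision
        else:
            bucket = "hold"
        decision[bucket].append(u.product_id)
    return decision

# Constructed sample data (IDs, titles and dates are illustrative only)
SAMPLE = [
    Update("EXAMPLE-001", "OS X Update 10.10.5", date(2015, 8, 13), approved=True),
    Update("EXAMPLE-002", "Security Update", date(2015, 7, 20), approved=False),
    Update("EXAMPLE-003", "Safari", date(2015, 8, 18), approved=True),
    Update("EXAMPLE-004", "Printer drivers", date(2015, 8, 1), approved=False, blocked=True),
]

if __name__ == "__main__":
    for bucket, ids in gate(SAMPLE, date(2015, 8, 24)).items():
        print(f"{bucket:8} {', '.join(ids) or '-'}")
```

The "overdue" bucket is the guard against perpetual testing: an update that has neither been approved nor blocked by the deadline is surfaced for an explicit decision instead of silently staying unreleased.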

AVmcclint
Honored Contributor

We don't get into perpetual testing loops. We just want to avoid catastrophes like the MS Office 14.5.0 update. I realize that's a third-party app not handled by SUS, but the event was pretty bad, and if you've been supporting Macs for a while you know that Apple is not immune to those same kinds of screw-ups.