Posted on 09-15-2015 04:57 AM
I discovered that end users with Standard User permissions are freely able to install any and all system software updates via the App Store.app - including updating from 10.10.4 to 10.10.5. How can I block this?
Posted on 09-15-2015 05:16 AM
Do you want them to see/have them available? You could always point their SUS to an empty server, or you could pick and choose the updates you want them to have available.
Someone might be able to help you change the system preference for 'automatically check for updates' also, standard users aren't able to change that preference in System Preferences > App Store.
Posted on 09-15-2015 05:49 AM
I don't mind if they see it, we just can't have users applying updates to their Macs before they've been tested and approved. They need to focus on their jobs while I focus on mine: maintaining the Macs.
Posted on 09-15-2015 07:51 AM
Run your own SUS and put a gate on updates so you can test. Do it with Reposado on whatever hardware your server folks will support. SUS is really just modified Apache. JAMF's offering in a VM is about as easy as you can get (it's Reposado under the hood).
However, keep in mind that software updates are the #1 protection against security vulnerabilities so don't get stuck in perpetual "testing" where nothing gets updated.
Posted on 09-15-2015 10:18 AM
We don't get into perpetual testing loops. We just want to avoid catastrophes like the MS Office 14.5.0 update. I realize that's a 3rd party app not handled by SUS but the event was pretty bad and if you've been supporting Macs for a while you know that Apple is not immune to those same kinds of screw-ups.