Help

Restrict Mac OSX 10.13.5

jcosma
New Contributor II

Posted on ‎06-06-2018 06:39 AM

Hello,

Has anyone built a software restriction in Jamf to prevent 10.13.5? When I went to download it I don't see it as a "Install MacOS HighSierra" in my downloads folder so I'm not sure what to block. I want to block this so I can test before users get the new OS. Any ideas what the .app is or what else I can build to restrict this? Thanks in advance.

Best,

Jason

Labels:
0 Kudos
Reply
7 REPLIES 7

dgreening
Valued Contributor II

Posted on ‎06-06-2018 06:48 AM

In terms of the .app installer, you have to restrict the High Sierra installer in general: restricted software task for "Install macOS High Sierra*" which kills the process.

In terms of Software Update (App Store), it would be a SUS binary command: "softwareupdate --ignore macOSInstallerNotification_GM" to ignore the OS upgrade nag (with download) for Macs on a down version of the OS, and then "softwareupdate --ignore macOS High Sierra 10.13.5 Update" and "softwareupdate --ignore macOS High Sierra 10.13.5 Combo Update" to ignore the specific updates via Jamf deployed script.

When you are ready to release, do a "softwareupdate reset--ignored" coupled with "softwareupdate --ignore macOSInstallerNotification_GM", as you really don't ever want Apple downloading 6+gb .app installers automatically, nor nagging users to upgrade.

Reply

jcosma
New Contributor II

Posted on ‎06-06-2018 07:08 AM

Thank you @dgreening !

Reply

donmontalvo
Esteemed Contributor III

Posted on ‎06-06-2018 10:19 AM

Might want to sprinkle a dash of "delay" on it...

5f121fb87288489ea49f22b3ff5db44a

For details on the keys used, look for forceDelayedSoftwareUpdates and enforcedSoftwareUpdateDelay on Apple's Configuration Profile Reference page (the first only applies to 10.13.4 or later, the second applies to 10.13 or later):

Guides and Sample Code | Configuration Profile Reference

9978bee815844521b3bc4893cc193bcf

Might also want to disable SUS notifications (DisableSoftwareUpdateNotifications) too:

2f4f458d90d7476b9d2a04eb54f3837d

Which is also described:

Guides and Sample Code | Configuration Profile Reference

cfcefcec0ffd499cb93a6e84daa4d219

--
https://donmontalvo.com
Reply

jcosma
New Contributor II

Posted on ‎06-06-2018 01:24 PM

Thanks so much @donmontalvo. Quick follow up, how/where would I create that plist? Just write it out in Terminal and then bring it into Composer? I've never done this before, so I'm not sure. I know how to create the Custom Profile within JAMF but not sure how to create that .plist. Appreciate the feedback.

0 Kudos
Reply

mm2270
Legendary Contributor III

Posted on ‎06-06-2018 01:42 PM

@jcosma Create a new plist with just the entries you want in it. The name of the plist (domain) must match the target domain it's applying to, so be sure to use the same name.

defaults write ~/Desktop/com.apple.applicationaccess.plist forceDelayedSoftwareUpdates -bool true
defaults write ~/Desktop/com.apple.applicationaccess.plist enforcedSoftwareUpdateDelay -int 90

Then convert the new plist file

plutil -convert xml1 ~/Desktop/com.apple.applicationaccess.plist

Then upload it into the Custom Payload section of a new Config Profile.

Do the same thing for the SUS notification entry

defaults write ~/Desktop/com.apple.appstore.plist

Follow the steps from above to convert it and upload to a Config Profile.

Reply

donmontalvo
Esteemed Contributor III

Posted on ‎06-06-2018 11:08 PM

@mm2270 excellent breakout.

--
https://donmontalvo.com
0 Kudos
Reply

AquibS
New Contributor

Posted on ‎09-25-2019 05:33 AM

@donmontalvo how to verify the above once after configuration profile installed to Mac. how would be the behaviour.

Thanks

0 Kudos
Reply