Restrict Monterey

Fardoomz
New Contributor II

I am trying to restrict Monterey Installations for the time being using Software Restriction in Jamf.

I have 2 restrictions.  1 for Beta and 1 for release.

Fardoomz_2-1633705830735.png

When the installer runs I see the process name in Activity Monitor

Install macOS Monterey beta.app

I have this listed in the Restrict Software under Process Name.

Fardoomz_1-1633705796960.png

But when I run the installer the process does not kill on the machine that is being restricted.

Is something not correct in my Restrict Software setup?

Thank you.

29 REPLIES 29

mainelysteve
Valued Contributor II

You have restrict exact process name checked. You'd need to run the installer and grab the process name from Activity Monitor to use that. If it's unchecked it will use the file name which could be renamed if you have intrepid users who want some Monterey action.

sdagley
Esteemed Contributor II

@Fardoomz You can block the GUI for all macOS installers by blocking the process named "InstallAssistant" and specifying "Restrict exact process name". This does not block the `startosinstall` tool however so depending on how persistent your users are you may want to block that process as well.

Ken_Bailey
New Contributor III

When I've setup my restrictions, I don't believe I have ever used quotes in the field. Not sure if that may affect it. Also I had to create an Install macOS 12 Beta.app when they first released, but think that was corrected and they all comedown as Install macOS 12 Beta.app.

Also we are still playing around with these and ensuring that they behave the way we want them to.2021-10-08_13-55-30.png2021-10-08_13-54-29.png

@Ken_Bailey are you using JAMF Cloud ?   We are still JAMF on prem, running JAMF 10.27, and not seeing the same options within Defer updates as you have above.    Putting it down to a later release of JAMF which incorporates that granular level of control.  More reason for us to upgrade to latest JAMF release I guess, and all the work that involves  😞Screen Shot 2021-10-20 at 1.50.45 pm.png

Ken_Bailey
New Contributor III

We just migrated to the cloud last week. We were on prem when I posted this and running the latest version of Jamf Pro at the time.

johnsz_tu
New Contributor III

@Ken_Bailey I'm struggling to figure out how to set the above so that Monterey is deferred for 90 days but allow things like the Big Sur 11.6.1 update released today.

Would Big Sur 11.6.1 be considered a "minor software update" ? 

I'm waiting for the 11.6.1 Big Sur Update to start showing as available here so I can play around with the settings to try and figure it out.

We want to ensure people are still getting any Big Sur updates that Apple releases, but not Monterey. 

Ken_Bailey
New Contributor III

@johnsz_tu we ended up pushing the configuration profile with just Defer updates of Only major software updates for 90 Days. We have a number of users who have upgraded to 11.6.1. None have been able to update to Monterey yet. So the Big Sur updates should be minor software updates, based on what I am seeing in our environment. The major update should only be a new OS like Big Sur to Monterey.

Screen Shot 2021-10-27 at 7.37.04 AM.png

Also to state we are also still leveraging the Software Restrictions for Monterey, on top of this Defer updates.

johnsz_tu
New Contributor III

Thanks @Ken_Bailey i'll give this a go! 

 


@Ken_Bailey wrote:

We have a number of users who have upgraded to 11.6.1. None have been able to update to Monterey yet


Perfect this is exactly what we are after. Much appreciated. 

What version of JAMF pro are you running? We are on 10.30.3 and don’t have the same deferral options. 

We migrated to the cloud recently. Currently on 10.32.2

gleeblezoid
New Contributor II

Based on the release notes for Jamf 10.32 the deferral options are only compatible with macOS 11.3+ (unless I'm reading that wrong). 

I'm also seeing the behaviour that Fardoomz outlined, though in this case with an inexact match to Install macOS Monterey*

dstranathan
Valued Contributor II

I'd like to know this too. We still have a lot of macOS 10.15 Catalina Macs in production and we want to prevent them from seeing Monterey in the Software Update pref pane (Defer).

RPA_Sma4
New Contributor III

Its seems like we can add this to the list of broken functions within Jamf relating to software updates. Software update policies have been broken since Big Sur and now the config profiles. I have Only Major software updates deferred for 60 days, and so far I've tested on a device running 11.2.3 > Allows Monterey install. Device running 11.5.2 > shows only 11.6.1 available for install. Device running 11.6 > Shows on latest allowed by organization and no option to install 11.6.1. It looks like the payload is just broken. Have a case open with Jamf and waiting to hear back

 

For what it's worth, based on the notes here it looks like that feature is only compatible with 11.3+

RPA_Sma4
New Contributor III

That's unfortunate, so for devices running Catalina, or anything lower than 11.3, we would have to block all OS updates, or update to Monteray? That seems like a massive oversite

 

mainelysteve
Valued Contributor II

That's par for the course especially with a two year old OS to not have the latest and greatest MDM capabilities. I think you answered your own question here as well. Apple's biggest desire is to have its user base on the latest OS release if the hardware supports it. 

Agreed, but they also make it impossible for us to easily manage OS updates by making framework changes and breaking MDM functionality (which Jamf still has not resolved). It's unfortunate Apple still cannot recognize the needs of enterprise are different than consumers

 

@RPA_Sma4 For Catalina - putting aside the config profile inconsistencies- my testing has shown that you CAN still block Monterey using the "softwareupdates --ignore "macOS Monterey".   This method is deprecated/no longer works for Big Sur 11.x onwards, BUT if you are fortunate/unfortunate enough to still have mac devices in your fleet running Catalina, this method will work. 

djg13
New Contributor

no, it doesn't work. I am on catalina 10.15.7 :

sudo softwareupdate --ignore "macOS Monterey"
Ignored updates:
(
"macOSInstallerNotification_GM"
)

Software Update can only ignore updates that are eligible for installation.
If the label provided to ignore is not in the above list, it is not eligible
to be ignored.

Ignoring software updates is deprecated.

it would appear that the update is not being presented to the mac device you are using.  Perhaps you have deferrals in place.  I can confirm 100% that the process I detailed in previous post DOES work IF the update is presented to the device.  As already covered, yes the function is deprecated from Big Sur onwards, however does work for Catalina devices.  Also - the device needs to be MDM managed.  There was another post JN relating to this.  Apple mandated this was a requirement in order to use this --ignore functionality.    

djg13
New Contributor

Thanks RJH, seems I have to learn more about this MDM stuff. All this is new for me and I don't yet understand the conditions involved for this to work. I am on Intel based MBpro - Catalina 10.15.7.

mainelysteve
Valued Contributor II

Apple documentation states that here  as well. 

EDIT: Link fixed. Sorry about that.

@mainelysteve broken LINK there ?   "

This page isn’t working"

mainelysteve
Valued Contributor II

Link is fixed now. Appears that the previous link contained a bunch of text from an aborted earlier reply.

 

That link didn't work for me either. Is it this? https://support.apple.com/en-gb/guide/mdm/mdm02df57e2a/web 

Hrrmmm... I just looked at it again and just had to clear out the entire post and retype it. The link html kept including saved text from an earlier reply. Hopefully it works and doesn't make me look at ID10T.

Yep, that's the page I was referring to.

EdLuo
Contributor II

It has been 98 days since Monterey was released.  Is there a way to restrict major software update past the 90 days limit in Config Profile, restrictions, functionality (tab), defer update?  I don't mind people downloading and updating it but I rather not have it advertised as the default option when updating.