I wanted to restrict Mac users from upgrading to Mac OS v.10.12 Sierra by implementing a Restrict Software Policy and a Configuration Profile Scoped to All Systems. Is it possible for an end user to still be able to install the Mac OS v.10.12 onto their system if external from the corporate network. NOTE: Our JSS isn't external facing and since we on Office365 do users seldom use VPN to connect to corporate network unless Remote into Servers/Workstations. I just had a user upgrade their system to new Mac OS v.10.12. System hasn't checked-in or update jss inventory in a week. Any thoughts or suggestions? Need to understand where I have setup something wrong in Casper Suite.
Restricted applications in Casper are not dependent on a connection to your LAN. The apps are blocked by a definitions file that lives locally on your computer and is called by one of the JAMF launchagents or launchdaemons.
There are quite a few threads here about how to block macOS Sierra's installation. Refer to them and then double-check your settings on your Sierra restricted software entry. I've been using it successfully for several weeks and my students -- who take their computers home and off our LAN -- are being successfully prevented from upgrading to Sierra.
If you do not have a firmware password defined for the machine in question , it is very easy to get around the macOS Sierra upgrade block...you can make a thumb drive with the installation using any number of tools including the ones Apple provides without even knowing the local admin password of the machine. Even with the restriction and the firmware block, it is still possible but much, much harder. definitely do refer to the threads on here out how to block thoroughly.
Also remember the axiom if you have physical access to something, it is likely impossible to block every possibility. I could name one way to bypass both restriction and firmware password but won't spell it out here simply because my users or yours could be watching.
After you put the restrictions in place did you run an attempt to install Sierra to verify everything was set and working as expected? If not I'd start there. As someone mentioned there are a few other discussion topics regarding this.
As @damienbarrett mentioned, the file lives locally on the client machine so it shouldn't matter if it's off the network or not. Have you looked at the logs to make sure the machine(s) in question have been checking in regularly and the JAMF client is working as expected?
Thanks everyone for your valuable input and suggestions. I didn't follow the 6 or 7 P's depending on how you count them: Proper Planning Procedures Prevents Piss-Poor Performance... Period! After performing an update to our Dev JSS to JSS v9.96 our Dev JSS was hosed. Still working on a resolution with our TAM. This is besides the point. Thanks RobertHammen, I didn't have the Process Name correct. I also didn't have the correct version for Smart Group for Policy. Thanks also Brad_G; Some of the systems aren't checking into JSS regularly so I need to run the commands: sudo jamf checkjssconnection and sudo jamf recon for some systems. I suppose you do have to sometimes fail to succeed. Hopefully not too often. Much to learn I have....