Looking for input from fellow jamfers. I have found a handful of machines that have not been getting the latest .blacklist file for Apps. This file should be updated with the creation or removal of record in the Restricted Software. In not wanting to spend too much time determining the specific machines that have been affected I decided to just refresh everyones .blacklist file... My fix was to create a policy scoped to my fleet and have it run rm -rf /Library/Application Support/JAMF/.blacklist.xml & jamf manage from the Execute Command under Files and Processes. Looks like it worked so far, just wondering how everyone else would have handled it?
@mojo21221 The .blacklist file should update when the machines check in so I'd suggest taking a look at the JSS History for one of the machines exhibiting the problem and see if the logs show errors that might have prevented the update from downloading (although if your "fix" policy fires that'd indicate policies are working on those machines)
@StoneMagnet Yeah other policy has been working fine, on the machines. I found the issue when I was caching the Sierra installer APP and having it auto-kickoff. We used to block the sierra install prior to security approving it for our environment. The user said they were getting the unapproved app message... It appeared that the only thing that was not updating properly was the .blacklist.xml.
We block OS installers until we place the machines in a list for upgrade--- Keeps users from upgrading OS's until our environment ready...
(and allows us to do sanity checking.. for example, how full is their disk? What apps wont' work?)
When added to a static group, the machine is exempted from the restriction...
What i've found is that the restriction lifting is not predictable.. the only way to be sure it changes seems to be what @mojo21221 described.
I think this has been broken for a while... wonder if anyone has reported this to jamf?
@kstrick It's a known, and supposedly rare, issue but I don't have a PI for it. To force the
/Library/Application Support/JAMF/.blacklist.xml file to be regenerated you can do a
jamf manage via a Policy Files and Processes payload but if you are on High Sierra that might cause issues with UAMDM.