Restricted Software no longer working on Sonoma! Help! SOS

DylanAckley
New Contributor II

We are a school district with staff set up as standard users on their MacBooks. We do not allow the App Store because, by law, we have to approve apps to protect student data. I just found out today that our M1 MacBooks that have been updated to macOS Sonoma are completely bypassing any "Restricted Software" settings in Jamf. So users that update are able to open Terminal, the App Store, etc. even though the restrictions are set up and were working on Ventura.

 

We are on Jamf version 10.49.0 so I don't believe the update is the issue. Any suggestions are appreciated!

1 ACCEPTED SOLUTION

sdagley
Esteemed Contributor II

@DylanAckley You're going to need to update to JSS 10.50, and have all of your Macs on macOS 14.0 restart after that upgrade for Restricted Software configurations to work (see the Important Notices section of the JSS 10.50 release notes: https://learn.jamf.com/bundle/jamf-pro-release-notes-current/page/Important_Notices.html). This is because the audit subsystem is no longer enabled by default in macOS 14, and the Restricted Software feature requires it for functionality. The jamf agent with JSS 10.50 will enable it.

11 REPLIES

DylanAckley
New Contributor II

Thank you! Thank you! I tried looking through the known issues and searching for this info but all I was getting was results about blocking the Sonoma upgrade. 

I will work on this today!

Thank you again @sdagley! It worked. It looks like it requires an inventory update as well and then a restart of the MacBook to get the new Restricted Software configurations to work.

Many thanks for this info, sdagley!

boberito
Valued Contributor

You can also use this rule from the macOS Security Compliance Project to re-enable Auditd

https://github.com/usnistgov/macos_security/blob/main/rules/audit/audit_auditd_enabled.yaml

sdagley
Esteemed Contributor II

For people who don't speak YAML, here's a standalone bash script that does what the YAML file @boberito linked to does:

```bash
#!/bin/bash

# Enable the audit subsystem if it isn't running

# Count launchd jobs matching com.apple.auditd (1 = the job is loaded)
LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)
# "audit -c" reports the audit condition; AUC_AUDITING means auditing is active
AUDITD_RUNNING=$(/usr/sbin/audit -c | /usr/bin/grep -c "AUC_AUDITING")
if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]] && [[ $AUDITD_RUNNING == 1 ]]; then
	echo "auditd running, nothing to do here"
else
	echo "auditd isn't running, so enable it"
	# Create audit_control from the bundled example file if it is missing
	if [[ ! -e /etc/security/audit_control ]] && [[ -e /etc/security/audit_control.example ]]; then
		/bin/cp /etc/security/audit_control.example /etc/security/audit_control
	fi

	# Enable and load the launchd job, then initialize and start auditing
	/bin/launchctl enable system/com.apple.auditd
	/bin/launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.auditd.plist
	/usr/sbin/audit -i
fi

exit 0
```

On a Mac with 13.6.3 I received the following log, how can I solve this:

```
Script result: /usr/sbin/audit: illegal option -- c
Usage: audit -e | -i | -n | -s | -t
auditd isn't running, so enable it
Bootstrap failed: 5: Input/output error
Trigger sent.
```

We are on Jamf Pro 10.50.

Do clients need to reboot to get this to work?

Works fine on Macs running macOS 14.x

Yes, I found that giving them a reboot and running recon were needed.
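An added example, not part of any post in this thread: a read-only check that reports auditd state in the `<result>` format Jamf Pro extension attributes use, so affected Macs can be scoped before any remediation runs. It only calls `audit -c` on macOS 14 and later, because the 13.6.3 log above shows that option being rejected; the function name and the three state strings are this example's own.

```shell
#!/bin/bash
# Added example: report auditd state without changing anything.
# classify_auditd and its state strings are hypothetical names.

# classify_auditd OS_MAJOR LAUNCHD_COUNT AUDIT_C_OUTPUT HAS_CONTROL
#   $1 macOS major version        $2 count of com.apple.auditd launchd jobs
#   $3 output of "audit -c"       $4 yes/no: /etc/security/audit_control exists
# Prints: enabled | disabled | loaded-unverified
classify_auditd() {
	# No launchd job or no audit_control file: same "not running" case
	# the remediation script in this thread tests for.
	if [ "$2" -lt 1 ] || [ "$4" != yes ]; then
		echo "disabled"
		return 0
	fi
	# Before macOS 14 "audit -c" is not available, so the audit
	# condition cannot be confirmed; report that explicitly.
	if [ "$1" -lt 14 ]; then
		echo "loaded-unverified"
		return 0
	fi
	case "$3" in
		*AUC_AUDITING*) echo "enabled" ;;
		*) echo "disabled" ;;
	esac
}

# Gather live values only on macOS, so the function above can be
# exercised on any system with constructed inputs.
if [ "$(uname -s)" = "Darwin" ]; then
	os_major=$(/usr/bin/sw_vers -productVersion | /usr/bin/cut -d. -f1)
	launchd_count=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)
	has_control=no
	if [ -e /etc/security/audit_control ]; then
		has_control=yes
	fi
	audit_c=""
	if [ "$os_major" -ge 14 ]; then
		audit_c=$(/usr/sbin/audit -c 2>/dev/null)
	fi
	state=$(classify_auditd "$os_major" "$launchd_count" "$audit_c" "$has_control")
	echo "<result>${state}</result>"
fi
```

A Mac that reports `disabled` on macOS 14 is one where Restricted Software would not be enforced until auditd is re-enabled and the Mac has restarted, as described in the posts above.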

brunerd
Contributor

Just to chime in on this… this is not the behavior I am seeing with Restricted Software on Jamf `v10.50.0-t1693149930` and Sonoma 14.0. Instead, I find that a Restricted Software app will stay open until a `jamf manage` kicks off and then the app is closed. This is nowhere near the responsiveness that it used to be. 

It's puzzling given all the time Jamf has had to address the changes in Sonoma that they couldn't come up with their own solution to do this in a persistent manner like Hannes Juutilainen did with Big Sur Blocker?

pgy_jamf_help
New Contributor

I was on Ventura 13.5 and it allowed me to upgrade to Sonoma even though we blocked it. I checked on other computers and it is locked down.
I think that when the notification from Apple Update comes in it magically unlocks the update. So it basically overwrites JAMF settings.
In the case the user does not click on Upgrade and restarts the Mac then it is locked down again.