Posted on 11-04-2013 07:51 AM
Does anyone know the Mac App Store Software Update-only mode command for Mavericks? This doesn't seem to work.
http://support.apple.com/kb/ht5391
Posted on 11-04-2013 08:11 AM
Unfortunately it's broken. Here is the defect number from JAMF D-005395
Posted on 11-07-2013 06:40 AM
Just as an FYI - they removed the commands from Maverick to enable it.
the ability to enable software update only mode in 10.9 via defaults write or modifying any plist file has been specifically removed. The only way to accomplish this task starting with 10.9 Mavericks forward is via a configuration profile.
Posted on 11-20-2013 05:57 AM
Is anyone using restrict-store-softwareupdate-only in a configuration profile?
It does work as in it disables all tabs except "Updates", but the Updates tab itself won't load properly:
It does realize that there are updates (it shows the badge on the App Store icon), but the page won't load.
Same profile works as intended on 10.8
Posted on 11-20-2013 06:12 AM
maybe in rumored 10.9.1 it will work?
You got farther than I did with the config profile, mine disabled all tabs :(
Posted on 12-06-2013 07:13 AM
I've tried the Restrict App Store to software updates only, and it doesn't work. All my tabs are available including the App Store.
Posted on 12-06-2013 09:11 AM
yep. we went back to blocking the app store with restricted processes until it's resolved.
Posted on 12-06-2013 09:14 AM
I'm having the same results as Chris. After imaging the computer and applying the config profile, it disables all tabs except for the Updates, which is correct. It shows the badge icon that there are apps available, but the page never loads. I thought it was a firewall issue at first, but ML works fine.
Here's the weird thing, the exact same profile works fine if I do a clean install (not based off of an image). Maybe Mavericks doesn't like how the image was made???
Posted on 12-18-2013 12:11 AM
This seems to be working now in 10.9.1:
Although the only Setting that shows up in the Profile is "Restrict Installs To Admin Users":
external image link
"Software Update Only" and "Disable App Adoption" are not shown, but the settings are applied.
Posted on 12-18-2013 06:21 AM
@Chris Thank you!
Posted on 03-17-2014 05:20 AM
Obviously it's just working via config profile. To modify the .plist doesn't work. I still have the problem, that sometimes App Store doesn't list the updates, although I know there are updates available. Any suggestions? @Chris think you had the same probs. How did you solve it?
Posted on 03-17-2014 07:46 AM
same issue here fabsen83...
Posted on 03-17-2014 02:49 PM
Also seeing this issue. Ive even tried creating a separate profile in Profile Manager and got the same result. Looks to me like an Apple issue. I've opened a case with Enterprise support.
Posted on 03-17-2014 02:56 PM
@fabsen83 unfortunately this doesn't work consistently for us as well,
i couldn't really find a solution yet
Posted on 03-18-2014 12:49 AM
@Chris][/url Ok, that's really sad. Especially there is no solution from Apple yet. So how are your users able to run SoftwareUpdate? I cannot leave my students with a full AppStore, because they install all free crap on their machines.
Posted on 03-18-2014 02:13 AM
We're currently running Munki for Apple Updates:
http://code.google.com/p/munki/wiki/AppleSoftwareUpdatesWithMunki
Posted on 03-18-2014 02:26 AM
Working for me via managed preferences.
We trigger manual updates via a policy anyway.
Posted on 03-18-2014 06:35 AM
Posted on 03-18-2014 07:10 AM
@fabsen83 Use Casper's managed preferences. I'm on JSS v8.73.
System Level Enforced
Domain: /Library/Preferences/com.apple.appstore
Key: restrict-store-softwareupdate-only
Value: True
(that's key type boolean).
Posted on 03-18-2014 08:03 AM
@franton ...and the client has 10.9.x installed? I used MCX to restrict appstore on 10.8.x clients as well successfully but not on 10.9.x.
Posted on 03-18-2014 08:05 AM
Yes, exactly right. I'm not having an issue with this method at all.
But then for reasons to do with our infrastructure, i'm not using config profiles at all. Local MCX all the way.
Posted on 03-21-2014 01:04 AM
@franton Don't know what I am doing wrong, but the MCX is not applied by my clients. App Store still has all features open.
Posted on 03-21-2014 12:58 PM
Take a screenshot or two of how you've set things. Show me that and I can possibly point you in the right direction.
Posted on 10-30-2014 08:23 AM
Any update on this? I also can't get it working on my 10.9.x machines, so I have App Store restricted completely.
Posted on 10-30-2014 08:37 AM
@chlaird are you trying to make it so that your non-admin users can't update their software, or do you want them to be able to do that, but not be able to buy things from the App store?
I wanted to disallow my non-admin users from installing updates or buying apps, so I deployed a configuration profile and a script to implement it via policy (we're on 8.73 and we're not currently using MCX through Casper... long story). It alters the App Store so that an admin password is required to install apps or updates. It works well for us, but I'm not sure that's exactly what you want. What version are you using and are you using MCX?
Posted on 10-30-2014 08:39 AM
We're looking for a way to block non-admins from buying/downloading apps, but to keep the "Updates" tab enabled. We're trying to find a better way to keep our labs "current", but an "emergency" where a user in class couldn't install the newest update made us realize it might be nice if users can do updates, but nothing else
Posted on 10-30-2014 09:11 AM
Hey @chlaird][/url, I'm going to test something and get back to you. I'm modifying one of the boolean elements in my mobileconfig file to see if it will work for you. Additionally, we (and many others) have an option in Self Service that grants users temporary Admin access for just such occasions as the one you mention.
/url">@brockma9][/url wrote a great post (and provided scripts) on how to do that here: [https://jamfnation.jamfsoftware.com/discussion.html?id=6990
Posted on 10-30-2014 09:49 AM
@chlaird OK, so what I tested worked, with some caveats. The profiles utility (terminal) ignores the PayloadScope key when you run it, and so if you install the profile via /usr/bin/profiles as an admin or root user, the profile will take effect for all users. Run as the user, the profile is scoped solely to them. This could be accomplished by running the install as the user ($3 value).
As I said before, we're not using Casper's MCX capability currently. What I did was created a package to drop the mobileconfig file in place, then created a simple script to install it. Where you put your config file doesn't matter. We use a hidden directory on the root of our drives for such things. If you want to install the profile per user though, their account is going to need rights to the location of the mobileconfig file.
Here is a link to Apple's document on deploying configuration profiles in Mac OS X: http://training.apple.com/pdf/wp_osx_configuration_profiles_ml.pdf
Here is the data for the mobileconfig file (props to gregneagle at github for the original, I just modified it slightly)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadType</key>
<string>com.apple.appstore</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadIdentifier</key>
<string>com.github.gregneagle.config.appstore</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadUUID</key>
<string>87885FB9-E4EA-40F5-9077-DA8C6940CDAA</string>
<key>PayloadDisplayName</key>
<string>App Store Configuration</string>
<key>restrict-store-softwareupdate-only</key>
<true/>
<key>restrict-store-disable-app-adoption</key>
<true/>
<key>restrict-store-require-admin-to-install</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>App Store configuration for Mavericks.</string>
<key>PayloadDisplayName</key>
<string>App Store Configuration</string>
<key>PayloadIdentifier</key>
<string>com.github.gregneagle.config.appstore</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>8E0D9AB3-7C0E-4D1F-8180-FB089A304F54</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
To install the profile it's a simple one-liner:
/usr/bin/profiles -I -F /Path/To/Config/File.mobileconfig
Hope this helps a little bit.
Posted on 10-31-2014 01:27 AM
Hey there,
@chlaird So for me the MCX worked fine - you just have to re-apply the MCX settings to the user or machine depending on what you have scoped it (User level / Computer level).
Remove Managed Prefs Folder first.
`rm -Rf /Library/Managed Preferences/`
To remove MCX for the computer:
`dscl . -mcxdelete /Computers/localhost`
To remove MCX for user
`dscl . -mcxdelete /Users/username`
So I did a little script which I can run via SelfService policy to delete the users as well as computer level MCX settings.
If you would like to use a profile, definitely do it the same way as @sunny.marie - deploying the profile via .pkg with imbedded postinstall script. This is something what works always, usually :)
Cheers!
Posted on 10-31-2014 03:46 AM
FWIW, we completely block the App Store and we use an internal Software Update Server, really doesn't matter which of these you use, Reposado, Munki, Apple Software Update Server.
Even with the above blocked, the command line works and non-admins have the ability to update since 10.9
softwareupdate
If you have an internal server, then they can only update what you've allowed and you can wrap the command into your own interface using Pashua, CocoaDialog, etc or add it as a Self Service item in Casper.
Posted on 10-31-2014 04:02 AM
Both is possible, but if you are working with VPP you can't block AppStore at all, unless you like to do everything manually right!? We also use it like @sean - just a little SelfService policy again.
Posted on 10-31-2014 06:52 AM
Our software supplier provides us with a VPP code for the software we purchase. I download them, package them with Composer and then distribute the app with our deployment software; no manual process client machine side.
Posted on 10-31-2014 09:05 AM
@chlaird if you've enabled MCX in your Casper setup, I'd definitely go that route, as @fabsen83 said. It'll be the simplest and cleanest overall. I like the idea that Sean had about adding a Self Service software update option. You can use that with Apple's SUS, but you'd have no way of validating updates before users got to them, which is where something like Munki comes into play. That would be a major concern in my environment, but may not be an issue in yours.
softwareupdate -ia
That short string will install all available updates on the machine. You could also use an -ir attribute to install recommended updates. If you wanted to make it totally hands off, you could create a policy to run outside business hours to install updates on all lab computers.
Posted on 10-31-2014 09:31 AM
If you're looking to bypass the App Store for Apple updates and wanted to use a custom process, there are plenty of those around. Threads here on JAMFNation for example have tons of examples you could look at.
I also have a script I published awhile back located here:
https://github.com/mm2270/CasperSuiteScripts/blob/master/selectable_SoftwareUpdate.sh
I think a few people may still be using it, although I only created it as an experiment in 'recreating' the older Software Update type of look and feel. I don't actually use it myself because all our users are admins. We do use an internal SUS, but they have full rights to the App Store and Software Update tab within it.
Posted on 11-03-2014 12:19 AM
Oh woooow, that's a complex one - nice! @mm2270
Instead of using an internal SUS, I also can recommend to use a 'Caching Server'. Especially if there are iOS devices to update, too!