Help

Temporary Lockdown of OSX Major OS Updates

wlong
New Contributor

Posted on ‎05-21-2018 08:46 AM - last edited Tuesday by Community Manager

I'm looking for a way to block the major OS updates, ie. El Capitan to Sierra or Sierra to High Sierra, so we can not have our users update right away for security and program purposes. Not sure if it's even possible through JSS or if it needs to be done otherwise.

Labels:
0 Kudos
Reply
2 REPLIES 2

Rklaffo1
New Contributor II

Posted on ‎05-21-2018 08:48 AM

You can set it up in the restricted software. Just set to restrict the software process name as well as Kill the process and delete it as well. af24784870da4de1a575bdad8d9bf599

Reply

wesleya
Contributor

Posted on ‎05-21-2018 09:40 AM

A caveat with this is you should also have a firmware lock in place. Otherwise, users can start Internet Recovery and install an OS. For a little more on doing this, see the article on Administering Open Firmware/EFI Passwords.

Also, I've found that Restricted Software can be fairly ineffective. In some cases it is as easy as renaming the app then running it. One way I've seen work is restricting InstallAssistant in addition to the OS installers. I would also look at using the Restrictions payload in Configuration Profiles to defer software updates (10.13.4 minimum), disallow Software Update Notifications, and Restrict App Store to software updates only.

Really, though, it seems that the most effective way to stop this would be to take away administrative privileges, but I understand that's not an easy topic to broach.

0 Kudos
Reply
Back to Top