Tip: Beware process names from Activity Monitor for Restricted Software

stevenjklein
Contributor II

I wanted to block our users from installing Monterey until we get a chance to test it in our environment.

So I downloaded and launched the installer, then opened Activity Monitor to get the process name.

The installer showed up as:

Install macOS Monterey

 But when I tried blocking that process (with Restrict exact process name checked), it didn't work.

On a hunch I changed it to this:

 

Install macOS Monterey.app

 

That worked.

I'm not sure why this is the case, because there's definitely no .app in the process name.

1 ACCEPTED SOLUTION

I also have users upgrading from Mojave/Catalina to Big Sur. Restricting InstallAssistant prevents the user from launching Install macOS Big Sur.app but doesn't stop startOSinstall.

 

To perform the upgrades we run a policy in Self Service using this macOSUpgrade script. Users can only upgrade via this method or via Terminal. Works great and allows us to build in clean up scripts to the policy to run before the upgrade kicks off.

View solution in original post

4 REPLIES 4

Tribruin
Valued Contributor II

Good call out. Just an FYI, this is noted on the Restricted Software page:

 

Tribruin_0-1635195339945.png

 

MrRoboto
Contributor III

Restricting "InstallAssistant" works quite well with all versions of installers. This prevents any user from running the Install macOS xxx application. However you can still call the startOSinstall command via Terminal.

 

Screen Shot 2021-10-25 at 4.14.48 PM.png

stevenjklein
Contributor II

Domo Arigato, @MrRoboto .  In my environment, users are admins and are allowed to install approved updates.  I still have users running Mojave and Catalina, and I want them to update to Big Sur, but not Monterey (yet).  So blocking InstallAssistant won't work for me.

I also have users upgrading from Mojave/Catalina to Big Sur. Restricting InstallAssistant prevents the user from launching Install macOS Big Sur.app but doesn't stop startOSinstall.

 

To perform the upgrades we run a policy in Self Service using this macOSUpgrade script. Users can only upgrade via this method or via Terminal. Works great and allows us to build in clean up scripts to the policy to run before the upgrade kicks off.