I was looking to see how other admins are handling the impending Big Sur update. Though most of my testing has been positive, I still have a few apps that need some polishing. With that said, what are the recommended methods for preventing Big Sur from coming down to the fleet? Are people using the Configuration Profile > Restrictions > Functionality > Defer Updates? Any thoughts on https://github.com/hjuutilainen/bigsurblocker? I have never had much luck with the Restricted Software Payload. It always seems to let a few through here and there.
@alexjdale That's a great question. The reason I'm utilizing it is because I've had hit-or-miss success with the macOS updates in Restricted Software. This also looks at the CFBundleIdentifier and kills the app. It's a little more intrusive, but more accurate than looking for an app process. I've also had Restricted Software for an app process work in one OS version and not in another, where I had to change the name of the process. So, really, for me, utilizing CFBundleIdentifier makes me more comfortable.
Using the Jamf Pro Restricted Software feature is not reliable.
1. Block the app by the app's name, in which case all the user has to do is rename the .app application bundle and you've bypassed the restriction -- aka not very hard at all
2. Block all upgrades by using the process name; so if you had only wanted to block one upgrade version, you prevent your users from upgrading at all
I have a customized fork of AppBlocker (same thing that hjuutilainen's bigsurblocker is based on) as well that allows you to specify what you want to block (instead of solely a single app). I designed it to allow a more immediate update to the block list using Config Profiles to manage the list.
While all these options do block the Bundle ID which can be changed as well, it's at least a little more difficult for the average user to accomplish.
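An added example, not part of any post in this thread and not code from AppBlocker or bigsurblocker: it compares matching on the bundle's folder name with matching on `CFBundleIdentifier` read from `Contents/Info.plist`, using constructed `.app` skeletons in a temporary directory. The installer identifier `com.apple.InstallAssistant.macOSBigSur` and all bundle names are assumptions to verify against a real installer.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumed values for illustration; confirm the identifier on a real installer.
BLOCKED_BUNDLE_IDS = {"com.apple.InstallAssistant.macOSBigSur"}
BLOCKED_NAMES = {"Install macOS Big Sur.app"}


def bundle_id(app_path):
    """Return CFBundleIdentifier from Contents/Info.plist, or None if unreadable."""
    try:
        with open(Path(app_path) / "Contents" / "Info.plist", "rb") as fh:
            info = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException, ExpatError):
        return None
    return info.get("CFBundleIdentifier") if isinstance(info, dict) else None


def blocked_by_name(app_path):
    """Name-based rule: compares only the bundle's folder name."""
    return Path(app_path).name in BLOCKED_NAMES


def blocked_by_bundle_id(app_path):
    """Identifier-based rule: ignores the folder name entirely."""
    return bundle_id(app_path) in BLOCKED_BUNDLE_IDS


def make_app(root, folder_name, identifier):
    """Build a constructed .app skeleton that contains only an Info.plist."""
    contents = Path(root) / folder_name / "Contents"
    contents.mkdir(parents=True)
    with open(contents / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": identifier}, fh)
    return contents.parent


def demo():
    """Return {folder name: (name rule hit, bundle ID rule hit)}."""
    installer_id = "com.apple.InstallAssistant.macOSBigSur"
    with tempfile.TemporaryDirectory() as root:
        apps = [
            make_app(root, "Install macOS Big Sur.app", installer_id),
            make_app(root, "Renamed Installer.app", installer_id),
            make_app(root, "Notes.app", "com.example.notes"),
        ]
        return {a.name: (blocked_by_name(a), blocked_by_bundle_id(a)) for a in apps}
```

The renamed copy slips past the name rule but is still caught by the identifier rule; as noted above, the identifier itself can also be changed, so this raises the bar rather than closing the gap.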
If users rename the install app or do other smart things, then it is more an HR issue than a system one. My users are informed that it is blocked and they should not install. So if any do smart workarounds to get it working, I will just say here you go, and the user can support it on his own.
--ignore switch on
softwareupdate --ignore is no longer supported. Support was removed in Catalina for a few versions as well. Thanks Apple.
So you could use it, but not for specific Catalina versions, and it isn't supported at all on Big Sur and forward. Apple does not want you blocking OS upgrades.
Supposedly the Defer Software Updates Config Payload will eventually support passing versions with it, so you can specify what you want blocked. I keep seeing this described by Jamf in their Webinars for a while now, but no idea when that functionality is coming. Nor how you're supposed to manage it. Push a new Config Profile for every new version? As per normal, Apple's device management concept is poorly conceptualized.
Thank you @MLBZ521
> Apple does not want you blocking OS upgrades
Apple, guess what, macOS is not the only software running on enterprise Macs these days. There is so much software, tools, clients, services, and all of those should be updated, tested and approved until there is any chance of business users losing productivity because new shiny macOS is not compatible with, yet.
@mhasman I completely agree. I would highly recommend sharing that with your Apple reps.
--ignore switch change is documented here: https://support.apple.com/en-us/HT210642
Apparently, on the latest versions of 10.13, 10.14, 10.15, to use it, the device has to meet specific conditions. I hadn't read that. Enjoy