Posted on 02-18-2019 06:14 AM
Hi everybody,
The past has shown that a very high number of (security) updates need to be blocked, as there are side effects, bugs, etc.
Currently I only know a way to block specific updates, which is a problem in reality, as some users are really fast at installing updates after a release.
So my question is: Is there any way to make it the other way round? I'd like to block all updates and then maintain a whitelist of allowed ones.
Thanks!
Posted on 02-18-2019 08:15 AM
The most effective way would be to run your own SUS (preferably using Reposado or Jamf's NetSUS) and point all Macs to it, then set it to default to disable any new updates until you've had a chance to look them over and enable only the ones you want. That way you have complete control over what shows up for any devices and when.
Outside of that, you could go crazy and lock down all sorts of stuff on the Macs, such as preventing access to the Software Update Preference pane (Mojave) or App Store (High Sierra and under) and also making sure the settings for software update do not auto install any updates other than the critical system data stuff, which takes care of Gatekeeper updates. But if you do that, it will be up to you to download all Apple updates (that you want to deploy), upload them back up to your Jamf Pro environment and push them out that way, since users will not be able to install anything on their own. But maybe that's what you're looking for?
Also, I hope you aren't blocking security updates indefinitely? Because that would not be a good thing. Blocking them for a short while until you can vet them is one thing. Blocking them altogether would leave your Mac clients vulnerable to a number of security issues.
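An added example, not part of the reply above and not Jamf or Reposado code: a Python check that reads a Mac's `com.apple.SoftwareUpdate` preferences and reports drift from the setup the reply describes (catalog pointed at an internal SUS, nothing auto-installing except system data and critical updates). The host name `sus.example.internal`, the sample plists and the mapping of the reply's wording onto these preference keys are assumptions.

```python
import plistlib
from urllib.parse import urlparse

# Assumption: hostname of the internal Reposado/NetSUS server (hypothetical).
INTERNAL_SUS_HOST = "sus.example.internal"

# Assumed mapping of "no auto install except the critical system data stuff"
# onto com.apple.SoftwareUpdate keys.
EXPECTED = {
    "AutomaticallyInstallMacOSUpdates": False,  # no unattended macOS updates
    "ConfigDataInstall": True,                  # system data files (Gatekeeper/XProtect)
    "CriticalUpdateInstall": True,              # critical security updates
}

def audit_softwareupdate(plist_bytes, sus_host=INTERNAL_SUS_HOST):
    """Return a sorted list of findings for one com.apple.SoftwareUpdate plist."""
    prefs = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    findings = []
    catalog = prefs.get("CatalogURL")
    if catalog is None:
        findings.append("CatalogURL unset: client uses Apple's catalog directly")
    elif urlparse(catalog).hostname != sus_host:
        findings.append(
            f"CatalogURL points to unexpected host: {urlparse(catalog).hostname}")
    for key, want in EXPECTED.items():
        have = prefs.get(key)
        if have is None:
            findings.append(f"{key} not set (expected {want})")
        elif bool(have) != want:  # values may be stored as bool or 0/1
            findings.append(f"{key} is {bool(have)} (expected {want})")
    return sorted(findings)

def make_sample(**prefs):
    """Build a constructed plist for the demo; not data from a real Mac."""
    return plistlib.dumps(prefs)

# Constructed samples: one client following the policy, one that has drifted.
COMPLIANT = make_sample(
    CatalogURL="http://sus.example.internal:8088/index.sucatalog",
    AutomaticallyInstallMacOSUpdates=False,
    ConfigDataInstall=True, CriticalUpdateInstall=True)
DRIFTED = make_sample(
    AutomaticallyInstallMacOSUpdates=True,
    ConfigDataInstall=False, CriticalUpdateInstall=True)

if __name__ == "__main__":
    for name, sample in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(name, audit_softwareupdate(sample) or "OK")
```

On a managed Mac, pass it the bytes of `/Library/Preferences/com.apple.SoftwareUpdate.plist`, for example from an inventory script that reports the findings back.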