Tonight, Apple released macOS Catalina.
See below on how to block this upgrade with Jamf Pro.
Contents
Why block?
As with any new OS release, you might have some required software titles which are not compatible with the new OS & especially some of the more security focused changes.
For example, today Adobe released a KB with some details around issues with Creative Cloud Packages & macOS Catalina, below is an excerpt.
The writing has been on the wall for 32-bit apps since 10.13.4, & at WWDC this year it was mentioned that Catalina would not support 32-bit apps.
So, you might need to block Catalina whilst some of these needed software titles are updated.
But we deferred?
Deferral only works for updates, not upgrades.
So, 10.14.x updates. Not the macOS 10.15 upgrade.
Enter Restricted Software
Restricted Software can be used here as one method to block folks from installing macOS Catalina.
Admittedly, there are methods to subvert this. But they are better discussed elsewhere.
To block macOS Catalina via Restricted Software, see the below:
You can tweak these options as per your requirements, but the above should be the bare minimum. The scope & message etc should all be set as per your organisational needs.
I will advise not to check “Delete Application” as from previous experience, Apple will push the install.app, if deleted.
Also, wildcards might not work currently as their appears to be a Jamf Pro PI around them at the moment.
There is no step 2!
Actually there is, the Restricted Software setting will only apply to devices within scope one their Management Framework has refreshed.
This happens periodically on macOS devices, but you can force this via the below when ran as sudo:
/usr/local/bin/jamf manage
The above is handy for running locally when testing the Restricted Software setting, & once happy you can wait for the clients to perform their periodic Management Framework or push a policy that runs the above once per computer on your check-in interval.
So, there is no step 3? Right?
There is an optional step, as per:
With more steps:
When ready to release Catalina, you can then revert this via:
/usr/sbin/softwareupdate --reset-ignored
Is that it?
Well, not really.
As mentioned, there are ways that folks can circumvent the Restricted Software setting. (But come to the MacAdmins Slack to ask about that).
Let alone methods outside of the booted OS, so you might want to look at setting a firmware password too.
We have run into this in the past with Seirra, High Seirra, and Mojave. The cherubs just change the Install MacOS Mojave to something else and voila they upgrade it.
What we did was instead was Kill the hidden process Install Assistant. It looks like this is still an option in Catalina as I just tried it and it stopped the entire process in its tracks.
If I could post a screen shot of the settings I would.
Hello:
If you want something a little more robust and ease of updating Firmware password than Jamf Pro default support I recommend trying out our Firmware Password Manager. It will work with Jamf Pro or any other management solutions.
Here is the GitHub repository…
https://github.com/univ-of-utah-marriott-library-apple/firmware_password_manager
And here is a blog post…
https://apple.lib.utah.edu/firmware-password-manager-for-os-x/
Question, is using an Apple SUS server, like NetSUS or Reposado not a option to manage which OS updates the end systems have access? Or is it frowned on, because Apple might take it away someday?