I see that I can use Action -> Ignore to block the installation of specific software patches by Automox, but does that actually block the manual installation by a local user with admin privs? I’m attempting to block installation of Big Sur until we have had time to test with core applications, etc. Any ideas or suggestions?
I believe (correct me if I’m wrong) that ignoring a patch just refers to it showing in the list / checking for compliance. I doubt it has any sort of actual blocking involved on the OS itself.
This sounds more like a solution for an MDM, not necessarily a patching software. Check out JAMF, ManageEngine, Meraki to name a few. We block all OS upgrades with JAMF’s “Restricted software” policies.
Currently Automox is not able to handle major version upgrades in patching. It is likely this will not show in Automox as available for patching, but if you want to make absolutely sure that you do not apply it, there are two ways, one more short term than the other. Of course, this will only work in restricting what Automox does in relation to this patch and not what users could do with their endpoints.
First, the short term. If Automox sees this patch, it will show on the software tab in the Dashboard. If you ignore this software from there, it should force all policies that would include it to not apply it to the endpoints those policies are tied to. This is short term because if an incremental version is put out, you would need to ignore that as well. So it’s not the best long term solution but it will be the quickest way to hold it from applying to your endpoints without having to change all patch policies that may include it.
Next, long term. If you wish to make this a more permanent solution, you can change your patch policies to not patch Big Sur. As an example, if you have a patch all policy, you could change this to a Patch All Except policy and have it exclude “Everything Big” with the word Big being the filter. Big should only be used for this particular patch for all Names of patches Automox handles on Mac so it should catch all versions from inception to end of life.
Hope that helps, let us know if you have any more questions and if you need a bit more in-depth help, please email us at firstname.lastname@example.org
It’s Big Sur release day! Since major OS releases do not typically come through Apple’s Software Update Services as a patch, Automox does not detect for these upgrades. Apple tends to change things a bit every year to keep us on our toes, but we can still learn from what they have done in the past. We should have more definitive answers this morning as Apple typically releases the update at 10am PST.
Blocking the update:
The process name for a macOS installer historically has been “Install macOS XXX”. This year we expect the process name to be “Install macOS Big Sur”. If you have a 3rd party tool that blocks processes, you can use that. Otherwise you may choose to deploy this application via an Automox Required Software policy: https://github.com/hjuutilainen/bigsurblocker
Blocking update notifications:
Last year, Apple started sending push notifications to inform customers of the macOS Catalina upgrade as well as a dock icon in the System Preferences app. We have an existing Worklet to suppress these notifications. Replacing “Catalina” with “Big Sur” in the Worklet should provide the desired results, and we will confirm today after the release.
I’ll update this post/thread as more information is released.
Update on Big Sur: it’s confirmed you can “ignore” the notifications. Add this to the remediation step of a Worklet and deploy to your fleet.
softwareupdate --ignore "macOS Big Sur"
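An added example, not code from this thread, Automox or bigsurblocker: a read-only shell audit that looks for the installer name given above ("Install macOS Big Sur"), either staged on disk or running. The function names, the directories searched and the use of the exit code as a Worklet evaluation result are assumptions.

```shell
#!/bin/sh
# Added example: read-only audit for a staged or running macOS Big Sur
# installer. Nothing is deleted or blocked here.

INSTALLER_NAME="Install macOS Big Sur"   # installer name given in the thread

# Print the path of every installer bundle found directly inside the given
# directories. The trailing wildcard also catches renamed copies such as
# "Install macOS Big Sur 2.app".
find_staged_installers() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 -name "${INSTALLER_NAME}*.app" 2>/dev/null
    done
}

# Read a process listing (one command per line, e.g. from `ps -axo comm`)
# on stdin; succeed if the installer name appears in it.
installer_running() {
    grep -F -q -- "$INSTALLER_NAME"
}

# Return 0 when nothing is found, 1 when an installer is staged or running.
# Assumption: used as a Worklet evaluation step, where a non-zero exit
# flags the device for follow-up.
audit_endpoint() {
    status=0
    staged=$(find_staged_installers "$@")
    if [ -n "$staged" ]; then
        printf 'staged installer: %s\n' "$staged"
        status=1
    fi
    if ps -axo comm 2>/dev/null | installer_running; then
        echo "installer process is running"
        status=1
    fi
    return "$status"
}

# Stand-alone use: sh audit.sh --run (directory list is an assumption)
if [ "${1:-}" = "--run" ]; then
    audit_endpoint /Applications /Users/*/Downloads /Users/*/Desktop
    exit $?
fi
```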