macOS Ventura blocking


Josh Levitsky

  • Moderators

Just curious if folks have been looking at how to block Ventura upgrades from earlier OS versions?

This is on GitHub: https://github.com/Theile/venturablocker

In the FW KB: https://fwkb.atlassian.net/wiki/spaces/KB/pages/4329971/macOS+-+Block+Apple+Install+macOS+Application

The FileWave KB article worked for Monterey, Big Sur and prior. I haven't been able to test it for Ventura but wanted to get a thread going so people could consider if you are going to block it, and how you are going to block it if you know you have certain apps that aren't yet compatible since it's just around the corner. 

Link to comment

mbrownktx was awarded the badge 'Helpful' and 5 points.

I can confirm the configuration in the second link above is working in our environment with the appropriate tweak to the "MinimumBlockedVersion" key (set to 18, the version number corresponding to Ventura) in the "com.filewave.blockmacosinstaller_user.plist" file.

Link to comment

  • Moderators
2 hours ago, Damjan Gruicic said:

Thank you for the good script; it works fine for me too, but the Installer can be started a second time when you leave the "Blocked Installation" window up. So if you click "OK" on "An error.." and start the Installer again, it does go on to upgrade to Ventura.

Thanks for mentioning that. I'll have to take a look at if there's a way to avoid the persistent person who launches it, leaves the dialog up, and launches again. We can look to improve that. 

Link to comment

I've also tested the GitHub package above and it's worked on all the Macs I've tested it on. I have also altered the provided uninstaller script to work with the Ventura blocker; it seems it wasn't updated from the Big Sur one. After running, it allows the Ventura installer to run on the Macs I've tested it on.

 

```bash
# Find the UID of the user logged in at the console
current_user_uid=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/UID :/ && ! /loginwindow/ { print $3 }' )

launchd_item_path="/Library/LaunchAgents/dk.envo-it.venturablocker.plist"

# Unload the agent from that user's GUI session
launchctl bootout "gui/${current_user_uid}" "${launchd_item_path}"

# Remove the agent plist and the blocker binary
rm -f /Library/LaunchAgents/dk.envo-it.venturablocker.plist
rm -f /usr/local/bin/venturablocker

# Forget the package receipt
pkgutil --forget dk.envo-it.venturablocker
```


Edited by Jimmy Stearns
Deleted the emoji it auto added
Link to comment

  • 2 months later...
  • Moderators

I already have an updated version that is due to be posted, but if the script doesn't act as expected, then it is likely it hasn't set the count and so the Custom Field is just a victim.

Hopefully it will be live soon.

Link to comment

@Sean, is there a reason why you chose to use both a launch agent and a launch daemon? (The previous fileset only used a launch agent.)

Also, the Watch Paths key got stripped from the new/revised .plist. (Was that intentional?)

Finally, I also wanted to highlight the changes to the kill_macos_major_update.sh file. (In case anyone was wondering "what changed".)

Link to comment

  • Moderators

Yes two separate launch items.  Users are able to disable LaunchAgents, but it has always required shell command knowledge, but it is generally easier to do user interaction with an Agent rather than a Daemon.  However, with Ventura, LaunchAgents are just viewed in System Preferences and you can just tick a box to turn them off or on.

Hence, Launch Daemon does the killing of the App, user can't disable that (unless they are Admin), Launch Agent informs the user; if they want to turn that off, so be it.

As such, everything has been changed to adapt to this new setup.

Link to comment

  • 7 months later...

@Sean I'm getting ready to block individuals from upgrading to macOS Sonoma. I noticed that the `MinimumBlockVersion` key in the .plist file is different from the minimum_block_version variable that's referenced in the .sh script.

Is that correct?


I'm referring to the Fileset that can be found here: https://kb.filewave.com/books/software-updates-apple/page/fileset-to-block-apple-install-macos-applications

Link to comment

  • Moderators

Doesn't matter. The script 'if' block is just there in case the value is empty, but the value shouldn't actually ever be empty, the plist should always have a value.

By all means alter it as you desire, but as suggested it should never be read.  The example shows how you can manipulate the script with the plist to define the minimum version regardless.

Link to comment

  • Moderators

I've altered the Fileset and moved the trigger to a hidden file.  Whilst doing this, I amended the script so that the default block version is an older version.  There should never be the instance that the file is not there to supply a version, so this would be unexpected, hence blocking an older version as an error capture.

The version that was in the KB would trigger the user warning if the script was to be changed; that shouldn't happen anymore.

Link to comment
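The fallback discussed in the replies above (the plist supplies the minimum blocked version, and the script's own default applies only if that value is empty), as an added example; this is not the Fileset's script. The function names, the default of 17, the choice to block when the installer version is unreadable, and the sample plist text are assumptions; on a Mac the value would normally be read with PlistBuddy or `defaults` rather than awk.

```shell
#!/bin/sh
# Added illustration, not the FileWave Fileset's code. All names are hypothetical.

DEFAULT_MIN_BLOCK=17   # assumed fallback: older than the release meant to be blocked

# Print the value on the line after <key>$2</key> in XML plist text $1
# (assumes key and value sit on separate lines, as in the samples below).
plist_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        found { gsub(/<[^>]*>|[ \t\r]/, ""); print; exit }
        index($0, "<key>" key "</key>") { found = 1 }'
}

# Use the plist value only if it is a plain number; otherwise use the default.
effective_min() {
    case "$1" in
        ''|*[!0-9]*) echo "$DEFAULT_MIN_BLOCK" ;;
        *)           echo "$1" ;;
    esac
}

# Return 0 (block) when installer version $1 has a major version at or above
# the minimum taken from plist text $2.
should_block() {
    major=${1%%.*}
    case "$major" in ''|*[!0-9]*) return 0 ;; esac   # unreadable version: block
    min=$(effective_min "$(plist_value "$2" MinimumBlockedVersion)")
    [ "$major" -ge "$min" ]
}

# Constructed sample inputs: a normal plist and one with an empty value.
PLIST_OK='<dict>
    <key>MinimumBlockedVersion</key>
    <integer>18</integer>
</dict>'
PLIST_EMPTY='<dict>
    <key>MinimumBlockedVersion</key>
    <string></string>
</dict>'

for v in 17.6 18.1; do
    if should_block "$v" "$PLIST_OK"; then echo "$v: block"; else echo "$v: allow"; fi
done
```

With the empty-value plist the default takes over, so a 17.x installer that the normal plist allows is blocked as well.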

Great! This fileset should prevent folks from upgrading via the macOS App Store.

And...the MDM Restrictions profile can be used to prevent users from upgrading via the System Settings app.

Word of warning: before applying any changes to an existing Restrictions profile, ensure you review and modify any unchecked settings. (New options might have been added since the last time the profile was modified.)

Link to comment