Blocking macOS Upgrades

If you think Catalina broke stuff, wait’ll you get Big Sur shoved down your throat. From recent FileWave release notes:

MacOS 11 "Big Sur" prevents automatic installation of profiles using the command line "profiles" command.  This was introduced for security reasons (to prevent malware from installing silently profiles which could damage the device installation), this has an impact on how profiles must be installed with FileWave.

I realize that this may come as a shock to Apple, but, not every school in the universe is ready with a full-blown MDM solution yet. Some of us are still relying on Munki. And when we tell our admin-enabled staff not to upgrade, guess what they do?

So, to buy time, this is a little package you can install with, say, Munki or Apple Remote Desktop, that will prevent a user from being able to install a new version of macOS. (Note that it will allow the installer to launch, but will cause a weird error message to appear when they try to proceed.)

This pkg installs two files:

- /usr/local/etc/  <- the script that actually breaks the macOS installer if the user tries to run it

- /Library/LaunchDaemons/com.munki.block_applications.plist  <- the launchdaemon that makes sure the aforementioned script is always running

The pkg then runs a postinstall script to permanently load the LaunchDaemon. So it’s a tiny little watchdog checking to see if the OS installer is running, and if it is, it kills it.
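Because the LaunchDaemon runs the script as root, both installed files should be owned by root and not writable by group or other; launchd will not load a LaunchDaemon plist that fails that test, and a user-writable script would let anyone change what root executes. The check below is an added example, not part of the original pkg; the function names are hypothetical and the file paths are passed in as arguments.

```shell
#!/bin/sh
# Added example: audit files that a root LaunchDaemon loads or executes.
# Assumption: audit_root_file and audit_all are hypothetical helper names.

# audit_root_file PATH [EXPECTED_UID]
# Returns 0 when PATH is a regular file (not a symlink), owned by
# EXPECTED_UID (default 0, root) and not writable by group or other.
audit_root_file() {
    path=$1
    want_uid=${2:-0}

    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "FAIL $path: missing, a symlink, or not a regular file" >&2
        return 1
    fi

    # ls -ldn prints the mode string and numeric owner on macOS and Linux.
    listing=$(ls -ldn "$path") || return 1
    mode=$(printf '%s\n' "$listing" | awk '{print $1}')
    uid=$(printf '%s\n' "$listing" | awk '{print $3}')

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $path: owner uid $uid, expected $want_uid" >&2
        return 1
    fi

    # Character 6 of the mode string is group-write, character 9 is other-write.
    case $mode in
        ?????w*|????????w*)
            echo "FAIL $path: mode $mode is writable by group or other" >&2
            return 1 ;;
    esac

    echo "OK   $path ($mode, uid $uid)"
}

# audit_all PATH...  Returns 1 if any path fails the audit.
audit_all() {
    rc=0
    for f in "$@"; do
        audit_root_file "$f" || rc=1
    done
    return "$rc"
}

# Audit the paths given on the command line, if any.
[ "$#" -eq 0 ] || audit_all "$@"
```

Run it after the pkg installs, passing the LaunchDaemon plist path and the full path of the installed script as arguments.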

Zipped pkg source:

# Kill the macOS installer helper process if it is running
pgrep -x osinstallersetupd
if [ $? -eq 0 ]; then
	pkill -x osinstallersetupd
fi

com.munki.block_applications.plist source:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">