How can these nags be suppressed? I'm stumped!
remove this update from last week:
@Nix4Life Is that related to my question, and I'm not seeing how?
I am also getting bombarded with queries from my users who are seeing this prompt and ask me if it's ok to install. Luckily none of my users have admin rights so they wouldn't be able to install anyway, but it does eat up a lot of my time when I have to field questions from everyone asking the same question.
Yes . Apple pushed that update on Nov 7th. And the notification started. If your machines are set to autoupdate, they received this update. I provided the ID in case you wanted to roll it back or remove it from your SUS
@Nix4Life I think you may be confusing them with your wording.
If you have an internal software update server (above is a screenshot of resposado/margarita) you can remove that update from it. However I can tell you from experience that it doesn't work all of the time for some reason.
Does the nag only appear if the "Install macOS High Sierra.app" is located in /Applications?
Would the nags go away if the "Install macOS High Sierra.app" was deleted from each client, at least until Apple decides to stage the installer again?
@jhalvorson ..Good point, maybe worth a shot. @jmahlman thanks for that, best not to assume
There may be some confusion here. This is the prompt to get non-High Sierra systems to upgrade to High Sierra. Not a .x maintenance update.
I have auto update disabled on all Macs with a softwareupdate --schedule off policy that runs once per day, but I am still seeing this nag far and wide. I'm also not using a SUS, I'm using Caching Server.
None of these systems have the "Install macOS High Sierra.app" in their Applications folder. This is the nag Apple puts out to get people to go into the MAS app, and then download the installer.
I'm blocking the installer, but like @AVmcclint says, it's time consuming to have to field the same question again and again.
EDIT: I think I see what's going on now. Apple is staging the installer onto the systems, like it or not. Which really sucks for my limited bandwidth networks.
Is there a way of preventing the installer from being staged?
@gskibum Sorry for the confusion here; the "update" we were referring to is actually a config that gets added to software update servers. It's something that usually gets installed on machines even if autoupdates are disabled (it's the last checkbox I think)
If you have all of those checkboxes off, then you may have to consider a more drastic option: block something on a firewall (maybe the apple update servers) but this will stop all apple updates from working.
So, the best method is to not list it on your internal update server. If you don't have one, you have to block the server.
Someone will probably correct me since I'm probably wrong :)
The macOSInstallerNotification_GM.pkg just puts a file called "OSXNotification.bundle" into the \Library\Bundles folder, and contains no install scripts according to Suspicious Package. Simply removing the bundle MAY turn the notification off.
I was looking at this earlier today if someone wants to try it out and let us know how it works?
@mahughe That just hides the banner in the App Store, not the notification nag.
I found that all our Macs have downloaded the High Sierra installer without permission from anyone. I used ARD to delete it from /Applications/ on every one of them. A few days later I found that it was re-downloaded on all the computers again. This is really getting obnoxious that Apple is "trying to make things easy" when in fact they are making it way more complicated for those of us in corporate environments. My next attempt to stop this is to just create a blank file called "Install macOS High Sierra.app" and lock the file down so it can't be replaced with the real deal.
To prevent the automatic download of the HS installer, I am going to follow the suggestions posted here by @rtrouton https://derflounder.wordpress.com/2016/10/03/managing-the-automatic-download-of-the-macos-sierra-installer-to-compatible-macs/
I've changed our version of the script to set the App Store prefs as follows:
# System Preferences >> App Store
# This is the 1st of the 5 settings in the GUI within 10.11, 10.12
/usr/sbin/softwareupdate --schedule on
# GUI System Preferences >> App Store >> enable Download newly available updates in the background
# This is the 2nd of the 5 settings in the GUI within 10.11, 10.12
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool FALSE
# System Preferences >> App Store >> enable Install app updates
# This is the 3rd of the 5 settings in the GUI within 10.11, 10.12
/usr/bin/defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE
# System Preferences >> App Store >> 4 of 5 enable Install OS X updates
# This is the 4th of the 5 settings in the GUI within 10.11, 10.12
/usr/bin/defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE
# This is the 5th of the 5 settings in the GUI within 10.11, 10.12
# enable XProtect and Gatekeeper updates to be installed automatically
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool TRUE
# enable automatic security updates to be installed automatically
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool TRUE
# This is a one time action to trigger a background check with normal scan (critical and config-data updates only)
Since I push the "softwareupdate --schedule off" command daily, this is what the App Store pref pane looks like. But Apple is still pushing the High Sierra installer onto many of these boxes.
But I suspect the download is being triggered either by my daily "softwareupdate -da" command or my daily XProtect-Gatekeeper update script I run.
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true
sudo softwareupdate --background-critical
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool false
Never mind. No workie.
this seems to work
I am getting these nags too and some how it seems to be circumventing my software blocks in the JSS. I am blocking the following in Restricted Software:
Those blocks all work fine if you try an download the installer from the app store and run it. But if a user clicks "Install" on the alert nag it runs the macOS installer and doesn't trigger any of the blocks. Has anyone else seen that? Should I be blocking something additionally? This is the first time I've had this issue with any macOS installers.
We have a four prong strategy currently that seems to be working to prevent High Sierra from being automatically downloaded and users from being notified to install Hi C.
1) A monthly policy that runs on all our managed macs that disables automatic updates. This policy simply executes the following command: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -boolean FALSE2) All managed macs are pointed to a SUS that is running Server.app and all the updates to install High Sierra or install the notification are disabled (we are slowly migrating to reposado but that's still another month or two away, but same concept remains). I think there are currently two separate Install macOS High Sierra updates and one macOS Installer Notification update. All three are disabled in Software Update inside Server.app.3) We have a policy that suppresses the giant island/banner in App Store>Updates encouraging users to install Hi C. This was done by adapting Erik Gomez's instructions on his blog. http://blog.eriknicolasgomez.com/2015/10/01/paradise-island-hiding-el-capitans-free-upgrade-banner4) And last but not least, we have a JAMF Restricted software policy that prevents the Install High Sierra.app from running if the user actually somehow manages to download the installer.
All those things implemented, we've had very few numbers of users hitting the restricted software option. Maybe 2-3 a week, and usually its the same users who are just a little bit more tech savvy and probably went to the app store to download it. This process has also prevented unwanted installs of Hi C. Out of the under 1000 macs we manage, only 10 macs have Hi C running, and each of those was intended/allowed by us for testing purposes.
Something like this might work... it's an adaptation of the method used for sierra, just started researching/going to test this in my environment, but if others would like to test to see if this suppresses the notification dialog:
/usr/bin/defaults write /Library/Preferences/com.apple.noticeboard.plist LastNoticeboardCatalogCheck "$(date -u "+%F %T %z")"
/usr/bin/defaults write /Library/Preferences/com.apple.noticeboard.plist "com.apple.noticeboard.notification.highsierra.1.0" -dict dismissalCount 4 lastDismissedDate "$(date -u "+%F %T %z")"
/usr/bin/defaults write /Library/Preferences/com.apple.noticeboard.plist identifiers -array "com.apple.noticeboard.notification.highsierra.1.0"
Hi @RobertHammen, I tested this on a VM running 10.10. The name of the notification came out to com.apple.noticeboard.notification.10.13.1.0 . Not sure if it changed, or if you were using 'high sierra' as a guess.
@RobertHammen Where did you get "highsierra1.0" from? Just looking to wrap my head around it.
Would this be the same with Mojave?
Using howardgmac's suggestion of setting a policy to run weekly (or daily, if you like) to remove /Library/Bundles/OSXNotification.bundle has removed the Mojave upgrade notifications, and also worked to keep the High Sierra notifications away on Sierra Macs.
It has not, however, removed the banner from the App Store.