High Sierra Upgrade Nags

gskibum
Contributor III

How can these nags be suppressed? I'm stumped!

5bd634ef1d1e45b59d9b760619893452

24 REPLIES 24

Nix4Life
Valued Contributor

remove this update from last week:

fae73e0ac1e243ecbc767620d4103f59

gskibum
Contributor III

@Nix4Life Is that related to my question, and I'm not seeing how?

AVmcclint
Honored Contributor

I am also getting bombarded with queries from my users who are seeing this prompt and ask me if it's ok to install. Luckily none of my users have admin rights so they wouldn't be able to install anyway, but it does eat up a lot of my time when I have to field questions from everyone asking the same question.

Nix4Life
Valued Contributor

@gskibum Yes . Apple pushed that update on Nov 7th. And the notification started. If your machines are set to autoupdate, they received this update. I provided the ID in case you wanted to roll it back or remove it from your SUS

L

jmahlman
Valued Contributor

@Nix4Life I think you may be confusing them with your wording.

If you have an internal software update server (above is a screenshot of resposado/margarita) you can remove that update from it. However I can tell you from experience that it doesn't work all of the time for some reason.

jhalvorson
Valued Contributor

Does the nag only appear if the "Install macOS High Sierra.app" is located in /Applications? Would the nags go away if the "Install macOS High Sierra.app" was deleted from each client, at least until Apple decides to stage the installer again?

Nix4Life
Valued Contributor

@jhalvorson ..Good point, maybe worth a shot. @jmahlman thanks for that, best not to assume

gskibum
Contributor III

There may be some confusion here. This is the prompt to get non-High Sierra systems to upgrade to High Sierra. Not a .x maintenance update.

I have auto update disabled on all Macs with a softwareupdate --schedule off policy that runs once per day, but I am still seeing this nag far and wide. I'm also not using a SUS, I'm using Caching Server.

None of these systems have the "Install macOS High Sierra.app" in their Applications folder. This is the nag Apple puts out to get people to go into the MAS app, and then download the installer.

I'm blocking the installer, but like @AVmcclint says, it's time consuming to have to field the same question again and again.

EDIT: I think I see what's going on now. Apple is staging the installer onto the systems, like it or not. Which really sucks for my limited bandwidth networks.

Is there a way of preventing the installer from being staged?

jmahlman
Valued Contributor

@gskibum Sorry for the confusion here; the "update" we were referring to is actually a config that gets added to software update servers. It's something that usually gets installed on machines even if autoupdates are disabled (it's the last checkbox I think)
90d493dd98d3497db8f96dc6864833b3

If you have all of those checkboxes off, then you may have to consider a more drastic option: block something on a firewall (maybe the apple update servers) but this will stop all apple updates from working.

So, the best method is to not list it on your internal update server. If you don't have one, you have to block the server.

Someone will probably correct me since I'm probably wrong :)

howardgmac
New Contributor III

The macOSInstallerNotification_GM.pkg just puts a file called "OSXNotification.bundle" into the LibraryBundles folder, and contains no install scripts according to Suspicious Package. Simply removing the bundle MAY turn the notification off.

mahughe
Contributor

I was looking at this earlier today if someone wants to try it out and let us know how it works?

http://blog.eriknicolasgomez.com/2015/10/01/paradise-island-hiding-el-capitans-free-upgrade-banner/#method-2---deploying-file

jmahlman
Valued Contributor

@mahughe That just hides the banner in the App Store, not the notification nag.

AVmcclint
Honored Contributor

I found that all our Macs have downloaded the High Sierra installer without permission from anyone. I used ARD to delete it from /Applications/ on every one of them. A few days later I found that it was re-downloaded on all the computers again. This is really getting obnoxious that Apple is "trying to make things easy" when in fact they are making it way more complicated for those of us in corporate environments. My next attempt to stop this is to just create a blank file called "Install macOS High Sierra.app" and lock the file down so it can't be replaced with the real deal.

jhalvorson
Valued Contributor

To prevent the automatic download of the HS installer, I am going to follow the suggestions posted here by @rtrouton https://derflounder.wordpress.com/2016/10/03/managing-the-automatic-download-of-the-macos-sierra-ins...

I've changed our version of the script to set the App Store prefs as follows:b6650777d2734c03af92a719cc0de8b3

#!/bin/bash

# System Preferences >> App Store

# This is the 1st of the 5 settings in the GUI within 10.11, 10.12
/usr/sbin/softwareupdate --schedule on

# GUI System Preferences >> App Store >> enable Download newly available updates in the background
# This is the 2nd of the 5 settings in the GUI within 10.11, 10.12
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool FALSE

# System Preferences >> App Store >> enable Install app updates
# This is the 3rd of the 5 settings in the GUI within 10.11, 10.12
/usr/bin/defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE

# System Preferences >> App Store >> 4 of 5 enable Install OS X updates
# This is the 4th of the 5 settings in the GUI within 10.11, 10.12
/usr/bin/defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE

# This is the 5th of the 5 settings in the GUI within 10.11, 10.12
# enable XProtect and Gatekeeper updates to be installed automatically
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool TRUE
# enable automatic security updates to be installed automatically
/usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool TRUE

# This is a one time action to trigger a background check with normal scan (critical and config-data updates only)
/usr/sbin/softwareupdate --background-critical

exit 0

gskibum
Contributor III

Since I push the "softwareupdate --schedule off" command daily, this is what the App Store pref pane looks like. But Apple is still pushing the High Sierra installer onto many of these boxes.

But I suspect the download is being triggered either by my daily "softwareupdate -da" command or my daily XProtect-Gatekeeper update script I run.

#!/bin/bash

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true
/bin/sleep 2
sudo softwareupdate --background-critical
/bin/sleep 5
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool false

397f45ccaa254501bc3a8601b4a57627

gskibum
Contributor III

Never mind. No workie.

Nix4Life
Valued Contributor

sgorney
New Contributor III

Hi,

I am getting these nags too and some how it seems to be circumventing my software blocks in the JSS. I am blocking the following in Restricted Software:

osinstallersetupd
InstallAssistant
High Sierra

Those blocks all work fine if you try an download the installer from the app store and run it. But if a user clicks "Install" on the alert nag it runs the macOS installer and doesn't trigger any of the blocks. Has anyone else seen that? Should I be blocking something additionally? This is the first time I've had this issue with any macOS installers.

sam_g
Contributor
Contributor

We have a four prong strategy currently that seems to be working to prevent High Sierra from being automatically downloaded and users from being notified to install Hi C.

1) A monthly policy that runs on all our managed macs that disables automatic updates. This policy simply executes the following command: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -boolean FALSE
2) All managed macs are pointed to a SUS that is running Server.app and all the updates to install High Sierra or install the notification are disabled (we are slowly migrating to reposado but that's still another month or two away, but same concept remains). I think there are currently two separate Install macOS High Sierra updates and one macOS Installer Notification update. All three are disabled in Software Update inside Server.app.
3) We have a policy that suppresses the giant island/banner in App Store>Updates encouraging users to install Hi C. This was done by adapting Erik Gomez's instructions on his blog. http://blog.eriknicolasgomez.com/2015/10/01/paradise-island-hiding-el-capitans-free-upgrade-banner
4) And last but not least, we have a JAMF Restricted software policy that prevents the Install High Sierra.app from running if the user actually somehow manages to download the installer.

All those things implemented, we've had very few numbers of users hitting the restricted software option. Maybe 2-3 a week, and usually its the same users who are just a little bit more tech savvy and probably went to the app store to download it. This process has also prevented unwanted installs of Hi C. Out of the under 1000 macs we manage, only 10 macs have Hi C running, and each of those was intended/allowed by us for testing purposes.

RobertHammen
Valued Contributor II

Something like this might work... it's an adaptation of the method used for sierra, just started researching/going to test this in my environment, but if others would like to test to see if this suppresses the notification dialog:

#!/bin/bash
/usr/bin/defaults write /Library/Preferences/com.apple.noticeboard.plist LastNoticeboardCatalogCheck "$(date -u "+%F %T %z")"
/usr/bin/defaults write /Library/Preferences/com.apple.noticeboard.plist "com.apple.noticeboard.notification.highsierra.1.0" -dict dismissalCount 4 lastDismissedDate "$(date -u "+%F %T %z")"
/usr/bin/defaults write /Library/Preferences/com.apple.noticeboard.plist identifiers -array "com.apple.noticeboard.notification.highsierra.1.0"

bradtchapman
Valued Contributor II

Hi @RobertHammen, I tested this on a VM running 10.10. The name of the notification came out to com.apple.noticeboard.notification.10.13.1.0 . Not sure if it changed, or if you were using 'high sierra' as a guess.

dardal
New Contributor

@RobertHammen Where did you get "highsierra1.0" from? Just looking to wrap my head around it.

khuong_lai
New Contributor II

Hi guys,

Would this be the same with Mojave?

andrewtadkins5
New Contributor II

Using howardgmac's suggestion of setting a policy to run weekly (or daily, if you like) to remove /Library/Bundles/OSXNotification.bundle has removed the Mojave upgrade notifications as well as keeping the High Sierra notifications away on Sierra Macs.

It has not, however, removed the banner from the App Store.