Tonight, Apple released macOS Catalina.
See below on how to block this upgrade with Jamf Pro.
An error on Mac saying 'Blocked Plug-in' typically means that the system has prevented a specific plug-in from running. Most reports regarding this issue are associated with Adobe software, including Flash Player and Acrobat Reader. For instance, the alert may occur when a user tries to open an email link in Safari leading to a PDF document.
Block connections to your Mac with a firewall
A firewall can protect your Mac from unwanted contact initiated by other computers when you're connected to the internet or a network. However, your Mac can still allow access through the firewall for some services and apps.
Why block?
- On your Mac, choose Apple menu > System Preferences, click Security & Privacy, then click Firewall. If the lock at the bottom left is locked, click it to unlock the preference pane. Click Firewall Options. If the Firewall Options button is disabled, first click Turn On Firewall to turn on the firewall for your Mac.
- Mac OS X 10.13 and above: 'System Extension Blocked' Message During Installation. Due to the increased security restrictions in recent versions of Mac OS X, anyone installing LeapFrog Connect on these versions of OS X will have to perform an extra step to properly install and use the software.
As with any new OS release, you might have some required software titles which are not compatible with the new OS, & especially with some of the more security-focused changes.
For example, today Adobe released a KB with some details around issues with Creative Cloud Packages & macOS Catalina, below is an excerpt.
The writing has been on the wall for 32-bit apps since 10.13.4, & at WWDC this year it was mentioned that Catalina would not support 32-bit apps.
So, you might need to block Catalina whilst some of these needed software titles are updated.
But we deferred?
Deferral only works for updates, not upgrades.
So, 10.14.x updates. Not the macOS 10.15 upgrade.
Enter Restricted Software
Restricted Software can be used here as one method to block folks from installing macOS Catalina.
Admittedly, there are methods to subvert this. But they are better discussed elsewhere.
To block macOS Catalina via Restricted Software, see the below:
You can tweak these options as per your requirements, but the above should be the bare minimum. The scope & message etc should all be set as per your organisational needs.
I advise not checking 'Delete Application': from previous experience, Apple will push the install.app if it is deleted.
Also, wildcards might not work currently, as there appears to be a Jamf Pro PI around them at the moment.
There is no step 2!
Actually there is: the Restricted Software setting will only apply to devices within scope once their Management Framework has refreshed.
This happens periodically on macOS devices, but you can force this via the below when run with sudo:
The above is handy for running locally when testing the Restricted Software setting, & once happy you can wait for the clients to perform their periodic Management Framework refresh or push a policy that runs the above once per computer on your check-in interval.
So, there is no step 3? Right?
There is an optional step, as per:
With more steps:
When ready to release Catalina, you can then revert this via:
Is that it?
Well, not really.
As mentioned, there are ways that folks can circumvent the Restricted Software setting. (But come to the MacAdmins Slack to ask about that).
Let alone methods outside of the booted OS, so you might want to look at setting a firmware password too.
I see some really bloated rule sets out there and I am left shaking my head going 'no!' The only rules you need to stop nasties are the ones I currently have. Do not add random blocks to 'UDP' on service ports like 53, which is for DNS (Domain Name Service), or you will turn your internet off!
😁
It's easier to just click stealth mode enabled, fire up WaterRoof, click clear all previous rules, import the rules from text and apply the rules.
Then, as an added preference, if you don't want 120 MB of disk space to be chewed up every time your firewall blocks something and logs it, you can just disable the log file...
Firewalls on BSD & Linux are very much Configure & Forget!
You really don't have to sit there watching them like a 'Hawk!'
😀
And if it's already set up to block the bad stuff, watching the blocked stuff just leads to Paranoia!
Then you end up blocking random stuff, that you actually need.
Caution when messing with firewall settings!
Feb 8, 2014 3:55 PM