Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-4211: How to restrict the Mac App Store to "Software Update-Only Mode" via Group Policy

Mac & PC Management Service ,  

12 April,16 at 11:19 AM

Applies to: All versions of Centrify DirectControl on Mac OS X


Is it possible to restrict users from downloading new apps from the App Store, but still allow them to download updates to existing apps?


The Mac App Store has a setting called "Software-Update Mode". When this setting is enabled, users will only have access to the Updates section, all other sections will be disabled.

There are three possible methods to applying this setting:

Option 1: To apply the restriction system-wide: 
  1. Configure the following GP: 
    • Computer Configuration / Centrify Settings / Common UNIX Settings / "Specify commands to run" 
  2. Add the following command: 
    • sudo defaults write /Library/Preferences/ restrict-store-softwareupdate-only -bool yes

Option 2: To apply the restriction to specific users only: 
  1. Place this command into a login script:
    • defaults write restrict-store-softwareupdate-only -bool yes 
  2. Set up the script to be run from the following GP: 
    • User Configuration / Centrify Settings / Mac OS X Settings / Scripts / "Specify multiple login scripts" 

Option 3: Via a mobileconfig configuration profile:
  • Attached is an Apple Configuration Profile which can also be used to manage the setting in the App Store.
  1. Login to the Mac as Local Admin and download the mobileconfig to the Desktop
  2. Open the Terminal and run the command:
    • sudo profiles -I -F "~/Desktop/RestrictAppStore.mobileconfig"
  3. Logout and login as an AD user
  4. Open the App Store and the user should now only have access to the Updates section.

  • For further information on these configurations (including how to reverse the setting), please see the Apple KB:
  • For an example of how to set up a simple command within a login script, see the following KB:
  • It has been noticed that the Terminal commands described in Options 1 & 2 and from the Apple KB may no longer work for OS X 10.9 Mavericks and higher.
    • In these situations, Option 3 should still continue to work with no issue.

(All external links provided as a courtes)


Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.