KB-5765: How to block OS X updates via Group Policy

Centrify Identity Service, Mac Edition

28 September 2017, 08:44 PM



Question:

Whenever a major new version of macOS is released, the Centrify agent must be updated first, before the OS itself is upgraded. If the OS is upgraded before the agent, the installed agent version may no longer be compatible with the OS, which can block AD users from logging in to the machine. Recovering from this requires logging in to the Mac with a local administrator account and manually updating the Centrify agent.

Is there a way to prevent users from upgrading their OS before IT has confirmed that the agent is compatible with the new version?



Answer:

macOS upgrades are applied by the Apple installer application, whose executable is called "InstallAssistant". As with any app on the system, once the CFBundleIdentifier string of that application is known, the app can be blocked from launching via the Centrify Application Access group policies.

Note: For more information on locating CFBundleIdentifiers, see KB-1938: How to find the CFBundleIdentifier of applications on Mac systems.

To block users from upgrading macOS to the High Sierra, Sierra or El Capitan releases, use the steps below. If High Sierra has already been installed over an incompatible version of the Centrify agent and login is failing, see KB-9048: Login fails after installing macOS High Sierra with Centrify DirectControl Agent for Mac (Centrify login required).
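The identifier that goes into the policy is the CFBundleIdentifier key of the installer's Info.plist. The following script is an added example (not from this article, KB-1938 or Centrify's tooling) that extracts that key so the exact string can be pasted into the policy rather than typed from memory. On a real Mac the native one-liner is `defaults read "/Applications/Install macOS High Sierra.app/Contents/Info.plist" CFBundleIdentifier`; the awk version below is used so the example also runs on a non-Mac host, and the sample bundle it creates is constructed here (the identifier value matches the table in this article, the other keys are illustrative).

```shell
#!/bin/sh
# Added example (not part of the KB): read CFBundleIdentifier from an app
# bundle's Info.plist so the exact string can be added to the
# "Permit/prohibit access to user-specific applications" policy.
#
# On macOS the native way is:
#   defaults read "/Applications/Install macOS High Sierra.app/Contents/Info.plist" CFBundleIdentifier
# The awk fallback below works on any POSIX system against an XML plist.

# bundle_id_from_plist PLIST_PATH -> prints the CFBundleIdentifier value
# (prints nothing if the key is absent).
bundle_id_from_plist() {
    awk '
        /<key>CFBundleIdentifier<\/key>/ { want = 1; next }
        want && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
        }
    ' "$1"
}

# bundle_id_of_app APP_PATH -> CFBundleIdentifier of APP_PATH/Contents/Info.plist
bundle_id_of_app() {
    bundle_id_from_plist "$1/Contents/Info.plist"
}

# make_sample_app DIR: constructed sample bundle shaped like the High Sierra
# installer (executable name and identifier as stated in this article; the
# remaining keys are illustrative, not copied from Apple's plist).
make_sample_app() {
    mkdir -p "$1/Contents"
    cat > "$1/Contents/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleExecutable</key>
    <string>InstallAssistant</string>
    <key>CFBundleIdentifier</key>
    <string>com.apple.InstallAssistant.HighSierra</string>
    <key>CFBundleName</key>
    <string>Install macOS High Sierra</string>
</dict>
</plist>
EOF
}

# Usage: point bundle_id_of_app at the real installer under /Applications;
# here it runs against the constructed sample in a temporary directory.
sample="$(mktemp -d)/Install macOS High Sierra.app"
make_sample_app "$sample"
bundle_id_of_app "$sample"    # prints com.apple.InstallAssistant.HighSierra
```

Run it against every installer you intend to block, including any developer preview build, since the identifier of a seed installer differs from the final release (see the table below).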



Set the global restriction policy:
  1. Configure the GP at:
    • User Configuration / Policies / Centrify Settings / Mac OSX Settings / Application Access Settings / "Permit/prohibit access to applications"
  2. Use the following options:
    • Access mode: User can open all applications except these
    • Uncheck: User can also open all applications on local volumes
    • Uncheck: Allow approved applications to launch non-approved applications
    • Uncheck: Allow UNIX tools to run

Leaving the three options above unchecked matters: if any of them is enabled, the installer could still be reached from a copy on a local volume, by being launched from an approved application, or from the command line.



Set the app restriction policy:
  1. Configure the GP at:
    • User Configuration / Policies / Centrify Settings / Mac OSX Settings / Application Access Settings / "Permit/prohibit access to user-specific applications"



Add the BundleIdentifier:
  1. Click the Add button and enter the desired identifier string from the table below into the group policy application list:

     Package Name                                   CFBundleIdentifier
     OS X 10.11 El Capitan final release            com.apple.InstallAssistant.ElCapitan
     macOS Sierra final release                     com.apple.InstallAssistant.Sierra
     macOS High Sierra developer preview release    com.apple.InstallAssistant.Seed.macOS1013Seed1
     macOS High Sierra final release                com.apple.InstallAssistant.HighSierra

     Note that the developer preview identifier is specific to that seed build; check the identifier of any newer beta installer before relying on the value above.




Make the application restriction policy active without user logout/login:

Once the application restriction policy above is enabled, it takes effect when users log out and back in. Administrators who wish to apply the "Permit/prohibit access to applications" policy without requiring the user to log out or reboot can deploy a custom script (attached at the bottom of this article) using the Copy Files group policy. This policy setting allows administrators to copy a file or set of files from Active Directory to many machines using DirectControl.

Files can be copied from the SYSVOL share of a joined or trusted domain, or from a share on any Windows machine joined to the domain or a trusted domain.

  1. On the Active Directory server, copy the attached script "zmcxrefresh.sh" to the folder "C:\Windows\SYSVOL\domain\scripts\".
  2. In the Group Policy Management Console, open the computer group policy "Computer Configuration / Policies / Centrify Settings / Common Unix Settings / Copy files".
  3. Enable the policy to copy the file with the following options:

  • Origin: Domain name of the SYSVOL location the file was copied to
  • Filename: scripts/zmcxrefresh.sh (from step 1)
  • Destination: /usr/local/share/centrifydc/mappers/user/
  • Check "Specify permissions and ownership"
    • File permissions in octal: 0755
    • File Owner UID: 0
    • Owner Group GID: 0

  4. The policy is applied on the Mac at the next default refresh interval of 90 minutes, or immediately by running adgpupdate in the Terminal application on the Mac.



Enable Loopback Processing mode:
  1. If the GPO is linked to an OU that contains the Mac computer objects directly (rather than to the OU containing the user objects), the user-side settings above will only apply if loopback processing is enabled. Configure the following GP:
    • Computer Configuration / Policies / Administrative Templates / System / Group Policy / "User Group Policy loopback processing mode"
  2. Use the following option:
    • Mode: Merge

Once deployed, AD users receiving these policies will no longer be able to run the specified update package(s); launching the installer is refused by the Application Access policy.


Notes:
  • For more information on setting up Centrify Group Policies, see:
  • For more information on loopback processing, see:
  • To check that the GP has been applied successfully, log in as a target AD user and run the following Terminal command:
    • adgpresult

    • If the GP was pushed successfully, the User's GP Settings section should contain entries similar to:

      Resultant Set of Policy
      ====================
      software/policies/centrify/centrifydc/settings/macmcx/applicationaccess:
          General Testing: 
              AdditionalApplicationList = 0000000001,
              AllowUnbundledApps = 0000000000,
              ApprovedAppLaunchesOthers = 0000000000,
              EnableAccessList = 1,
              OpenItemsInternalDrive = 0000000000,
              accessmode = deny,

      software/policies/centrify/centrifydc/settings/macmcx/applicationaccess/additionalapplicationlist:
          General Testing: 
              Application1 = com.apple.InstallAssistant.HighSierra


       
  • Alternatively, open the Mac Diagnostic Tool at:
    • /Library/Application Support/Centrify/MacDiagnosticTool.app

    • Go to the Group Policy tab, click the [ User Policy ] button and look for the same applicationaccess entries shown above.

  • If the entries cannot be found, then the GP did not reach the Mac system. For troubleshooting steps, see:
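Reading adgpresult output by eye works for one Mac; across a fleet the check is better scripted. The following POSIX shell script is an added example (not part of this KB or of Centrify's tooling) that parses a saved adgpresult report and confirms the three things this article configures: deny-list access mode, the access list enabled, and the installer's identifier present in the additional application list. It assumes the report uses the "Key = value," layout shown in the snippet above; the sample report embedded in the script is constructed from that snippet so the check can be exercised without a Mac.

```shell
#!/bin/sh
# Added example, not part of this KB or of Centrify's tooling: parse a saved
# adgpresult report and confirm the policy described in this article reached
# the Mac. Save the real report first with:   adgpresult > /tmp/rsop.txt
# Assumption: the report format matches the snippet in this article
# ("Key = value," lines under the applicationaccess path).

# gp_blocks_app REPORT_FILE BUNDLE_ID
#   Returns 0 only if the report shows accessmode = deny, EnableAccessList = 1
#   and an ApplicationN entry equal to BUNDLE_ID; otherwise returns 1.
gp_blocks_app() {
    awk -v want="$2" '
        {
            line = $0
            sub(/,[ \t]*$/, "", line)              # drop the trailing comma
            n = index(line, "=")
            if (n == 0) next                       # not a "Key = value" line
            key = substr(line, 1, n - 1)
            val = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "accessmode" && val == "deny") deny = 1
            if (key == "EnableAccessList" && val == "1") enabled = 1
            if (key ~ /^Application[0-9]+$/ && val == want) listed = 1
        }
        END { if (deny && enabled && listed) exit 0; exit 1 }
    ' "$1"
}

# write_sample_report FILE: a constructed report copied from the snippet in
# this article, used here so the check can run without a Mac.
write_sample_report() {
    cat > "$1" <<'EOF'
Resultant Set of Policy
====================
software/policies/centrify/centrifydc/settings/macmcx/applicationaccess:
    General Testing:
        AdditionalApplicationList = 0000000001,
        AllowUnbundledApps = 0000000000,
        ApprovedAppLaunchesOthers = 0000000000,
        EnableAccessList = 1,
        OpenItemsInternalDrive = 0000000000,
        accessmode = deny,

software/policies/centrify/centrifydc/settings/macmcx/applicationaccess/additionalapplicationlist:
    General Testing:
        Application1 = com.apple.InstallAssistant.HighSierra
EOF
}

# Usage: on a real Mac replace the sample with the /tmp/rsop.txt written by
# adgpresult. Only High Sierra is listed in the sample, so Sierra reports as
# not blocked.
report="$(mktemp)"
write_sample_report "$report"
for id in com.apple.InstallAssistant.HighSierra com.apple.InstallAssistant.Sierra; do
    if gp_blocks_app "$report" "$id"; then
        echo "blocked:     $id"
    else
        echo "NOT blocked: $id  (add it to the policy, or run adgpupdate and re-check)"
    fi
done
```

The script deliberately requires all three settings: an identifier listed under additionalapplicationlist does nothing if accessmode is still "allow" or EnableAccessList is 0, which is exactly the state a half-applied or loopback-less deployment produces.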
Attachments: