
KB-5765: How to block OS X updates via Group Policy

Centrify Identity Service, Mac Edition

13 June 2017 at 10:13 PM

Applies to: Centrify Identity Service, Mac Edition



Question:

Whenever Apple releases a major new version of OS X, the Centrify agent must be updated before the OS itself is upgraded. If the OS is upgraded first, the installed agent version may no longer be compatible with the new OS, which can leave AD users unable to log in to the machine at all.

This can be recovered by logging in to the Mac with a local (non-AD) administrator account and updating the Centrify agent from there, but the situation is far from ideal.

Is there a way to prevent users from upgrading their OS before IT has verified that the current agent is compatible with the new version?



Answer:

Major OS X upgrades are installed by an Apple app whose executable is called "InstallAssistant" (the "Install OS X ..." / "Install macOS ..." app that the App Store downloads). As with any app on the system, once the CFBundleIdentifier string of that app bundle is known, the app can be prohibited from launching via the Centrify Application Access Group Policies. Note that the identifier differs between releases, and between the developer seed/GM builds and the final build of the same version, so each installer has to be blocked by its own identifier.

Known CFBundleIdentifier values:

    Package name                                     CFBundleIdentifier
    OS X 10.11 El Capitan GM release                 com.apple.InstallAssistant.OSX11Seed1
    OS X 10.11 El Capitan final release              com.apple.InstallAssistant.ElCapitan
    macOS Sierra developer preview release           com.apple.InstallAssistant.OSX12Seed1
    macOS Sierra final release                       com.apple.InstallAssistant.Sierra
    macOS High Sierra developer preview release      com.apple.InstallAssistant.Seed.macOS1013Seed1
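The identifiers in the table above come straight from the installer app's own Info.plist, so a future release can be looked up the same way rather than waiting for an updated list. The script below is added here as an example; it is not part of this article or of the Centrify agent. It reads CFBundleIdentifier from an app bundle and tests the value against the deny-list the policy will carry. Because a real installer is several gigabytes, the script builds a throwaway sample bundle named "Install macOS Sierra.app" (constructed for the example, carrying only the keys the script reads) so it runs on any machine; on a real Mac, pass the path of the downloaded installer, normally under /Applications.

```python
"""Look up the CFBundleIdentifier of a macOS installer app bundle and test it
against the deny-list used by the "Permit/prohibit access to applications" GP.

Added example; not part of the Centrify agent or this article.
"""
import os
import plistlib
import sys
import tempfile

# Identifiers from the table above: one entry per installer release to block.
BLOCKED_INSTALLERS = {
    "com.apple.InstallAssistant.OSX11Seed1",
    "com.apple.InstallAssistant.ElCapitan",
    "com.apple.InstallAssistant.OSX12Seed1",
    "com.apple.InstallAssistant.Sierra",
    "com.apple.InstallAssistant.Seed.macOS1013Seed1",
}


def get_bundle_id(app_path):
    """Return CFBundleIdentifier from <app>.app/Contents/Info.plist.

    Apple's "Install macOS ..." apps are ordinary bundles, so the same lookup
    works for every release; only the value changes.
    """
    info_path = os.path.join(app_path, "Contents", "Info.plist")
    with open(info_path, "rb") as fh:
        info = plistlib.load(fh)  # handles both XML and binary plists
    return info["CFBundleIdentifier"]


def is_blocked(bundle_id, blocked=BLOCKED_INSTALLERS):
    """True if the GP deny-list would prohibit launching this bundle."""
    return bundle_id in blocked


# Constructed sample: a minimal bundle with only the keys this script reads.
# A real installer's Info.plist carries many more keys.
SAMPLE_INFO = {
    "CFBundleIdentifier": "com.apple.InstallAssistant.Sierra",
    "CFBundleName": "Install macOS Sierra",
    "CFBundleExecutable": "InstallAssistant",
}


def make_sample_bundle(root):
    """Write the constructed sample bundle under root and return its path."""
    app = os.path.join(root, "Install macOS Sierra.app")
    os.makedirs(os.path.join(app, "Contents"))
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump(SAMPLE_INFO, fh)
    return app


def sample_bundle_id():
    """Build the sample bundle in a temp dir and return its identifier."""
    with tempfile.TemporaryDirectory() as tmp:
        return get_bundle_id(make_sample_bundle(tmp))


if __name__ == "__main__":
    # Usage: python3 bundle_id.py "/Applications/Install macOS Sierra.app"
    # With no argument the constructed sample bundle is used instead.
    app_path = sys.argv[1] if len(sys.argv) > 1 else None
    bid = get_bundle_id(app_path) if app_path else sample_bundle_id()
    verdict = "prohibited" if is_blocked(bid) else "not in deny-list"
    print("%s -> %s" % (bid, verdict))
```

On the Mac itself the same value can be read without Python with `defaults read "/Applications/Install macOS Sierra.app/Contents/Info" CFBundleIdentifier` (note that `defaults` takes the plist path without the .plist extension).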

To block users from updating OS X to El Capitan, Sierra or High Sierra releases, use the following steps:

Set the global restriction policy
  1. Configure the GP at:
    • User Configuration / Centrify Settings / Mac OSX Settings / Application Access Settings / "Permit/prohibit access to applications"
  2. Use the following options:
    • Access mode: User can open all applications except these
    • Uncheck: User can also open all applications on local volumes
    • Uncheck: Allow approved applications to launch non-approved applications
    • Uncheck: Allow UNIX tools to run




Add the specific application names to be blocked
  1. Configure the GP at:
    • User Configuration / Centrify Settings / Mac OSX Settings / Application Access Settings / "Permit/prohibit access to user-specific applications"
  2. Enter the following strings, one per installer release to block:
    • Blocking Sierra (final release):  com.apple.InstallAssistant.Sierra
    • Blocking High Sierra (developer preview release):  com.apple.InstallAssistant.Seed.macOS1013Seed1



Enable Loopback Processing mode
  1. The policies above live under User Configuration. If the GPO is linked to an OU that contains the Mac computer objects directly (rather than to the OU containing the user objects), they will only be applied if loopback processing is enabled, so configure the following GP in the same GPO:
    • Computer Configuration / Administrative Templates / System / Group Policy / "User Group Policy loopback processing mode"
  2. Use the following option:
    • Mode: Merge

Once deployed, AD users receiving these policies will no longer be able to launch the specified installer package(s); attempting to open the installer app is refused by the Application Access policy.

 


Notes:
  • For more information on setting up Centrify Group Policies, see:
  • For more information on loopback processing, see:
  • To check that the GP has been applied, log in as a target AD user and run the following command in Terminal:
    • adgpresult
       
    • If the GP was pushed successfully, the User's GP Settings section should contain entries similar to the following (here supplied by a GPO named "General Testing"):

      Resultant Set of Policy
      ====================
      software/policies/centrify/centrifydc/settings/macmcx/applicationaccess:
          General Testing: 
              AdditionalApplicationList = 0000000001,
              AllowUnbundledApps = 0000000000,
              ApprovedAppLaunchesOthers = 0000000000,
              EnableAccessList = 1,
              OpenItemsInternalDrive = 0000000000,
              accessmode = deny,

      software/policies/centrify/centrifydc/settings/macmcx/applicationaccess/additionalapplicationlist:
          General Testing: 
              Application1 = com.apple.InstallAssistant.ElCapitan,


       
  • Alternatively, if the Mac Diagnostic Tool is installed at:
    • /Library/Application Support/Centrify/MacDiagnosticTool.app
       
    • open the tool, go to the Group Policy tab, click the [ User Policy ] button and look for the same application access entries as in the adgpresult output above.


       
  • If the entries cannot be found, then the GP did not make it to the Mac system. For troubleshooting steps, see:
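Reading the adgpresult output by eye is fine for one Mac; across a fleet it is easier to check it mechanically. The script below is an added example and not one of Centrify's tools. It parses the Resultant Set of Policy text into setting paths, the GPO names that supplied them, and their key/value pairs, then confirms that accessmode is deny, that EnableAccessList is 1 and that every installer identifier configured in the steps appears in the prohibited application list. SAMPLE_ADGPRESULT is constructed from the output format shown above, with the two Sierra/High Sierra identifiers entered in the steps; on a real Mac the script reads adgpresult's output from stdin.

```python
"""Check adgpresult output for the OS X update block.

Added example; not part of Centrify's tools. Parses the Resultant Set of
Policy text shown above and verifies the application-access settings.
"""
import sys

APPACCESS = "software/policies/centrify/centrifydc/settings/macmcx/applicationaccess"
APPLIST = APPACCESS + "/additionalapplicationlist"

# Constructed sample in the format adgpresult prints (see the Notes above),
# with the two identifiers entered in the steps.
SAMPLE_ADGPRESULT = """\
Resultant Set of Policy
====================
software/policies/centrify/centrifydc/settings/macmcx/applicationaccess:
    General Testing: 
        AdditionalApplicationList = 0000000001,
        AllowUnbundledApps = 0000000000,
        ApprovedAppLaunchesOthers = 0000000000,
        EnableAccessList = 1,
        OpenItemsInternalDrive = 0000000000,
        accessmode = deny,

software/policies/centrify/centrifydc/settings/macmcx/applicationaccess/additionalapplicationlist:
    General Testing: 
        Application1 = com.apple.InstallAssistant.Sierra,
        Application2 = com.apple.InstallAssistant.Seed.macOS1013Seed1,
"""


def parse_adgpresult(text):
    """Return {setting_path: {gpo_name: {key: value}}}.

    Unindented lines ending in ':' start a setting path, indented lines
    ending in ':' name the GPO that supplied the values, and 'key = value,'
    lines belong to the current path/GPO pair.
    """
    rsop = {}
    path = gpo = None
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body.startswith("Resultant Set") or set(body) == {"="}:
            continue  # banner, underline and blank separator lines
        indent = len(raw) - len(raw.lstrip())
        if indent == 0 and body.endswith(":"):
            path, gpo = body[:-1], None
            rsop.setdefault(path, {})
        elif path is not None and body.endswith(":"):
            gpo = body[:-1]
            rsop[path].setdefault(gpo, {})
        elif path is not None and gpo is not None and "=" in body:
            key, _, value = body.partition("=")
            rsop[path][gpo][key.strip()] = value.strip().rstrip(",")
    return rsop


def check_update_block(text, expected_ids):
    """Return (ok, problems) for the application-access policy in text.

    ok is True only when the access mode is deny, the access list is enabled
    and every identifier in expected_ids is in the prohibited application list.
    """
    rsop = parse_adgpresult(text)
    problems = []
    # Merge values from every GPO that contributed to the section.
    settings = {}
    for values in rsop.get(APPACCESS, {}).values():
        settings.update(values)
    if settings.get("accessmode") != "deny":
        problems.append("accessmode is %r, expected 'deny'" % settings.get("accessmode"))
    if settings.get("EnableAccessList") != "1":
        problems.append("EnableAccessList is %r, expected '1'" % settings.get("EnableAccessList"))
    listed = set()
    for values in rsop.get(APPLIST, {}).values():
        listed.update(v for k, v in values.items() if k.startswith("Application"))
    for bundle_id in expected_ids:
        if bundle_id not in listed:
            problems.append("%s is not in the prohibited application list" % bundle_id)
    return (not problems, problems)


if __name__ == "__main__":
    # Usage on a Mac:  adgpresult | python3 check_gp.py <bundle-id> [<bundle-id> ...]
    # Without piped input the constructed sample is checked instead.
    wanted = sys.argv[1:] or ["com.apple.InstallAssistant.Sierra",
                              "com.apple.InstallAssistant.Seed.macOS1013Seed1"]
    output = SAMPLE_ADGPRESULT if sys.stdin.isatty() else sys.stdin.read()
    ok, problems = check_update_block(output, wanted)
    print("OK: update block applied" if ok else "\n".join(problems))
    sys.exit(0 if ok else 1)
```

A non-zero exit with the list of problems is the case from the last note above: the section or the identifier is missing, which means the GP did not reach the Mac (or reached it without loopback processing) and the troubleshooting steps apply.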
