Prevent Users from Installing macOS Sierra using LANDESK Security Suite 2016

On September 20, 2016 Apple will release its next generation operating system, macOS Sierra. While Apple may think it’s great that the Siri-enabled Mac can do “even more for us, so we can do more with our Mac”, as an organization, we may not be quite ready to introduce macOS Sierra into our environments. If you’re looking at your calendar trying to figure out if you’re going to be able to finish validating that your AV and your critical business applications are fully functioning with macOS Sierra, you can use LANDESK Security Suite to temporarily block the installer from running. Going this route will give you the extra days/weeks you need to finish validating the OS without having to worry about who is going to install the update and be calling you tomorrow wondering why their VPN won’t work.

The process to block an application in LANDESK Security Suite is quite easy, and it should only take you a couple of minutes to set up your policy and get it deployed.

    1. Launch the LANDESK Console
    2. Go to Tools > Security and Compliance > Patch and compliance
    3. From the menu bar, select the first button that may be titled All Types, but could be Antivirus, Blocked applications, Custom definition, Driver, LANDESK update, Security threat, Software update, Spyware or Vulnerability. Select Blocked applications if not already selected.
    4. Expand out the Blocked applications (all items) menu tree
    5. Right-click on the Block folder and select Add File
    6. Insert “Install macOS Sierra.app” or whatever the final name of the OS installer is. Currently, the developer beta is “Install macOS Sierra Developer Beta.app”
    7. Check the box at the bottom that says Mac and uncheck the Windows box.
    8. If you don’t want to block the installer globally, click on the Block Status tab and select which Scopes the restriction should be applied to.
    9. Click OK.

Now that you have the blocked app definition created, you need to make sure the LANDESK security scanner has been enabled for blocked app scanning.  To validate this or to set this, go through the steps below:

  1. Go to Tools > Security and Compliance > Agent Settings
  2. From the All Agent Settings menu tree, click on Distribution and Patch
  3. Open the Distribution and Patch setting assigned to your Macs. If you have more than one, edit each one respectively.
  4. Go to the Scan Options section under Patch-only settings and make sure the Blocked applications checkbox is checked.
  5. Click Save

At this point, your machines will automatically receive the change and begin blocking the macOS installer the next time a security scan is initiated. If you created an entirely new Distribution and Patch setting, different from the one currently applied to the Mac, you’ll need to create a Change Agent Settings task.

  1. While still in the Agent Settings window, click on the Calendar/Clock icon (it’s the second one in the menu bar) and then select Change Settings.
  2. Give your task an appropriate name; I named mine “Blocked Apps Agent Settings”
  3. Find Distribution and Patch from the list on the right-hand side of the panel and click on the corresponding Keep agent’s current settings.
  4. Find your newly created Distribution and Patch setting and select it.
  5. Now set your desired Task Settings (policy, push, policy-supported push) and desired portal settings (required, recommended, optional). I used a policy-supported push and required.
  6. Add in your Targets
  7. Schedule your Change Settings task

That’s it.  Now, whenever someone attempts to launch the macOS Installer they’re going to get a nice Application Denied prompt like the one below.

[Screenshot: Application Denied prompt]