Nine41 Consulting | Prevent Users from Installing macOS High Sierra using Ivanti Endpoint Security Suite 2017

Prevent Users from Installing macOS High Sierra using Ivanti Endpoint Security Suite 2017

Apple releases its next-generation operating system, macOS High Sierra, today, September 25, 2017. If your organization isn’t quite ready to introduce macOS High Sierra into its environment, for example because you’re still verifying that your AV, VPN, and other critical business applications function fully with it, you can use Ivanti Security Suite to temporarily block the installer from running. Going this route gives you the extra days or weeks you need to finish validating the OS, without having to worry about who is going to install the update and call you tomorrow wondering why their VPN won’t work.

The process to block an application in Ivanti Security Suite is quite easy; it should only take you a couple of minutes to set up your policy and get it deployed.

    1. Launch the Ivanti Console
    2. Go to Tools > Security and Compliance > Patch and compliance
    3. From the menu bar, select the first button. It may be titled All Types, but could also be Antivirus, Blocked applications, Custom definition, Driver, LANDESK update, Security threat, Software update, Spyware or Vulnerability. Select Blocked applications if it is not already selected.
    4. Expand out the Blocked applications (all items) menu tree
    5. Right click on the Block folder and select Add File
    6. Insert “Install macOS High Sierra.app” or whatever the final name of the OS installer is. Currently, the developer beta is “Install macOS High Sierra Beta.app”
    7. Check the box at the bottom that says Mac and uncheck the Windows box.
    8. If you don’t want to block the installer globally, click on the Block Status tab and select which Scopes the restriction should be applied to.
    9. Click OK.
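
The definition in step 6 is keyed on the installer's file name, so it is worth checking on a test Mac that every High Sierra installer bundle present is covered, for instance once the beta name gives way to the final one. The script below is an added example, not part of the original post or of Ivanti's tooling; it assumes the definition matches the name exactly as entered, and `BLOCKED_NAMES`, `is_blocked` and `audit_installers` are illustrative names.

```shell
#!/bin/sh
# Added example (not from the original post): audit a folder for High Sierra
# installer bundles and report whether each name is covered by the block list.

# Assumption: one entry per line, mirroring the names typed into Add File (step 6).
: "${BLOCKED_NAMES:=Install macOS High Sierra.app}"

# is_blocked NAME: succeeds only if NAME equals a blocked entry exactly.
is_blocked() {
    printf '%s\n' "$BLOCKED_NAMES" | grep -Fxq -- "$1"
}

# audit_installers DIR: prints "BLOCKED<TAB>name" or "UNCOVERED<TAB>name" for
# every installer bundle in DIR; returns 1 if any bundle is not covered.
audit_installers() {
    dir=$1
    uncovered=0
    for app in "$dir"/Install\ macOS\ High\ Sierra*.app; do
        [ -d "$app" ] || continue        # skip the unexpanded glob / non-bundles
        name=$(basename "$app")
        if is_blocked "$name"; then
            printf 'BLOCKED\t%s\n' "$name"
        else
            printf 'UNCOVERED\t%s\n' "$name"
            uncovered=1
        fi
    done
    return "$uncovered"
}

# Run against a folder when one is given, e.g.: sh audit.sh /Applications
if [ "$#" -gt 0 ]; then
    audit_installers "$1"
fi
```

A non-zero exit status means at least one installer name on disk has no matching entry, so the block definition needs another file added.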

Now that you have the blocked app definition created, you need to make sure the Ivanti agent security scanner has been enabled for blocked app scanning.  To validate this or to set this, go through the steps below:

  1. Go to Tools > Security and Compliance > Agent Settings
  2. From the All Agent Settings menu tree, click on Distribution and Patch
  3. Open the Distribution and Patch setting assigned to your Macs. If you have more than one, edit each one respectively.
  4. Go to the Scan Options section under Patch-only settings and make sure the Blocked applications checkbox is checked.
  5. Click Save

At this point, your machines will automatically receive the change and begin blocking the macOS installer the next time a security scan is initiated. If you created an entirely new Distribution and Patch setting, different from the one currently applied to the Mac, you’ll need to create a Change Agent Settings task.

  1. While still in the Agent Settings window, click on the Calendar/Clock icon (the second one in the menu bar), then select Change Settings.
  2. Give your task an appropriate name. I named mine “Blocked Apps Agent Settings”.
  3. Find Distribution and Patch in the list on the right-hand side of the panel and click on the corresponding Keep agent’s current settings.
  4. Find your newly created Distribution and Patch setting and select it.
  5. Now set your desired Task Settings (policy, push, policy-supported push) and desired portal settings (required, recommended, optional). I used a policy-supported push and required.
  6. Add in your Targets.
  7. Schedule your Change Settings task.

That’s it.  Now, whenever someone attempts to launch the macOS Installer they’re going to get a nice Application Denied prompt like the one below.
