We help top organizations stay competitive, by implementing the latest disruptive technologies.

Latest Posts

Prevent Users from Installing macOS High Sierra using Ivanti Endpoint Security Suite 2017

Prevent Users from Installing macOS High Sierra using Ivanti Endpoint Security Suite 2017

Apple will release its next generation operating system macOS High Sierra, today, September 25, 2017.  If as an organization you’re not quite ready to introduce macOS High Sierra into your environments, i.e. you’re still trying to figure out if your AV, VPN, and your other critical business applications are fully functioning with macOS High Sierra, you can use Ivanti Security Suite to temporarily block the installer from running.  Going this route will give you the extra days/weeks you need to finish validating the OS without having to worry about who is going to install the update and be calling you tomorrow wondering why their VPN won’t work.

The process to block an application in Ivanti Security Suite is quite easy and should only take you a couple of minutes to setup your policy and get it deployed.

    1. Launch the Ivanti Console
    2. Go to Tools > Security and Compliance > Patch and complianceblocked-apps-menu
    3. From the menu bar, select the first button that may be titled All Types, but could be Antivirus, Blocked applications, Custom definition, Driver, LANDESK update, Security threat, Software update, Spyware or Vulnerability. Select Blocked applications if not already selected.
    4. Expand out the Blocked applications (all items) menu tree
    5. Right click on the Block folder and Add Fileadd-file-blocked-apps
    6. Insert “Install macOS High Sierra.app” or whatever the final name of the OS installer is. Currently, the developer beta is “Install macOS High Sierra Beta.app”
    7. Check the box at the bottom that says Mac and uncheck the Windows box.
    8. If you don’t want to block the installer globally, click on the Block Status tab at the tab and select which Scopes the restriction should be applied to.block-status-tab
    9. Click OK.

Now that you have the blocked app definition created, you need to make sure the Ivanti agent security scanner has been enabled for blocked app scanning.  To validate this or to set this, go through the steps below:

  1. Go to Tools > Security and Compliance > Agent Settings
  2. From the All Agent Settings menu tree, click on Distribution and Patchdist-and-patch-settings
  3. Open the Distribution and Patch setting assigned to your Macs. If you have more than one, edit each one respectively.
  4. Go to the Scan Options section under Patch-only settings and make sure the Blocked applications checkbox is checked.blocked-apps-settings-copy
  5. Click Save

At this point, your machines will automatically receive the change and begin blocking the macOS installer the next time a security scan is initiated. If you created an entirely new Distribution and Patch setting, different from the one currently applied to the Mac, you’ll need to create a Change Agent Settings task.

  1. While still in the Agent Settings window, click on the Calendar/Clock icon, it’s the second one in the menu bar and then select Change Settings.change-settings
  2. Give your task an appropriate name, I named mine “Blocked Apps Agent Settings”
  3. Find Distribution and Patch from the list on the right hand side of the panel and click on the corresponding Keep agent’s current settings.
  4. Find your newly created Distribution and Patch setting and select it.change-settings-drop-down
  5. Now set your desired Task Settings (policy, push, policy supported push) and desired portal settings (required, recommended,optional). I used a policy-supported push and required.
  6. Add in your Targets.
  7. Schedule your Change Settings task.

That’s it.  Now, whenever someone attempts to launch the macOS Installer they’re going to get a nice Application Denied prompt like the one below.

No Comments

Post A Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.