Santa Overslept Mac OS

broken image


In the past, I'd used the fake installer approach to stop users from upgrading to the newest macOS version.

  1. Santa Overslept Mac Os X
  2. Santa Overslept Mac Os Download
  3. Santa Overslept Mac Os 11
  4. Mac Os Versions
  5. Santa Overslept Mac Os Catalina

Enterprise Mac Security is a definitive, expert-driven update of the popular, slash-dotted first edition which was written in part as a companion to the SANS Institute course for Mac OS X. Anka is a virtualization engine for continuous integration on macOS. Combined with MacStadium's hosted Mac infrastructure you can set up and maintain your CI pipeline. COVID update: MacBlowouts has updated their hours and services. 64 reviews of MacBlowouts 'We bought a Beats pill from this site. The owner Ed was unbelievably accommodating and expedited our order beyond expectations. Open that app from your Applications folder to begin installing the operating system. MacOS Sierra 10.12 can upgrade El Capitan, Yosemite, Mavericks, Mountain Lion, or Lion; OS X El Capitan 10.11 can upgrade Yosemite, Mavericks, Mountain Lion, Lion, or Snow Leopard; OS X Yosemite 10.10 can upgrade Mavericks, Mountain Lion, Lion, or Snow Leopard. Get more done with the new Google Chrome. A more simple, secure, and faster web browser than ever, with Google's smarts built-in.

But with macOS 10.14 (Mojave), I started blocking using Santa (see Using Santa to block an .app for more details on general Santa use). It's likely this Santa-blocking approach also works for High Sierra and Sierra as well—I just haven't tested it on those.

Overslept

Santa Overslept Mac Os X

Just download Mojave to your Mac, and then run

santactl fileinfo /Applications/Install macOS Mojave.app --key SHA-256
to get the hash to block.

Then run a modified version of this command (substituting in the actual SHA-256 hash for the placeholder) to add it to the Santa blacklist:

/usr/local/bin/santactl rule --blacklist --sha256 'actuallonghashyougotfromthepreviouscommand'

We were able to test this on two Mojave installers downloaded using two separate Apple IDs, so the binary seems to be the same regardless of which Apple ID is used to download it.

If a user then tries to run the Mojave installer, she or he will see a message like this:

Again, since it's based on the binary (and since you don't want to block by Apple certificate—which you may not be able to do anyway with Santa?—so you have to block by binary), you would have to create a new rule for every new macOS installer that comes out (10.14, 10.14.1, 10.14.2, 10.14.3.. 10.15, 10.15.1.. 10.16.. and so on).

Special Note

Thanks to @elios (on Mac Admins Slack) for pointing out that this probably would not block the startosinstall binary from running. I was able to test and verify blocking the .app binary does not, in fact, block the startosinstall binary from running.

Also, by default, Santa will get the binary for InstallAssistant_springboard. If you want to be super aggressive, you might also want to block the InstallAssistant and InstallAssistant_plain binaries. Otherwise, the user can still run those two to get the GUI assistant to launch up.

Lego game with 1 lvl and its kinda trash (first project) mac os. So you really have to ask yourself how aggressively you want to block Mojave. Are you preventing users from just accidentally upgrading? Or do you want to prevent from upgrading even the most determined users who have admin privileges?

If you want to block startosinstall as well, you can do that. Just find (and subsequently block) the SHA-256 hash it:

santactl fileinfo /Applications/Install macOS Mojave.app/Contents/Resources/startosinstall --key SHA-256
santactl rule --blacklist --sha256 'actuallonghashyougotfromthepreviouscommand'

Santa Overslept Mac Os Download

One advantage you get from

Santa Overslept Mac Os 11

not blocking startosinstall

Mac Os Versions

Mac os mojave

Santa Overslept Mac Os X

Just download Mojave to your Mac, and then run

santactl fileinfo /Applications/Install macOS Mojave.app --key SHA-256
to get the hash to block.

Then run a modified version of this command (substituting in the actual SHA-256 hash for the placeholder) to add it to the Santa blacklist:

/usr/local/bin/santactl rule --blacklist --sha256 'actuallonghashyougotfromthepreviouscommand'

We were able to test this on two Mojave installers downloaded using two separate Apple IDs, so the binary seems to be the same regardless of which Apple ID is used to download it.

If a user then tries to run the Mojave installer, she or he will see a message like this:

Again, since it's based on the binary (and since you don't want to block by Apple certificate—which you may not be able to do anyway with Santa?—so you have to block by binary), you would have to create a new rule for every new macOS installer that comes out (10.14, 10.14.1, 10.14.2, 10.14.3.. 10.15, 10.15.1.. 10.16.. and so on).

Special Note

Thanks to @elios (on Mac Admins Slack) for pointing out that this probably would not block the startosinstall binary from running. I was able to test and verify blocking the .app binary does not, in fact, block the startosinstall binary from running.

Also, by default, Santa will get the binary for InstallAssistant_springboard. If you want to be super aggressive, you might also want to block the InstallAssistant and InstallAssistant_plain binaries. Otherwise, the user can still run those two to get the GUI assistant to launch up.

Lego game with 1 lvl and its kinda trash (first project) mac os. So you really have to ask yourself how aggressively you want to block Mojave. Are you preventing users from just accidentally upgrading? Or do you want to prevent from upgrading even the most determined users who have admin privileges?

If you want to block startosinstall as well, you can do that. Just find (and subsequently block) the SHA-256 hash it:

santactl fileinfo /Applications/Install macOS Mojave.app/Contents/Resources/startosinstall --key SHA-256
santactl rule --blacklist --sha256 'actuallonghashyougotfromthepreviouscommand'

Santa Overslept Mac Os Download

One advantage you get from

Santa Overslept Mac Os 11

not blocking startosinstall

Mac Os Versions

is that you can still block users from double-clicking to install Mojave but not have Santa try to block Munki from installing Mojave, even if you have the InstallAssistant_springboard

Santa Overslept Mac Os Catalina

blocked.

If you block startosinstall, then try to install the upgrade with Munki, you'll see it mount the .dmg, then stop. The log entries will look something like this:

### Beginning os installer session ###
Starting macOS upgrade..
Mounting disk image Install macOS Mojave-10.14.2.dmg
[Errno 1] Operation not permitted
Starting macOS install failed with return code 1
ERROR: ------------------------------------------------------------------------------
ERROR: [Errno 1] Operation not permitted
ERROR: ------------------------------------------------------------------------------
ERROR: Error starting macOS install: startosinstall failed with return code 1
### Ending os installer session ###




broken image