The Catalina 10.15.5 Update & 2020-003 Security Updates remove the ability to use softwareupdate --ignore for Major Updates. The --ignore flag for Minor Updates is now deprecated.
UPDATE 7/16/20 – Apple just released Catalina 10.15.6 and Security Updates 2020-004. Apple listened to us and reverted the changes made in 10.15.5 and 2020-003 (with a caveat). After installing 10.15.6 or the 2020-004 updates, you can once again use softwareupdate --ignore to block minor and major updates, as long as the Mac is enrolled in Apple School Manager, Apple Business Manager or a User Approved MDM.
Catalina 10.15.6 Update – mrmacintosh.com/whats-new-in-the-macos-catalina-10-15-6-update-19g73/
Security Update 2020-004 for 10.13 & 10.14 – mrmacintosh.com/security-update-2020-004-for-mojave-10-14-high-sierra-10-13-released/
Managing macOS in Enterprise or Education is a tough job no matter how you look at it. One of the toughest things that we have to deal with is 3rd party software. On top of that, macOS updates & upgrades can cause additional problems. If you are a regular reader of this blog, you know what I’m talking about. 3rd party software is mission critical, and needs to run without issues. We need the ability to test new macOS Software Updates and Upgrades, any of which could break that critical software and cause major problems. A few points:
- If we find a problem with 3rd party software after installing an update, we would need to reach out to the vendor. The fix might take longer than 90 days.
- A macOS Update causes a big problem, so bad that we immediately need to block it. Sometimes it takes 2-5 months for Apple to implement the fix in the next point release update.
- Your Mac needs to be Supervised / Enrolled in an MDM, or you won’t be able to hide the Major Update (10.15.4+).
- macOS does NOT have an Update Recovery Ability. If something goes wrong after an update, we do NOT have any way to revert back to a previous update!!!
Table of Contents
- 1. UPDATES!
- 2. 10.15.5 & 2020-003 Update Changes.
- 3. Right now, this only affects macOS Mojave
- 4. What about High Sierra 10.13?
- 5. Blocking the 2020-003 Security Update
- 6. Catalina 10.15.5 Changes
- 7. How can we ignore Updates and Upgrades in the future? (10.15.4+)
- 8. System Preferences Icon Red Dot Notification (How To get rid of it)
- 9. Don’t like this change? What can you do?
1. UPDATES!
UPDATE 6/9/20 – 10.15.6 Beta 2 (19G46c) was released today. The softwareupdate --ignore flag was changed to include some changes that we asked for! Be sure to check the AppleSeed Beta notes for all the details. I am still checking to see if the change will make it to Mojave 10.14.
UPDATE 5/28/20 – I ran a quick test on a 10.14.6 (2020-002) Mojave Mac. First I used the command softwareupdate --ignore "macOS Catalina" to ignore the macOS Catalina Upgrade. The Upgrade disappeared from System Preferences > Software Update. I then installed a configuration profile that used the restrictions payload that deferred updates for 90 days. I installed the 2020-003 security update. Catalina showed up in System Preferences > Software Update. This can only mean one of two things…
- 1. A Mojave Mac with 2020-003 installed can now understand the new MDM Profile “Major Update” deferral. The Upgrade shows up because we are more than 90 days away from when Catalina was released.
- 2. We are taking this sentence literally “Starting with macOS 10.15.4, major releases of macOS can be deferred for up to 90 days using MDM.” Meaning the change was not backported to 10.14 and we will be unable to ignore 10.16 on Mojave.
- I have reached out to Apple for clarification on this.
2. 10.15.5 & 2020-003 Update Changes.
Let’s jump right in and look at the new changes.
Before I do, I need to do a quick shout out to @bp Balmes Pavlov
Balmes first called this out on April 16th, and really took a deep dive into this upcoming change.
The changes are here now, so let’s take a look at the 10.15.5 patch notes.
“Major Releases of macOS are no longer hidden when using the softwareupdate command with the --ignore flag”.
- Updates are considered 10.15.4 > 10.15.5.
- Major Releases or Upgrades are considered 10.14 > 10.15.
Notice how at the bottom of the note it says, “This change also affects macOS Mojave and macOS High Sierra after installing Security Update 2020-003”.
3. Right now, this only affects macOS Mojave
The direct impact of this update is to macOS Mojave. If you are running 10.14.6 and have the 2020-002 Security update installed, you can block macOS Catalina with softwareupdate --ignore "macOS Catalina"
After running the above command, macOS Catalina will not show up in System Preferences > Software Update.
This is what the Software Update Pane will look like in 10.14.6 before installing 2020-003.
After installing 2020-003, this is what the Software Update pane will look like.
This leaves macOS 10.14.6 with very few options if you want to block users from upgrading to macOS Catalina.
- Turn Off Automatic Updates (manually deploy updates)
- Hide/Block the Software Update Preference Pane
- Software Restrictions on “Install macOS Catalina.app”
4. What about High Sierra 10.13?
The 10.15.5 patch notes specifically mention High Sierra. For Software Updates, 10.13 still uses the App Store Preference Pane. When you click on it, you go right to the App Store updates tab. macOS Catalina is NOT listed anywhere in the “updates” section.
High Sierra and Sierra used notification banners.
If you wanted to block the banners on High Sierra and Sierra, you would run the following command.
sudo softwareupdate --ignore "macOSInstallerNotification_GM"
You will now run into another problem after installing the 2020-003 Update.
Ignoring software updates is deprecated.
The ability to ignore individual updates will be removed in a future release of macOS
Reading that deprecation note, it looks like we will not only lose the ability to use the --ignore flag for Major updates (right now on 10.15.5 & 10.14) but also for point updates in the future (10.16).
5. Blocking the 2020-003 Security Update
If you would like to block the 2020-003 Security update, run the following command.
softwareupdate --ignore "Security Update 2020-003"
- The Mac App Store (10.13) & System Preferences > Software Update (10.14) will respect the --ignore option.
6. Catalina 10.15.5 Changes
This change does not really affect Catalina right now. The problem will come when 10.16 is released.
You will not be able to use
softwareupdate --ignore "macOS 10.16"
7. How can we ignore Updates and Upgrades in the future? (10.15.4+)
Apple is providing something for 10.15.4+ users.
Starting with macOS 10.15.4, major releases of macOS can be deferred for up to 90 days using MDM.
Apple Patch Notes
The forceDelayedSoftwareUpdates key in the Restrictions payload will now apply to major OS versions in addition to software updates.
Apple Patch Notes
We already have the MDM Key forceDelayedSoftwareUpdates, but after installing 10.15.4 you can now defer Major Upgrades for up to 90 Days.
Once macOS 10.16 is live, you will be able to hide the Major (Upgrade) and Minor (Point Release) Updates for 90 Days.
8. System Preferences Icon Red Dot Notification
HT goes out to Jeff Johnson who first investigated this earlier today.
lapcatsoftware.com/articles/software-update.html
He called out that even though we can’t block the Catalina Update in System Preferences, we might still want to remove the Red Dot Notification.
Check out his article to find out how to disable the notification.
HT also goes out to this guy who first documented the fix.
tinyapps.org/blog/202005070700_remove_catalina_notification_badge.html
UPDATE 5/28/20 – A MacRumors forum user found a new way to block the notification.
I did by editing com.apple.dock.plist
changed “dock-extra” from YES to NO for system preferences and no more red annoyance.
MacRumors Forum User VTRN
9. Don’t like this change? What can you do?
Please let Apple know NOW, not later (10.16 is coming in one month!).
- Apple Enterprise Ticket
- Apple FeedBack Assistant
- If you have an Apple SE assigned to your company, talk to them.
- AppleSeed for IT: macOS Deployment & Management Survey (this survey is available for AppleSeed for IT participants and can only be taken in the FeedBack Assistant.app)
None of the latest options to ignore or block the red macOS Installer Notification are working. You either have to use MDM or the ‘Big Sur Blocker’ https://github.com/hjuutilainen/bigsurblocker.
Another quick workaround is to create and add an Alias from ‘System Preferences’ to the Dock. Open Applications → Select System Preferences and create an Alias. Move the Alias to the Dock. The Alias does not show the Badge Icon. It is not an ideal option, though. The recurring macOS System Updates still show up. Apple really tries to push users with annoying notifications to the latest version.
Is there any option to ignore the Catalina specific security new patch?
Not working in Catalina:
softwareupdate --ignore "macOS Catalina"
‘sudo /usr/sbin/softwareupdate --set-catalog’ no longer works in Big Sur Beta 8.
You’ll see: ‘Catalog management is no longer supported’
The following command no longer works in 10.15.5
“softwareupdate --fetch-full-installer --full-installer-version 10.14.6”
It gives the following error.
SUPreferenceManager: Failed to set object of class: __NSCFConstantString for key: LastRecommendedMajorOSBundleIdentifier with error: Error Domain=SUPreferenceManagerErrorDomain Code=1 “(null)”
Any ideas?
Sorry, the actual command I’m using is…
“softwareupdate -d --fetch-full-installer --full-installer-version 10.15.5”
Same issue here
Security Update 2020-003 High Sierra seems to have disabled my Mac’s access to Airplay 1 devices (Airplay 2 still ok). And iOS can still connect to the Airplay 1 devices. Anyone else?
Dear Apple Management,
Somehow you have adopted a wrong-minded policy wrt macOS updates/upgrades. Perhaps you have fallen under the spell of a charlatan, or perhaps you think “you know what’s best” – or perhaps you just aren’t thinking at all right now. Whatever the case, let me share something with you: As a customer, I will not tolerate a computer manufacturer who seeks to deny me the right to make my own decisions regarding my computing environment. Whoever, or whatever, led you to believe that your customers want YOU to make all the decisions has badly deceived you. The path you are currently on leads to ruin my friend. Please consider your options carefully from this point forward.
Sincerely,
~S
Simple question — if I install 003, and have automatic updates turned off, will there be a Notifications popup for Catalina like pictured above in Section 4 for High Sierra?
I’ve learned to subconsciously ignore red badges and don’t have the System Preferences in my Dock, so they don’t bother me.
What would be annoying would be notifications that appear daily, and must be dismissed, like those from the Notifications Center.
As an Apple user who started with a ][+, it’s ironic to see that the company has morphed into the old IBM and Microsoft in many ways, users are not allowed to “Think Different,” and must conform to the prescribed path that Apple dictates, with poorly QAed software as the cherry on top. We users are now represented by the audience in the 1984 commercial, not the hammer thrower.
YES! After installing the 2020-003 Security update the Catalina upgrade will still show up in Software Update even if you have “Check for Updates” off. Keep in mind, just opening up the Software Update Preference Pane does a check so that is probably the reason why. It’s kind of like running softwareupdate -l.
Is there a command to ignore Security Update 2020-003 from the App Store when you are on High Sierra?
Steve,
Great question. If you run softwareupdate --ignore "Security Update 2020-003", High Sierra’s version of the App Store will also ignore the update!
Thank you!! Took me a few tries, but it worked – only after I opened the App Store again.
Thank you for bringing this to our attention. When did Apple decide Apple users are not power users? Mission critical 3rd party software does not seem to be essential to Apple.
Well, this basically leaves me with the Restricted Software feature to block running major updates. Users can still download it, but I’ll kill the install.
I updated to this version and it was a bad mistake. I’m still in High Sierra because of my Nvidia CUDA driver and this update made it stop working. I hope Nvidia comes out with a new Web Driver update soon.
What about blocking all URLs for Softwareupdates on my own Gateway/Localnetwork? Like these: swcdn.apple.com
updates.cdn-apple.com