├── .gitignore ├── CONTRIBUTING.md ├── LICENSE ├── Management profiles ├── dk.envo-it.sonomablocker.plist └── sonomablocker profile.mobileconfig ├── README.md ├── screenshot.png ├── sonomablocker-pkg ├── build-blockerPkg.sh ├── payload │ ├── Library │ │ └── LaunchAgents │ │ │ └── dk.envo-it.sonomablocker.plist │ └── usr │ │ └── local │ │ └── bin │ │ └── sonomablocker └── scripts │ └── postinstall ├── sonomablocker-remove.sh ├── sonomablocker.xcodeproj ├── project.pbxproj ├── project.xcworkspace │ ├── contents.xcworkspacedata │ ├── xcshareddata │ │ └── IDEWorkspaceChecks.plist │ └── xcuserdata │ │ └── st.xcuserdatad │ │ └── UserInterfaceState.xcuserstate ├── xcshareddata │ └── xcschemes │ │ └── sonomablocker.xcscheme └── xcuserdata │ └── st.xcuserdatad │ └── xcschemes │ └── xcschememanagement.plist └── sonomablocker ├── main.m └── sonomablocker.entitlements /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | .DS_Store 3 | *.pkg 4 | 5 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing to venturablocker 2 | 3 | ## Pull Requests (PRs) 4 | 5 | If you know of improvements to this app, please post a PR. 6 | 7 | ## Issues 8 | 9 | If you encounter an issue please document it and write an issue. 10 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 Hannes Juutilainen 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /Management profiles/dk.envo-it.sonomablocker.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | AlertTitle 6 | macOS 14 Sonoma installation prohibited 7 | AlertText 8 | We do not currently support macOS 14 Sonoma in our configurations, so it has been blocked for installation until further notice. 9 | 10 | 11 | -------------------------------------------------------------------------------- /Management profiles/sonomablocker profile.mobileconfig: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | PayloadContent 6 | 7 | 8 | PayloadDisplayName 9 | Service Management - Managed Login Items 10 | PayloadIdentifier 11 | com.apple.servicemanagement.B653ECAA-68F3-4A6C-BF95-9CD9C33F7B29 12 | PayloadType 13 | com.apple.servicemanagement 14 | PayloadUUID 15 | B653ECAA-68F3-4A6C-BF95-9CD9C33F7B29 16 | PayloadVersion 17 | 1 18 | Rules 19 | 20 | 21 | RuleType 22 | Label 23 | RuleValue 24 | dk.envo-it.sonomablocker 25 | 26 | 27 | 28 | 29 | PayloadDisplayName 30 | sonomablocker profile 31 | PayloadIdentifier 32 | dk.envo-it.sonomablocker 33 | PayloadScope 34 | System 35 | PayloadType 36 | Configuration 37 | PayloadUUID 38 | D5B272D2-E4BE-400E-8E9D-82D9486C5853 39 | PayloadVersion 40 | 1 41 | 42 | 43 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Sonoma Blocker 2 | 3 | Blocking macOS 14 Sonoma installer 4 | 5 | Detect when `Install macOS Sonoma.app` installer application has launched, terminate the process and display an alert. 6 | 7 | _This project is totally copied from the original `bigsurblocker` from which I made `montereyblocker`, then `venturablocker`, and now also `sonomablocker`._ 8 | 9 | _See [hjuutilainen/bigsurblocker](https://github.com/hjuutilainen/bigsurblocker) for the original software for blocking Big Sur and README there._ 10 | 11 | ## Guide available 12 | 13 | [HCS Technology Group](https://hcsonline.com) has made a guide available on how to set this up. [Read it here](https://docs.hcsonline.com/SonomaBlocker). 14 | 15 | ## Why 16 | 17 | Apple wants end users to upgrade to the latest macOS as soon as it becomes available. Depending on the software and policies your organization uses, this might be unacceptable. Apple is limiting the options, and now we basically only have this solution left, if users are admins on their computer: 18 | 19 | - Use an MDM to push a profile to delay updates for maximum of 90 days. This will however postpone _all_ updates, not just the macOS upgrade. 20 | 21 | But this option does not prevent users from downloading the full installer, and run that to upgrade their system, and this is where Sonoma Blocker fits in. 22 | 23 | ## How 24 | 25 | The `sonomablocker` binary is installed in `/usr/local/bin` and is launched for each user through a launch agent. This means that the binary is running in the user session and therefore has the privileges of the current user. It runs silently in the background and listens for app launch notifications. As soon as the user launches the macOS installer application, the binary (forcefully) terminates it and displays a warning message. 26 | 27 | By design, it will _not_ block the `startosinstall` command line tool. 28 | 29 | __This app only block the app installer, so in order to prevent the users from upgrading through the Software Update mechanisms, a management profile to delay major upgrades has to be deployed to the machines. Remember that is limited to 90 days__ 30 | 31 | ## Requirements 32 | 33 | The binary requires at least macOS 11. 34 | 35 | ## Management profiles 36 | 37 | All configuration is optional. 38 | 39 | Management profile for making sure [Blocker is not disabled by the user](Management%20profiles/sonomablocker%20profile.mobileconfig) (for MDM systems.) 40 | 41 | Profile for [custom Blocker alert settings](Management%20profiles/dk.envo-it.sonomablocker.plist) (deployed as custom settings in a MDM system.) 42 | 43 | ## Installation 44 | 45 | On macOS 11 and later, download a prebuilt package from the [Releases page](releases) and deploy with your favorite method. The package is signed and notarized. 46 | 47 | ## Uninstall 48 | 49 | To fully uninstall `sonomablocker`, run the script `[sonomablocker-remove.sh](sonomablocker-remove.sh)` (as root or with `sudo`) or deploy through MDM. 50 | 51 | ## License 52 | 53 | Sonoma Blocker is licensed under [the MIT License](LICENSE), just as the original software. 54 | 55 | 56 | 57 | 58 | The rest of this README is from that original project: 59 | 60 | # Original README 61 | 62 | This project is heavily inspired by Erik Berglund's [AppBlocker](https://github.com/erikberglund/AppBlocker). It uses the same underlying idea of registering and listening for NSWorkspace notifications when app has started up and then checking the CFBundleIdentifier of the launched app to identify a Big Sur installer launch. 63 | 64 | # Why 65 | 66 | Apple wants end users to upgrade to the latest macOS as soon as it becomes available. Depending on the software and policies your organization uses, this might be unacceptable. As an administrator, you currently have some options: 67 | - Use an MDM to push a profile to delay updates for maximum of 90 days. This will however postpone _all_ updates, not just the macOS upgrade. 68 | - If your fleet is enrolled in an MDM, you can use `softwareupdate --ignore` to hide certain updates. This will result in a highly broken user experience where the system thinks it has an update pending but it is unable to download and install it. Apple has also decided that only MDM enrolled systems can use the `--ignore` flag. 69 | - If you are already using a binary authorization system such as Googles [Santa](https://github.com/google/santa), you should use it but deploying a system like Santa only for blocking Big Sur might be unfeasible. 70 | 71 | # How 72 | 73 | The `bigsurblocker` binary is installed in `/usr/local/bin` and is launched for each user through a launch agent. This means that the binary is running in the user session and therefore has the privileges of the current user. It runs silently in the background and listens for app launch notifications. As soon as the user launches the macOS installer application, the binary (forcefully) terminates it and displays a warning message. 74 | 75 | By design, it will _not_ block the `startosinstall` command line tool. 76 | 77 | # Requirements 78 | 79 | The binary requires at least macOS 10.9, however it has been tested only on macOS 10.10, 10.11, 10.12, 10.13, 10.14 and 10.15. 80 | 81 | Note. It seems that macOS 10.10 and 10.11 have trouble installing a signed and notarized package. Use the unsigned package available from the releases page if deploying on those. The signed and notarized package can be used on macOS 10.12 and later. 82 | 83 | # Configuration 84 | 85 | All configuration is optional. If needed, the alert title and text can be set through a configuration profile. Use `com.hjuutilainen.bigsurblocker` as the domain and `AlertTitle` and `AlertText` as the keys. 86 | 87 | # Installation 88 | 89 | On macOS 10.12 and later, download a prebuilt package from the [Releases page](https://github.com/hjuutilainen/bigsurblocker/releases) and deploy with your favorite method. The package is signed and notarized. 90 | 91 | On OS X 10.11 and earlier, download and deploy an unsigned package from the [Releases page](https://github.com/hjuutilainen/bigsurblocker/releases) and deploy with your favorite method 92 | 93 | # Uninstall 94 | 95 | To fully uninstall `bigsurblocker`, run the following (as root or with sudo): 96 | 97 | ``` 98 | current_user_uid=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/UID :/ && ! /loginwindow/ { print $3 }' ) 99 | 100 | launchd_item_path="/Library/LaunchAgents/com.hjuutilainen.bigsurblocker.plist" 101 | launchctl bootout gui/${current_user_uid} "${launchd_item_path}" 102 | 103 | rm -f /Library/LaunchAgents/com.hjuutilainen.bigsurblocker.plist 104 | rm -f /usr/local/bin/bigsurblocker 105 | 106 | pkgutil --forget com.hjuutilainen.bigsurblocker 107 | ``` 108 | 109 | # License 110 | 111 | Big Sur Blocker is licensed under [the MIT License](https://github.com/hjuutilainen/bigsurblocker/blob/main/LICENSE). 112 | -------------------------------------------------------------------------------- /screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Theile/sonomablocker/e183294805017abf30a0e7ca5497da99cbda220b/screenshot.png -------------------------------------------------------------------------------- /sonomablocker-pkg/build-blockerPkg.sh: -------------------------------------------------------------------------------- 1 | #!/bin/zsh 2 | 3 | # MARK: Constants 4 | 5 | # package 6 | pkgname="sonomablocker" 7 | version="20230921" 8 | identifier="dk.envo-it.${pkgname}" 9 | install_location="/" 10 | signature="Developer ID Installer: ENVO IT AS (FXW6QXBFW5)" 11 | 12 | # notarization 13 | dev_keychain_label="notary-envoit" 14 | 15 | #setup some folders 16 | dir=$(dirname ${0:A}) 17 | 18 | # MARK: build a pkg 19 | echo "# building installer package" 20 | 21 | payloadfolder="$dir/payload" 22 | scriptsfolder="$dir/scripts" 23 | 24 | # build the component package 25 | pkgpath="${dir}/${pkgname}.pkg" 26 | 27 | pkgbuild --root "${payloadfolder}" \ 28 | --scripts "${scriptsfolder}" \ 29 | --identifier "${identifier}" \ 30 | --version "${version}" \ 31 | --install-location "${install_location}" \ 32 | "${pkgpath}" 33 | 34 | # NOTE: build the product archive 35 | 36 | productpath="${dir}/${pkgname}-${version}.pkg" 37 | echo "# Generating ${productpath}" 38 | 39 | productbuild --package "${pkgpath}" \ 40 | --version "${version}" \ 41 | --identifier "${identifier}" \ 42 | --sign "${signature}" \ 43 | "${productpath}" 44 | 45 | # clean the component pkgname 46 | rm "$pkgpath" 47 | 48 | 49 | # MARK: notarize 50 | 51 | # upload for notarization 52 | notaryResult=$(xcrun notarytool submit "$productpath" --keychain-profile "$dev_keychain_label" --wait) 53 | 54 | echo $notaryResult 55 | 56 | if [[ "$(echo "$notaryResult" | tail -1 | grep "status:" | cut -d ":" -f2)" == " Invalid" ]]; then 57 | notaryId=$(echo "$notaryResult" | tail -2 | grep "id:" | cut -d ":" -f2 | tr -d '[:space:]') 58 | xcrun notarytool log $notaryId --keychain-profile "$dev_keychain_label" 59 | fi 60 | 61 | # NOTE: staple result 62 | echo "# Stapling $productpath" 63 | xcrun stapler staple "$productpath" 64 | 65 | exit $exit_code 66 | -------------------------------------------------------------------------------- /sonomablocker-pkg/payload/Library/LaunchAgents/dk.envo-it.sonomablocker.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Label 6 | dk.envo-it.sonomablocker 7 | ProgramArguments 8 | 9 | /usr/local/bin/sonomablocker 10 | 11 | RunAtLoad 12 | 13 | KeepAlive 14 | 15 | LimitLoadToSessionType 16 | Aqua 17 | 18 | 19 | -------------------------------------------------------------------------------- /sonomablocker-pkg/payload/usr/local/bin/sonomablocker: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Theile/sonomablocker/e183294805017abf30a0e7ca5497da99cbda220b/sonomablocker-pkg/payload/usr/local/bin/sonomablocker -------------------------------------------------------------------------------- /sonomablocker-pkg/scripts/postinstall: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [[ $3 != "/" ]]; then 4 | exit 0 5 | fi 6 | 7 | launchd_item_path="/Library/LaunchAgents/dk.envo-it.sonomablocker.plist" 8 | 9 | current_user_uid=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/UID :/ && ! /loginwindow/ { print $3 }' ) 10 | 11 | chmod 644 "${launchd_item_path}" 12 | launchctl bootout gui/${current_user_uid} "${launchd_item_path}" > /dev/null 2>&1 13 | launchctl bootstrap gui/${current_user_uid} "${launchd_item_path}" 14 | #launchctl load gui/${current_user_uid} "${launchd_item_path}" 15 | 16 | exit 0 17 | -------------------------------------------------------------------------------- /sonomablocker-remove.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | current_user_uid=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/UID :/ && ! /loginwindow/ { print $3 }' ) 4 | 5 | launchd_item_path="/Library/LaunchAgents/dk.envo-it.sonomablocker.plist" 6 | launchctl bootout gui/${current_user_uid} "${launchd_item_path}" 7 | 8 | rm -f "$launchd_item_path" 9 | rm -f /usr/local/bin/sonomablocker 10 | 11 | pkgutil --forget dk.envo-it.sonomablocker 12 | -------------------------------------------------------------------------------- /sonomablocker.xcodeproj/project.pbxproj: -------------------------------------------------------------------------------- 1 | // !$*UTF8*$! 2 | { 3 | archiveVersion = 1; 4 | classes = { 5 | }; 6 | objectVersion = 50; 7 | objects = { 8 | 9 | /* Begin PBXBuildFile section */ 10 | 265C5173253C6D6700D868C4 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = 265C5172253C6D6700D868C4 /* main.m */; }; 11 | /* End PBXBuildFile section */ 12 | 13 | /* Begin PBXCopyFilesBuildPhase section */ 14 | 265C516D253C6D6700D868C4 /* CopyFiles */ = { 15 | isa = PBXCopyFilesBuildPhase; 16 | buildActionMask = 2147483647; 17 | dstPath = /usr/share/man/man1/; 18 | dstSubfolderSpec = 0; 19 | files = ( 20 | ); 21 | runOnlyForDeploymentPostprocessing = 1; 22 | }; 23 | /* End PBXCopyFilesBuildPhase section */ 24 | 25 | /* Begin PBXFileReference section */ 26 | 265C516F253C6D6700D868C4 /* sonomablocker */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = sonomablocker; sourceTree = BUILT_PRODUCTS_DIR; }; 27 | 265C5172253C6D6700D868C4 /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = ""; }; 28 | 70848CD226738155008A3EE0 /* sonomablocker.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = sonomablocker.entitlements; sourceTree = ""; }; 29 | /* End PBXFileReference section */ 30 | 31 | /* Begin PBXFrameworksBuildPhase section */ 32 | 265C516C253C6D6700D868C4 /* Frameworks */ = { 33 | isa = PBXFrameworksBuildPhase; 34 | buildActionMask = 2147483647; 35 | files = ( 36 | ); 37 | runOnlyForDeploymentPostprocessing = 0; 38 | }; 39 | /* End PBXFrameworksBuildPhase section */ 40 | 41 | /* Begin PBXGroup section */ 42 | 265C5166253C6D6700D868C4 = { 43 | isa = PBXGroup; 44 | children = ( 45 | 265C5171253C6D6700D868C4 /* sonomablocker */, 46 | 265C5170253C6D6700D868C4 /* Products */, 47 | ); 48 | sourceTree = ""; 49 | }; 50 | 265C5170253C6D6700D868C4 /* Products */ = { 51 | isa = PBXGroup; 52 | children = ( 53 | 265C516F253C6D6700D868C4 /* sonomablocker */, 54 | ); 55 | name = Products; 56 | sourceTree = ""; 57 | }; 58 | 265C5171253C6D6700D868C4 /* sonomablocker */ = { 59 | isa = PBXGroup; 60 | children = ( 61 | 70848CD226738155008A3EE0 /* sonomablocker.entitlements */, 62 | 265C5172253C6D6700D868C4 /* main.m */, 63 | ); 64 | path = sonomablocker; 65 | sourceTree = ""; 66 | }; 67 | /* End PBXGroup section */ 68 | 69 | /* Begin PBXNativeTarget section */ 70 | 265C516E253C6D6700D868C4 /* sonomablocker */ = { 71 | isa = PBXNativeTarget; 72 | buildConfigurationList = 265C5176253C6D6700D868C4 /* Build configuration list for PBXNativeTarget "sonomablocker" */; 73 | buildPhases = ( 74 | 265C516B253C6D6700D868C4 /* Sources */, 75 | 265C516C253C6D6700D868C4 /* Frameworks */, 76 | 265C516D253C6D6700D868C4 /* CopyFiles */, 77 | ); 78 | buildRules = ( 79 | ); 80 | dependencies = ( 81 | ); 82 | name = sonomablocker; 83 | productName = bigsurblocker; 84 | productReference = 265C516F253C6D6700D868C4 /* sonomablocker */; 85 | productType = "com.apple.product-type.tool"; 86 | }; 87 | /* End PBXNativeTarget section */ 88 | 89 | /* Begin PBXProject section */ 90 | 265C5167253C6D6700D868C4 /* Project object */ = { 91 | isa = PBXProject; 92 | attributes = { 93 | LastUpgradeCheck = 1250; 94 | TargetAttributes = { 95 | 265C516E253C6D6700D868C4 = { 96 | CreatedOnToolsVersion = 12.2; 97 | }; 98 | }; 99 | }; 100 | buildConfigurationList = 265C516A253C6D6700D868C4 /* Build configuration list for PBXProject "sonomablocker" */; 101 | compatibilityVersion = "Xcode 9.3"; 102 | developmentRegion = en; 103 | hasScannedForEncodings = 0; 104 | knownRegions = ( 105 | en, 106 | Base, 107 | ); 108 | mainGroup = 265C5166253C6D6700D868C4; 109 | productRefGroup = 265C5170253C6D6700D868C4 /* Products */; 110 | projectDirPath = ""; 111 | projectRoot = ""; 112 | targets = ( 113 | 265C516E253C6D6700D868C4 /* sonomablocker */, 114 | ); 115 | }; 116 | /* End PBXProject section */ 117 | 118 | /* Begin PBXSourcesBuildPhase section */ 119 | 265C516B253C6D6700D868C4 /* Sources */ = { 120 | isa = PBXSourcesBuildPhase; 121 | buildActionMask = 2147483647; 122 | files = ( 123 | 265C5173253C6D6700D868C4 /* main.m in Sources */, 124 | ); 125 | runOnlyForDeploymentPostprocessing = 0; 126 | }; 127 | /* End PBXSourcesBuildPhase section */ 128 | 129 | /* Begin XCBuildConfiguration section */ 130 | 265C5174253C6D6700D868C4 /* Debug */ = { 131 | isa = XCBuildConfiguration; 132 | buildSettings = { 133 | ALWAYS_SEARCH_USER_PATHS = NO; 134 | CLANG_ANALYZER_NONNULL = YES; 135 | CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; 136 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; 137 | CLANG_CXX_LIBRARY = "libc++"; 138 | CLANG_ENABLE_MODULES = YES; 139 | CLANG_ENABLE_OBJC_ARC = YES; 140 | CLANG_ENABLE_OBJC_WEAK = YES; 141 | CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; 142 | CLANG_WARN_BOOL_CONVERSION = YES; 143 | CLANG_WARN_COMMA = YES; 144 | CLANG_WARN_CONSTANT_CONVERSION = YES; 145 | CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; 146 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 147 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 148 | CLANG_WARN_EMPTY_BODY = YES; 149 | CLANG_WARN_ENUM_CONVERSION = YES; 150 | CLANG_WARN_INFINITE_RECURSION = YES; 151 | CLANG_WARN_INT_CONVERSION = YES; 152 | CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; 153 | CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES; 154 | CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; 155 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 156 | CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES; 157 | CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; 158 | CLANG_WARN_STRICT_PROTOTYPES = YES; 159 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 160 | CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; 161 | CLANG_WARN_UNREACHABLE_CODE = YES; 162 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 163 | COPY_PHASE_STRIP = NO; 164 | DEBUG_INFORMATION_FORMAT = dwarf; 165 | ENABLE_STRICT_OBJC_MSGSEND = YES; 166 | ENABLE_TESTABILITY = NO; 167 | GCC_C_LANGUAGE_STANDARD = gnu11; 168 | GCC_DYNAMIC_NO_PIC = NO; 169 | GCC_NO_COMMON_BLOCKS = YES; 170 | GCC_OPTIMIZATION_LEVEL = 0; 171 | GCC_PREPROCESSOR_DEFINITIONS = ( 172 | "DEBUG=1", 173 | "$(inherited)", 174 | ); 175 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 176 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 177 | GCC_WARN_UNDECLARED_SELECTOR = YES; 178 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 179 | GCC_WARN_UNUSED_FUNCTION = YES; 180 | GCC_WARN_UNUSED_VARIABLE = YES; 181 | MACOSX_DEPLOYMENT_TARGET = 11.0; 182 | MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE; 183 | MTL_FAST_MATH = YES; 184 | ONLY_ACTIVE_ARCH = NO; 185 | SDKROOT = macosx; 186 | }; 187 | name = Debug; 188 | }; 189 | 265C5175253C6D6700D868C4 /* Release */ = { 190 | isa = XCBuildConfiguration; 191 | buildSettings = { 192 | ALWAYS_SEARCH_USER_PATHS = NO; 193 | CLANG_ANALYZER_NONNULL = YES; 194 | CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; 195 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; 196 | CLANG_CXX_LIBRARY = "libc++"; 197 | CLANG_ENABLE_MODULES = YES; 198 | CLANG_ENABLE_OBJC_ARC = YES; 199 | CLANG_ENABLE_OBJC_WEAK = YES; 200 | CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; 201 | CLANG_WARN_BOOL_CONVERSION = YES; 202 | CLANG_WARN_COMMA = YES; 203 | CLANG_WARN_CONSTANT_CONVERSION = YES; 204 | CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; 205 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 206 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 207 | CLANG_WARN_EMPTY_BODY = YES; 208 | CLANG_WARN_ENUM_CONVERSION = YES; 209 | CLANG_WARN_INFINITE_RECURSION = YES; 210 | CLANG_WARN_INT_CONVERSION = YES; 211 | CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; 212 | CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES; 213 | CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; 214 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 215 | CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES; 216 | CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; 217 | CLANG_WARN_STRICT_PROTOTYPES = YES; 218 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 219 | CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; 220 | CLANG_WARN_UNREACHABLE_CODE = YES; 221 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 222 | COPY_PHASE_STRIP = NO; 223 | DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; 224 | ENABLE_NS_ASSERTIONS = NO; 225 | ENABLE_STRICT_OBJC_MSGSEND = YES; 226 | GCC_C_LANGUAGE_STANDARD = gnu11; 227 | GCC_NO_COMMON_BLOCKS = YES; 228 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 229 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 230 | GCC_WARN_UNDECLARED_SELECTOR = YES; 231 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 232 | GCC_WARN_UNUSED_FUNCTION = YES; 233 | GCC_WARN_UNUSED_VARIABLE = YES; 234 | MACOSX_DEPLOYMENT_TARGET = 11.0; 235 | MTL_ENABLE_DEBUG_INFO = NO; 236 | MTL_FAST_MATH = YES; 237 | ONLY_ACTIVE_ARCH = NO; 238 | SDKROOT = macosx; 239 | }; 240 | name = Release; 241 | }; 242 | 265C5177253C6D6700D868C4 /* Debug */ = { 243 | isa = XCBuildConfiguration; 244 | buildSettings = { 245 | CODE_SIGN_ENTITLEMENTS = "$(PROJECT_NAME)/$(PROJECT_NAME).entitlements"; 246 | CODE_SIGN_IDENTITY = "Developer ID Application: ENVO IT AS (FXW6QXBFW5)"; 247 | "CODE_SIGN_IDENTITY[sdk=macosx*]" = "Developer ID Application"; 248 | CODE_SIGN_INJECT_BASE_ENTITLEMENTS = NO; 249 | CODE_SIGN_STYLE = Manual; 250 | DEBUG_INFORMATION_FORMAT = dwarf; 251 | DEVELOPMENT_TEAM = FXW6QXBFW5; 252 | "DEVELOPMENT_TEAM[sdk=macosx*]" = FXW6QXBFW5; 253 | DSTROOT = $SRCROOT/build/pkgroot; 254 | ENABLE_HARDENED_RUNTIME = YES; 255 | MACOSX_DEPLOYMENT_TARGET = 11.0; 256 | OTHER_CODE_SIGN_FLAGS = "--timestamp"; 257 | PRODUCT_BUNDLE_IDENTIFIER = "dk.envo-it.sonomablocker"; 258 | PRODUCT_NAME = "$(TARGET_NAME)"; 259 | PROVISIONING_PROFILE_SPECIFIER = ""; 260 | }; 261 | name = Debug; 262 | }; 263 | 265C5178253C6D6700D868C4 /* Release */ = { 264 | isa = XCBuildConfiguration; 265 | buildSettings = { 266 | CODE_SIGN_ENTITLEMENTS = ""; 267 | CODE_SIGN_IDENTITY = "Developer ID Application: ENVO IT AS (FXW6QXBFW5)"; 268 | "CODE_SIGN_IDENTITY[sdk=macosx*]" = "Developer ID Application"; 269 | CODE_SIGN_INJECT_BASE_ENTITLEMENTS = NO; 270 | CODE_SIGN_STYLE = Manual; 271 | DEVELOPMENT_TEAM = FXW6QXBFW5; 272 | "DEVELOPMENT_TEAM[sdk=macosx*]" = FXW6QXBFW5; 273 | DSTROOT = $SRCROOT/build/pkgroot; 274 | ENABLE_HARDENED_RUNTIME = YES; 275 | MACOSX_DEPLOYMENT_TARGET = 11.0; 276 | OTHER_CODE_SIGN_FLAGS = "--timestamp"; 277 | PRODUCT_BUNDLE_IDENTIFIER = "dk.envo-it.sonomablocker"; 278 | PRODUCT_NAME = "$(TARGET_NAME)"; 279 | PROVISIONING_PROFILE_SPECIFIER = ""; 280 | }; 281 | name = Release; 282 | }; 283 | /* End XCBuildConfiguration section */ 284 | 285 | /* Begin XCConfigurationList section */ 286 | 265C516A253C6D6700D868C4 /* Build configuration list for PBXProject "sonomablocker" */ = { 287 | isa = XCConfigurationList; 288 | buildConfigurations = ( 289 | 265C5174253C6D6700D868C4 /* Debug */, 290 | 265C5175253C6D6700D868C4 /* Release */, 291 | ); 292 | defaultConfigurationIsVisible = 0; 293 | defaultConfigurationName = Release; 294 | }; 295 | 265C5176253C6D6700D868C4 /* Build configuration list for PBXNativeTarget "sonomablocker" */ = { 296 | isa = XCConfigurationList; 297 | buildConfigurations = ( 298 | 265C5177253C6D6700D868C4 /* Debug */, 299 | 265C5178253C6D6700D868C4 /* Release */, 300 | ); 301 | defaultConfigurationIsVisible = 0; 302 | defaultConfigurationName = Release; 303 | }; 304 | /* End XCConfigurationList section */ 305 | }; 306 | rootObject = 265C5167253C6D6700D868C4 /* Project object */; 307 | } 308 | -------------------------------------------------------------------------------- /sonomablocker.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /sonomablocker.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | IDEDidComputeMac32BitWarning 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /sonomablocker.xcodeproj/project.xcworkspace/xcuserdata/st.xcuserdatad/UserInterfaceState.xcuserstate: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Theile/sonomablocker/e183294805017abf30a0e7ca5497da99cbda220b/sonomablocker.xcodeproj/project.xcworkspace/xcuserdata/st.xcuserdatad/UserInterfaceState.xcuserstate -------------------------------------------------------------------------------- /sonomablocker.xcodeproj/xcshareddata/xcschemes/sonomablocker.xcscheme: -------------------------------------------------------------------------------- 1 | 2 | 5 | 8 | 9 | 15 | 21 | 22 | 23 | 24 | 25 | 30 | 31 | 32 | 33 | 44 | 46 | 52 | 53 | 54 | 55 | 61 | 63 | 69 | 70 | 71 | 72 | 74 | 75 | 78 | 79 | 80 | -------------------------------------------------------------------------------- /sonomablocker.xcodeproj/xcuserdata/st.xcuserdatad/xcschemes/xcschememanagement.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | SchemeUserState 6 | 7 | sonomablocker.xcscheme_^#shared#^_ 8 | 9 | orderHint 10 | 1 11 | 12 | 13 | SuppressBuildableAutocreation 14 | 15 | 265C516E253C6D6700D868C4 16 | 17 | primary 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /sonomablocker/main.m: -------------------------------------------------------------------------------- 1 | // 2 | // main.m 3 | // sonomablocker 4 | // 5 | // bigsurblocker created by Hannes Juutilainen on 18.10.2020. 6 | // Modified for Sonoma by Søren Theilgaard on 2023-09-20 7 | // 8 | 9 | #import 10 | #import 11 | 12 | @interface AppDelegate : NSObject 13 | @property BOOL alertTriggered; 14 | - (BOOL)alertShowHelp:(NSAlert *)alert; 15 | @end 16 | 17 | @implementation AppDelegate 18 | 19 | - (void)applicationDidFinishLaunching:(NSNotification *)notification { 20 | self.alertTriggered = NO; 21 | 22 | NSWorkspace *workspace = [NSWorkspace sharedWorkspace]; 23 | NSNotificationCenter *nc = [workspace notificationCenter]; 24 | 25 | NSOperationQueue *notificationQueue = [NSOperationQueue new]; 26 | 27 | // Subscribe for notifications when apps are launched 28 | [nc addObserverForName:NSWorkspaceDidLaunchApplicationNotification 29 | object:nil 30 | queue:notificationQueue 31 | usingBlock:^(NSNotification * _Nonnull note) { 32 | 33 | // Get information about the launched app 34 | NSDictionary *userInfo = [note userInfo]; 35 | NSRunningApplication *runningApp = [userInfo objectForKey:NSWorkspaceApplicationKey]; 36 | NSString *bundleID = runningApp.bundleIdentifier; 37 | 38 | // Load our user defaults suite. This will allow the alert text 39 | // to be specified with a configuration profile 40 | NSUserDefaults *userDefaults = [[NSUserDefaults alloc] initWithSuiteName:@"dk.envo-it.sonomablocker"]; 41 | 42 | NSArray *bundleIDsToBlock = [userDefaults arrayForKey:@"bundleIDsToBlock"]; 43 | if (!bundleIDsToBlock) { 44 | bundleIDsToBlock = @[ 45 | @"com.apple.InstallAssistant.Sonoma", 46 | @"com.apple.InstallAssistant.macOSSonoma", 47 | @"com.apple.InstallAssistant.Seed.macOS14Seed", 48 | @"com.apple.InstallAssistant.Seed.macOS14Seed1", 49 | ]; 50 | } 51 | if ([bundleIDsToBlock containsObject:bundleID]) { 52 | NSLog(@"Detected macOS installer app launch"); 53 | 54 | // Get the localized app name 55 | NSString *appName = runningApp.localizedName; 56 | 57 | // Terminate the app 58 | NSLog(@"Terminating \"%@\", \"%@\"", appName, bundleID); 59 | 60 | // We could be polite but... 61 | [runningApp forceTerminate]; 62 | 63 | // Check if we are already displaying an alert 64 | if (self.alertTriggered) { 65 | NSLog(@"Skipping alert. Previous alert still running"); 66 | } else { 67 | self.alertTriggered = YES; 68 | 69 | // GUI must be run from main thread 70 | dispatch_async(dispatch_get_main_queue(), ^{ 71 | 72 | 73 | NSString *messageText = [userDefaults stringForKey:@"AlertTitle"]; 74 | if (!messageText) { 75 | messageText = NSLocalizedString(@"The application \"%@\" has been blocked", @""); 76 | } 77 | 78 | NSString *informativeText = [userDefaults stringForKey:@"AlertText"]; 79 | if (!informativeText) { 80 | informativeText = NSLocalizedString(@"Contact your administrator for more information", @""); 81 | } 82 | 83 | // Configure the alert 84 | NSAlert *alert = [[NSAlert alloc] init]; 85 | 86 | [alert setMessageText:[NSString stringWithFormat:messageText, appName]]; 87 | [alert setInformativeText:informativeText]; 88 | 89 | NSString *buttonTitle = [userDefaults stringForKey:@"ButtonTitle"]; 90 | if (!buttonTitle) { 91 | buttonTitle = NSLocalizedString(@"OK", @""); 92 | } 93 | [alert addButtonWithTitle:buttonTitle]; 94 | [alert setAlertStyle:NSAlertStyleWarning]; 95 | [alert setIcon:[NSImage imageNamed:NSImageNameCaution]]; 96 | 97 | // If a custom help URL is defined in defaults, enable the help button 98 | NSString *helpURLString = [userDefaults stringForKey:@"HelpURL"]; 99 | if (helpURLString) { 100 | [alert setDelegate:self]; 101 | [alert setShowsHelp:YES]; 102 | } 103 | 104 | 105 | // Show the alert above all other apps and windows 106 | [[NSApplication sharedApplication] activateIgnoringOtherApps:YES]; 107 | [[alert window] setLevel:NSStatusWindowLevel]; 108 | 109 | // Show the alert 110 | // 111 | // Note that the [alert runModal] will not return until the user dismisses the popup window 112 | [alert runModal]; 113 | 114 | // User dismissed the alert, change status to allow new ones to be displayed 115 | self.alertTriggered = NO; 116 | }); 117 | } 118 | } 119 | }]; 120 | } 121 | 122 | - (BOOL)alertShowHelp:(NSAlert *)alert 123 | { 124 | NSUserDefaults *userDefaults = [[NSUserDefaults alloc] initWithSuiteName:@"dk.envo-it.sonomablocker"]; 125 | NSString *helpURLString = [userDefaults stringForKey:@"HelpURL"]; 126 | if (helpURLString) { 127 | NSURL *helpURL = [NSURL URLWithString:helpURLString]; 128 | [[NSWorkspace sharedWorkspace] openURL:helpURL]; 129 | } 130 | 131 | return YES; 132 | } 133 | 134 | @end 135 | 136 | int main(int argc, const char * argv[]) { 137 | @autoreleasepool { 138 | NSApplication *application = [NSApplication sharedApplication]; 139 | AppDelegate *delegate = [[AppDelegate alloc] init]; 140 | [application setDelegate:delegate]; 141 | [application run]; 142 | } 143 | return 0; 144 | } 145 | -------------------------------------------------------------------------------- /sonomablocker/sonomablocker.entitlements: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | com.apple.security.get-task-allow 6 | 7 | 8 | 9 | --------------------------------------------------------------------------------