Using Santa to block Mojave upgrades

In the past, I'd used the fake installer approach to stop users from upgrading to the newest macOS version.

But with macOS 10.14 (Mojave), you can block using Santa (see Using Santa to block an .app for more details on general Santa use). It's possible this Santa-blocking approach may have worked for High Sierra and Sierra as well—I haven't tested it on those.

Just download Mojave to your Mac, and then run

santactl fileinfo /Applications/Install\ macOS\ --key SHA-256
to get the hash to block.

For 10.14 (this will change for 10.14.1 and later versions), this command should add it to the Santa blacklist:

/usr/local/bin/santactl rule --blacklist --sha256 "590a8fda56798b456ccc4225ef62aea010c945d17bb4a452bf3f544fdba241d6"

We were able to test this on two Mojave installers downloaded using two separate Apple IDs, so the binary seems to be the same regardless of which Apple ID is used to download it.

If a user then tries to run the Mojave installer, she or he will see a message like this:

Again, since it's based on binary (and since all Apple certificates are whitelisted, so you have to block by binary), you would have to create a new rule for every new Mojave installer that comes out (10.14.1, 10.14.2, 10.14.3, etc.).

5 thoughts on “Using Santa to block Mojave upgrades”

  1. Just tried doing this as I found it rather amusing.

    You’ll need to block the stub installer as well. I think you can force that to download by attempting to upgrade in the App Store without being signed in to an Apple ID.

    1. Nope. When I downloaded it without being signed in with an Apple ID, I still got the full installer instead of the stub. Any other ways to get the stub?

      1. not sure – maybe someone on slack knows.

        Here is the SHA256 for what I just pulled down though.


        # Mojave 10.14.0
        # Installer v. 14.0.22
        /usr/local/bin/santactl rule –blacklist –sha256 “590a8fda56798b456ccc4225ef62aea010c945d17bb4a452bf3f544fdba241d6”

        # Block Stub installer 14.0.21
        /usr/local/bin/santactl rule –blacklist –sha256 “f8268081ab7dcee0f7af9b3c63aa9635ddb3e8697e29d5eaf167d0073f92364e”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.