
Hi, 

New admin looking for some advice. What is your typical stance on major upgrades such as Ventura? Do you guys have a normal workflow that blocks these updates for a certain amount of time or do you run with it on day 1? I am curious to see how other admins handle these updates. 

Hi there - we use the Restricted software feature.  We then have a static group where we will allow users to be added for UAT / Pilot until we allow all others to upgrade. 


Thanks @duff2481-1 I read that for certain versions of Monterey the .app block won't be enough. Do you have something there to account for that? Also, can you elaborate on how the static group is set up? I assume you could add an exclusion to the configuration profile?




@auser For any Mac running macOS Monterey 12.3 or higher the macOS Ventura upgrade won't require downloading a full installer, and instead will use a much smaller "delta" updater similar to how the "minor" .1 -> .2 updates are installed. Currently the only way to block the "delta" update mechanism is to deploy a Configuration Profile to defer Minor OS updates (Apple has acknowledged this should be a deferral for a Major OS update but as of macOS 12.6 the logic in softwareupdate treats it as a Minor update).




I have heard rumors that this won't work with Ventura. That Apple has moved Ventura upgrades to the software update workflow so blocking the binary (app) won't work. I have yet to find any documentation on this from Apple, but it is Apple so lord only knows.


Always defer, especially if you do not actively test the beta seed. Even if your device management is ready for Ventura day 1, odds are your security tools won't be. In my experience it usually takes about 3 months for most vendors to be ready for the new OS, and another 3-6 months for your internal application owners to be ready. I cut the new OS loose after 90 days and don't play the horse and pony show of internal departments prioritize down supporting the new OS.

 

 

In years past you can use a software restriction targeting the installer (install macOS Ventura.app) and kill it whenever it is run. Rumor mill is this won't work for Ventura, but I have not found proof of that yet. At the very least I recommend setting up OS update Deferrals in the restrictions payload of a configuration profile.

 

 


Confirmed Restricted Software still works to block Ventura. I did a software update from a Monterey tester. We have both Restricted Software and Configuration Profile Deferrals set up, for 90 days.




Since macOS 13 and 12.6.1 are released now I am figuring the NDA is over so it should be safe to say this. If not, mods remove away.

 

macOS 13 will absolutely install to macOS 12.3-12.6 as a minor update. Apple has put a server side patch in place deferring macOS 13 for 30 days to MDM enrolled devices. If you do not update to 12.6.1 before 11.24.22 users can upgrade to macOS 13 even if it's restricted under major OS update deferrals. Happy Thanksgiving I suppose.


@AJPinto I thought I have the right deferrals in place, but so far it's letting me see and download the full installer (12.15 GB) on an MDM Mac. Seems like I'm copying you correctly? 

Trying to block Ventura, but allow 12.6.1 (minor update?).

  



  


You are not doing the wrong thing. Apple screwed up, and did not tell anyone. Once you get up to 12.6.1 things will work as you expect. However you must do it by Thanksgiving or users can upgrade to Ventura on their own.


@AJPinto Got it, thanks. Just wrapping my head around it. Will need to send notification to users not to upgrade.




You are very welcome. 

 

In typical fashion, documentation from Apple came a day late and a dollar short. I suggest emailing your Apple rep and complaining and submitting feedback.

https://support.apple.com/en-us/HT213471


Hi, struggling here as well with this.

Anyway, the info published by Apple here is not precise in the least: https://support.apple.com/en-lamr/HT213471

  • "macOS Monterey 12.6.1 and later:

Continue to use the major update delay setting to prevent Mac computers in your organization from offering macOS Ventura for up to 90 days." - tested several times and it's not working (edited)

 

  • "macOS Monterey 12.3 through 12.6:

Use both the major and minor update delay settings to prevent Mac computers in your organization from offering macOS Ventura for up to 90 days. If you currently have a longer delay period for major update than minor updates, increase your minor update delay to match the desired major delay period." - That's the first thing we tried and it's not working

 

  • Even on macOS Big Sur, Ventura is appearing as available.. (Either delaying major and minor updates)

Additionally, when my profiles actually take effect, they lose it after a restart for example.
Currently they don't seem to take effect not even temporarily....

Best regards!


Is there any way to block Ventura from showing in software update but allow 12.6.1?


I think it depends on what macOS version you're on. If 12.3 or newer, I don't think so as Ventura shows as minor update from my understanding. 12.0-2, you could allow minor and block major to have those updated to 12.6.1. We have taken the stance of denying minor and major updates for the 90 days out of caution really.




Apple is blocking macOS 13 on MDM devices via the software update workflow until 11.24.22 (Thanksgiving day for those in the US). macOS 12.6.1 is not blocked in the same manner. This is Apple's idea of a workaround. If you don't update to 12.6.1 BEFORE 11.24.22 users can update to macOS 13 on their own and the only way to stop it is to block ALL updates.




Hi,

How is Apple blocking macOS 13 on MDM devices and it appears on our devices anyway?
We are delaying major updates (60 days) on all devices and it appears as available?
Either on Big Sur (11.6.8), Monterey or even specifically on 12.6.1.




Apple has put some workflow on their OS distribution servers that will not broadcast macOS 13 to MDM enabled devices. If I am not mistaken the devices must have been enrolled with DEP for this to work, but don't hold me to that. I know there is something specific it is looking for. May want to open a ticket with JAMF or Apple to confirm the details.

 

According to Apple, the bug covers macOS 12.3-12.6. I would assume 11.6.8 should be fine, but I would absolutely test that to make sure. We are off of Big Sur and have been since 2nd quarter.

 

macOS Monterey 12.3 through 12.6:
Use both the major and minor update delay settings to prevent Mac computers in your organization from offering macOS Ventura for up to 90 days. If you currently have a longer delay period for major update than minor updates, increase your minor update delay to match the desired major delay period.
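
The guidance quoted in this thread (major delay alone on 12.6.1 and later, major and minor delays matched on 12.3 through 12.6) can be checked against an inventory with a short script. This is an added example, not code from any poster or from Jamf; the hostnames, inventory rows and status labels are constructed, and it audits settings against that guidance only, not what Software Update actually offers a given Mac.

```sh
#!/bin/sh
# Added example (not from the thread): check deferral settings against the
# HT213471 guidance quoted above. Hostnames, inventory rows and status labels
# are constructed for illustration.

# 12.6.1 -> 120601, so versions compare as integers.
ver_to_int() {
  echo "$1" | awk -F. '{ printf "%d\n", $1 * 10000 + $2 * 100 + $3 }'
}

# ventura_exposure OS_VERSION MAJOR_DELAY_DAYS MINOR_DELAY_DAYS
# On a Mac, OS_VERSION is the output of `sw_vers -productVersion`; the delays
# are the values in the deployed deferral profile (0 = no delay set).
ventura_exposure() {
  _v=$(ver_to_int "$1"); _major=$2; _minor=$3
  if [ "$_v" -ge 130000 ]; then echo "already-ventura"; return 0; fi
  if [ "$_major" -le 0 ]; then echo "exposed-no-major-delay"; return 0; fi
  # 12.3 through 12.6: Ventura arrives through the minor-update path, so the
  # minor delay has to be at least as long as the major delay.
  if [ "$_v" -ge 120300 ] && [ "$_v" -lt 120601 ] && [ "$_minor" -lt "$_major" ]; then
    echo "exposed-minor-delay-short"; return 0
  fi
  # 12.6.1 and later: major delay alone. Versions below 12.3 are treated the
  # same way here, which is an assumption for Big Sur.
  echo "deferred"
}

# Read "host os major minor" rows and print one status per Mac.
report() {
  while read -r host os major minor; do
    printf '%-8s %-7s %s\n' "$host" "$os" "$(ventura_exposure "$os" "$major" "$minor")"
  done
}

# Constructed inventory: host, macOS version, major delay, minor delay (days).
report <<'EOF'
mac-01 12.6 90 0
mac-02 12.6 90 90
mac-03 12.6.1 90 0
mac-04 12.2.1 0 0
mac-05 11.6.8 60 0
mac-06 13.0 90 90
EOF
```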

 


So in my instance I have the restriction in place as well as the deferral. Somehow a user on 12.6 was able to upgrade yesterday to Ventura. Said he was notified that the update was available. I don't know if that's the case but the fact that he was able to upgrade concerns me and has me scratching my head. Any thoughts?




If Apple is to be trusted with anything they have said, which I usually don't assume to be the case myself, the device either was not on 12.6.1, or it's not managed correctly and Apple's update servers did not see it as an MDM managed device.

 

Just as a precaution in my environment, I have blocked the softwareupdate preference pane. Just in case someone does get the notification, it's a bit harder for them to actually install Ventura.



Yeah, it was still offered to our Macs too even though they are supervised. After some trial and error, this is how I managed to hide Ventura and only offer 12.6.1. 

 

MajorProduct: 012-92138>(Title:macOS Ventura Version:13.0, Identifier:com.apple.InstallAssistant.macOSVentura, IconSize:0, Deferred:1, Deferred Until:2023-01-22

I am following your steps Jay and it is still advertising Ventura




Others are saying the same on another post too. I'm not sure why that seems to work for me and not anyone else. There is definitely some weird behaviour going on with Ventura. It's still being advertised to some that have updated to 12.6.1 and excluded major updates even though Apple have stated that they have automatically deferred it for supervised computers. Sorry that I can't help further. 


We also set up the deferral under functionality, but it doesn't deploy to all the devices. When you go in to the logs, a bunch of computers say cancelled.