Hello all

I am blocking macOS Sonoma beta with two different restricted software setups: one is "Install macOS Sonoma beta.app" and the other is "Install macOS 14 beta.app". I'm using both just to be safe and make sure I catch the installer.

With the production release of macOS Sonoma around the corner, I was wondering if anyone has set up their environment to block macOS Sonoma already. I'm looking for the process name.

Thank you again

So there's effectively no way to prevent a user from self-initiating an upgrade to a new version of macOS after 90 days of a new release, is there? That's the problem though: when macOS announces a new version, we have 90 days to test and validate our security settings, otherwise we risk being non-compliant with our own cybersecurity policies.


I think there is still an Admin Access check for OS upgrades (12>13).

With the release of macOS 12.3, OS upgrades (12>13) are processed as deltas like OS updates (13.1>13.2). Apple's stance for OS updates has been a 90-day deferral for 4-5 years now. For the past 1.5 years, OS upgrades have fallen under the same process. This is nothing new at this point.

As far as security policies go, it should be safe to assume that if you are not running the most current release of Apple software, you are non-compliant.

https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a/web

Note: Because of dependency on architecture and system changes to any current version of Apple operating systems (for example, macOS 13, iOS 16, and so on), not all known security issues are addressed in previous versions (for example, macOS 12, iOS 15, and so on).


I'm sure it will follow the same naming convention, but there is no way to tell until it's released.

I've got mine set to block "Install macOS Sonoma.app"


It's not the same naming convention. It's "install macOS 14.app" for Sonoma.
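The installer names reported in this thread differ in wording and capitalization, so a check against a single name can miss the installer. The script below is an added example, not part of any post in this thread: it lists installer-like bundles in a directory and marks the ones that none of the names above would match. The blocklist entries are copied from the posts; the helper names `is_blocked` and `scan_dir` and the use of `/Applications` as the scan target are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find macOS installer bundles in a
# directory and report which names are missing from the blocklist.

# Names exactly as posted in this thread; none is confirmed here as the
# final release name.
BLOCKED_NAMES='Install macOS Sonoma beta.app
Install macOS 14 beta.app
Install macOS Sonoma.app
install macOS 14.app'

# is_blocked NAME: succeed if NAME equals a blocklist entry.
# -F literal, -i ignore case (the thread shows both "Install" and
# "install"), -x whole-line match so a longer or shorter name never
# matches on a substring.
is_blocked() {
    printf '%s\n' "$BLOCKED_NAMES" | grep -Fixq -- "$1"
}

# scan_dir DIR: print "BLOCKED<TAB>name" or "UNLISTED<TAB>name" for each
# top-level bundle named like a macOS installer.
scan_dir() {
    find "$1" -maxdepth 1 -type d -iname 'install macos*.app' |
    LC_ALL=C sort |
    while IFS= read -r path; do
        name=$(basename "$path")
        if is_blocked "$name"; then
            printf 'BLOCKED\t%s\n' "$name"
        else
            printf 'UNLISTED\t%s\n' "$name"
        fi
    done
}

# Run against a directory given as the first argument (assumed use:
# /Applications on a managed Mac).
if [ "$#" -gt 0 ]; then
    scan_dir "$1"
fi
```

An `UNLISTED` line means an installer bundle is present under a name the current restrictions do not cover, which is the gap the posters above are trying to avoid.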


Well, this is undoubtedly distressing news. Our company works within a regulated environment and has put in a lot of work in managing macOS and applying additional security controls in conjunction with the macOS compliance project on GitHub. This includes a non-insignificant amount of time and money spent with JAMF professional services in implementing controls for specific cybersecurity frameworks and the Defense Industrial base that necessitates baselining against a specific version of macOS. Needing to do this on a yearly cadence is going to represent a non-insignificant amount of time and effort on our end and, to be frank, the response from Apple has been a joke.

Our local Apple business rep implied that we weren't using JAMF correctly to control these updates. They were, however, useful in obtaining a phone number to talk with Apple's Enterprise Support Team engineering team. I spoke with 2 agents that were a delight to work with; however, at the end of the day the Apple Engineering team basically told them to pound sand and that the update process is working as intended.

I realize we're pretty small fries when compared to other organizations out there since we're only managing about 80 macOS devices, but the way that Apple is pushing these updates in conjunction with an ever-decreasing support life cycle will probably necessitate us moving away from macOS in the medium term if this is the approach that they're going to take.

I suggest everyone here call the Apple Enterprise Support phone number (866) 752-7753 and start making noise.


This is a pain in the a** for us. We've resorted to just sending email comms to Mac users. I can guarantee 9/10 of those users ignore those comms. Fortunately, the design team are notorious for never restarting their devices, so they will probably ignore the update prompt.

I'd be surprised if Apple listen to us. We only have 40 endpoints.


Just found out that when you hit "Learn More" under Automatic Update, they can restore the default settings and install macOS Sonoma even after deferring the updates.

