
Our school district would like to defer the upcoming macOS 26 upgrade (scheduled for release on September 15) but still allow security updates for macOS Sequoia.

What is the best way to configure this in Jamf Pro so that the major OS upgrade is blocked, while security updates and minor patches for Sequoia remain available? Thanks

 

 

You can defer only major updates … this will defer all the major upgrades…

 

thanks 


In theory OSX 26 is a Major update, so using Restrictions and delaying Major updates for 90 days should do the trick.

However, Apple have sometimes in the past released new OSX versions and marked them as Minor updates, and then after an outcry, they remarked them as Major. So you will need to watch out for this anomaly. If you bump your settings to 30 days for Minor updates, and have a small test group with a shorter deferral time, you will be able to see if this is the case.


We will use a 90 day deferral, then apply DDM software updates to enforce minor updates.

Also, don’t forget to check your Prestage Enrollment settings. 

Does your organization enforce a minimum required OS version for iOS or macOS?


Thanks for the reminder there - had completely forgotten. 

  



… Apple have sometimes in the past released new OSX versions and marked them as Minor updates, and then after an outcry, they remarked them as Major. So you will need to watch out for this anomaly…

This is excellent to note as I have not seen it before, thank you!


We were bitten by that oddity in the past with major/minor differentiation.  However, it seems that no matter what we do, a few endpoints always slip the leash and get the update announcement.  We generally do a 30 day restriction for review against campus enterprise systems, because we have a bunch of eager beavers.


This is a great use for blueprints!


We use the deferral for major set to 90 days in the Restrictions payload. We also add the title for the branded installer app and install assistant to the restricted software list with a kill message displayed to the user. The install assistant kill message is slightly reworded so we can immediately tell that is what ran as opposed to a branded installer. Historically install assistant is what will get kicked off when the major update is accidentally presented to the user in the System Settings, Software Update UI. Eventually, when the vendors start supporting the new release we will let folks opt-in and start shipping Tahoe on all new builds. 


So, I’m going to need to put this in for Tahoe tonight.  Does anybody use the app restriction on the installer in addition to the deferral setting?  Any other settings that people use for this?  We always have a few that manage to sneak through somehow...


We use both. And we also have a few that get through no matter what.


Along this line, does anybody use SUPERMAN for OS updates?  Our migration consultants (Rocketman Tech) implemented that earlier this year and I don’t actually know if there is anything we need to adjust there so that SUPERMAN and the deferral configuration profile don’t go to war with each other...


However, Apple have sometimes in the past released new OSX versions and marked them as Minor updates, and then after an outcry, they remarked them as Major. So you will need to watch out for this anomaly.

I like how you called this an “anomaly”. I’ve always considered this to be by design on Apple’s part. It seems they want the fastest and widest adoption of any of their new OSes so they can tout how fast the adoption was later in some presentation. But maybe that’s just me.

Either way, good advice to look out for that, since it tends to bite us all at some point or another.


I'm using a .mobileconfig configuration profile through iMazing to postpone the installation for 90 days.

https://github.com/chrisbasse/Ignore-Tahoe-for-90-days.mobileconfig

Regards

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.apple.applicationaccess.F225F9E8-B275-4830-A376-FA2205E71FD6</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>F225F9E8-B275-4830-A376-FA2205E71FD6</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key>
<integer>90</integer>
<key>forceDelayedMajorSoftwareUpdates</key>
<true/>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Ignore Tahoe for 90 days</string>
<key>PayloadIdentifier</key>
<string>iMazing-Profile-Editor.71379A17-22C8-4C9B-889D-22ABDF22D121</string>
<key>PayloadOrganization</key>
<string>Fixage</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>71379A17-22C8-4C9B-889D-22ABDF22D121</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

 


@grapy 
 

Defer macOS 26 “Tahoe” (and other updates) for 90 days using Restrictions (no overlap)
 

Goal: Hide macOS major upgrades (e.g., Tahoe 26), and—if you choose—all updates (major/minor/non-OS) from System Settings for up to 90 days, so IT can stage and install centrally without users seeing prompts.

Why this approach?

  • 100% Apple-supported (no hacks)

  • Works great with Jamf when applied as a stand-alone Custom Settings payload (avoids overlap with other Restrictions toggles)

  • Lets you choose between major-only deferral or hide everything for a fixed window

Option A — Major OS only (hide macOS 26 “Tahoe” for 90 days)

Jamf Pro → Configuration Profiles → Application & Custom Settings → Custom (Upload)
Preference Domain: com.apple.applicationaccess
Paste this plist:
-------------------------------------------------------------------------------------------------------------

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <!-- Hide major upgrades (e.g., Sequoia -> Tahoe/26) for 90 days -->
    <key>forceDelayedMajorSoftwareUpdates</key>
    <true/>
    <key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key>
    <integer>90</integer>
  </dict>
</plist>

-------------------------------------------------------------------------------------------------------------

Result: Users won’t see the macOS 26 upgrade banner in Software Update during the deferral window. Minor and non-OS updates remain visible (normal behavior).
 

Option B — Hide all updates for 90 days (central rollout model)

Same payload & domain (com.apple.applicationaccess), different keys:

-------------------------------------------------------------------------------------------------------------

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <!-- Major OS upgrades -->
    <key>forceDelayedMajorSoftwareUpdates</key>
    <true/>
    <key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key>
    <integer>90</integer>

    <!-- Minor OS updates -->
    <key>forceDelayedSoftwareUpdates</key>
    <true/>
    <key>enforcedSoftwareUpdateMinorOSDeferredInstallDelay</key>
    <integer>90</integer>

    <!-- Non-OS updates (Safari, drivers, XProtect, etc.) -->
    <key>enforcedSoftwareUpdateNonOSDeferredInstallDelay</key>
    <integer>90</integer>
  </dict>
</plist>

-------------------------------------------------------------------------------------------------------------

Result: No major/minor/non-OS updates appear in Software Update for 90 days while you push installs via policy (e.g., cached installers, startosinstall, or targeted softwareupdate).
 

Scoping tips

  • Keep this payload isolated. Use Application & Custom Settings → Custom (Upload) so you only set these keys and avoid side-effects from the Restrictions UI.

  • Pilot first. Exclude IT/pilot devices so you can validate behavior before broad rollout.

  • Roll the window. Apple caps deferrals at 90 days. If you need longer, keep the profile in place and advance the window (or add your own backstop like a Restricted Software rule for Install macOS 26*.app).


Hello,

Tested with a mobileconfig file in JAMF 'Configuration Profiles,' 1 machine in Scope, but unfortunately, it doesn’t block anything, it still offers Tahoe.

Does this work for any of you? Thanks for your help!


I just set up Option A on my test machine and I’m also still seeing the Tahoe upgrade option.


Holding well here so far. Do you have other Configuration profiles that might interfere? Like a second configuration profile with a similar setting, say a Restrictions payload?
 

Did your organization send out a DDM software update?

 

 


Thanks mvu

Yes, I double-checked for any possible double configuration, but no.

I found why, upload the script via uploading a .mobileconfig file as explained by cricri_mac.

The best way is to create a configuration profile, and Application & Custom Settings, Upload,

and

Preference Domain: type: com.apple.applicationaccess

and paste your .xml code Option A or B, and save and apply to your scope

I put the B xml script

Update in General now proposes only macOS Sequoia 15.5

I don't have the same screen as you “Your Mac……. by your organisation” but it works fine now

Thanks!


Correction: as soon as you have done all possible allowed updates (macOS and Safari), I got the same message as you…

Thanks


I believe the best approach is to use Apple Declarative Device Management along with Blueprints in Jamf Pro. However, please ensure that the computer scope is created under the assumption that the Bootstrap Token is escrowed with Jamf. This setup will allow you not only to defer macOS 26 Tahoe updates but also to keep macOS Sequoia laptops up to date.

 


A minor issue with option B.  The XML would look like this:

-------------------------------------------------------------------------------------------------------------

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <!-- Major OS upgrades -->
    <key>forceDelayedMajorSoftwareUpdates</key>
    <true/>
    <key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key>
    <integer>90</integer>

    <!-- Minor OS updates -->
    <key>forceDelayedSoftwareUpdates</key>
    <true/>
    <key>enforcedSoftwareUpdateMinorOSDeferredInstallDelay</key>
    <integer>90</integer>

    <!-- Non-OS updates (Safari, drivers, XProtect, etc.) -->
    <key>forceDelayedAppSoftwareUpdates</key>
    <true/>
    <key>enforcedSoftwareUpdateNonOSDeferredInstallDelay</key>
    <integer>90</integer>
  </dict>
</plist>

-------------------------------------------------------------------------------------------------------------

You just forgot <key>forceDelayedAppSoftwareUpdates</key>
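
Added example, not code from any poster in this thread: a small Python linter for the deferral plists discussed above. It checks that each delay key has its matching force flag (the omission pointed out in the last reply), that delays stay within the 90-day cap mentioned in the thread, and reports which update classes end up deferred. The function names and the sample plists are constructed for illustration.

```python
import plistlib

# Force-flag / delay-key pairs exactly as they appear in the plists on this page.
PAIRS = {
    "major": ("forceDelayedMajorSoftwareUpdates",
              "enforcedSoftwareUpdateMajorOSDeferredInstallDelay"),
    "minor": ("forceDelayedSoftwareUpdates",
              "enforcedSoftwareUpdateMinorOSDeferredInstallDelay"),
    "non-os": ("forceDelayedAppSoftwareUpdates",
               "enforcedSoftwareUpdateNonOSDeferredInstallDelay"),
}
MAX_DAYS = 90  # cap stated in the thread

def restriction_dicts(data: bytes):
    """Bare dict (Custom Settings upload) or the Restrictions payloads of a .mobileconfig."""
    root = plistlib.loads(data)
    if "PayloadContent" in root:
        return [p for p in root["PayloadContent"]
                if p.get("PayloadType") == "com.apple.applicationaccess"]
    return [root]

def lint(data: bytes):
    """Return (effective, findings): update class -> days for complete pairs,
    plus a list of human-readable problems."""
    effective, findings = {}, []
    for d in restriction_dicts(data):
        for cls, (flag, delay) in PAIRS.items():
            on, days = d.get(flag), d.get(delay)
            if days is not None and on is not True:
                findings.append(f"{cls}: {delay} set but {flag} is not true")
            elif on is True and days is None:
                findings.append(f"{cls}: {flag} true but {delay} missing")
            elif on is True:
                if not 1 <= days <= MAX_DAYS:
                    findings.append(f"{cls}: delay {days} outside 1..{MAX_DAYS}")
                effective[cls] = days
    if "minor" in effective:
        findings.append("minor: security patches for the current OS are deferred too")
    return effective, findings

# Constructed sample: Option B as first posted (no forceDelayedAppSoftwareUpdates).
OPTION_B_AS_POSTED = plistlib.dumps({
    "forceDelayedMajorSoftwareUpdates": True,
    "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": 90,
    "forceDelayedSoftwareUpdates": True,
    "enforcedSoftwareUpdateMinorOSDeferredInstallDelay": 90,
    "enforcedSoftwareUpdateNonOSDeferredInstallDelay": 90,
})

if __name__ == "__main__":
    print(lint(OPTION_B_AS_POSTED))
```

Running it over a profile before upload shows whether a "major only" profile really leaves minor updates, and with them security patches for the current OS, undeferred.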