Our school district would like to defer the upcoming macOS 26 upgrade (scheduled for release on September 15) but still allow security updates for macOS Sequoia.
What is the best way to configure this in Jamf Pro so that the major OS upgrade is blocked, while security updates and minor patches for Sequoia remain available? Thanks
You can defer only major updates … this will defer all the major upgrades…
thanks
In theory OSX 26 is a Major update, so using Restrictions and delaying Major updates for 90 days should do the trick.
However, Apple have sometimes in the past released new OSX versions and marked them as Minor updates, and then after an outcry, they remarked them as Major. So you will need to watch out for this anomoly. If you bump your settings to 30 days for Minor updates, and have a small test group with a shorter deferral time, you will be able to see if this is the case.
We will use a 90 day deferral, then apply DDM software updates to enforce minor updates.
Also, don’t forget to check your Prestage Enrollment settings.
Does your organization enforce a minium required OS version for iOS or macOS?
Thanks for the reminder there - had completely forgotten.
Also, don’t forget to check your Prestage Enrollment settings.
… Apple have sometimes in the past released new OSX versions and marked them as Minor updates, and then after an outcry, they remarked them as Major. So you will need to watch out for this anomoly…
This is excellent to note as I have not seen it before, thank you!
We were bitten by that oddity in the past with major/minor differentiation. However, it seems that no matter what we do, a few endpoints always slip the leash and get the update announcement. We generally do a 30 day restriction for review against campus enterprise systems, because we have a bunch of eager beavers.
This is a great use for blueprints!
We use the deferral for major set to 90 days in the Restrictions payload. We also add the title for the branded installer app and install assistant to the restricted software list with a kill message displayed to the user. The install assistant kill message is slightly reworded so we can immediately tell that is what ran as opposed to a branded installer. Historically install assistant is what will get kicked off when the major update is accidentally presented to the user in the System Settings, Software Update UI. Eventually, when the vendors start supporting the new release we will let folks opt-in and start shipping Tahoe on all new builds.
So, I’m going to need to put this in for Tahoe tonight. Does anybody use the app restriction on the installer in addition to the deferral setting? Any other settings that people use for this? We always have a few that manage to sneak through somehow...
We use both. And we also have a few that get through no matter what.
Along this line, does anybody use SUPERMAN for OS updates? Our migration consultants (Rocketman Tech) implemented that earlier this year and I don’t actually know if there is anything we need to adjust there so that SUPERMAN and the deferral configuration profile don’t go to war with each other...
However, Apple have sometimes in the past released new OSX versions and marked them as Minor updates, and then after an outcry, they remarked them as Major. So you will need to watch out for this anomoly.
I like how you called this an “anomaly”. I’ve always considered this to be by design on Apple’s part. It seems they want the fastest and widest adoption of any of their new OSes so they can tout how fast the adoption was later in some presentation. But maybe that’s just me.
Either way, good advice to look out for that, since it tends to bite us all at some point or another.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.