Hi! Yes you can do this easily via "Restricted Software" and entering Install macOS Ventura.app as the Process Name to restrict. Then just scope it to your devices.
We have a signed profile we uploaded that just blocks access to Software Update so users can't access it that way, and we have a Static Computer Group excluded so we can allow upgrades as needed.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>DisabledPreferencePanes</key>
      <array>
        <string>com.apple.preferences.softwareupdate</string>
      </array>
      <key>PayloadDescription</key>
      <string></string>
      <key>PayloadDisplayName</key>
      <string>System Preferences</string>
      <key>PayloadIdentifier</key>
      <string>BBF6CD21-12F6-4EEB-B6F6-8B2F13A1AC0D</string>
      <key>PayloadType</key>
      <string>com.apple.systempreferences</string>
      <key>PayloadUUID</key>
      <string>BBF6CD21-12F6-4EEB-B6F6-8B2F13A1AC0D</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string></string>
  <key>PayloadDisplayName</key>
  <string>Restrictions - Software Update - Disabled</string>
  <key>PayloadIdentifier</key>
  <string>A481F3CB-4DA5-4013-8200-BA107C007152</string>
  <key>PayloadRemovalDisallowed</key>
  <true/>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>434F331B-9E4E-4233-A894-77BAF8D71263</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
Wouldn't this block all the software updates? How do you update the security patch updates?
This will not work anymore. Apple is pushing the macOS Ventura upgrade to macOS 12.x clients. Once the 90-day delays are gone, there is no way to hide the Ventura upgrade in Software Update.
Yes, we have another config profile that enforces automatic updates (users just need to reboot when prompted), and we also have a policy that runs the MDM software update command in a script.
This disables Software Update in System Preferences.
Just commenting because the accepted answer is wrong.
With macOS 12.3+, OS upgrades (macOS 13+) install as a delta; there is no Install macOS Ventura.app downloaded to block with a software restriction. You can defer OS upgrades for 90 days; after that users can do whatever they want. macOS 13's deferral ran out in January; if you search Jamf Nation you will see tons of posts on this.
If you don't give users admin access, they cannot install OS upgrades, but the Mac will keep barking about it to the user.
If a Mac is running 12.3 or greater, OS upgrades are downloaded as deltas. There will be no Install macOS Ventura.app to block.
Just wondering if this is also the case on Apple Silicon Macs. After the macOS Ventura download, the Mac is only asking to confirm the installation with the logged-in user's credentials; there is no note that an admin is required ...?
I believe the popup still says enter administrative credentials. However, all macOS is looking for is a secure token to install OS updates (13.1 > 13.2 > 13.3 > ...) which is not tied to admin access. OS upgrades (11 > 12 > 13) still require Admin Access, at least for now.
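As an added example (not code from the thread or from Jamf), this audit separates the two controls discussed above: a profile that only hides the Software Update pane, and one that actually defers major upgrades, capped at the 90 days mentioned in the replies. The two `com.apple.applicationaccess` keys are Apple's restriction keys for major-upgrade deferral and do not appear in the thread; the sample payloads are constructed.

```python
import plistlib

PANE_ID = "com.apple.preferences.softwareupdate"
# Apple's restriction keys for deferring major upgrades (not shown in the thread).
MAJOR_FLAG = "forceDelayedMajorSoftwareUpdates"
MAJOR_DAYS = "enforcedSoftwareUpdateMajorOSDeferredInstallDelay"
MAX_DEFERRAL_DAYS = 90  # ceiling stated in the thread

def audit_profile(data: bytes) -> dict:
    """Summarise update controls in an unsigned profile plist (unwrap signed ones first)."""
    profile = plistlib.loads(data)
    report = {
        "hides_pane": False,
        "major_deferral_days": None,
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "findings": [],
    }
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.systempreferences":
            if PANE_ID in payload.get("DisabledPreferencePanes", []):
                report["hides_pane"] = True
        elif ptype == "com.apple.applicationaccess" and payload.get(MAJOR_FLAG):
            days = payload.get(MAJOR_DAYS)
            if not isinstance(days, int):
                report["findings"].append("deferral enabled without an explicit day count")
                continue
            if days > MAX_DEFERRAL_DAYS:
                report["findings"].append(f"{days}-day deferral exceeds the {MAX_DEFERRAL_DAYS}-day ceiling")
            report["major_deferral_days"] = min(days, MAX_DEFERRAL_DAYS)
    if report["hides_pane"] and report["major_deferral_days"] is None:
        report["findings"].append("UI-only control: pane hidden, major upgrade not deferred")
    return report

def build_profile(payloads: list) -> bytes:
    """Wrap payload dicts in a minimal Configuration profile (constructed sample)."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadScope": "System",
                           "PayloadRemovalDisallowed": True, "PayloadContent": payloads})

# Constructed samples: the thread's pane-hiding payload and an over-long deferral.
THREAD_PAYLOAD = {"PayloadType": "com.apple.systempreferences",
                  "DisabledPreferencePanes": [PANE_ID]}
DEFERRAL_PAYLOAD = {"PayloadType": "com.apple.applicationaccess",
                    MAJOR_FLAG: True, MAJOR_DAYS: 120}

if __name__ == "__main__":
    print(audit_profile(build_profile([THREAD_PAYLOAD])))
    print(audit_profile(build_profile([THREAD_PAYLOAD, DEFERRAL_PAYLOAD])))
```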