Hi @jleomcdo, jamf runSoftwareUpdate -fromApple is simply using the jamf binary to facilitate the macOS built-in softwareupdate command with whatever options you specify (for example: -fromApple). So, your policy that is running that command to have your clients check Apple for software updates is doing just that, not version upgrades. The upgrade process, as run from a client manually, is handled through the App Store and then the .app upgrader being run.
If you're concerned about crafty users trying to bypass your Restricted Software entry by running the installer from Terminal via the startosinstall command, which is inside the macOS installer app, then I suppose you could add a Restricted Software entry for startosinstall as well, but that would affect your potential use of that command for a policy-based upgrade.
Thank you for the clarification on the jamf command. This is what I wasn't sure about, how that actually worked. So if I'm understanding you correctly, when you use command line "jamf runSoftwareUpdate" or the Softwareupdate command, it's only checking for and installing "updates" NOT any new OS upgrades. Is that right?
Yeah, that's it. It's not much different than you opening up System Preferences > Software Update and installing any updates that show up there. It will never install a full operating system upgrade from there. Only updates to specific software titles, security patches and incremental OS updates (like 10.14.2 > 10.14.4).