I would take a look at this project:

grahampugh/erase-install: A script that automates downloading macOS installers, and optionally erasing or upgrading macOS in a single process. (github.com)

It would allow you set a specific version of the O/S you want your user to update to and download the specific version. Even if you are deferring updates via Software Deferrals. 

(P.S. Don't forget you have approximately one month to be ready for Ventura. Once the 90 day mark has passed for 13.2, you won't be able to block users on at least 13.2 from downloading and installing the delta update.)

You can still try to block with "restricted software" and block "Install macOS Ventura.app"... better than nothing.

We’re in the same boat. The restricted software no longer works, but we’ve sent out a communication to Mac users about not updating to Ventura. The erase-install works well, but it does download the full installer. It has a bunch of different options you can set. It does always work for us, but we use the package and set the options in files and processes.

If you are installing the OS updates from install macOS Monterey.app probably wont install the Safari update which you will also need. 

You are in a really bad place though. There is literally no way to stop anyone form updating to Ventura at this point. For macOS 14, I recommend getting in Apples Beta Seed as soon as macOS 14 is available and start testing day 1. In the past it took us 3-6 months to be ready for the new OS, for macOS 13 we were ready within 15 days, all security tools and everything ready.

That wont work. MacOS 12.3+ installs macOS 13 as a delta. There is no install macOS Ventura.app to block.

For macOS 11 and older releases of MacOS 12 it will work. However you will need to update past macOS 12.3 to patch this 0-day which will stop blocking the install app from working. Never mind the 0-day from august and the one from July that are not patched in 12.3.

Thanks for this! I'll definitely be looking into it. 

My immediate questions, which you may be able to expedite my research on, are:

• Can a user run erase-install without admin? 
• Will this fully wipe the computers so we'll need to backup/restore their data to finalize the upgrade?
• Will this allow me to install 12.5.1 (for a testing machine) which does not appear to still be available from Apple? 

• Can a user run erase-install without admin? On Intel, yes if its run from JAMF the bootstrap token will handle things. On Apple Silicon, no as you need a Secure Token which cannot be passed via CLI.
• Will this fully wipe the computers so we'll need to backup/restore their data to finalize the upgrade? It depends on how you configure it to work.
• Will this allow me to install 12.5.1 (for a testing machine) which does not appear to still be available from Apple? Use the --fetch-full-installer argument to the softwareupdate command.

In terms of whether you can install 12.5.1 on a device, unless you already happen to have an InstallAssistant.pkg for that version or a full "Install macOS Monterey.app" that installs 12.5.1, then the answer is no.

You can use softwareupdate --list-full-installers to see which versions Apple still hosts. 12.5.1 is no longer one of them.

A whole bunch of old Big Sur installers show up, but only a few Monterey ones as you can see. Don't ask me why, though I'm sure there's some security related reason.

Yeah, I realized this today as I was researching. It also doesn't seem like the installer for 12.5.1 I have (from a machine that had previously downloaded, but never installed) is working. When I run it, it just goes unresponsive. 

My guess is they removed the Monterey versions that auto update to Ventura for that reason or there's a massive security patch in 12.6.1. But it's equally likely I'm giving Apple way too much credit.

Thankfully, I've found a few computers in our inventory with 12.6.0 that I can use as test cases for an erase-install policy solution!