
We were just made aware of this, and Jamf and Apple have confirmed. The Ventura release on Monday will be considered a minor update for anything 12.3 and higher, so major OS deferrals will not apply. Apple's recommendation is to defer all minor updates as well as major until you can get your clients to 12.6.1 (not released yet, maybe also on the 24th?). Jamf confirmed to us that you should have all your clients at 12.6.1 by Wednesday, November 23, 2022 if you wish to defer Ventura past that date.

 

Just passing on info. Hopefully this helps someone avoid a rough Monday.

Edit: Adding direct quote from our Jamf rep that explains better than I did:

Ventura major deferral bug, in a nutshell

On macOS 12.2 or earlier? - You're all good. Not affected.

On macOS 12.3 or later?

There's a bug. It's fixed in 12.6.1 and Apple has made a change so even 12.3+ will be fine for 30 days - make sure to get 12.6.1 installed

If you don't get 12.6.1 installed, Ventura updates published after 30 days might appear on Macs running 12.3 - 12.6 - even when major deferred

If you're past 30 days but not on 12.6.1, you can mitigate seeing Ventura by deferring both major and minor (but you should focus on getting to 12.6.1)

Do you have Restricted Software in place? They could download the full installer on a personal Mac and drag the 12 GB full installer over?


That would be more of a DLP concern instead of a MDM concern. If someone went that far to try to get around our policies, I would have their device wiped, reprovisioned and turn them in to HR. 

 

Though, the average Joe would not know how to move the installer like that. You cannot simply move an .app from one computer to the next. To go one step further, macOS installers are cryptographically signed. So the way you move most apps won't work for macOS installers.


Is there any way to block Ventura from showing in software update but allow 12.6.1 since they're both minor updates?


So I'm fairly new to Jamf and haven't used any MDM in nearly three years. I want to update all of our computers running Monterey to 12.6.1 but it sounds like it's going to be a challenge...

  • The Mass Action command won't work on everything because only a fraction of the computers were enrolled via DEP and went through PreStage. (They're all supervised, but the way it reads sounds like that isn't sufficient.)
  • Doing it via policy doesn't allow you to specify the version to install. Plus some of the devices have Apple silicon. (Most, but not all, of the M1 computers were enrolled via DEP.)

Is my only real option for this to make a package of the full installer with a post-install script and distribute it via Patch Management? Would the erase-install or S.U.P.E.R.M.A.N. be better options? Any suggestions are appreciated.




You probably really want to get your Apple and JAMF success managers on the phone. You have a lot to hash over. The long term solution, is yes to reprovision your entire fleet and enroll the devices "correctly" for the level of management you want.

 

  • For Intel Macs you can run sudo softwareupdate -aiR and it will grab 12.6.1, not macOS 13. I am not sure what it will do after 11.24 though, but you have 3.5 weeks before that is a concern. 
  • Deploying the full OS installer is possible, you need to use a DMG to do it. Keep in mind on Apple Silicon it still needs user interaction to use the OS installer to run updates.
  • Just like with Nag, superman is really just a tool to get the users to update themselves. If they see macOS 13, it is up to user education to teach them to not click it until they are on 12.6.1.

 

My friend, it unfortunately sounds like you are in the nightmare situation. 




And who doesn't love a good nightmare?

Unfortunately, none of the computers were enrolled in DEP/ADE when purchased before I started here. We switched to Jamf about 2-3 months ago; prior to that, everything was in AirWatch or SimpleMDM. Even if all of the computers were in Apple Business Manager, they wouldn't have gone through PreStage in Jamf since they were moved from another MDM (unless I'm missing something here).

I don't necessarily have a problem with requiring a bit of user interaction to do this. I'll set up a test policy to give that Intel command a shot.




This is how I managed to hide Ventura and only offer 12.6.1, but as always, please test this yourself. 

 

MajorProduct: 012-92138>(Title:macOS Ventura Version:13.0, Identifier:com.apple.InstallAssistant.macOSVentura, IconSize:0, Deferred:1, Deferred Until:2023-01-22

 



 


Where might one enter this code?




It’s a configuration profile, and is under the Restrictions Payload > Functionality tab.

 

At a guess the “code” he is referring to is coming from the install.log and is the response when OS updates are doing their thing.




Got it. I figured that was the case but worth checking.

Yeah, I've seen that bit in the Console logs. I didn't realize he was just using it to confirm it was working.

Thanks.



 


Just for anyone else who might see this: it does not work on the system I tested. It does see it as a major update, but that there's no deferral. Interesting that it works for you.




Apple is very specific in how they are delivering this "exemption". If your devices are not supervised they will not receive the MDM deferral. Whether or not a device is Supervised is down to how it was enrolled. This is where I suggest focusing your attention.

 

Be sure to submit feedback to Apple with your experiences and findings. If you have ACE, open a case with Apple. If you don't have ACE, email your Apple rep to see if there is any dialog they can start for you.

 

Manage upgrading to macOS Ventura in your organization - Apple Support

Intro to Apple device enrollment types - Apple Support




Jamf Pro shows all but four of our computers are supervised, all of which are running Catalina, so it doesn't seem like that's the issue here. (Yes, updating those is definitely on the list but it hasn't been a priority.)




Others are saying the same on another post too. I'm not sure why that seems to work for me and not anyone else. There is definitely some weird behaviour going on with Ventura. It's still being advertised to some that have updated to 12.6.1 and excluded major updates even though Apple have stated that they have automatically deferred it for supervised computers. Sorry that I can't help further. Also, I run a script to check for updates daily and the output you see above is returned after running...

 

softwareupdate -l

 

 


I have Macs on 12.6.1 that are still showing Ventura in Software Update, sometimes it is deferred properly and after a reboot Ventura appears again. With the defer config, the user is no longer prompted or alerted about Ventura, so that's good at least; they have to manually go looking for it.

 

My organization is testing Ventura now and will deploy soon.






I ended up setting up a relatively nice flow using erase-install. Haven't decided whether to push it via Self Service and send an e-mail to the users who need to do it, or to push the policy with a notification and option to defer. Either way, it's pretty clean and I'm satisfied with it.


Well, we're closed for Christmas (University) but I thought I'd just have a glance at the ol' JAMF dashboard like a good sysadmin on holiday does to check if anything looked like it was broken.

I wondered why my MacOS patch report widget was showing hundreds of up to date computers when we haven't rolled out Ventura yet...

Oh dear, it looks as though my Sunday software update picked up 13.1 as a normal update so has merrily OS updated all the online kit when there wasn't anybody there :/

Finding available software
Software Update found the following new or updated software:
* Label: Safari16.2MontereyAuto-16.2
    Title: Safari, Version: 16.2, Size: 130909KiB, Recommended: YES,
* Label: macOS Ventura 13.1-22C65
    Title: macOS Ventura 13.1, Version: 13.1, Size: 3878233K, Recommended: YES, Action: restart,

We currently do the actual updates using the MDM command ScheduleOSUpdate/action/install (since everything else broke) and I wasn't aware of this issue so hadn't disabled any of that.

An affected machine was on 12.6.2 so above when this was apparently 'fixed'

 

25/12/2022 at 12:21  macOS 13.1  10/100/1000  Apple  iMac19,2  300016163840245.11 GB0
24/12/2022 at 12:04  macOS 12.6.2  10/100/1000  Apple  iMac19,2  3000
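
Added example (not part of any post in this thread): a shell check that applies the Jamf rep's version summary to a Mac and lists any macOS upgrade that `softwareupdate -l` offers as an ordinary update. The function names are hypothetical, the sample output is reconstructed from the listing quoted in the last post, and treating Monterey builds after 12.6.1 as fixed is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): classify a Mac against the deferral bug
# and list any macOS upgrade that Software Update offers as a normal update.

# Status per the Jamf rep's summary: <=12.2 not affected, 12.3-12.6 affected,
# fixed in 12.6.1 (later Monterey builds are assumed to keep the fix).
deferral_bug_status() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -lt 12 ]; then echo "not-affected"
    elif [ "$major" -gt 12 ]; then echo "already-upgraded"
    elif [ "$minor" -le 2 ]; then echo "not-affected"
    elif [ "$minor" -lt 6 ] || { [ "$minor" -eq 6 ] && [ "$patch" -lt 1 ]; }; then
        echo "affected"
    else echo "fixed"
    fi
}

# Reads `softwareupdate -l` output on stdin; prints the title of every macOS
# update whose major version is above the running one ($1).
# Only "macOS ..." titles count: Safari 16.2 also has a major number above 12.
offered_major_upgrades() {
    awk -v cur="$1" '/Title:/ {
        title = $0; sub(/.*Title: /, "", title); sub(/, Version:.*/, "", title)
        ver = $0;   sub(/.*Version: /, "", ver);  sub(/,.*/, "", ver)
        split(ver, part, ".")
        if (title ~ /^macOS/ && part[1] + 0 > cur + 0) print title
    }'
}

# Hypothetical wrapper for a daily check or extension attribute on a real Mac.
check_this_mac() {
    v=$(sw_vers -productVersion)
    echo "$v: $(deferral_bug_status "$v")"
    softwareupdate -l 2>/dev/null | offered_major_upgrades "${v%%.*}"
}

# Constructed sample: the output quoted in the thread, one field group per line.
SAMPLE='Software Update found the following new or updated software:
* Label: Safari16.2MontereyAuto-16.2
    Title: Safari, Version: 16.2, Size: 130909KiB, Recommended: YES,
* Label: macOS Ventura 13.1-22C65
    Title: macOS Ventura 13.1, Version: 13.1, Size: 3878233K, Recommended: YES, Action: restart,'

# The 12.6.2 iMac from the last post: patched, yet Ventura is still on offer.
echo "12.6.2: $(deferral_bug_status 12.6.2)"
printf '%s\n' "$SAMPLE" | offered_major_upgrades 12
```

On a managed Mac, call `check_this_mac` from a daily policy or extension attribute; a "fixed" status together with a listed upgrade is the combination the last post reports.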