Hi everyone, I am hoping someone might be able to help me out with an issue I just started running into. Also wondering if anyone else is having this problem.
We have been using the built in "Software Updates" policy in Jamf for years now, and it has been working great for installing macOS updates for our end users. However, the last couple of months, something has changed where the policy no longer only installs security updates and feature updates for the current OS, but will force the device to upgrade to the latest macOS without any warning or prompts. This is problematic for us, as some of our users have software that has not been made compatible with macOS Ventura yet. The only way to downgrade from Ventura is to wipe the computer, so that becomes extremely time consuming and annoying for our users.
Is this a bug with the Software Updates policy or is this now the intended design? If it is the latter, does anyone have a better way to run updates for the current OS the user is on, instead of automatically installing ALL updates available (avoiding the macOS upgrade).
Any help is appreciated!
Solved! Go to Solution.
I had a computer that was already on 12.6.3 and it still automatically upgraded to macOS 13 Ventura as part of the software update. However, I did not have deferral turned on via a configuration profile. If I had turned that on, am I correct in assuming that it still would have only deferred the macOS 13 update for up to 90 days and that after that 90 days, it would then force the macOS 13 Ventura upgrade as part of the software update? If the latter is true, is there a way for Jamf to update the configuration profile so that the maximum deferral period for major upgrades is "indefinite" or over "1 year"? I know Apple wants and is kind of forcing people to upgrade to the latest macOS, but like the original poster said, we need to be careful about upgrades as some important software isn't yet always compatible with the latest and greatest.
Since updating to 12.6.3 our devices no longer show up as having Apple Software Updates available in Jamf, so the auto update to Ventura is resolved. I also have a software restriction in place for macOS Ventura, so that may be the other part of the solution. The restriction was being bypassed in previous versions of Monterey but seems to be working again in 12.6.3. You can check to see if your devices are still picking up updates in 12.6.3 by creating a smart computer group with the following settings:
Criteria: Number of available updates
Operator: more than
Hope this helps!
I still don't think this issue is resolved. MDM deferral doesn't work past 90 days. After the 90 days have expired, the computers with 12.6.3 DO show the Ventura update again. Is this by Apple's design? I was hoping that we would have more control over major upgrades. Forcing upgrades via breaking of software compatibility and enforcement is not good business practice.
We don't use the deferral feature in our environment, so I'm not sure about this one. The computers will still show Ventura as an available update in System Preferences, but Jamf does not show it as an available update when you update using the built-in policy. To prevent users from installing Ventura via System Preferences, I just use a software restriction. They can still click the download button but the install won't go through.
So what is perplexing to me in this is that everything I read, to be able to do any sort of OS update silently on an M1 Mac, someone has to sit there and provide user credentials for it to run. Several of our M1 Monterey Machines just updated of their own accord, but Apple is saying it's not possible to silently install updates with the exception of MDM commands (which is terribly unreliable).
WTF am I missing here. Apple is just locking us out of the ability to force silent updates for... reasons?
We don't have a lot of M1 devices in our environment, mostly still running Intel, so I haven't had this specific issue. Are you using the Software Updates policy that is baked in to Jamf, or the Download Updates command in the device management page?
We used a software policy to execute sudo /usr/sbin/softwareupdate --install -recommended --restart; not MDM. Every machine that can take Ventura was upgraded but the policy log said 'no updates available' on every machine that got Ventura.