New admin looking for some advice. What is your typical stance on major upgrades such as Ventura? Do you guys have a normal workflow that blocks these updates for a certain amount of time or do you run with it on day 1? I am curious to see how other admins handle these updates.
@auser For any Mac running macOS Monterey 12.3 or higher the macOS Ventura upgrade won't require downloading a full installer, and instead will use a much smaller "delta" updater similar to how the "minor" .1 -> .2 updates are installed. Currently the only way to block the "delta" update mechanism is to deploy a Configuration Profile to defer Minor OS updates (Apple has acknowledged this should be a deferral for a Major OS update but as of macOS 12.6 the logic in softwreupdate treats it as a Minor update)
Always defer, especially if you do not actively test the beta seed. Even if your device management is ready for Ventura day 1, odds are your security tools wont be. In my experience it usually takes about 3 months for most vendors to be ready for the new OS, and another 3-6 months for your internal application owners to be ready. I cut the new OS lose after 90 days and don't play the horse and pony show of internal departments prioritize down supporting the new OS.
In years past you can use a software restriction targeting the installer (install macOS Ventura.app) and kill it whenever it is run. Rumor mill is this wont work for Ventura, but I have not found proof of that yet. In the very least I recommend setting up OS update Deferrals in the restrictions payload of a configuration profile.
Confirmed Restricted Software still works to block Ventura. I did a software update from a Monterey tester. We have both Restricted Software and Configuration Profile Deferrals setup, for 90 days.
Since macOS 13 and 12.6.1 are released now I am figuring the NDA is over so it should be safe to say this. If not, mods remove away.
MacOS 13 will absolutely install to macOS 12.3-12.6 as a minor update. Apple has put a server side patch in place differing macOS 13 for 30 days to MDM enrolled devices. If you do not update to 12.6.1 before 11.24.22 users can upgrade to macOS 13 even if its restricted under major OS update deferrals. Happy Thanksgiving I suppose.
You are not doing the wrong thing. Apple screwed up, and did not tell anyone. Once you get up to 12.6.1 things will work as you expect. However you must do it by Thanksgiving or users can upgrade to Ventura on their own.
Hi, struggling here as well with this.
Anyway, the info published by Apple here is not precise in the least: https://support.apple.com/en-lamr/HT213471
Continue to use the major update delay setting to prevent Mac computers in your organization from offering macOS Ventura for up to 90 days." - tested several times and it's not working (edited)
Use both the major and minor update delay settings to prevent Mac computers in your organization from offering macOS Ventura for up to 90 days. If you currently have a longer delay period for major update than minor updates, increase your minor update delay to match the desired major delay period." - That's the first thing we tried and it's not working
Additionally, when my profiles actually take effect, they lose it after a restart for example.
Currently they don't seem to take effect not even temporarily....
Apple is blocking macOS 13 on MDM devices via the software update work flow until 11.24.22 (thanksgiving day for those in the US). MacOS 12.6.1 is not blocked in the same manner. This is Apples idea of a work around. If you dont update to 12.6.1 BEFORE 11.24.22 users can update to macOS 13 on their own and the only way to stop it is to block ALL updates.
How is apple blocking macOS 13 on MDM devices and it appears on our devices anyway?
We are delaying major updates (60 days) on all devices and it appears as available?
Either on Big Sur (11.6.8), Monterey or even specifically on 12.6.1.
Apple has put some workflow on their OS distribution servers that will not broadcast macOS 13 to MDM enabled devices. If I am not mistaken the devices must have been enrolled with DEP for this to work, but dont hold me to that. I know there is something specific it is looking for. May want to open a ticket with JAMF or Apple to confirm the details.
According to Apple, the bug covers macOS 12.3-12.6 I would assume 11.6.8 should be fine, but I would absolutely test that to make sure. We are off of Big Sur and have been since 2nd quarter.
macOS Monterey 12.3 through 12.6:
Use both the major and minor update delay settings to prevent Mac computers in your organization from offering macOS Ventura for up to 90 days. If you currently have a longer delay period for major update than minor updates, increase your minor update delay to match the desired major delay period.
I found our issue, we had a Restrictions payload included on a very old profile.
After removing that payload it was solved and we are now able to defer Major Updates as we like.
Note that the old Restrictions payload had no Update deferral option configured, but it seems it is enough to cause conflicts with other Restrictions config (even custom ones in my case).
I think it depends on what macOS version you'r on. If 12.3 or newer, I don't think so as Ventura shows as minor update from my understanding. 12.0-2, you could allow minor and block major to have those updated to 12.6.1. We have taken the stance of denying minor and major updates for the 90 days out of caution really.
So in my instance I have the restriction in place as well as the deferral. Somehow a user on 12.6 was able to upgrade yesterday to Ventura. Said he was notified that the update was available. I dont know if thats the case but the fact that he was able to upgrade concerns me and has me scratching my head. Any thoughts?
Yeah, it was still offered to our Macs too even though they are supervised. After some trial and error, this is how I managed to hide Ventura and only offer 12.6.1.
MajorProduct: 012-92138>(Title:macOS Ventura Version:13.0, Identifier:com.apple.InstallAssistant.macOSVentura, IconSize:0, Deferred:1, Deferred Until:2023-01-22
If apple is to be trusted with anything they have said, which I usually don't assume to be the case myself. The device either was not on 12.6.1. Or its not managed correctly and apples update servers did not see it as a MDM managed device.
Just as a precaution in my environment, I have blocked the softwareupdate preference pane. Just incase someone does get the notification, its a bit harder for them to actually install Ventura.
Others are saying the same on another post too. I'm not sure why that seems to work for me and not anyone else. There is definitely some weird behaviour going on with Ventura. It's still being advertised to some that have updated to 12.6.1 and excluded major updates even though Apple have stated that they have automatically deferred it for supervised computers. Sorry that I can't help further.
Here is how our Admin set up our deferments. We have 220 devices, but it only installed on 175, so not all devices have it blocked. When you check the logs, they say cancelled. For one of them that said cancelled, I removed their device and added it back and it switched to complete, but he still sees the Ventura notification.
@R_C Be very sure that you do not have multiple Configuration Profiles that include different update deferral settings. If you do the results will be "undefined".
Here's a post from @RobertHammen on the MacAdmins Slack channel (hopefully the same RobertHammen on Jamf Nation) that should help determine that:
For those seeing inconsistent results with your Deferral profiles... here's a way to check if the key is being set more than once, with conflicting values. This will happen if you utilize a Jamf Restrictions profile, and create a separate OS deferral profile.Run the following command, and search for the key: forceDelayedMajorSoftwareUpdates (or forceDelayedSoftwareUpdates if you're looking to restrict minor updates) - if it's set in more than one profile, that's your issue.sudo profiles show -output stdout-xml
Nope, just 1 profile scoped to a machine at any given time, and all of them block major os updates by 90days. (Although I wish apple made it so that I could block the **bleep** thing forever until I am ready to let them upgrade. Not the users machine, not the users call.)
This is the problem with the Restrictions payload that has 50 different options that could be different across configurations throughout a company. You should be able to select which specific restriction you want to enable without having to have to duplicate settings to account for everything. So for example, you want to defer major OS updates, but you have profiles for some people to use external media and others not to. Now you could have 4 profiles, 2 without any deferral options but the different USB drive access, and 2 more with deferral options and different USB drive access. This is also an issue in Configurator.
Got a couple that slipped through the cracks as well. I have a 90-day deferral and Ventura Restriction in place. 12.6.2. Notified users not to upgrade, but not everyone reads emails.
13.1 is appearing as a Software Update (Delta?).
I'm late to the party, but am seeing similar behavior. Restricting Ventura, Have Major Software Updates deferred for 90 days. macOS 12.6.2 clients upgrading to Ventura through Software Update. This is extremely frustrating as we haven't even begun testing Ventura yet. I also have a ton of machines on 12.1 - 12.6.1 that are showing on Qualys Vulnerability reports that I need to upgrade(another frustrating topic altogether). Has anyone found a method to completely block Ventura while still allowing minor updates?
Unfortunately my friend, you are out of options. MacOS 13 has been out for 90 days, there is no way to differ any any longer. Apple was very clear in this, I am sorry to hear you have not even started testing Ventura yet. Thankfully I have found the update to not be very bad.
Just for my own understanding: Apple is essentially forcing a major upgrade after 90 days deferral. Is that a fair statement? Essentially there is no way for a mac admin to prevent a major OS update now, like we used to be able to. This is baffling to me if true. I understand there are early adopters, but 90 days IMO is not enough time for certain organizations with older and even newer(security toolsets) to test and validate no issues prior to turning it loose on their end users.
Apple is not forcing the update, they are simply preventing us from blocking it. Its on to users as to what they do at this point.
Generally speaking 3 months is 25% the way though the life cycle of any macOS release. Considering Apple only patches all security findings in the current release of macOS, it should be all of our goals to get to current as soon as possible. The biggest sin I find in this is apples insistence in releasing the new OS going in to 4th quarter with many people out on holiday during the testing period. I feel Apple does release new versions of macOS too frequently. They should release new OSs every other year like it used to be in the past rather than a new OS for the sake of releasing a new OS every year.
As for 3rd party vendors, we have had the same issue. We got rid of the vendors that took their sweet time to validate macOS. Its an investment thing, not all vendors are really invested in macOS as a platform. Personally I think Apple should be working harder to encourage participation, and Apples AppleSeed Program is total crap but it what we must deal with to use Apple Products.
I am sure we would both agree on how horribly Apple is handling all of this. My main point is Apple has been very obvious about this shift. We had access to Ventura in June. We had from June to October for testing along with all of our security vendors. People who did not test in that time ignored the writing on the wall. I cannot stress enough, submit feedback.
As far as older organizations. I work in a very old company in the finance sector that is very much stuck in its ways. There are 7 security clients on our devices, as well as a full testing and validation parity to our windows environment which is 99% of our devices. We had Ventura fully validated by Mid November less one security tool. That Security tool is now in the process of being replaced. I simply explained what was going on with our security partners in October, and made plans. Some stuff needed to be updated, we had to deploy some nonLTS releases but we got it done. At this point we are about 25% Ventura, but there are no concerns about any user updating.