Incase anyone else is looking to do the same I put a restriction into place today that will block "All Managed" computers from allowing "macOS Monterey 12.x" from running. You just need to restriction "Install macOS Monterey.app" This is the restriction I have in place.
If they select to upgrade they will get the following message popup.
The only potential work around for someone to bypass this is if they have admin rights to change the name of the application.
I am using the following 3 methods...
On macOS Catalina or earlier - "software update --ignore" command.
On macOS Big Sur - "com.apple.applicationaccess" preference keys to delay major OS updates for 90 days: set "forceDelayedMajorSoftwareUpdates" to true, set "enforcedSoftwareUpdateMajorOSDeferredInstallDelay" to 90.
On all versions of macOS - create a Restricted Software entry in Jamf for "InstallAssistant". This prevents any user from running the Install macOS xxx application. However you can still call the startOSinstall command via Terminal.
I have this configured just like the OP screen shot - yet on my Mac, I can launch "Install macOS Monterey.app" with no problem. I can see the process running in Activity monitor matches the name in the Restriction in JAMF. I have done a recon and made sure the machine is in scope. I also see that it lists the Monterey Block restriction as being applied to my Mac - yet it still launches the installer and I can get through to the point of selecting the drive and about to start the install - which is where I quit out of it since I don't want to install it just yet.
What am I missing?
You will also need to restrict the Install Assistant. You can choose which options you want to have, but you will want to make sure you select the Kill process option.
You can also defer the update for a max of 90 days by creating a config policy, and restricting functionality by deferring major upgrades. If you do this way, the upgrade won't even show up in Software Updates until Day 91.
Thank you. The restricted software method is now working. I had followed the example in the training module and they included the app name in quotes, once the quotes were removed it was restricted.
I have the defer for 90 days set already for major os updates but I also wanted to make sure they app wouldn't run if someone got their hands on the installer.
If InstallAssistant is also being restricted will it also restrict units from updating to a different version, ie. Catalina - BigSur?
From my experience recently, yes it will block any version. I had a few machines still on Catalina that i was going to upgrade to Big Sur and couldn't figure it out until i realized i had the InstallAssistant applied. So once i excluded the computers, the upgrade worked from Catalina to Big Sur.