Jamf Nation Community

its not the same naming convention. its "install macOS 14.app" for Sonoma.

Do i leave the others checked and just uncheck the beta one?

Do you? That's up to you and your team (or teams depending on who all needs to weigh in to provide an answer). I'm going to say yes, you do. Gone are the days of slow-rolling software updates to see if they break things or leaving things mostly in the hands of the End-User to perform. In today's day and age where Macs are as much a target as any other platform, yes, stay current. Do as much of it as you can via automation.

As far as I am aware there is not an install macOS Sonoma Beta.app. Your restriction on install macOS Sonoma.app should work fine, however I strongly suggest testing this yourself. Keep in mind blocking install macOS Sonoma.app wont do anything on Macs running greater then 12.3.1 as they will never download the app to upgrade.

sorry can you elaborate on that. What do you mean by they will never download the app to upgrade?

I mentioned this in another comment on this thread. Apple changed how macOS Major upgrades are installed with macOS 12.3.1. The install macOS XYZ.app is no longer downloaded. Instead the update comes down as a delta, and there is no way to block it aside of a configuration profile. 

 

I did mistype and put 11.3.1, it was 12.3.1.

 

You can search discussions for blocking Ventura, its the same. 

• Macs running macOS 11.3.1 or newer will not download install macOS Sonoma.app. So, blocking that installer really does not do anything other stopping people who download the app manually, still a good idea to block but wont help much.
• MacOS 11.3.1 and newer will download Major Software updates as a delta, the ONLY way to block this is with a OS update deferral configuration profile. You cannot defer longer then 90 days.

Deferring Availability of macOS Software Upgrades and Updates with a Configuration Profile - Technic...

---

 

so if all macs are on ventura they will not be able to download the sonoma beta? 

No, @AJPinto is just saying it doesn't download a complete installer, just an update containing the necessary files to upgrade to macOS 14.

You don't really need a software restriction to block OS betas anyway, it's a simple checkbox available in a configuration profile:

 

hmmm okay thank you for the info let me ask you is it possible to block the sonoma 14 beta? in the restricted software sections or is it different this year where you are unable to at all?

I am only asking because i asked a lot of people and i am getting mixed answers people are telling me yes where others are telling me no and to create a config profile 

I'm honestly not sure, but my guess is yes since it is possible to download a full installer. This thread seems to support that: https://community.jamf.com/t5/jamf-pro/blocking-sonoma-developer-beta/m-p/292714

even with restricting install assistant did not work for me, does it work on your end? 

Restricting the Install Assistant did not work on a Test Mac in our Jamf environment either. It would appear the only way to block the install of macOS Sonoma is to use a Configuration Profile to Defer major software updates:

Under Restrictions > Functionality.

As this can only be set for a maximum of 90 days I am looking for a way to extend beyond this time period for further testing. If there is a possible way to do this or put a feature request into Jamf for that would be what we require.

It is not possible, there is no point in submitting a feature request to JAMF as this is Apples intended design. You could submit feedback to Apple, but don't expect them to change anything. All you can do is communicate to users, and hope no one goes rouge. 

 

If you need Apples documentation, its linked below.

Test and defer software updates for Apple devices - Apple Support

Restrictions | Apple Developer Documentation

It's not really "new" as mentioned above this was changed early on in Monterey, around 12.3 and has been like that since then. The only way to defer Major Software updates is via a config profile and the maximum length is 90 days.

This. Plus, Restricted Software should still prevent the user from using a full installer they download themselves.

Can the configuration profile be re-applied, thus getting around the 90 day maximum deferral?

It’s 90 days from the date of the public release of the software update/upgrade. Not 90 days from the date the configuration profile was installed. This is the same deal as with macOS 13 Ventura last year, nothing has changed with how macOS differs updates in the last year.

So there's effectively no way to prevent a user from self-initiating an upgrade to a new version of macOS after 90 days of a new release, is there?  That's the problem though, when macOS announces a new version, we have 90 days to test and validate our security settings otherwise we risk being non-compliant with our own cybersecurity polices.

I think there is still an Admin Access check for OS upgrades (12>13).

 

With the release of macOS 12.3 OS upgrades (12>13) are processed as deltas like OS updates (13.1>13.2). Apple stance for OS updates has been a 90 day deferral for 4-5 years now. For the past 1.5 years OS upgrades fall under the same process. This is nothing new at this point.

 

As far as security policies go. It should be safe to assume, if you are not running the most current release of Apple software you are non-compliant. 

https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a/web

Note: Because of dependency on architecture and system changes to any current version of Apple operating systems (for example, macOS 13, iOS 16, and so on), not all known security issues are addressed in previous versions (for example, macOS 12, iOS 15, and so on).

 

This is a pain in the a** for us. We've resulted in just sending email comms to Mac users. I can guarantee 9/10 of those users ignore those comms. Fortunately the design team are notorious for never restarting their devices so they will probably ignore the update prompt.

I'd be surprised if Apple listen to us. We only have 40 endpoints.