I have deployed a Config Profile with the following code to block Software Update from seeing the major OS releases (Sonoma) for 90 days, using com.apple.applicationaccess as the domain:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key>
    <integer>90</integer>
    <key>forceDelayedMajorSoftwareUpdates</key>
    <true/>
</dict>
</plist>
Sonoma was released by Apple 25 minutes ago and already I see Macs that are displaying Sonoma as an available update!
I have verified that the Config Profile has been installed on these Macs for many weeks. Every single time there's a new Major OS release, it's like trying to hit a moving target. How on earth are we supposed to block Major OS releases?
If the softwareupdate binary is reporting it as available, then the config profile is wrong or not deployed? I use the full legacy restrictions profile (yes I know) but.. it works.. just tested.. (for my own sanity.. considering recent events) 😎
Software Update is under System Settings > General > Software Update as of Ventura. You can't block anything under General. The descriptions on the Preference Pane Configuration Profiles have not been updated by Jamf; many of those payloads only apply to Monterey and below.
@AVmcclint Make sure you don't have another Configuration Profile that sets the delay key. If you have more than one such profile, Apple says the result is ¯\_(ツ)_/¯
Also note that if you do set a deferral that only means the user can't initiate the update. If you send an MDM command to update to latest available version you will now get macOS Sonoma 14 on hardware that supports it.
Have you tried to install the OS update and see what the install.log reports? If the deferral is working correctly, you will see comments saying the OS updates are deferred until XYZ date if the device tries to initiate an update. I'd also check for duplicate configuration profiles trying to manage OS updates, as that makes things a mess.
Starting to see this as well, the config profile was deployed to an M2 prior to release for deferring the major OS update for 90 days..
They still were able to update to Sonoma from System Settings without admin rights.
Previous OS: 13.5.2
Account Type: Standard
This is for multiple users, however, it's not consistent. I see the block on my Mac(M1) and test Mac(Intel)..
So it's something weird going on, that I'm just now having to look into
It's this kind of stuff that makes me want to pull my hair out. We are restricting the `Install macOS Sonoma.app` and are deferring major updates; so far no one has updated, but if standard users are able to via softwareupdate prior to the 90-day major restriction we have in place then....what in the world, Apple?
I completely agree. This kind of nonsense makes me hate Apple sometimes. I just don't know what in the world is going on over there some days. This should not only be something very standard, but simple, easy. Instead, trying to block a new OS on company owned and managed hardware becomes a freaking nightmare with them.
I sometimes believe Apple intentionally keeps it semi broken or very hard to get working, just so machines get upgraded to their latest OS, and then Tim Cook can tout upgrade numbers for their OS release at the next big event. Apple drives me crazy with this.
So after doing some testing/research.. It seems that the deferral for Major Updates does not prevent the Sonoma upgrade from being seen, if there is a Minor Update for the current OS.
Once you apply the latest minor updates, the config profile for the Major Update is now working in regards to preventing OS Sonoma as an available upgrade option.
I'm not sure if this is a Jamf issue or an Apple bug.. However, these are my findings from testing, and I'm sure we can replicate it. At this point, we would have to set the deferral for both minor/major versions for devices that are not on the latest of their current OS.
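The two checks raised in this thread (more than one profile setting the deferral keys, and a major-only deferral with no minor deferral alongside it) can be scripted against the .mobileconfig files before they are scoped. The script below is an added example, not code from the thread or from Jamf or Apple; it parses standard mobileconfig plists with plistlib, reports every com.apple.applicationaccess payload that sets a deferral key, flags keys set by more than one profile (the case Apple leaves undefined), flags a major-only deferral, and computes when a major deferral lapses. The sample profiles and the 2023-09-26 release date are constructed for the example; the minor-OS deferral key names are Apple's documented Restrictions keys but are not quoted on this page.

```python
"""Audit .mobileconfig files for conflicting or incomplete macOS update deferrals.

Added example (not from the thread). Input: one or more mobileconfig plists.
Output: which profiles set which deferral keys, keys set by more than one
profile, and whether only the major deferral is in place.
"""
import plistlib
from datetime import date, timedelta

# Deferral keys carried by the com.apple.applicationaccess (Restrictions) payload.
MAJOR_FLAG = "forceDelayedMajorSoftwareUpdates"                  # on the page
MAJOR_DAYS = "enforcedSoftwareUpdateMajorOSDeferredInstallDelay"  # on the page
MINOR_FLAG = "forceDelayedSoftwareUpdates"                        # Apple's minor-OS key (assumed)
MINOR_DAYS = "enforcedSoftwareUpdateMinorOSDeferredInstallDelay"  # Apple's minor-OS key (assumed)
DEFERRAL_KEYS = (MAJOR_FLAG, MAJOR_DAYS, MINOR_FLAG, MINOR_DAYS)


def deferral_settings(profile_xml: bytes) -> dict:
    """Return {key: value} for deferral keys set by any Restrictions payload in one profile."""
    profile = plistlib.loads(profile_xml)
    found = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue  # other payload types (e.g. Software Update) carry no deferral keys
        for key in DEFERRAL_KEYS:
            if key in payload:
                found[key] = payload[key]
    return found


def audit(profiles: dict) -> dict:
    """profiles: {profile_name: mobileconfig bytes}. Returns the audit findings."""
    per_profile = {name: deferral_settings(xml) for name, xml in profiles.items()}
    setters = {}
    for name, keys in per_profile.items():
        for key in keys:
            setters.setdefault(key, []).append(name)
    # Apple documents the result as undefined when several profiles set the same key.
    conflicts = {k: names for k, names in setters.items() if len(names) > 1}
    major = any(s.get(MAJOR_FLAG) for s in per_profile.values())
    minor = any(s.get(MINOR_FLAG) for s in per_profile.values())
    return {"settings": per_profile, "conflicts": conflicts, "major_only": major and not minor}


def major_deferral_end(release: date, delay_days: int) -> date:
    """Date on which a major-OS deferral of delay_days, counted from release, lapses."""
    return release + timedelta(days=delay_days)


def _mobileconfig(payloads: list) -> bytes:
    """Build a minimal mobileconfig (constructed sample data) around the given payload dicts."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.profile",
        "PayloadVersion": 1,
        "PayloadContent": payloads,
    })


# Constructed samples: the thread's 90-day major deferral, an older profile from a
# previous admin that also sets the major keys, and a profile setting major and minor.
PROFILE_MAIN = _mobileconfig([{
    "PayloadType": "com.apple.applicationaccess", "PayloadIdentifier": "example.main",
    MAJOR_FLAG: True, MAJOR_DAYS: 90,
}])
PROFILE_OLD = _mobileconfig([
    {"PayloadType": "com.apple.SoftwareUpdate", "PayloadIdentifier": "example.old.su",
     "AutomaticallyInstallMacOSUpdates": False},
    {"PayloadType": "com.apple.applicationaccess", "PayloadIdentifier": "example.old",
     MAJOR_FLAG: True, MAJOR_DAYS: 30},
])
PROFILE_BOTH = _mobileconfig([{
    "PayloadType": "com.apple.applicationaccess", "PayloadIdentifier": "example.both",
    MAJOR_FLAG: True, MAJOR_DAYS: 90, MINOR_FLAG: True, MINOR_DAYS: 0,
}])

if __name__ == "__main__":
    result = audit({"main": PROFILE_MAIN, "old-restrictions": PROFILE_OLD})
    for name, keys in result["settings"].items():
        print(f"{name}: {keys or 'no deferral keys'}")
    for key, names in result["conflicts"].items():
        print(f"CONFLICT: {key} set by {', '.join(names)}")
    if result["major_only"]:
        print("WARNING: major deferral without minor deferral")
    end = major_deferral_end(date(2023, 9, 26), 90)  # constructed release date
    print(f"90-day major deferral lapses on {end.isoformat()}")
```

Point the script at the exported profiles by replacing the constructed samples with the file contents; the conflict list is the first thing to clear, since two profiles setting the same key leave the effective value undefined.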
as mentioned.. we have this setting, along with a block for access to Software Update in system settings.. and nobody can update.. if you look at the logs for /var/log/install.log you can see the deferral and dates..
if you run softwareupdate -l it returns 'no updates available'
Our devices are on macOS 13.4.1 to 13.5.2
hindsight on this means when there is a major update, we lock it all off.. mixing point updates and major always goes wonky with the current framework.
due to Apple's user-centric update process, we always have a few stragglers.. but less than 10% of the global estate...
macOS 14 will fix all this.. 🤔 maybe. hopefully..
If you use the "Restricted Software" tab and configure it as process name: Install macOS Sonoma.app
And check the boxes: Restrict exact process name, Delete application and Kill process
That should take care of avoiding downloading or installing the Sonoma app until you exclude the endpoint from the scope.
@obi-k The user can see that, but it will not install. If they download it, it will cancel and remove the .app from the /Applications folder. So it is safe to use that Restriction. I used to use that until Ventura. Don't know whether anything changed for Sonoma or not, but I'm pretty sure that works. It is already implemented in our environment.
I have it set up as well, as of Tuesday it worked, yesterday it does not work anymore.
When I pull a device out of our restricted config profile, Sonoma appears as available
On tuesday it blocked the install and showed my custom message
Yesterday it steamrolled past the restriction and installed, 2 times in a row
we are using a config profile to defer major updates for 90 days, we just had two users, including myself, where Sonoma installed automatically on its own.
There is definitely something amiss here
we have two older Restriction config profiles that were setup incorrectly by a previous admin quite some time ago.
We excluded all of our devices and new devices from these two config profiles and now have just the one.
It didn't give us any issues during Ventura, but I'm wondering if this could somehow be causing issues
in our main config profile, we had everything here checked except Allow installation of macOS beta Releases until this morning. I'm also wondering if that could have caused any issues
I just want to try and sum up what's been discussed here to make sure I have a clear understanding. It sounds like if your fleet is NOT on 13.6 then Sonoma will show in SoftwareUpdate as a Delta and users will be allowed to install (regardless of whether you have a deferral set for major OS updates)? Also, the only way to prevent this (for machines not on 13.6) is to completely lock down SoftwareUpdate? In other words, my non-13.6 machines are vulnerable until critical third-party software vendors release updates that are compatible with Sonoma, or until I update those machines to 13.6 I guess, but still in 90 (87 as of this writing now I guess) days I'm screwed again unless Apple properly flags these major updates as major?
oh geeze, that makes it even worse then :( So, at least according to the latest inventory updates on my fleet, in Jamf the 13.6.0 machines are only showing 1 update, which is the latest Safari update. A lot of my sub 13.6.0 machines are showing Sonoma.
This is how I understand what is going on too.
I have confirmed my Restriction profile is the only profile containing software update deferrals. So there is no conflict.
I have a 45 day block for Major Upgrades.
Changed Minor to 0 (due to the zero-day releases last week and the previous week), and we needed to upgrade to 13.5.2 then 13.6 right away.
I am now seeing random people upgrading to 14. One user reported Sonoma upgraded automatically overnight without her interaction (all our users are admins).
We use Nudge to encourage people to upgrade, however if Sonoma is seen as a Delta on anything less than 13.6 then more people will upgrade to 14 as Sonoma is the first update shown. 13.6 is way down at the bottom.
It has become a challenging issue to manage/resolve as it appears admins (Slack, Jamf Nation) each have reported varied experiences.
I have tried to use Software Updates - beta in Jamf Pro to push Sonoma to some 13.6 devices as a test.
It has been 36 hours and still waiting for Sonoma to appear. The Software Update command is supposed to override any Software Update restrictions.
I also have Software Restrictions set up blocking the InstallAssistant and Install macOS Sonoma.app however this only blocks App Store downloads, USB-C installs or pkg installs etc.
I've spent about 6 hours trying to work out a solution. Think it's time to let it go.
I have two tickets with Jamf Support open and a call with them today.
@pueo Please update when you have something from Jamf Support. I'm in this weird state now too where I feel somewhat ok (as most of my fleet is on 13.6.0), but some are not, and they are seeing Sonoma. Thankfully our patch enforcement for September was the week prior to the Sonoma release, but I'll be dealing with this mess in two weeks, and would like to find a solution (other than reaching out to these users and begging them not to upgrade to Sonoma).
@bmack99 Not much to report really. I went over what I think is happening, stated Jamf Nation and Slack have blown up with admins' different/consistent experiences of Sonoma. The Jamf Support fella agreed and understood everything I said. They are doing some further digging for me. Will update.
As much as it is frustrating there is not much we can do. I have all the correct profiles which work for some but then do not. This is a very poor experience.
To avoid INTEL machines from auto upgrading to Sonoma I would turn off 'Automatically Install macOS updates'. This key is in Software Update Profile. I discovered this is what (potentially) is causing my INTEL clients to auto upgrade to Sonoma (on top of the Deferral not working correctly).
Apple and Jamf or other MDMs need to work together to make this a better experience.
I wonder how Walmart, Cisco, Target, SAP deal with this situation?
Yep.. and my support case with Jamf is very repetitive about the issue at hand.. Even when I proved we only have 1 profile, there aren't any duplicates. I also stated it's a topic here...
I spoke with our Engineer from Apple; he advised creating a ticket with Apple as well.. Honestly, this seems similar to the issue with the whole macOS 12.6.0 and below vs macOS 12.6.1 and above MDM profiles.