Can't block Sonoma

AVmcclint
Honored Contributor

I have deployed a Config Profile with the following code to block Software Update from seeing the major OS releases (Sonoma) for 90 days, with com.apple.applicationaccess as the domain:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Hide major OS releases from Software Update for 90 days -->
    <key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key>
    <integer>90</integer>
    <!-- Must be true for the major-update delay above to take effect -->
    <key>forceDelayedMajorSoftwareUpdates</key>
    <true/>
</dict>
</plist>

Sonoma was released by Apple 25 minutes ago and already I see Macs that are displaying Sonoma as an available update!

I have verified that the Config Profile has been installed on these Macs for many weeks. Every single time there's a new Major OS release, it's like trying to hit a moving target. How on earth are we supposed to block Major OS releases?

jtrant
Valued Contributor

The same configuration is working fine for me. Is Sonoma actually appearing in Software Update for the Macs reporting it as an available update?

AVmcclint
Honored Contributor

Right now, I can only confirm what Jamf reports and what the softwareupdate -l command reports.

jamf-42
Valued Contributor II

If the softwareupdate binary is reporting it as available, then the config profile is wrong or not deployed? I use the full legacy restrictions profile (yes I know) but.. it works.. just tested.. (for my own sanity.. considering recent events) 😎

jamf-42
Valued Contributor II

Block the pref pane in System Settings, block the softwareupdate binary.. and cross fingers.. (it's a major update, so a correct restrictions config profile should do it)

AJPinto
Honored Contributor III

Software Update is under System Settings > General > Software Update as of Ventura. You can't block anything under General. The descriptions on the Preference Pane Configuration Profiles have not been updated by Jamf; many of those payloads only apply to Monterey and below.

hugoquinte
New Contributor II

@AVmcclint Excuse my ignorance, how are you building that Configuration Profile? Is it a specific tool you are using? or directly in Jamf?

sdagley
Esteemed Contributor II

@AVmcclint Make sure you don't have another Configuration Profile that sets the delay key. If you have more than one such profile, Apple says the result is ¯\_(ツ)_/¯

Also note that if you do set a deferral that only means the user can't initiate the update. If you send an MDM command to update to latest available version you will now get macOS Sonoma 14 on hardware that supports it.

sharif_khan
Contributor II

Is restriction not working?

bcrockett
Contributor III

Also, note if you use erase install to install or update it will now pull macOS Sonoma as well unless a different OS is specified with options. 

AJPinto
Honored Contributor III

Have you tried to install the OS update and see what the install.log reports? If the deferral is working correctly, you will see comments saying the OS updates are deferred until XYZ date if the device tries to initiate an update. I'd also check for duplicate configuration profiles trying to manage OS updates, as that makes things a mess.
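
The duplicate-profile check suggested in the two posts above, as an added example (not code from the thread, from Jamf or from Apple): it parses .mobileconfig files with Python's plistlib, pulls the update-deferral keys out of every com.apple.applicationaccess payload, and reports any key that more than one profile sets. The three profiles in the script are constructed in-line for illustration; the key names are Apple's Restrictions-payload keys.

```python
"""Audit .mobileconfig profiles for duplicate or conflicting software-update
deferral settings in the com.apple.applicationaccess (Restrictions) payload.

Added example, not code from the thread, Jamf or Apple. The three profiles
below are constructed in-line so the script runs offline.
"""
import plistlib

# Restrictions-payload keys that control update deferral on macOS.
DEFERRAL_KEYS = (
    "forceDelayedSoftwareUpdates",
    "enforcedSoftwareUpdateDelay",
    "forceDelayedMajorSoftwareUpdates",
    "enforcedSoftwareUpdateMajorOSDeferredInstallDelay",
    "enforcedSoftwareUpdateMinorOSDeferredInstallDelay",
)


def _make_profile(name, payloads):
    """Build a minimal .mobileconfig (XML plist bytes) around the given payloads."""
    return plistlib.dumps({
        "PayloadDisplayName": name,
        "PayloadIdentifier": f"example.{name.replace(' ', '-').lower()}",
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadContent": payloads,
    })


def _restrictions(settings):
    """Wrap a dict of Restrictions keys as a com.apple.applicationaccess payload."""
    return {"PayloadType": "com.apple.applicationaccess",
            "PayloadVersion": 1, **settings}


# Constructed sample fleet: the intended 90-day profile, a stale profile a
# previous admin left behind, and one unrelated profile.
SAMPLE_PROFILES = {
    "Defer major 90d": _make_profile("Defer major 90d", [_restrictions({
        "forceDelayedMajorSoftwareUpdates": True,
        "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": 90,
    })]),
    "Legacy restrictions": _make_profile("Legacy restrictions", [_restrictions({
        "forceDelayedSoftwareUpdates": True,
        "enforcedSoftwareUpdateDelay": 30,
        "forceDelayedMajorSoftwareUpdates": True,
        "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": 30,
    })]),
    "Wi-Fi": _make_profile("Wi-Fi", [{"PayloadType": "com.apple.wifi.managed",
                                      "PayloadVersion": 1, "SSID_STR": "corp"}]),
}


def deferral_settings(profile):
    """Return {key: value} for every deferral key set in the profile's
    com.apple.applicationaccess payloads (empty dict if there are none)."""
    data = plistlib.loads(profile)
    found = {}
    for payload in data.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key in DEFERRAL_KEYS:
            if key in payload:
                found[key] = payload[key]
    return found


def find_conflicts(profiles):
    """Map each deferral key to the (profile name, value) pairs that set it,
    keeping only keys set by two or more profiles. Any hit is a finding to
    resolve, because the behaviour with overlapping profiles is undefined."""
    by_key = {}
    for name, blob in profiles.items():
        for key, value in deferral_settings(blob).items():
            by_key.setdefault(key, []).append((name, value))
    return {k: v for k, v in by_key.items() if len(v) > 1}


if __name__ == "__main__":
    for key, setters in find_conflicts(SAMPLE_PROFILES).items():
        print(f"{key}:")
        for name, value in setters:
            print(f"  {name!r} sets {value!r}")
```

Feed it the .mobileconfig files exported from the MDM in place of SAMPLE_PROFILES; with the constructed data it reports both major-update keys, since the legacy profile sets them a second time with a different delay.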

JustDeWon
Contributor III

Starting to see this as well, the config profile was deployed to an M2 prior to release for deferring the major OS update for 90 days..

They still were able to update to Sonoma from System Settings without admin rights.
Previous OS: 13.5.2
Hardware: M2
Account Type: Standard

This is for multiple users, however, it's not consistent. I see the block on my Mac(M1) and test Mac(Intel).. 

So it's something weird going on, that I'm just now having to look into

bmack99
Contributor III

It's this kind of stuff that makes me want to pull my hair out. We are restricting the `Install macOS Sonoma.app` and are deferring major updates, so far no one has updated, but if standard users are able to via softwareupdate prior to the 90 day major restriction we have in place then....what in the world Apple?

mm2270
Legendary Contributor III

I completely agree. This kind of nonsense makes me hate Apple sometimes. I just don't know what in the world is going on over there some days. This should not only be something very standard, but simple, easy. Instead, trying to block a new OS on company owned and managed hardware becomes a freaking nightmare with them.

I sometimes believe Apple intentionally keeps it semi broken or very hard to get working, just so machines get upgraded to their latest OS, and then Tim Cook can tout upgrade numbers for their OS release at the next big event. Apple drives me crazy with this.

JustDeWon
Contributor III

So after doing some testing/research.. It seems that the deferral for Major Updates does not prevent the Sonoma upgrade from being seen if there is a Minor Update for the current OS.

Once you apply the latest minor updates, the config profile for the Major Update is now working in regards to preventing Sonoma as an available upgrade option.

I'm not sure if this is a Jamf issue or an Apple bug.. However, these are my findings from testing. And I'm sure we can replicate it. At this point, we would have to set the deferral for both minor/major versions for devices that aren't on the latest of their current OS.

obi-k
Valued Contributor III

We're seeing Sonoma in System Settings as well. I deferred it using the 90-day Major Update configuration profile. It's hit or miss. Sometimes shows up, and sometimes it doesn't.

Do you have a minor OS update available? If so, apply the minor update, and see if it defers the major update afterwards

jamf-42
Valued Contributor II

as mentioned.. we have this setting, along with a block for access to Software Update in system settings.. and nobody can update.. if you look at the logs for /var/log/install.log you can see the deferral and dates..  

if you run softwareupdate -l  it returns 'no updates available' 

Our devices are on macOS 13.4.1 to 13.5.2


DTMac
New Contributor

Yes, but it appears that if you have the "Set different delay for minor software updates" checked to keep up with security updates that it is allowing Sonoma to show up. Just discovered this with a computer running 13.3. Testing JustDeWon's theory now by updating to 13.6.

obi-k
Valued Contributor III

Yes, on 13.6 on different Macs. Checking conflicting config profiles. 

jamf-42
Valued Contributor II

hindsight on this means when there is a major update, we lock it all off.. mixing point updates and major always goes wonky with the current framework. 

due to Apples user centric update process, we always have a few stragglers.. but less than 10% of the global estate... 

macOS 14 will fix all this.. 🤔 maybe. hopefully..

sharif_khan
Contributor II

If you use "Restricted Software" tab and configure as process name:  Install macOS Sonoma.app

And check the box; Restrict exact process name, Delete application and kill process

That should take care of preventing the download or install of the Sonoma app until you exclude the endpoint from the scope.

obi-k
Valued Contributor III

Customers can still see it in System Settings/General/Software Update. Unless you use a configuration profile to defer.

@obi-k Users can see it, but it will not install. If they download it, that will cancel and remove the .app from the /Applications folder. So it is safe to use that Restriction. I used to use that until Ventura. I don't know if anything changed for Sonoma or not, but I'm pretty sure that works. It is already implemented in our environment.

I have it set up as well; as of Tuesday it worked, yesterday it does not work anymore.

When I pull a device out of our restricted config profile, Sonoma appears as available

On tuesday it blocked the install and showed my custom message

Yesterday it steamrolled past the restriction and installed, 2 times in a row

obi-k
Valued Contributor III

If the Mac sees it as a delta update (a 4-6 GB update), users can install it. 

lbehannesy
New Contributor II

It appears to be about 6GB. I have beta and delta as restricted software, but that doesn't seem to work either; I can still install Sonoma.

AJPinto
Honored Contributor III

Upgrading from 13.5.2 > 14.0 is the exact same under the hood process as upgrading from 13.5.2 > 13.6. There is no app, service, or daemon downloaded for you to block, it is an update delta.

lbehannesy
New Contributor II

We are using a config profile to defer major updates for 90 days; we just had two users, including myself, where Sonoma installed automatically on its own.

There is definitely something amiss here 

obi-k
Valued Contributor III

Same here. Do you happen to have 2 or more Restriction configuration profiles set up?

lbehannesy
New Contributor II

We have two older Restriction config profiles that were set up incorrectly by a previous admin quite some time ago.

We excluded all of our devices and new devices from these two config profiles and now have just the one.

It didn't give us any issues during Ventura, but I'm wondering if this could somehow be causing issues.

In our main config profile, we had everything here checked except Allow installation of macOS beta Releases until this morning. I'm also wondering if that could have caused any issues.

obi-k
Valued Contributor III

Is it working better now that you consolidated the Restrictions Configuration Profiles into 1?

lbehannesy
New Contributor II

We did that in the spring of 2022 and it worked great until these recent issues with Sonoma 

bmack99
Contributor III

I just want to try and sum up what's been discussed here to make sure I have a clear understanding. It sounds like if your fleet is NOT on 13.6 then Sonoma will show in Software Update as a Delta and users will be allowed to install (regardless of whether you have a deferral set for major OS updates)? Also, the only way to prevent this (for machines not on 13.6) is to completely lock down Software Update? In other words, my non-13.6 machines are vulnerable until critical 3rd party software vendors release updates that are compatible with Sonoma, or until I update those machines to 13.6 I guess, but still in 90 (87 as of this writing now I guess) days I'm screwed again unless Apple properly flags these major updates as major?

obi-k
Valued Contributor III

We're on 13.6 and some see Sonoma in System Settings. Some don't. Sometimes it vanishes and shows up later.

What do you see?

bmack99
Contributor III

oh geeze, that makes it even worse then :( So, at least according to the latest inventory updates on my fleet, in Jamf the 13.6.0 machines are only showing 1 update, which is the latest Safari update. A lot of my sub 13.6.0 machines are showing Sonoma.

pueo
Contributor II

This is how I understand what is going on too.
I have confirmed my Restriction profile is the only profile containing software update deferrals. So there is no conflict.
I have a 45 day block for Major Upgrades.
Changed Minor to 0 (due to the Zero day release last and previous week) and we needed to upgrade to 13.5.2 then 13.6 right away. 
I am now seeing random people upgrading to 14. One user reported Sonoma upgraded automatically overnight without her interaction (all our users are admins).
We use Nudge to encourage people to upgrade, however if Sonoma is seen as a Delta on anything less than 13.6 then more people will upgrade to 14 as Sonoma is the first update shown. 13.6 is way down at the bottom.
It has become a challenging issue to manage/resolve as it appears admins (Slack, Jamf Nation) have each reported varied experiences.

I have tried to use Software Updates - beta in Jamf Pro to push Sonoma to some 13.6 devices as a test.
It has been 36 hours and I'm still waiting for Sonoma to appear. The Software Update command is supposed to override any Software Update restrictions.

I also have Software Restrictions set up blocking the InstallAssistant and Install macOS Sonoma.app, however this only blocks App Store downloads, USB-C installs or pkg installs etc.

I've spent about 6hrs trying to work out a solution. Think it's time to let it go.

I have two tickets with Jamf Support open and a call with them today.

bmack99
Contributor III

@pueo Please update when you have something from Jamf Support. I'm in this weird state now too where I feel somewhat ok, (as most of my fleet is on 13.6.0), but some are not, and they are seeing Sonoma - thankfully our patch enforcement for September was the week prior to the Sonoma release, but i'll be dealing with this mess in two weeks, and would like to find a solution (other than reaching out to these users and begging them not to upgrade to Sonoma). 

pueo
Contributor II

@bmack99 Not much to report really. I went over what I think is happening, stated that Jamf Nation and Slack have blown up with admins' different/consistent experiences of Sonoma. The Jamf Support fella agreed and understood everything I said. They are doing some further digging for me. Will update.
As much as it is frustrating, there is not much we can do. I have all the correct profiles, which work for some but then do not. This is a very poor experience.

To prevent Intel machines from auto-upgrading to Sonoma I would turn off 'Automatically Install macOS updates'. This key is in the Software Update Profile. I discovered this is what (potentially) is causing my Intel clients to auto-upgrade to Sonoma (on top of the Deferral not working correctly).
Apple and Jamf or other MDMs need to work together to make this a better experience.
I wonder how Walmart, Cisco, Target, SAP deal with this situation?

Yep.. and my support case with Jamf is very repetitive about the issue at hand.. Even when I proved we only have 1 profile, there aren't any duplicates. I also stated it's a topic here...

I spoke with our Engineer from Apple; he advised creating a ticket with Apple as well.. Honestly, this seems similar to the issue with the whole macOS 12.6.0 and below vs macOS 12.6.1 and above MDM profiles.