
I have deployed a Config Profile with the following code to block Software Update from seeing the major OS releases (Sonoma) for 90 days with com.apple.applicationaccess for the domain:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- com.apple.applicationaccess payload: hide major OS upgrades for 90 days -->
    <key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key>
    <integer>90</integer>
    <key>forceDelayedMajorSoftwareUpdates</key>
    <true/>
</dict>
</plist>


Sonoma was released by Apple 25 minutes ago and already I see Macs that are displaying Sonoma as an available update!

I have verified that the Config Profile has been installed on these Macs for many weeks. Every single time there's a new Major OS release, it's like trying to hit a moving target. How on earth are we supposed to block Major OS releases?

@mvu Users can see that, but it will not install. If they download it, that will cancel and remove the .app from the /Applications folder. So, it is safe to use that Restriction. I used to use that till Ventura. Don't know whether anything changed for Sonoma or not. But pretty sure that works. It is already implemented in our environment.


I have it set up as well; as of Tuesday it worked, but yesterday it did not work anymore.

When I pull a device out of our restricted config profile, Sonoma appears as available.

On Tuesday it blocked the install and showed my custom message.

Yesterday it steamrolled past the restriction and installed, 2 times in a row.


If the Mac sees it as a delta update (a 4-6 GB update), users can install it. 


We have two older Restriction config profiles that were set up incorrectly by a previous admin quite some time ago.

We excluded all of our devices and new devices from these two config profiles and now have just the one.

It didn't give us any issues during Ventura, but I'm wondering if this could somehow be causing issues.

In our main config profile, we had everything here checked except "Allow installation of macOS beta Releases" until this morning. I'm also wondering if that could have caused any issues.





Is it working better now that you consolidated the Restrictions Configuration Profiles into 1?


We did that in the spring of 2022 and it worked great until these recent issues with Sonoma 


It appears to be about 6GB. I have beta and delta as restricted software, but that doesn't seem to work either; I can still install Sonoma.


Upgrading from 13.5.2 > 14.0 is the exact same under the hood process as upgrading from 13.5.2 > 13.6. There is no app, service, or daemon downloaded for you to block, it is an update delta.


I just want to try and sum up what's been discussed here to make sure I have a clear understanding. It sounds like if your fleet is NOT on 13.6 then Sonoma will show in SoftwareUpdate as a Delta and users will be allowed to install(regardless of whether you have a deferral set for major OS updates)? Also, the only way to prevent this(for machines not on 13.6) is to completely lock down SoftwareUpdate? In other words, my non 13.6 machines are vulnerable until critical 3rd party software vendors release updates that are compatible with Sonoma, or until I update those machines to 13.6 I guess, but still in 90(87 as of this writing now I guess) days I'm screwed again unless Apple properly flags these major updates as major?


We're on 13.6 and some see Sonoma in System Settings. Some don't. Sometimes it vanishes and shows up later.


What do you see?


oh geeze, that makes it even worse then 😞 So, at least according to the latest inventory updates on my fleet, in Jamf the 13.6.0 machines are only showing 1 update, which is the latest Safari update. A lot of my sub 13.6.0 machines are showing Sonoma.


I guess the other question I would have, and am curious if anyone has been able to test: for the 13.6 machines that show Sonoma in SoftwareUpdate - are non admins able to install? I'm assuming so if it's treated like a Delta.


In my testing, once I removed a couple of test devices on 13.6 from our restricted config profile, I was able to update to Sonoma as a non-admin.

Also, our two devices that updated to Sonoma automatically were inside of the restricted config profile and were on 13.6.


Wow, so basically to prevent this now I would have to get everyone on 13.6 and then in 90 days if our 3rd party stuff is still not ready, completely block SoftwareUpdate on our machines it sounds like. What an absolute cluster.


Another note for folks using Jamf Connect, in damage control mode right now.

Update to version v2.27.

My clients on version 2.23 had the Jamf Connect login window not show up after updating to macOS 14.0 - Sonoma. They could still log in with the local login window. However, some configurations of Jamf Connect could stop users from logging in until the updated pkg is installed. My workflow to fix this is to create a policy to install version 2.27 targeted at affected computers with a trigger at startup. That way, when the computer boots, the updated version is installed.

Alternatively, you could proactively update to v2.27 



If you are seeing instances where 90 Day Deferrals aren't enforcing as expected and users are seeing the Update available in Sys Prefs, it's likely that they have multiple configs deployed with conflicting deferral settings.

Run the following command in the macOS Terminal:
sudo profiles show -output stdout-xml | grep -i delay

If you see the forceDelayedMajorSoftwareUpdates key set twice, you’ll want to re-run the command without the grep, i.e.

sudo profiles show -output stdout-xml

This will give you a list of every preference key set by every config profile on your Mac. You'll want to search for that forceDelayedMajorSoftwareUpdates key and see in which profiles it's being set, with potentially conflicting values. Once found, remove the duplicate profile from your devices, and set the desired value in one of your profiles, likely your Restrictions profile.


More here
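As an added example (not code from the thread), the script below does what the two commands above do, but attributes each deferral key to the profile that sets it: it parses the XML from `sudo profiles show -output stdout-xml`, matches keys the same way `grep -i delay` does (so it covers both keys from the original profile), and flags the conflict case described above. The `_computerlevel` / `ProfileIdentifier` / `ProfileItems` layout in the constructed sample is assumed from that command's usual output; the walk is recursive so other nestings are handled too.

```python
"""Attribute every Software Update deferral key to the profile that sets it.
Usage: sudo profiles show -output stdout-xml | python3 deferral_check.py
(with no input on stdin it runs against the constructed SAMPLE below).
"""
import plistlib
import sys

# Constructed sample of `profiles show` output: two profiles, conflicting values.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>_computerlevel</key><array>
<dict><key>ProfileIdentifier</key><string>com.example.restrictions</string>
<key>ProfileItems</key><array><dict>
<key>PayloadType</key><string>com.apple.applicationaccess</string>
<key>PayloadContent</key><dict>
<key>forceDelayedMajorSoftwareUpdates</key><true/>
<key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key><integer>90</integer>
</dict></dict></array></dict>
<dict><key>ProfileIdentifier</key><string>com.example.old-restrictions</string>
<key>ProfileItems</key><array><dict>
<key>PayloadType</key><string>com.apple.applicationaccess</string>
<key>PayloadContent</key><dict>
<key>forceDelayedMajorSoftwareUpdates</key><false/>
</dict></dict></array></dict>
</array></dict></plist>"""

def _walk(node, profile_id, hits):
    """Recursive walk, so the exact nesting `profiles` uses does not matter."""
    if isinstance(node, dict):
        profile_id = node.get("ProfileIdentifier", profile_id)
        for key, value in node.items():
            # Same match as the thread's `grep -i delay` (forceDelayed*, *Delay)
            if "delay" in str(key).lower() and not isinstance(value, (dict, list)):
                hits.setdefault(key, []).append((profile_id, value))
            _walk(value, profile_id, hits)
    elif isinstance(node, list):
        for item in node:
            _walk(item, profile_id, hits)

def find_deferral_settings(plist_bytes):
    """Return {key: [(profile_identifier, value), ...]} for every deferral key."""
    hits = {}
    _walk(plistlib.loads(plist_bytes), "<no ProfileIdentifier>", hits)
    return hits

def conflicts(hits):
    """Keys set by more than one profile: the duplicate-profile case above."""
    return {k: v for k, v in hits.items() if len({pid for pid, _ in v}) > 1}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.buffer.read()
    found = find_deferral_settings(data)
    for key, settings in found.items():
        print(key, settings, "<-- CONFLICT" if key in conflicts(found) else "")
```

A key reported once, from a single profile, is the healthy state the later replies describe; two profiles for the same key is the situation to fix.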


Looks better now. Thank you.


Thank you, 

I ran that command on my device that force updated to Sonoma, and I can confirm I only see the forceDelayedMajorSoftwareUpdates key set once.


I was informed when a major upgrade happens JC will turn off and will need to be turned on again. It's part of the upgrade process.  I think Jamf Support told me that.

I use Mac Apps to keep Jamf Connect always on the latest. We only use it for password creation, SSO and password sync. Pretty basic config.


This is how I understand what is going on too.
I have confirmed my Restriction profile is the only profile containing software update deferrals. So there is no conflict.
I have a 45 day block for Major Upgrades.
Changed Minor to 0 (due to the zero-day release last and previous week) and we needed to upgrade to 13.5.2 then 13.6 right away.
I am now seeing random people upgrading to 14. One user reported Sonoma upgraded automatically overnight without her interaction (all our users are admins).
We use Nudge to encourage people to upgrade; however, if Sonoma is seen as a Delta on anything less than 13.6 then more people will upgrade to 14, as Sonoma is the first update shown. 13.6 is way down at the bottom.
It has become a challenging issue to manage/resolve, as it appears admins (Slack, Jamf Nation) have each reported varied experiences.

I have tried to use Software Updates - beta in Jamf Pro to push Sonoma to some 13.6 devices as a test.
It has been 36 hours and I am still waiting for Sonoma to appear. The Software Update command is supposed to override any Software Update restrictions.

I also have Software Restrictions set up blocking the InstallAssistant and Install macOS Sonoma.app; however, this only blocks App Store downloads, USB-C installs or pkg installs etc.

I've spent about 6hrs trying to work out a solution. Think it's time to let it go.

I have two tickets with Jamf Support open and a call with them today.


Had one user report that to me. She came to work in the AM and her machine had upgraded over night. Like WTF!


@pueo Please update when you have something from Jamf Support. I'm in this weird state now too where I feel somewhat ok (as most of my fleet is on 13.6.0), but some are not, and they are seeing Sonoma. Thankfully our patch enforcement for September was the week prior to the Sonoma release, but I'll be dealing with this mess in two weeks, and would like to find a solution (other than reaching out to these users and begging them not to upgrade to Sonoma).


I only see the key once too.
I am assuming that on devices below 13.6 where you allow Minor Updates, Sonoma will appear.
On devices on 13.6, Sonoma will not appear (assuming you have Major Upgrades blocked).
But this may or may not work all the time. 🤔 🤔


Correct, but somehow my device still auto-updated to Sonoma on its own!

Absolute madness


We've seen a very small number of Macs that have the major deferral restriction in place (and only one instance of the deferral profile) with automatic updates enabled end up installing 14.0 instead of 13.6 so that approach for preventing updates definitely isn't 100% effective.


Yep.. and my support case with Jamf is very repetitive about the issue at hand.. Even when I proved we only have 1 profile, there aren't any duplicates. I also stated it's a topic here...

I spoke with our Engineer from Apple; he advised creating a ticket with Apple as well.. Honestly, this seems similar to the issue with the whole macOS 12.6.0 and below vs macOS 12.6.1 and above MDM profiles.


Yeah I agree. There goes change management. 
