Question

Can't block Sonoma

Forum|Forum|2 years ago
September 26, 2023
78 replies
513 views

+21

AVmcclint
Esteemed Contributor

I have deployed a Config Profile with the following code to block Software Update from seeing the major OS releases (Sonoma) for 90 days with com.apple.applicationaccess for the domain:

<plist>
	<dict>	
		<key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key>
			<integer>90</integer>
			<key>forceDelayedMajorSoftwareUpdates</key>
			<true/>
	</dict>
</plist>

Sonoma was released by Apple 25 minutes ago and already I see Macs that are displaying Sonoma as an available update!

I have verified that the Config Profile has been installed on these Macs for many weeks. Every single time there's a new Major OS release, it's like trying to hit a moving target. How on earth are we supposed to block Major OS releases?

Show first post

1
2
3
4

Forum|pagination.label 4 / 4

+23

howie_isaacks
Esteemed Contributor
Forum|Forum|2 years ago
October 16, 2023

@howie_isaacks If you use Jamf Pro's standard interface for creating a Configuration Profile Restrictions payload, or upload an externally created profile that's not signed for that payload, it's going to include a _lot_ of cruft you might not expect/want (download your profile and un-sign it with a tool like Hancock then examine the profile contents to see what I mean). A common way to avoid that problem is to use the iMazing Profile Editor (iPE) to craft a profile with _only_ the keys you want, but as @talkingmoose recently posted you can use the custom schemas created for the Jamf Pro Applications & Custom Settings editor from the manifests that iPE uses to create the profiles in Jamf Pro: https://www.jamf.com/blog/profilecreator-manifests-now-available-for-jamf/

The advantage of doing it this way is you can edit and re-deploy the profile without having to upload a whole new signed profile if you had to make an edit in an iPE created profile.

Thanks for the blog post link. The JSON in the profile manifests will be extremely useful. This whole problem with not being able to defer Sonoma reliably has made me want to write my own profiles more instead of relying on the built-in payloads in Jamf Pro. I believe I may have solved my issue with Sonoma deferrals by replacing the profile I had that was enforcing automatic macOS update checks and downloads with one that was created from my own custom JSON. The original Software Update settings profile was pushing settings that I did not specify in the profile. Removing it seems to have fixed the issue, and then installing my new profile for Software Update settings did not introduce any conflicts.

Like

+5

cucaracha
Contributor
Forum|Forum|2 years ago
October 18, 2023

At least restricted software for Sonoma still works.

Like

+23

howie_isaacks
Esteemed Contributor
Forum|Forum|2 years ago
October 19, 2023

I reached out to AppleCare Enterprise. They showed us that there was a conflict. Another profile that I had created to enforce automatic update checks, and automatic macOS update downloads was also sending deferral settings to our Macs. I DID NOT turn on those payloads in the profile so I was very annoyed to find out that the profile was doing this. The way I solved this was to create a custom JSON just for these specific settings. I then used the new JSON to create a new software update settings profile that does not send the conflicting settings. My users are now no longer seeing macOS Sonoma being presented in Software Update. Oddly, when I ran a command that should have identified any conflicts, I did not see that there were conflicts. When some of my users sent their data to AppleCare, they were able to identify the cause of the issue really fast.

Like

1
2
3
4

Forum|pagination.label 4 / 4

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded