Defer Updates on macOS without deploying the full Restrictions Config Profile

fernando_gonzal
Contributor

Does someone have a custom configuration profile to just Defer Updates on macOS?

 

I'd rather not have to deploy the full Restrictions Config Profile to Defer Updates since that seems to end up controlling too many other things that we don't need controlled (or grayed out).

 

1 ACCEPTED SOLUTION

takayuki
New Contributor III

Hello @fernando_gonzal 

Configuration Profiles > 'Application & Custom Settings' Payload > Upload

Preference Domain: com.apple.applicationaccess

Upload File:

<plist>
    <dict>
        <key>enforcedSoftwareUpdateDelay</key>
        <integer>7</integer>
        <key>forceDelayedSoftwareUpdates</key>
        <true/>
    </dict>
</plist>

 


6 REPLIES 6


@takayuki I was looking at the domain com.apple.applicationaccess and the key enforcedSoftwareUpdateDelay and I realized that maybe these are older legacy values?

 

When I implement it, it seems the OS just translates these into the domain com.apple.SoftwareUpdate and converts enforcedSoftwareUpdateDelay to the key ManagedDeferredInstallDelay.

 

From what I can tell in my prelim testing you can simply have:

 

Configuration Profiles > 'Application & Custom Settings' Payload > Upload

Preference Domain: com.apple.SoftwareUpdate

Upload File:

<plist>
    <dict>
        <key>ManagedDeferredInstallDelay</key>
        <integer>7</integer>
        <key>forceDelayedSoftwareUpdates</key>
        <true/>
    </dict>
</plist>

 

 

What do you think?

fernando_gonzal
Contributor

Thanks @takayuki . I had just found the following and was testing out. 

https://gist.github.com/haircut/9507aed65ee42dcc848d345b923bae97

I will try yours though since it's cleaner.

fernando_gonzal
Contributor

Okay, so in the end I ended up sticking with the com.apple.applicationaccess domain and going with the following which is supported starting with macOS 11.3 and allows separate deferral values between Major OS updates, Minor OS updates and App updates. In this case I went with 90 days for Major OS updates (such as the upcoming macOS 12 Monterey) and 21 Days for Minor OS Updates (such as going from macOS 11.5.2 to 11.6, etc)

 

Configuration Profiles > 'Application & Custom Settings' Payload > Upload

Preference Domain: com.apple.applicationaccess

Upload File:

<plist>
	<dict>
		<key>enforcedSoftwareUpdateDelay</key>
		<integer>21</integer>
		<key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key>
		<integer>90</integer>
		<key>enforcedSoftwareUpdateMinorOSDeferredInstallDelay</key>
		<integer>21</integer>
		<key>enforcedSoftwareUpdateNonOSDeferredInstallDelay</key>
		<integer>21</integer>
		<key>forceDelayedAppSoftwareUpdates</key>
		<true/>
		<key>forceDelayedMajorSoftwareUpdates</key>
		<true/>
		<key>forceDelayedSoftwareUpdates</key>
		<true/>
	</dict>
</plist>

 

fernando_gonzal, I'm getting this set up myself. I'm curious why you have the forceDelayedSoftwareUpdates, forceDelayedMajorSoftwareUpdates, and forceDelayedAppSoftwareUpdates options set in there? What do those do?

It seems like the keys below are all you need: enforcedSoftwareUpdateMajorOSDeferredInstallDelay, enforcedSoftwareUpdateMinorOSDeferredInstallDelay and enforcedSoftwareUpdateNonOSDeferredInstallDelay.

Scotty
Contributor

ohh here is all the deets 😄 

 

https://developer.apple.com/documentation/devicemanagement/restrictions

 

 
enforcedSoftwareUpdateDelay
Sets how many days to delay a software update on the device. With this restriction in place, the user doesn't see a software update until the specified number of days after the software update release date. This value is used by forceDelayedAppSoftwareUpdates and forceDelayedSoftwareUpdates.
Requires a supervised device in iOS and tvOS.
Available in iOS 11.3 and later, macOS 10.13.4 and later, and tvOS 12.2 and later.
Default: 30
Minimum Value: 1
Maximum Value: 90
 
 
 
enforcedSoftwareUpdateMajorOSDeferredInstallDelay
This restriction allows the admin to set how many days to delay a major software update on the device. When this restriction is in place the user sees a software update only after the specified delay after the release of the software update. This value controls the delay for forceDelayedMajorSoftwareUpdates.
Available in macOS 11.3 and later.
Default: 30
Minimum Value: 1
Maximum Value: 90
<integer>60</integer>
 
 
 
enforcedSoftwareUpdateMinorOSDeferredInstallDelay
This restriction allows the admin to set how many days to delay a minor OS software update on the device. When this restriction is in place the user sees a software update only after the specified delay after the release of the software update. This value controls the delay for forceDelayedSoftwareUpdates.
Available in macOS 11.3 and later.
Default: 30
Minimum Value: 1
Maximum Value: 90
 
 
enforcedSoftwareUpdateNonOSDeferredInstallDelay
This restriction allows the admin to set how many days to delay an app software update on the device. When this restriction is in place the user sees a non-OS software update only after the specified delay after the release of the software. This value controls the delay for forceDelayedAppSoftwareUpdates.
Available in macOS 11.3 and later.
Default: 30
Minimum Value: 1
Maximum Value: 90
 
 
forceDelayedAppSoftwareUpdates
If true, delays user visibility of non-OS Software Updates. Requires a supervised device.
Visibility of Operating System updates is controlled through forceDelayedSoftwareUpdates.
The delay is 30 days unless enforcedSoftwareUpdateDelay is set to another value.
Available in macOS 11 and later.
Default: false
 
 
 
forceDelayedMajorSoftwareUpdates
If set to true, delays user visibility of major OS Software Updates.
Available in macOS 11.3 and later.
Default: false
 
 
forceDelayedSoftwareUpdates
If true, delays user visibility of software updates. In macOS, seed build updates are allowed, without delay. Requires a supervised device in iOS and tvOS.
The delay is 30 days unless enforcedSoftwareUpdateDelay is set to another value.
Available in iOS 11.3 and later, macOS 10.13 and later, and tvOS 12.2 and later.
Default: false
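
The following Python check is an added example, not code from the thread or from Apple. It reads a com.apple.applicationaccess payload and reports, per update category, whether updates are actually deferred and for how many days, using the flag-to-delay pairing in the documentation quoted above. The function name `audit_deferral` and the precedence of a category-specific delay over enforcedSoftwareUpdateDelay are assumptions.

```python
import plistlib

DEFAULT_DAYS, MIN_DAYS, MAX_DAYS = 30, 1, 90  # limits from the restrictions text above
GENERIC = "enforcedSoftwareUpdateDelay"
# category -> (force flag, delay keys in lookup order; that order is an assumption)
CATEGORIES = {
    "major": ("forceDelayedMajorSoftwareUpdates",
              ["enforcedSoftwareUpdateMajorOSDeferredInstallDelay"]),
    "minor": ("forceDelayedSoftwareUpdates",
              ["enforcedSoftwareUpdateMinorOSDeferredInstallDelay", GENERIC]),
    "app": ("forceDelayedAppSoftwareUpdates",
            ["enforcedSoftwareUpdateNonOSDeferredInstallDelay", GENERIC]),
}

def audit_deferral(plist_bytes):
    """Return (effective, findings); effective maps category -> days or None."""
    settings = plistlib.loads(plist_bytes.strip())
    effective, findings = {}, []
    for category, (flag, delay_keys) in CATEGORIES.items():
        present = [k for k in delay_keys if k in settings]
        if settings.get(flag) is not True:
            effective[category] = None  # flag defaults to false: nothing is deferred
            if present:
                findings.append(f"{present[0]} is not applied to {category} updates: {flag} is not true")
            continue
        days = settings[present[0]] if present else DEFAULT_DAYS
        if type(days) is not int or not MIN_DAYS <= days <= MAX_DAYS:
            findings.append(f"{present[0]}={days!r} is outside {MIN_DAYS}-{MAX_DAYS} days")
        effective[category] = days
    return effective, findings

# The final profile from the thread, then a constructed variant without the force flags.
THREAD_PROFILE = b"""<plist><dict>
<key>enforcedSoftwareUpdateDelay</key><integer>21</integer>
<key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key><integer>90</integer>
<key>enforcedSoftwareUpdateMinorOSDeferredInstallDelay</key><integer>21</integer>
<key>enforcedSoftwareUpdateNonOSDeferredInstallDelay</key><integer>21</integer>
<key>forceDelayedAppSoftwareUpdates</key><true/>
<key>forceDelayedMajorSoftwareUpdates</key><true/>
<key>forceDelayedSoftwareUpdates</key><true/>
</dict></plist>"""
DELAYS_ONLY = b"""<plist><dict>
<key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key><integer>90</integer>
<key>enforcedSoftwareUpdateMinorOSDeferredInstallDelay</key><integer>21</integer>
<key>enforcedSoftwareUpdateNonOSDeferredInstallDelay</key><integer>21</integer>
</dict></plist>"""

if __name__ == "__main__":
    for label, data in (("thread profile", THREAD_PROFILE), ("delays only", DELAYS_ONLY)):
        print(label, *audit_deferral(data), sep="\n  ")
```

Run against the delays-only variant, it reports every category as not deferred, because each force flag defaults to false in the quoted documentation.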