Jamf Nation Community

fgonzale · ‎08-01-2021

Does someone have a custom configuration profile to just Defer Updates on macOS?

I rather not have to deploy the full Restrictions Config Profile to Defer Updates since that seems to end up controlling too many other things that we don't need controlled (or grayed out).

takayuki · ‎08-01-2021

Hello @fgonzale

Configuration Profiles > 'Application & Custom Settings' Payload > Upload

Preference Domain: com.apple.applicationaccess

Upload File:

<plist>

<dict>

<key>enforcedSoftwareUpdateDelay</key>

<key>forceDelayedSoftwareUpdates</key>

<true/>

</dict>

</plist>

View solution in original post

takayuki · ‎08-01-2021

Hello @fgonzale

Configuration Profiles > 'Application & Custom Settings' Payload > Upload

Preference Domain: com.apple.applicationaccess

Upload File:

<plist>

<dict>

<key>enforcedSoftwareUpdateDelay</key>

<key>forceDelayedSoftwareUpdates</key>

<true/>

</dict>

</plist>

fgonzale · ‎09-20-2021

@takayuki I was looking at the domain com.apple.applicationaccess and the key enforcedSoftwareUpdateDelay and I realized that maybe these are older legacy values?

When I implement it seems the OS just translates these into putting them into the domain com.apple.SoftwareUpdate and converts enforcedSoftwareUpdateDelay to the key ManagedDeferredInstallDelay

From what I can tell in my prelim testing you can simply have:

Configuration Profiles > 'Application & Custom Settings' Payload > Upload

Preference Domain: com.apple.SoftwareUpdate

Upload File:

<plist>

<dict>

<key>ManagedDeferredInstallDelay</key>

<key>forceDelayedSoftwareUpdates</key>

<true/>

</dict>

</plist>

What do you think?

fgonzale · ‎08-01-2021

Thanks @takayuki . I had just found the following and was testing out.

https://gist.github.com/haircut/9507aed65ee42dcc848d345b923bae97

I will try yours though since it's cleaner.

fgonzale · ‎10-14-2021

Okay, so in the end I ended up sticking with the com.apple.applicationaccess domain and going with the following which is supported starting with macOS 11.3 and allows separate deferral values between Major OS updates, Minor OS updates and App updates. In this case I went with 90 days for Major OS updates (such as the upcoming macOS 12 Monterey) and 21 Days for Minor OS Updates (such as going from macOS 11.5.2 to 11.6, etc)

Configuration Profiles > 'Application & Custom Settings' Payload > Upload

Preference Domain: com.apple.applicationaccess

Upload File:

<plist>

	<dict>

		<key>enforcedSoftwareUpdateDelay</key>
		
		<integer>21</integer>
		
		<key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key>
		
		<integer>90</integer>
		
		<key>enforcedSoftwareUpdateMinorOSDeferredInstallDelay</key>
		
		<integer>21</integer>
		
		<key>enforcedSoftwareUpdateNonOSDeferredInstallDelay</key>
		
		<integer>21</integer>
		
		<key>forceDelayedAppSoftwareUpdates</key>
		
		<true/>
		
		<key>forceDelayedMajorSoftwareUpdates</key>
		
		<true/>
		
		<key>forceDelayedSoftwareUpdates</key>
		
		<true/>
		
	</dict>

</plist>

Scotty · ‎12-30-2021

fernando_gonzal, I'm getting this setup myself. I'm curious why you have forceDelayedSoftwareUpdates, forceDelayedMajorSoftwareUpdates, and forceDelayedAppSoftwareUpdates options set in there? what do those do?

It seems like the keys below are all you need are enforcedSoftwareUpdateMajorOSDeferredInstallDelay, enforcedSoftwareUpdateMinorOSDeferredInstallDelay and enforcedSoftwareUpdateNonOSDeferredInstallDelay.

Scotty · ‎01-24-2022

So this exactly seems to be working well for me. I'm only going BigSur + and we are all past 11.3 now.

dstranathan · ‎07-26-2022

Great idea - I am doing the same now. 1 question:

Do you still have a (non deferment payload) restrictions profile on your Mac fleet along with the software update deferment-specific profile? If so, do you simply uncheck all the SU-related settings in the regular Restrictions profile? Or does it conflict with your granular custom SU profile?

I'm asking because I have (2) discreet SU profiles in testing now: (1) profile for production (90-day major updates and 30-day minor updates) and (1) profile for IT only (30-day major and 7-day minor). They work great. Sort of...

BUT as soon as I introduce my main Restrictions profile back on the Macs it breaks the discrete deferment profiles - Macs can see all available updates again as if software update deferments aren't managed at all. As soon as I remove the main Restrictions profile the discreet SU profiles work again as expected.

My main Restrictions profile is simply ALL the common payloads associated with restrictions EXCEPT for the software updates are all unchecked.

barnesaw · ‎10-23-2022

You basically can't do deferrals using Jamf's interface because it sets everything as you see it on-screen. Need to hand-craft and sign it before upload. Jamf gonna Jamf after all.

Scotty · ‎12-30-2021

ohh here is all the deets 😄

https://developer.apple.com/documentation/devicemanagement/restrictions

enforcedSoftwareUpdateDelay

Sets how many days to delay a software update on the device. With this restriction in place, the user doesn't see a software update until the specified number of days after the software update release date. This value is used by forceDelayedAppSoftwareUpdates and forceDelayedSoftwareUpdates.

Requires a supervised device in iOS and tvOS.

Available in iOS 11.3 and later, macOS 10.13.4 and later, and tvOS 12.2 and later.

Default: 30

Minimum Value: 1

Maximum Value: 90

enforcedSoftwareUpdateMajorOSDeferredInstallDelay

This restriction allows the admin to set how many days to delay a major software update on the device. When this restriction is in place the user sees a software update only after the specified delay after the release of the software update. This value controls the delay for forceDelayedMajorSoftwareUpdates.

Available in macOS 11.3 and later.

Default: 30

Minimum Value: 1

Maximum Value: 90

enforcedSoftwareUpdateMinorOSDeferredInstallDelay

This restriction allows the admin to set how many days to delay a minor OS software update on the device. When this restriction is in place the user see a software update only after the specified delay after the release of the software update. This value controls the delay for forceDelayedSoftwareUpdates.

Available in macOS 11.3 and later.

Default: 30

Minimum Value: 1

Maximum Value: 90

enforcedSoftwareUpdateNonOSDeferredInstallDelay

This restriction allows the admin to set how many days to delay an app software update on the device. When this restriction is in place the user sees a non-OS software update only after the specified delay after the release of the software. This value controls the delay for forceDelayedAppSoftwareUpdates.

Available in macOS 11.3 and later.

Default: 30

Minimum Value: 1

Maximum Value: 90

forceDelayedAppSoftwareUpdates

If true, delays user visibility of non-OS Software Updates. Requires a supervised device.

Visibility of Operating System updates is controlled through forceDelayedSoftwareUpdates.

The delay is 30 days unless enforcedSoftwareUpdateDelay is set to another value.

Available in macOS 11 and later.

Default: false

forceDelayedMajorSoftwareUpdates

If set to true, delays user visibility of major OS Software Updates.

Available in macOS 11.3 and later.

Default: false

forceDelayedSoftwareUpdates

If true, delays user visibility of software updates. In macOS, seed build updates are allowed, without delay. Requires a supervised device in iOS and tvOS.

The delay is 30 days unless enforcedSoftwareUpdateDelay is set to another value.

Available in iOS 11.3 and later, macOS 10.13 and later, and tvOS 12.2 and later.

Default: false

Jamf Nation Community

Defer Updates on macOS without deploying the full Restrictions Config Profile