Defer Updates on macOS without deploying the full Restrictions Config Profile

fernando_gonzal
Contributor

Does someone have a custom configuration profile to just Defer Updates on macOS?

I'd rather not have to deploy the full Restrictions Config Profile to Defer Updates since that seems to end up controlling too many other things that we don't need controlled (or grayed out).

1 ACCEPTED SOLUTION

takayuki
New Contributor III

Hello @fernando_gonzal 

Configuration Profiles > 'Application & Custom Settings' Payload > Upload

Preference Domain: com.apple.applicationaccess

Upload File:

<plist>
    <dict>
        <key>enforcedSoftwareUpdateDelay</key>
        <integer>7</integer>
        <key>forceDelayedSoftwareUpdates</key>
        <true/>
    </dict>
</plist>

 


9 REPLIES 9


@takayuki I was looking at the domain com.apple.applicationaccess and the key enforcedSoftwareUpdateDelay and I realized that maybe these are older legacy values?

When I implement it, it seems the OS just translates these, putting them into the domain com.apple.SoftwareUpdate and converting enforcedSoftwareUpdateDelay to the key ManagedDeferredInstallDelay.

From what I can tell in my prelim testing you can simply have:

Configuration Profiles > 'Application & Custom Settings' Payload > Upload

Preference Domain: com.apple.SoftwareUpdate

Upload File:

<plist>
    <dict>
        <key>ManagedDeferredInstallDelay</key>
        <integer>7</integer>
        <key>forceDelayedSoftwareUpdates</key>
        <true/>
    </dict>
</plist>

What do you think?

fernando_gonzal
Contributor

Thanks @takayuki . I had just found the following and was testing out. 

https://gist.github.com/haircut/9507aed65ee42dcc848d345b923bae97

I will try yours though since it's cleaner.

fernando_gonzal
Contributor

Okay, so in the end I ended up sticking with the com.apple.applicationaccess domain and going with the following, which is supported starting with macOS 11.3 and allows separate deferral values for Major OS updates, Minor OS updates and App updates. In this case I went with 90 days for Major OS updates (such as the upcoming macOS 12 Monterey) and 21 days for Minor OS updates (such as going from macOS 11.5.2 to 11.6, etc.).

Configuration Profiles > 'Application & Custom Settings' Payload > Upload

Preference Domain: com.apple.applicationaccess

Upload File:

<plist>
    <dict>
        <key>enforcedSoftwareUpdateDelay</key>
        <integer>21</integer>
        <key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key>
        <integer>90</integer>
        <key>enforcedSoftwareUpdateMinorOSDeferredInstallDelay</key>
        <integer>21</integer>
        <key>enforcedSoftwareUpdateNonOSDeferredInstallDelay</key>
        <integer>21</integer>
        <key>forceDelayedAppSoftwareUpdates</key>
        <true/>
        <key>forceDelayedMajorSoftwareUpdates</key>
        <true/>
        <key>forceDelayedSoftwareUpdates</key>
        <true/>
    </dict>
</plist>

fernando_gonzal, I'm getting this set up myself. I'm curious why you have the forceDelayedSoftwareUpdates, forceDelayedMajorSoftwareUpdates, and forceDelayedAppSoftwareUpdates options set in there? What do those do?

It seems like all you need are the keys enforcedSoftwareUpdateMajorOSDeferredInstallDelay, enforcedSoftwareUpdateMinorOSDeferredInstallDelay and enforcedSoftwareUpdateNonOSDeferredInstallDelay.

So exactly this seems to be working well for me. I'm only going Big Sur+ and we are all past 11.3 now.

Great idea - I am doing the same now. 1 question:

Do you still have a (non deferment payload) restrictions profile on your Mac fleet along with the software update deferment-specific profile? If so, do you simply uncheck all the SU-related settings in the regular Restrictions profile? Or does it conflict with your granular custom SU profile?

I'm asking because I have (2) discrete SU profiles in testing now: (1) profile for production (90-day major updates and 30-day minor updates) and (1) profile for IT only (30-day major and 7-day minor). They work great. Sort of...

BUT as soon as I introduce my main Restrictions profile back on the Macs it breaks the discrete deferment profiles - Macs can see all available updates again as if software update deferments aren't managed at all. As soon as I remove the main Restrictions profile the discrete SU profiles work again as expected.

My main Restrictions profile is simply ALL the common payloads associated with restrictions EXCEPT the software updates are all unchecked.

You basically can't do deferrals using Jamf's interface because it sets everything as you see it on-screen. Need to hand-craft and sign it before upload. Jamf gonna Jamf after all.

Scotty
Contributor

ohh here is all the deets 😄

https://developer.apple.com/documentation/devicemanagement/restrictions

enforcedSoftwareUpdateDelay
Sets how many days to delay a software update on the device. With this restriction in place, the user doesn't see a software update until the specified number of days after the software update release date. This value is used by forceDelayedAppSoftwareUpdates and forceDelayedSoftwareUpdates.
Requires a supervised device in iOS and tvOS.
Available in iOS 11.3 and later, macOS 10.13.4 and later, and tvOS 12.2 and later.
Default: 30
Minimum Value: 1
Maximum Value: 90
 
 
 
enforcedSoftwareUpdateMajorOSDeferredInstallDelay
This restriction allows the admin to set how many days to delay a major software update on the device. When this restriction is in place the user sees a software update only after the specified delay after the release of the software update. This value controls the delay for forceDelayedMajorSoftwareUpdates.
Available in macOS 11.3 and later.
Default: 30
Minimum Value: 1
Maximum Value: 90
<integer>60</integer>
 
 
 
enforcedSoftwareUpdateMinorOSDeferredInstallDelay
This restriction allows the admin to set how many days to delay a minor OS software update on the device. When this restriction is in place the user sees a software update only after the specified delay after the release of the software update. This value controls the delay for forceDelayedSoftwareUpdates.
Available in macOS 11.3 and later.
Default: 30
Minimum Value: 1
Maximum Value: 90
 
 
enforcedSoftwareUpdateNonOSDeferredInstallDelay
This restriction allows the admin to set how many days to delay an app software update on the device. When this restriction is in place the user sees a non-OS software update only after the specified delay after the release of the software. This value controls the delay for forceDelayedAppSoftwareUpdates.
Available in macOS 11.3 and later.
Default: 30
Minimum Value: 1
Maximum Value: 90
 
 
forceDelayedAppSoftwareUpdates
If true, delays user visibility of non-OS Software Updates. Requires a supervised device.
Visibility of Operating System updates is controlled through forceDelayedSoftwareUpdates.
The delay is 30 days unless enforcedSoftwareUpdateDelay is set to another value.
Available in macOS 11 and later.
Default: false
 
 
 
forceDelayedMajorSoftwareUpdates
If set to true, delays user visibility of major OS Software Updates.
Available in macOS 11.3 and later.
Default: false
 
 
forceDelayedSoftwareUpdates
If true, delays user visibility of software updates. In macOS, seed build updates are allowed, without delay. Requires a supervised device in iOS and tvOS.
The delay is 30 days unless enforcedSoftwareUpdateDelay is set to another value.
Available in iOS 11.3 and later, macOS 10.13 and later, and tvOS 12.2 and later.
Default: false
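
The flag-to-delay relationships in the documentation text quoted above, written as a small linter for a deferral payload before it is uploaded. This is an added example, not code from the thread, Apple or Jamf: audit_deferral, RULES and the sample names are hypothetical, the 30-day default and 1-90 range come from the quoted text, and it assumes a category-specific delay key takes precedence over enforcedSoftwareUpdateDelay when both are present. It reports what the quoted documentation implies, not observed macOS behaviour.

```python
import plistlib

# category -> (force flag, its delay key, whether the quoted docs say the
# generic enforcedSoftwareUpdateDelay also feeds that flag)
RULES = {
    "major OS": ("forceDelayedMajorSoftwareUpdates",
                 "enforcedSoftwareUpdateMajorOSDeferredInstallDelay", False),
    "minor OS": ("forceDelayedSoftwareUpdates",
                 "enforcedSoftwareUpdateMinorOSDeferredInstallDelay", True),
    "non-OS": ("forceDelayedAppSoftwareUpdates",
               "enforcedSoftwareUpdateNonOSDeferredInstallDelay", True),
}
GENERIC, DEFAULT_DAYS, MIN_DAYS, MAX_DAYS = "enforcedSoftwareUpdateDelay", 30, 1, 90

def audit_deferral(plist_bytes):
    """Return ({category: days or None if not deferred}, [lint findings])."""
    payload = plistlib.loads(plist_bytes)
    effective, findings = {}, []
    for key, value in payload.items():
        in_range = type(value) is int and MIN_DAYS <= value <= MAX_DAYS
        if key.startswith("enforcedSoftwareUpdate") and not in_range:
            findings.append(f"{key}={value!r} is outside {MIN_DAYS}-{MAX_DAYS} days")
    for category, (flag, specific, uses_generic) in RULES.items():
        if payload.get(flag) is not True:
            effective[category] = None  # flag defaults to false in the quoted docs
            if specific in payload:
                findings.append(f"{specific} is set but {flag} is not true")
        elif specific in payload:  # assumption: the specific key wins over GENERIC
            effective[category] = payload[specific]
        elif uses_generic and GENERIC in payload:
            effective[category] = payload[GENERIC]
        else:
            effective[category] = DEFAULT_DAYS
    return effective, findings

# Keys and values copied from the macOS 11.3+ profile posted in the thread.
THREAD_KEYS = {
    "enforcedSoftwareUpdateDelay": 21,
    "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": 90,
    "enforcedSoftwareUpdateMinorOSDeferredInstallDelay": 21,
    "enforcedSoftwareUpdateNonOSDeferredInstallDelay": 21,
    "forceDelayedAppSoftwareUpdates": True,
    "forceDelayedMajorSoftwareUpdates": True,
    "forceDelayedSoftwareUpdates": True,
}
THREAD_PROFILE = plistlib.dumps(THREAD_KEYS)
# Constructed variant: the same delay values with the three force flags removed.
DELAYS_ONLY = plistlib.dumps(
    {k: v for k, v in THREAD_KEYS.items() if k.startswith("enforced")})
```

Running audit_deferral on THREAD_PROFILE returns 90/21/21 days with no findings; on DELAYS_ONLY it returns no deferral for any category and one finding per orphaned delay key.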