Help

Deferring macOS Sonoma for 6 months

Go to solution
tegus232
Contributor

Posted on ‎09-26-2023 07:21 PM

Hi,

 

Is there a plist or config I can manually push to devices that allows me to defer an update for more than 90 days?

 

When Apple releases a new major OS, we typically wait until they are in the 14.3.or 14.4 version since I started working in a company with Apple enviornment as we have see many bugs popup for various apps. Some of the apps we use on company level take couple months as well

0 Kudos
Reply
1 ACCEPTED SOLUTION

Go to solution
PaulHazelden
Valued Contributor

Posted on ‎09-27-2023 04:29 AM

No, not more than 90 days. That is the official answer you will get from Apple or JAMF.

But

I have 3 macs that should have gone on to OSX 13 9 months ago, because our defer was expired, but they are still running OSX 12. So in some way ignoring it will stop the updates from instaling. Not a clue it this is a loophole that is now closed.

View solution in original post

0 Kudos
Reply
21 REPLIES 21

Go to solution
fxnikon
New Contributor II

Posted on ‎09-27-2023 03:29 AM

no 

0 Kudos
Reply

Go to solution
PaulHazelden
Valued Contributor

Posted on ‎09-27-2023 04:29 AM

No, not more than 90 days. That is the official answer you will get from Apple or JAMF.

But

I have 3 macs that should have gone on to OSX 13 9 months ago, because our defer was expired, but they are still running OSX 12. So in some way ignoring it will stop the updates from instaling. Not a clue it this is a loophole that is now closed.

0 Kudos
Reply

Go to solution
AJPinto
Honored Contributor III

Posted on ‎09-27-2023 04:39 AM

Nope, you can only defer MacOS Updates by 90 days. Lucky for us that is December 26th, so its a good Merry Christmas for organizations that are not ready. At least we know Apple is thinking about us over the holidays.

0 Kudos
Reply

Go to solution
jwbeatty
New Contributor III

Posted on ‎09-27-2023 07:39 AM

Apple will only allow you to defer macOS upgrades for 90 days. However, you can use a software restriction payload to keep users from installing macOS 14. After the 90 days run out, users will be able to download the installer, but not launch it to complete the install. Define "Install macOS Sonoma.app" in the Process Name field.

I use both restrictions in my environment in case I need longer than 90 days to test or resolve an issue.

0 Kudos
Reply

Go to solution
WhippsT
Contributor
In response to jwbeatty

Posted on ‎09-27-2023 07:54 AM

That will only work if the upgrade is being installed through the app. A couple years back, they started upgrading through the "Software Update" pane. That method doesn't run an app at all. I think OP is looking for a way to block that method. I know I'm here looking for ideas for the same thing...

Reply

Go to solution
jwbeatty
New Contributor III
In response to WhippsT

Posted on ‎09-27-2023 08:01 AM

Not trying to start a fight or anything, but the only thing that changed when Apple switched to the "Software Update" pane for upgrades is that it does not direct you to the App Store anymore. It just downloads the app and launches it. Restricting the app still works. Give it a shot.

0 Kudos
Reply

Go to solution
tegus232
Contributor
In response to jwbeatty

Posted on ‎09-27-2023 08:09 AM

Sometimes it works and sometimes not. Last time this happened when users were on macos12 and had the option to upgrade to 13. The Config payload works fine upto a point. 

 

Jamf said this was a bug with Apple OS itself where they had seen this issue popup with other orgs as well

0 Kudos
Reply

Go to solution
jwbeatty
New Contributor III
In response to tegus232

Posted on ‎09-27-2023 08:14 AM

That makes sense. I've seen some issues with the relationship between the config profile and how the "Software Update" panel behaves.

0 Kudos
Reply

Go to solution
howie_isaacks
Valued Contributor II
In response to jwbeatty

Posted on ‎09-28-2023 02:59 PM

Several of my users were able to do the install despite having the macOS Sonoma installer being blocked by restricted software. I put the restriction in place just after WWDC. For some reason the profile I created to delay macOS Sonoma wasn't installed on some systems. On my test Mac, I noticed that the installer app did not launch. The Mac simply upgraded to Sonoma in a way similar to if it had updated to 13.6. The profile I created does keep the Sonoma upgrade from appearing in Software Update, so that is how I am keeping people from upgrading along with the software restriction. I was expecting this since this was the way Ventura was released last year.

0 Kudos
Reply

Go to solution
Vincenthesse
New Contributor III
In response to jwbeatty

Posted on ‎10-12-2023 10:41 PM

Hello @jwbeatty , I'm agree with you but Apple change the habits. macOS 14 is not an app. When you click on 'Upgrade now', the system start the download and install it directly. We have a restriction profile in place to restrict major upgrade but Sonoma bypass it.

0 Kudos
Reply

Go to solution
tegus232
Contributor

‎09-27-2023 07:45 AM - edited ‎09-27-2023 07:46 AM

 The issue is sometimes an installer major upgrade acts like an inline minor update in the software update pane which bypasses the restrictions all together. which is why I asked in my original response.

Reply

Go to solution
Doof
New Contributor
In response to tegus232

Posted on ‎12-04-2023 08:58 AM

Starting with Ventura, Apple began offering OS upgrades as a delta update, reducing the size of the download. The problem with this is that these delta updates / upgrades are dynamic and don't make use of the installer app. If the OS you're using is several versions back, it will still get deployed via the full installer app, but for anything fairly recent like going from Ventura to Sonoma, it will most likely be in the form of the smaller and unfortunately, unblockable delta releases.

0 Kudos
Reply

Go to solution
iOllie
New Contributor III

Posted on ‎09-10-2024 05:54 AM

Did anyone find a solution to block the delta upgrade before the macOS Sequoia release?

0 Kudos
Reply

Go to solution
howie_isaacks
Valued Contributor II
In response to iOllie

Posted on ‎09-10-2024 07:21 AM

A configuration profile that will defer the upgrade for up to 90 days is what you will need. You can also block the macOS Sequoia installer using Restricted Software. This upgrade will primarily be delivered by Apple through Software Update. Restricted Software won't block that since it's not launching the macOS install app. What I noticed last year was that the macOS install app was downloading on some Macs and then when users tried to upgrade through Software Update, the install app would launch. Non-admin users could not run the install app, but if the process ran entirely through Software Update without launching the app, they could get upgraded.

0 Kudos
Reply

Go to solution
iOllie
New Contributor III

Posted on ‎09-10-2024 09:02 AM

@howie_isaacks

I’ve already deployed a configuration profile to defer updates for 90 days. However, last year I noticed that a significant number of managed Macs were upgraded unexpectedly, likely due to Delta updates.

Given that most devices are now on version 14.8.1, what would be the best way to resolve the issue of Delta upgrades, especially to ensure stricter control over future updates?

0 Kudos
Reply

Go to solution
howie_isaacks
Valued Contributor II
In response to iOllie

Posted on ‎09-10-2024 10:26 AM

What I found out last year is that some software updates coming from Apple don't advertise themselves as either minor or major updates. As a result, some of my Macs were able to perform updates that we were not yet ready to allow in production. This JSON that I received from Jamf may help you. I used it to create a profile for minor macOS update deferrals and another for major macOS upgrades. The built-in profile payload for delaying updates isn't as granular as I needed. I don't like delaying macOS minor updates for more than 21 days but I don't get to make that decision. I definitely delay major upgrades for the maximum 90 days that Apple allows to ensure we don't have a lot of upgrades being done and then a lot of users with problems we have to fix.

{
    "title": "com.apple.applicationaccess",
    "description": "Preference Domain: com.apple.applicationaccess,  Application: macOS Restrictions",
    "__version": "10.15",
    "__feedback": "mitchelsblake@gmail.com",
    "type": "object",
    "options": {
        "remove_empty_properties": true
    },
    "properties": {
        "forceDelayedSoftwareUpdates": {
            "title": "Defer Apple Software Updates",
            "description": " Supervised only. If set to true, delays user visibility of Software Updates. On macOS, seed build updates will be allowed, without delay",
            "propertyOrder": 10,
            "anyOf": [
                            {
                                "title": "Not Configured",
                                "type": "null"
                            },
                            {
                                "title": "Configured",
                                "type": "boolean",
                                "default": false,
                                "options": {
                                    "infoText": "Key: forceDelayedSoftwareUpdates"
                                }
                            }
            ]
        },
        "enforcedSoftwareUpdateDelay": {
            "title": " Software Update Deferral length (in days)",
            "description": "Supervised only. This restriction allows the admin to set how many days a software update on the device will be delayed. With this restriction in place, the user will not see a software update until the specified number of days after the software update release date.",
            "propertyOrder": 20,
            "anyOf": [
                            {
                                "title": "Not Configured",
                                "type": "null"
                            },
                            {
                                "title": "Configured",
                                "type": "integer",
                                "minimum": 0,
                                "maximum": 90,
                                "default": 30,
                                "options": {
                                    "infoText": "Key: enforcedSoftwareUpdateDelay"
                                }
                            }
            ]
        },
        "forceDelayedAppSoftwareUpdates": {
            "title": "Defer Non-OS Software Updates",
            "description": " Supervised only - macOS 11 or later. If true, delays user visibility of non-OS Software Updates. Visibility of Operating System updates is controlled through forceDelayedSoftwareUpdates. The delay is 30 days unless enforcedSoftwareUpdateDelay is set to another value.",
            "propertyOrder": 30,
            "anyOf": [
                            {
                                "title": "Not Configured",
                                "type": "null"
                            },
                            {
                                "title": "Configured",
                                "type": "boolean",
                                "default": false,
                                "options": {
                                    "infoText": "Key: forceDelayedAppSoftwareUpdates"
                                }
                            }
            ]
        },
        "enforcedSoftwareUpdateNonOSDeferredInstallDelay": {
            "title": "Non OS Update Deferral length (in days)",
            "description": "Supervised only. macOS 11.3 and later. This restriction allows the admin to set how many days to delay an app software update on the device. When this restriction is in place the user sees a non-OS software update only after the specified delay after the release of the software. This value controls the delay for forceDelayedAppSoftwareUpdates.",
            "propertyOrder": 40,
            "anyOf": [
                            {
                                "title": "Not Configured",
                                "type": "null"
                            },
                            {
                                "title": "Configured",
                                "type": "integer",
                                "minimum": 0,
                                "maximum": 90,
                                "default": 30,
                                "options": {
                                    "infoText": "Key: enforcedSoftwareUpdateNonOSDeferredInstallDelay"
                                }
                            }
            ]
        },
        "enforcedSoftwareUpdateMinorOSDeferredInstallDelay": {
            "title": "Minor OS Update Deferral length (in days)",
            "description": "Supervised only. macOS 11.3 and later. This restriction allows the admin to set how many days to delay a minor OS software update on the device. When this restriction is in place the user see a software update only after the specified delay after the release of the software update. This value controls the delay for forceDelayedSoftwareUpdates.",
            "propertyOrder": 50,
            "anyOf": [
                            {
                                "title": "Not Configured",
                                "type": "null"
                            },
                            {
                                "title": "Configured",
                                "type": "integer",
                                "minimum": 0,
                                "maximum": 90,
                                "default": 30,
                                "options": {
                                    "infoText": "Key: enforcedSoftwareUpdateMinorOSDeferredInstallDelay"
                                }
                            }
            ]
        },
        "forceDelayedMajorSoftwareUpdates": {
            "title": "Defer Major Software Updates",
            "description": "If set to true, delays user visibility of major OS Software Updates.",
            "propertyOrder": 60,
            "anyOf": [
                            {
                                "title": "Not Configured",
                                "type": "null"
                            },
                            {
                                "title": "Configured",
                                "type": "boolean",
                                "default": false,
                                "options": {
                                    "infoText": "Key: forceDelayedMajorSoftwareUpdates"
                                }
                            }
            ]
        },
        "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": {
            "title": "Major OS UpdateDeferral length (in days)",
            "description": "Supervised only. macOS 11.3 and later. This restriction allows the admin to set how many days to delay a major software update on the device. When this restriction is in place the user sees a software update only after the specified delay after the release of the software update. This value controls the delay for forceDelayedMajorSoftwareUpdates.",
            "propertyOrder": 70,
            "anyOf": [
                            {
                                "title": "Not Configured",
                                "type": "null"
                            },
                            {
                                "title": "Configured",
                                "type": "integer",
                                "minimum": 0,
                                "maximum": 90,
                                "default": 30,
                                "options": {
                                    "infoText": "Key: enforcedSoftwareUpdateMajorOSDeferredInstallDelay"
                                }
                            }
            ]
        }
    }
}

 

Reply

Go to solution
liubkkkk0
New Contributor II
In response to howie_isaacks

Posted on ‎10-18-2024 05:09 AM

 I've tried using your profile or default functional restrictions in jamf and at first everything seems fine and after a few reboots my test macbooks start offering to download macOS Sequoia 15.0.1 under System Update. The same goes for the rest of the users in our organization. It seems that they do not show a message with an offer to download a new OS, and by going to "System Update" the user can download and install the latest update.

 

image (3).png

0 Kudos
Reply

Go to solution
iOllie
New Contributor III

Posted on ‎09-13-2024 04:01 AM

@howie_isaacksThank you for the JSON file! I had a chance to work with it a bit yesterday, and it looks great.

Reply

Go to solution
J0n
New Contributor
In response to iOllie

Posted on ‎10-03-2024 09:47 AM

What is your config profile? Do you mind sharing it?

0 Kudos
Reply

Go to solution
howie_isaacks
Valued Contributor II
In response to J0n

Posted on ‎10-03-2024 12:58 PM

Use the JSON that I shared above in a profile. Place the JSON in the Application & Custom Settings payload, External Applications. The preference domain is com.apple.applicationaccess. You can use the form editor to choose your settings.

0 Kudos
Reply

Go to solution
iOllie
New Contributor III
In response to J0n

a week ago

Apologies for the delayed response.

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>forceDelayedSoftwareUpdates</key>
    <true/>
    <key>enforcedSoftwareUpdateDelay</key>
    <integer>90</integer>
    <key>enforcedSoftwareUpdateMinorOSDeferredInstallDelay</key>
    <integer>30</integer>
    <key>forceDelayedMajorSoftwareUpdates</key>
    <true/>
    <key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key>
    <integer>90</integer>
  </dict>
</plist>

 

 

0 Kudos
Reply