Jamf Nation Community

johnsmith1950 · ‎09-21-2023

I'm wanting to enable the "Defer Updates of software updates" to block Sonoma when it comes out, but we don't have an outstanding Restrictions profile in place.

So take this screenshot from below. This is some of the default things ticked/unticked etc in a Restrictions profile.

So. if i JUST want to have the restrictions for defering software updates.....should i leave the existing options enabled....or....untick them all?

I just don't want to push out a restrictions profile, and then block a load of things that perviously were allowed.

Thanks

mm2270 · ‎09-21-2023

All of those other items in the profile start with "Allow", so if you want to ensure that those services and options are still allowed on devices that receive your profile, then yes, you should keep them checked. Unchecking any of them would mean that function gets blocked.

Oof course, like anything, test out such a Restrictions profile on one or two devices to see what the effects will be, before you consider rolling it out to your whole fleet of Macs.

View solution in original post

mm2270 · ‎09-21-2023

All of those other items in the profile start with "Allow", so if you want to ensure that those services and options are still allowed on devices that receive your profile, then yes, you should keep them checked. Unchecking any of them would mean that function gets blocked.

Oof course, like anything, test out such a Restrictions profile on one or two devices to see what the effects will be, before you consider rolling it out to your whole fleet of Macs.

johnsmith1950 · ‎09-21-2023

Ahhh ok, sorry, so...if i don't have a restrictions profile already in place, then all of these will be allowed anyway, and the default profile has them all ticked to "Allow"

Yeah sorry, was thinking that all wrong. Appreciate the help

wildfrog · ‎09-23-2023

Something to keep in mind about the Restrictions payload (and others). As you surmised, you are acting upon ALL of those settings. You are setting them to either a true state or a false state, but you are setting them.

If you want to specifically target only those keys relating to software update, I feel your path of least resistance is to find or create a JSON schema which allows you to target only those settings surrounding software update without affecting any of the other settings in that preference domain.

This is a JSON schema I found for this - allowing me to target only software update keys and leave all other settings untouched.

https://github.com/Jamf-Custom-Profile-Schemas/mscottblake-schemas/blob/master/com.apple.application...

Good luck.

howie_isaacks · ‎09-23-2023

I have a profile in my Jamf Pro server that we use for delaying macOS updates. I think the JSON you mentioned here will work better. Thanks for posting this.

wildfrog · ‎09-23-2023

Glad to help.

Also. . .if you want to make your own JSON schemas, Managed App Schema Builder is a godsend. If you know the preference domain, the keys to be acted upon, and the type of value required for those keys (i.e. integer, boolean, etc), you can create your own JSON schemas.

jtrant · ‎09-26-2023

iMazing Profile Editor will allow you to create a profile with only the preferences you want, whereas Jamf Pro requires that you set a bunch of other preferences (which you might already have set elsewhere).

Recommend you sign the profile before uploading to Jamf. A custom schema is also a great way to achieve the same result.

wildfrog · ‎10-12-2023

Indeed. I love me some iMazing, but generally prefer to use Jamf's built in UI when I can. I just find it to be cleaner. But as always, YMMV.

PhillyPhoto · 3 weeks ago

I know this is a little late to the party, but please upvote JN-I-27743 which would directly address this issue!

Jamf Nation Community

How do restrictions profiles work?