How to prevent users from automatically upgrading their macs to macOS Ventura or newer macOS

Mouthbaten_1911
New Contributor III

We have a fleet of mac and we're trying to prevent users from automatically upgrading their macs to macOS Ventura or any other new macOS that Apple releases. This prevents us from users accidentally breaking their software which do not work with the latest macOS.

 

Is there a way to do this in Jamf? 

 

Thanks, 

2 ACCEPTED SOLUTIONS

jpuebs
New Contributor III

Hi! Yes you can do this easily via "Restricted Software" and entering Install macOS Ventura.app as the Process Name to restrict. Then just scope it to your devices. 

View solution in original post

PhillyPhoto
Valued Contributor

We have a signed profile we uploaded that just blocks access to Software Update so users can't access it that way, and we have a Static Computer Group excluded so we can allow upgrades as needed.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>DisabledPreferencePanes</key>
			<array>
				<string>com.apple.preferences.softwareupdate</string>
			</array>
			<key>PayloadDescription</key>
			<string></string>
			<key>PayloadDisplayName</key>
			<string>System Preferences</string>
			<key>PayloadIdentifier</key>
			<string>BBF6CD21-12F6-4EEB-B6F6-8B2F13A1AC0D</string>
			<key>PayloadType</key>
			<string>com.apple.systempreferences</string>
			<key>PayloadUUID</key>
			<string>BBF6CD21-12F6-4EEB-B6F6-8B2F13A1AC0D</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string></string>
	<key>PayloadDisplayName</key>
	<string>Restrictions - Software Update - Disabled</string>
	<key>PayloadIdentifier</key>
	<string>A481F3CB-4DA5-4013-8200-BA107C007152</string>
	<key>PayloadRemovalDisallowed</key>
	<true/>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>434F331B-9E4E-4233-A894-77BAF8D71263</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

 

View solution in original post

10 REPLIES 10

jpuebs
New Contributor III

Hi! Yes you can do this easily via "Restricted Software" and entering Install macOS Ventura.app as the Process Name to restrict. Then just scope it to your devices. 

AJPinto
Honored Contributor III

If a Mac is running 12.3 or greater, OS upgrades are downloaded as deltas. There will be no install macOS ventura.app to block.

PhillyPhoto
Valued Contributor

We have a signed profile we uploaded that just blocks access to Software Update so users can't access it that way, and we have a Static Computer Group excluded so we can allow upgrades as needed.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>DisabledPreferencePanes</key>
			<array>
				<string>com.apple.preferences.softwareupdate</string>
			</array>
			<key>PayloadDescription</key>
			<string></string>
			<key>PayloadDisplayName</key>
			<string>System Preferences</string>
			<key>PayloadIdentifier</key>
			<string>BBF6CD21-12F6-4EEB-B6F6-8B2F13A1AC0D</string>
			<key>PayloadType</key>
			<string>com.apple.systempreferences</string>
			<key>PayloadUUID</key>
			<string>BBF6CD21-12F6-4EEB-B6F6-8B2F13A1AC0D</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string></string>
	<key>PayloadDisplayName</key>
	<string>Restrictions - Software Update - Disabled</string>
	<key>PayloadIdentifier</key>
	<string>A481F3CB-4DA5-4013-8200-BA107C007152</string>
	<key>PayloadRemovalDisallowed</key>
	<true/>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>434F331B-9E4E-4233-A894-77BAF8D71263</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

 

Wouldn't this block all the software updates? How do you update the security patches updates?

Yes, we have another config profile that enforces automatic updates (users just need to reboot when prompted), and we also have a policy that runs the MDM software update command in a script.

This will not work anymore. Apple is pushing the macOS Ventura Upgrade to macOS 12.x Clients. Once the 90 days delays are gone there is no way to hide the Ventura Upgrade in Software Update.

This disables Software Update in System Preferences. 

AJPinto
Honored Contributor III

Just commenting because the accepted answer is wrong.

 

With macOS 12.3+ OS upgrades (MacOS 13+) install as a delta, there is no install macOS Ventura.app downloaded to block with a software restriction. You can defer OS upgrades for 90 days, after that users can do whatever they want. MacOS 13's deferral ran up in January, if you search JAMF nation you will see tons of posts on this.

 

If you dont give users admin access they cannot install OS Upgrades, but the mac will keep barking about it to the user.

Just wondering if this is also the case on Apple Silicon Macs. After the macOS Ventura Download the Mac is only asking to confirm the installation with the logged in User Credentials, there is no note that a Admin is required ...?

AJPinto
Honored Contributor III

I believe the popup still says enter administrative credentials. However, all macOS is looking for is a secure token to install OS updates (13.1 > 13.2 > 13.3 > ...) which is not tied to admin access. OS upgrades (11 > 12 > 13) still require Admin Access, at least for now.