Posted on 04-18-2023 12:42 PM
We have a fleet of Macs and we're trying to prevent users from automatically upgrading their Macs to macOS Ventura or any other new macOS that Apple releases. This prevents users from accidentally breaking their software, which does not work with the latest macOS.
Is there a way to do this in Jamf?
Thanks,
Posted on 04-18-2023 01:12 PM
Hi! Yes you can do this easily via "Restricted Software" and entering Install macOS Ventura.app as the Process Name to restrict. Then just scope it to your devices.
Posted on 04-21-2023 10:54 AM
If a Mac is running 12.3 or greater, OS upgrades are downloaded as deltas. There will be no Install macOS Ventura.app to block.
Posted on 04-19-2023 10:56 AM
We have a signed profile we uploaded that just blocks access to Software Update so users can't access it that way, and we have a Static Computer Group excluded so we can allow upgrades as needed.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>DisabledPreferencePanes</key>
            <array>
                <string>com.apple.preferences.softwareupdate</string>
            </array>
            <key>PayloadDescription</key>
            <string></string>
            <key>PayloadDisplayName</key>
            <string>System Preferences</string>
            <key>PayloadIdentifier</key>
            <string>BBF6CD21-12F6-4EEB-B6F6-8B2F13A1AC0D</string>
            <key>PayloadType</key>
            <string>com.apple.systempreferences</string>
            <key>PayloadUUID</key>
            <string>BBF6CD21-12F6-4EEB-B6F6-8B2F13A1AC0D</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string></string>
    <key>PayloadDisplayName</key>
    <string>Restrictions - Software Update - Disabled</string>
    <key>PayloadIdentifier</key>
    <string>A481F3CB-4DA5-4013-8200-BA107C007152</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>434F331B-9E4E-4233-A894-77BAF8D71263</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
Posted on 04-19-2023 11:00 AM
Wouldn't this block all software updates? How do you apply the security patch updates?
Posted on 04-21-2023 10:12 AM
Yes, we have another config profile that enforces automatic updates (users just need to reboot when prompted), and we also have a policy that runs the MDM software update command in a script.
Posted on 04-21-2023 09:32 AM
This will not work anymore. Apple is pushing the macOS Ventura upgrade to macOS 12.x clients. Once the 90-day delays are gone, there is no way to hide the Ventura upgrade in Software Update.
Posted on 04-21-2023 10:14 AM
This disables Software Update in System Preferences.
Posted on 04-21-2023 10:53 AM
Just commenting because the accepted answer is wrong.
With macOS 12.3+, OS upgrades (macOS 13+) install as a delta; there is no Install macOS Ventura.app downloaded to block with a software restriction. You can defer OS upgrades for 90 days; after that users can do whatever they want. macOS 13's deferral ran out in January; if you search Jamf Nation you will see tons of posts on this.
If you don't give users admin access they cannot install OS upgrades, but the Mac will keep barking about it to the user.
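An added example, not part of the original posts: a small Python audit that reads an unsigned .mobileconfig and reports whether it only hides the Software Update pane (as the profile posted above does) or also defers major upgrades through a Restrictions payload. The sample profile is constructed, and the deferral keys in it are an assumption about how such a payload would be written; `audit_profile` is a hypothetical helper name.

```python
import plistlib

SU_PANE = "com.apple.preferences.softwareupdate"
MAX_DEFERRAL_DAYS = 90  # the 90-day limit mentioned in the thread

# Constructed sample (not from the thread): the posted pane-hiding payload plus
# an assumed Restrictions payload that defers major OS upgrades for 90 days.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadRemovalDisallowed": True,
    "PayloadContent": [
        {"PayloadType": "com.apple.systempreferences",
         "DisabledPreferencePanes": [SU_PANE]},
        {"PayloadType": "com.apple.applicationaccess",
         "forceDelayedMajorSoftwareUpdates": True,
         "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": 90},
    ],
})


def audit_profile(raw: bytes) -> dict:
    """Summarise what a configuration profile does about macOS upgrades."""
    profile = plistlib.loads(raw)  # a signed (CMS) profile must be unwrapped first
    report = {
        "hides_su_pane": False,
        "major_deferral_days": 0,
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "findings": [],
    }
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.systempreferences":
            panes = payload.get("DisabledPreferencePanes", [])
            report["hides_su_pane"] = report["hides_su_pane"] or SU_PANE in panes
        elif ptype == "com.apple.applicationaccess" and payload.get(
                "forceDelayedMajorSoftwareUpdates"):
            days = int(payload.get(
                "enforcedSoftwareUpdateMajorOSDeferredInstallDelay", 0))
            report["major_deferral_days"] = min(days, MAX_DEFERRAL_DAYS)
    if report["hides_su_pane"]:
        report["findings"].append(
            "Software Update pane hidden: patches need another delivery path")
    if report["major_deferral_days"]:
        report["findings"].append(
            f"major upgrade deferred {report['major_deferral_days']} days, then offered")
    else:
        report["findings"].append("no major-upgrade deferral in this profile")
    if not report["removal_disallowed"]:
        report["findings"].append("PayloadRemovalDisallowed is not set")
    return report
```

Run against the profile posted in this thread, the report would show the pane hidden and no deferral, which is the gap the later replies point out.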
Posted on 04-24-2023 12:02 AM
Just wondering if this is also the case on Apple Silicon Macs. After the macOS Ventura download, the Mac is only asking to confirm the installation with the logged-in user credentials; there is no note that an admin is required ...?
Posted on 04-24-2023 04:48 AM
I believe the popup still says enter administrative credentials. However, all macOS is looking for is a secure token to install OS updates (13.1 > 13.2 > 13.3 > ...) which is not tied to admin access. OS upgrades (11 > 12 > 13) still require Admin Access, at least for now.