Mac OS Deferral

robwm
New Contributor

Hi,

I need to block all Mac OS upgrades for 30 days. I followed the document below to build a new Configuration Profile to defer updates of Only major software updates.

Deferring a macOS Update - Managing macOS Updates | Jamf

I cannot find anything that tells me what is included in Major Software Updates. Is there a list of what is included in major software updates anywhere? Will building a configuration profile as described in the document block the Mac operating system from upgrading?

Thank you!

Rob

4 REPLIES 4

Levi_
Contributor II

Hey Rob,

Creating a restrictions profile in the functionality tab you can set the deferral up to 90 days. You can set this by Minor and Major updates to boot.

Levi__1-1667424777002.png


If your users are not administrators, they won't be able to install a major upgrade without an Administrator password. If your users are Administrators you may want to restrict the macOS installers in the restricted software. They might find a way around the deferral. The red arrow if checked will notify you if someone tries to run in the installer, kill it and optionally tell them something.

Levi__0-1667424699553.png

 

AJPinto
Honored Contributor II

This wont work for Ventura if the Mac is running 12.3 or newer once the MDM deferral has expired. If the user runs updates through System Preferences > Software Update it will download Ventura as a delta (Product 012-92138) with softwareupdated not as install macOS ventura.app.

 

Users need admin access to run OS upgrades, no matter how they are run beyond with a MDM command. So, that could be a control.

gachowski
Valued Contributor II

@robwm 

Might you be seeing this ... Apple changed major and minor a few weeks ago... I am sort of sure that doc you are reading might be out of date?

Solved: Ventura will be released as a "minor" update (bug) - Jamf Nation Community - 276218

AJPinto
Honored Contributor II

There is not really a list, but just knowing how Apple numbers their OS updates.

  • Minor updates: 12.1, 12.2, 12.3, ext
  • Major updates: 11, 12, 13
  • To make things complicated: If you are running macOS 12.3-12.6 there is a bug that allows macOS 13 to install as a minor updates and not a major update. This bug is fixed with 12.6.1
    • If your environment is not running 12.6.1 and you want to differ Ventura, UPDATE NOW you have until 11.24 to be updated before devices will be notified of Ventura.

How to test:

  • Enable the configuration profile on a device.
    • Run softwareupdate -l in terminal to make the Mac check for updates.
    • Check /var/log/install.log and look for the section that talks about product {number here) is deferred until {date}

 

This is a section I took from a few days ago which shows the OS deferral. MacOS will see all updates, but will log what updates it cannot install and only display to the user what it is allowed to install. Product 012-### is the product ID for a given macOS build, you can google this string to figure out what update its talking about; 12.92138 is the macOS 13.0 delta for example. 

2022-11-03 07:38:24-05 C02DPLCYQ6L4 softwareupdated[499]: Adding client SUUpdateServiceClient pid=1162, uid=504, installAuth=NO rights=(), transactions=0 (/System/Library/PrivateFrameworks/SoftwareUpdate.framework/Versions/A/Resources/SoftwareUpdateNotificationManager.app/Contents/MacOS/SoftwareUpdateNotificationManager)
2022-11-03 07:38:24-05 C02DPLCYQ6L4 softwareupdated[499]: Product 012-38280 is deferred until 2022-12-11 07:00:00 +0000
2022-11-03 07:38:24-05 C02DPLCYQ6L4 softwareupdated[499]: Product 012-40494 is deferred until 2022-12-11 07:00:00 +0000
2022-11-03 07:38:24-05 C02DPLCYQ6L4 softwareupdated[499]: Product 012-51693 is deferred until 2022-11-15 07:00:00 +0000
2022-11-03 07:38:24-05 C02DPLCYQ6L4 softwareupdated[499]: Product 012-90253 is deferred until 2023-01-22 07:00:00 +0000
2022-11-03 07:38:24-05 C02DPLCYQ6L4 softwareupdated[499]: Product 012-90254 is deferred until 2023-01-22 07:00:00 +0000
2022-11-03 07:38:24-05 C02DPLCYQ6L4 softwareupdated[499]: Product 012-92138 is deferred until 2023-01-22 07:00:00 +0000
2022-11-03 07:38:24-05 C02DPLCYQ6L4 softwareupdated[499]: SUOSUServiceDaemon: Adding client: (null) (pid = 1162, uid = 504, path = /System/Library/PrivateFrameworks/SoftwareUpdate.framework/Versions/A/Resources/SoftwareUpdateNotificationManager.app/Contents/MacOS/SoftwareUpdateNotificationManager, connection remote object interface = <NSXPCInterface: 0x149c044e0>, exported interface = <NSXPCInterface: 0x149c0e0e0>, remote object proxy = <__NSXPCInterfaceProxy_SUOSUServiceClientProtocol: 0x149c07e40>)

 

 

Do not rely on being able to block install macOS Ventura.app with JAMF. If a Mac is running 12.3+ and a user goes to System Preferences > Software Update and clicks install Ventura. MacOS WILL NOT download macOS Ventura.app but rather it will download the 12.92138 delta to install Ventura which cannot be blocked without going after softwareupdated itself.