Posted on 11-02-2022 01:26 PM
I need to block all Mac OS upgrades for 30 days. I followed the document below to build a new Configuration Profile to defer updates of Only major software updates.
Deferring a macOS Update - Managing macOS Updates | Jamf
I cannot find anything that tells me what is included in Major Software Updates. Is there a list of what is included in major software updates anywhere? Will building a configuration profile as described in the document block the Mac operating system from upgrading?
Posted on 11-02-2022 02:34 PM
Creating a restrictions profile in the functionality tab you can set the deferral up to 90 days. You can set this by Minor and Major updates to boot.
If your users are not administrators, they won't be able to install a major upgrade without an Administrator password. If your users are Administrators you may want to restrict the macOS installers in the restricted software. They might find a way around the deferral. The red arrow if checked will notify you if someone tries to run in the installer, kill it and optionally tell them something.
11-07-2022 06:54 AM - edited 11-07-2022 06:55 AM
This wont work for Ventura if the Mac is running 12.3 or newer once the MDM deferral has expired. If the user runs updates through System Preferences > Software Update it will download Ventura as a delta (Product 012-92138) with softwareupdated not as install macOS ventura.app.
Users need admin access to run OS upgrades, no matter how they are run beyond with a MDM command. So, that could be a control.
Posted on 11-02-2022 02:38 PM
Might you be seeing this ... Apple changed major and minor a few weeks ago... I am sort of sure that doc you are reading might be out of date?
Solved: Ventura will be released as a "minor" update (bug) - Jamf Nation Community - 276218
Posted on 11-07-2022 06:51 AM
There is not really a list, but just knowing how Apple numbers their OS updates.
How to test:
This is a section I took from a few days ago which shows the OS deferral. MacOS will see all updates, but will log what updates it cannot install and only display to the user what it is allowed to install. Product 012-### is the product ID for a given macOS build, you can google this string to figure out what update its talking about; 12.92138 is the macOS 13.0 delta for example.
2022-11-03 07:38:24-05 C02DPLCYQ6L4 softwareupdated: Adding client SUUpdateServiceClient pid=1162, uid=504, installAuth=NO rights=(), transactions=0 (/System/Library/PrivateFrameworks/SoftwareUpdate.framework/Versions/A/Resources/SoftwareUpdateNotificationManager.app/Contents/MacOS/SoftwareUpdateNotificationManager) 2022-11-03 07:38:24-05 C02DPLCYQ6L4 softwareupdated: Product 012-38280 is deferred until 2022-12-11 07:00:00 +0000 2022-11-03 07:38:24-05 C02DPLCYQ6L4 softwareupdated: Product 012-40494 is deferred until 2022-12-11 07:00:00 +0000 2022-11-03 07:38:24-05 C02DPLCYQ6L4 softwareupdated: Product 012-51693 is deferred until 2022-11-15 07:00:00 +0000 2022-11-03 07:38:24-05 C02DPLCYQ6L4 softwareupdated: Product 012-90253 is deferred until 2023-01-22 07:00:00 +0000 2022-11-03 07:38:24-05 C02DPLCYQ6L4 softwareupdated: Product 012-90254 is deferred until 2023-01-22 07:00:00 +0000 2022-11-03 07:38:24-05 C02DPLCYQ6L4 softwareupdated: Product 012-92138 is deferred until 2023-01-22 07:00:00 +0000 2022-11-03 07:38:24-05 C02DPLCYQ6L4 softwareupdated: SUOSUServiceDaemon: Adding client: (null) (pid = 1162, uid = 504, path = /System/Library/PrivateFrameworks/SoftwareUpdate.framework/Versions/A/Resources/SoftwareUpdateNotificationManager.app/Contents/MacOS/SoftwareUpdateNotificationManager, connection remote object interface = <NSXPCInterface: 0x149c044e0>, exported interface = <NSXPCInterface: 0x149c0e0e0>, remote object proxy = <__NSXPCInterfaceProxy_SUOSUServiceClientProtocol: 0x149c07e40>)
Do not rely on being able to block install macOS Ventura.app with JAMF. If a Mac is running 12.3+ and a user goes to System Preferences > Software Update and clicks install Ventura. MacOS WILL NOT download macOS Ventura.app but rather it will download the 12.92138 delta to install Ventura which cannot be blocked without going after softwareupdated itself.