Mac upgraded to Ventura with Restricted Software set to block upgrades

bcbackes
Contributor III

Hello Community,

 

Hoping someone might be able to help me figure out how a user was able to upgrade their Mac to macOS Ventura when I have the installer being blocked using Restricted Software. Is there a log or something that will tell me what triggered the upgrade? I have seen two users do this now. 

Thoughts?

1 ACCEPTED SOLUTION

jamf-42
Valued Contributor II

remove software update option from system settings with config profile

yes, you need to set software update config profile to just install security updates

block the binary 'InstallAssistant'

block the binary 'softwareupdate'    <-- this needs careful thought.. it's used by jamf by default


red_beard
Contributor

It might be because on macOS 12.3 through 12.6, machines will see the macOS 13 upgrade as a minor update due to a bug that wasn't patched until 12.6.1. If you choose to try and block per the Apple Support doc, you will also have to block minor updates that will affect Monterey point updates.
https://support.apple.com/en-us/HT213471 

jamf-42
Valued Contributor II

what are you blocking in Restricted Software? InstallAssistant or Install Mac OS Ventura.app?

I'm blocking "Install macOS Ventura.app".

jamf-42
Valued Contributor II

to stop update to 13.4, use config profile with 90 major 90 minor. you can also remove software update from system settings.

I've used that before, but that only prevents them from upgrading for 90 days after the new macOS is released.
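
The 90-day limit discussed in the two posts above, as an added example that is not part of the thread: it reads a configuration profile's Restrictions payload, reports the deferral it enforces, and checks whether a major upgrade is still hidden on a given date. The sample profile is constructed, the Ventura release date is not stated in the thread, and the function names and the fallback to the generic delay are assumptions.

```python
import plistlib
from datetime import date, timedelta

MAX_DEFERRAL = 90  # Apple caps software update deferral at 90 days
VENTURA_RELEASE = date(2022, 10, 24)  # macOS 13.0 public release (not stated in the thread)

# Constructed sample profile: a Restrictions payload set to "90 major 90 minor".
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>forceDelayedMajorSoftwareUpdates</key><true/>
    <key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key><integer>90</integer>
    <key>forceDelayedSoftwareUpdates</key><true/>
    <key>enforcedSoftwareUpdateMinorOSDeferredInstallDelay</key><integer>90</integer>
  </dict></array>
</dict></plist>"""


def deferral_days(profile_bytes):
    """Return the days each update class is hidden, e.g. {'major': 90, 'minor': 90}."""
    days = {"major": 0, "minor": 0}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        # Assumption: with no class-specific delay, the generic delay (default 30) applies.
        generic = payload.get("enforcedSoftwareUpdateDelay", 30)
        if payload.get("forceDelayedMajorSoftwareUpdates"):
            major = payload.get("enforcedSoftwareUpdateMajorOSDeferredInstallDelay", generic)
            days["major"] = min(major, MAX_DEFERRAL)
        if payload.get("forceDelayedSoftwareUpdates"):
            minor = payload.get("enforcedSoftwareUpdateMinorOSDeferredInstallDelay", generic)
            days["minor"] = min(minor, MAX_DEFERRAL)
    return days


def major_upgrade_hidden(profile_bytes, release, today):
    """True while the profile still hides a major OS released on `release`."""
    return today < release + timedelta(days=deferral_days(profile_bytes)["major"])


if __name__ == "__main__":
    print(deferral_days(SAMPLE_PROFILE))
    for day in (date(2022, 12, 1), date(2023, 5, 24)):  # inside / past the window
        print(day, major_upgrade_hidden(SAMPLE_PROFILE, VENTURA_RELEASE, day))
```

Once the window has passed, the profile no longer hides the upgrade, so a fleet that relies on deferral alone needs another control or an upgrade plan by that date.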

red_beard
Contributor

We were only blocking - Install macOS Ventura.app. Ironically enough just yesterday I removed blocking Ventura from our fleet now that we have so many users on it and not reporting issues in our environment. 

bcbackes
Contributor III

Interestingly enough, we were able to look at the Software Update settings on the device and they have everything turned on, including "Install macOS updates". However, I would think that Restricted Software would block that, or am I wrong?

bcbackes
Contributor III

Talking with Jamf Support, they think that if Software Update has "Install macOS updates" turned on, it doesn't use the "Install macOS Ventura.app" to kick off the install. In that case, Restricted Software won't block the new macOS from installing. I might need to find a way to turn off "Install macOS updates" from within Software Update.

They did suggest using a config profile to defer updates just like @jamf-42 suggested. The other thing they suggested was to use Restricted Software to block "InstallAssistant". That however will prevent users from doing any major macOS upgrade. 

jamf-42
Valued Contributor II

remove software update option from system settings with config profile

yes, you need to set software update config profile to just install security updates

block the binary 'InstallAssistant'

block the binary 'softwareupdate'    <-- this needs careful thought.. it's used by jamf by default

Tribruin
Valued Contributor II

Uh, those suggestions are blocking all software updates, including minor updates. You are putting your fleet at risk by not keeping current with updates. I don't recommend this approach.

 

I apologize if this comes off as preachy, but this is a fact. Apple has made it VERY clear that there will be security patches that only apply to Ventura and will not be back rev'd to Monterey or Big Sur. This isn't Microsoft, which will supply patches for N-30 revisions (or something like that).

It is now 7 months after the release of Ventura. Apple allows for a 90 day deferral, knowing that companies may not be ready, but we are long past that now. If there is some technical reason you can't upgrade, you would be better off addressing the technical reason and not blocking your users from upgrading. 

 

@Tribruin we did have some technical issues. We found that when some users upgraded to Ventura everything was fine until they rebooted. When they went to login after the reboot it would freeze during the login and wouldn't progress any further. The user was dead in the water. If they came onsite and connected to our internal network they could login without any issues. 

After opening tickets with Jamf and Apple, we found out the issue was with the account trying to connect to network shares during the login process. Since their VPN connection wasn't established yet, it wouldn't connect, but worse than that, the user was never prompted that \\networkshare couldn't be connected. I found on Monterey and Big Sur they received the prompt and could click OK to proceed, but on Ventura they didn't get the prompt. Apple said it was a known issue that would be fixed in 13.4. That is why we started restricting the upgrade to Ventura. However, I had a couple of users that still managed to update somehow, and that's why I posted. I was trying to figure out how they could've upgraded with the Restricted Software in place.