Help

macOS Ventura - further delay for Lab Macs

ICT-JPC
New Contributor III

Posted on ‎01-17-2023 03:40 AM

Hi,

We've a number of Intel and M1 Labs Mac's that are running macOS Monterey for this academic year, at least so we'd planned ... They were updated to 12.6.1 to allow maximum deferral of Ventura, which is of course coming to an end imminently ...

Testing various options, using Jamf's Restricted Software feature:

On M1 Mac's we're seeing that you have to be logged on to and authenticate as Local Administrator to proceed with the update

However with Intel Mac's this simply isn't the case, even with the Restricted Software setting in place, a standard user can simply instigate the update, without any issue

 

Might anyone know if I am doing anything wrong here? Or is this simply as it is? As if it is, this could present a potential issue in our Labs ...

 

Thanks for any input / advice   

0 Kudos
4 REPLIES 4

AJPinto
Honored Contributor II

Posted on ‎01-17-2023 04:54 AM

To put it plainly, there is no way to defer Ventura past the 22nd (I think that is the date) on any device running 12.3 or newer. Period.

 

On Apple Silicon nor intel do you need to be an admin to install OS Updates. You do need to be a Volume Owner to install OS Upgrades, even Major Upgrades delivered as a delta like Ventura. Though give it time and I am sure Apple will "fix" this also. Another way to hem up standard users, leave a second user account logged in. For whatever reason in 2023 MacOS still needs admin credentials to reboot if 2 users are logged in. Background tasks that macOS cannot force quit will also prevent the upgrade from running. Exploiting Apples poorly designed OS updates, does not count as deferring in my book.

0 Kudos

pete_c
Contributor III

Posted on ‎01-17-2023 07:32 AM

Be sure to file feedback with Apple as to why these mandatory upgrades are problematic for your organization.  We got their attention to fix the deferral bug last summer; Apple is mandating what operating software will run on devices they do not own, which is not only problematic for orgs with 3rd-party tooling but is contrary to their own positions on privacy.

 

AppleSeed is the much better place to file feedback, but something is better than nothing.

0 Kudos

shaquir
Contributor III

Posted on ‎01-18-2023 05:31 PM

Are you just trying to block users from running the updater (outside of Self Service ex.)?

If so, in Restricted Software:

  • block "InstallAssistant" 
    • Restrict exact process name
    • kill process
0 Kudos

teodle
Contributor II

Posted on ‎01-19-2023 08:05 AM

Trying to stop Ventura "minor update" using JAMF is like trying to stop a freight train by parking a tricycle on the tracks. 

0 Kudos