Today, Apple released macOS 13 Ventura. While many orgs may be ready to upgrade today, others may need time to do final testing and/or get verification from your vendor on the compatibility of your software.
Apple has made some major improvements in the software update mechanism to make installing Ventura easier and faster for users. Instead of forcing the user to download the full installer and running it locally (like previous upgrades), a computer running macOS 12.3 or higher will perform the upgrade like a software update and only download the changes. In my testing, a full installer was over 12GB, but the new update only required 5.5GB of download. This is great news.
However, there is a bug that Mac Admins needs to be aware of. Because this new upgrade process acts like an update, macOS 12.3 - 12.6 were only respecting the Minor Deferral time for Ventura, instead the Major Deferral. If you have different settings for these two deferrals, you may be surprised to find that Ventura is being advertised to your users.
To resolve this issue, Apple has given MacAdmins two work arounds. (1) macOS 12.6.1, also released today, correctly classifies the Ventura upgrade as a Major upgrade and will respect the Major Deferral window and (2) to give MacAdmins time to rollout 12.6.1 to their users, Apple has implemented a server side change. Any computer that is Supervised (e.g. enrolled in an MDM) will not see the new upgrade process for 30 days. Instead, the full installer would need to be download. However, this also forces 12.3-12.6 to respect the Major Deferral window in relation to Venutra.
Here is an Apple support article with the details:
Make sure you are preparing your fleet to either upgrade to 12.6.1 (if you are not 13 ready) or be ready for 13 within 30 days.
This seems somewhat flawed though, users still see the option to install macOS Ventura and they don’t know (or care) that it is the full installer rather than the managed software update.
We had the impression that managed/supervised Macs under 12.6.1 would not see the update to Ventura in their Software Updates pane at all and that install via downloading the full installer would mean they would use softwareupdate —fetch-full-installer to get it.
Just tested this configuration profile on macOS 12.6 , this will remove the macOS Ventura entry in software update:
<plist> <dict> <key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key> <integer>90</integer> <key>forceDelayedMajorSoftwareUpdates</key> <true/> </dict> </plist>
The temporary server side change that Apple made to delay the delta upgrade allows 12.3 - 12.6 to respect the Major deferral. However, this server-side change is only for 30 days. After that, only 12.6.1 (or below 12.3) will continue to block Ventura using the Major deferral.
One slight disadvantage is for 30 days, computers enrolled in an MDM can't use the new delta upgrade process. Users will be forced to download the full installer.
Apple really screwed us this time. lol. No worries though...we have a workaround to safely update to 12.6.1, but you will need to allow Ventura to advertise. Apple basically gave us 30 days to update to 12.6.1 before the delta upgrades begin. For now Ventura is still downloading full installers when a users attempt to update. So you can basically restrict the macOS Ventura.app and install assistant with Jamf and guide your users to "More Info" with Nudge. I would highly advise against deferring minor updates to make this go away because the delta upgrades will be here by 11/24/2022.
What are you current deferrals (major/minor)? If you have a major deferral set, it will respect it, even under 12.3-12.6. You should not be seeing Ventura unless you don't have a Major deferral delay set.
I am testing and have minor set to 1 and major set to 45. As of today, I only see 12.6.1 as available on my test computer.
Graham Pugh made a nice blog post regarding this situation:
Just saw this link, clearest explanation yet, passed it along to our stakeholders and security folks.
Thanks for posting!
Did something changed or rolled back? a newly imaged machine running macOS 12.6.3 does not give an option to upgrade to macOS Ventura directly from system preference.
Instead it's downloaded the full installer like and requires admin privilege to upgrade.
this still indicate that upgrades can be done by any users but 2 of our new macs are not showing this behaviour.
Important: On a Mac, any user can perform software updates. Prior to macOS 12.3, local administrators are required to perform software upgrades. Using macOS 12.3 or later, any user can perform a software upgrade. On Apple silicon, users must be a volume owner to perform software updates and upgrades.
It didn’t quite fix for me as we start seeing macOS Ventura updates showing on system preference which tells me the 90day major upgrade deferral has reached. A couple of weeks back, I was able to *Update* some monterey macs to ventura from system preference without admin privileges but it’s different today after the expiry of the 90days major deferral
Ok I've actually solved this now in my environment.
Tl;dr if you have a Config Profile set to defer Major Updates 7 days or longer it will block the 13.2 delta update because it only just came out, but will instead offer an older update version as the full .App installer which requires admin credentials of course.
I tested this a few times in the lab and the results were consistent:
Major deferral off or 1 day = 13.2 delta update offered in System Preferences/Software Update
Major deferral 7 or 30 days = 13.1 full installer offered in System Preferences/Software Update
Major deferral 90 days = 13.0 full installer offered in System Preferences/Software Update
13.0 will never be offered as a delta to MDM enrolled computers. 13.1 is the first update that can be installed as a delta. If you have a 90 day Major deferral set, 13.0 is offered as a full installer. You need to set your Major deferral to about 30 days to see 13.1 as a delta update.
And, there is some issues with 13.1 or 13.2 showing as full installers. I think it has something to do with minor deferrals versus major deferrals. But, haven't had the time to research.
so prior to this with the forced delayed major updates config, users won't even see that major update in system preference and just reports that they are up to date. But if it works for you, i guess I shall try disabling that as a workaround. It's just a little annoying needing to manually enable this again on the next major OS release.
Not exactly. Since 90 days have passed since the first release of macOS Ventura, you will not be able to hide it in Software Update.
However, Apple has given Mac Admins a slight reprieve. macOS 13.0 & 13.0.1 are still full installers. You can use a Restricted Software against Install macOS Ventura.app or something like GitHub - Theile/venturablocker: Blocking Ventura installer
However, after 90 days has passed from the release of macOS 13.1 (March 13th), users will be able to upgrade from Software Update using the delta update. At that point, the options to block are very limited and usually have unattended consquences.