macOS Ventura Update - Major & Minor Update Deferrals - Oh My!

Tribruin
Valued Contributor II

Today, Apple released macOS 13 Ventura. While many orgs may be ready to upgrade today, others may need time to do final testing and/or get verification from your vendor on the compatibility of your software. 

Apple has made some major improvements in the software update mechanism to make installing Ventura easier and faster for users. Instead of forcing the user to download the full installer and running it locally (like previous upgrades), a computer running macOS 12.3 or higher will perform the upgrade like a software update and only download the changes. In my testing, a full installer was over 12GB, but the new update only required 5.5GB of download. This is great news. 

However, there is a bug that Mac Admins needs to be aware of. Because this new upgrade process acts like an update, macOS 12.3 - 12.6 were only respecting the Minor Deferral time for Ventura, instead the Major Deferral. If you have different settings for these two deferrals, you may be surprised to find that Ventura is being advertised to your users. 

To resolve this issue, Apple has given MacAdmins two work arounds. (1) macOS 12.6.1, also released today, correctly classifies the Ventura upgrade as a Major upgrade and will respect the Major Deferral window and (2) to give MacAdmins time to rollout 12.6.1 to their users, Apple has implemented a server side change. Any computer that is Supervised (e.g. enrolled in an MDM) will not see the new upgrade process for 30 days. Instead, the full installer would need to be download. However, this also forces 12.3-12.6 to respect the Major Deferral window in relation to Venutra. 

Here is an Apple support article with the details:

Manage upgrading to macOS Ventura in your organization - Apple Support

Make sure you are preparing your fleet to either upgrade to 12.6.1 (if you are not 13 ready) or be ready for 13 within 30 days.  

24 REPLIES 24

pbenware1
Release Candidate Programs Tester

Thank you for this summary.  I was having a time wrapping my brain around this.

awginger
Contributor

This seems somewhat flawed though, users still see the option to install macOS Ventura and they don’t know (or care) that it is the full installer rather than the managed software update. 
We had the impression that managed/supervised Macs under 12.6.1 would not see the update to Ventura in their Software Updates pane at all and that install via downloading the full installer would mean they would use softwareupdate —fetch-full-installer to get it. 

pkleiber
Contributor

Just tested this configuration profile on macOS 12.6 , this will remove the macOS Ventura entry in software update:

Screenshot 2022-10-25 at 09.14.36.png

 

<plist>
	<dict>	
		<key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key>
			<integer>90</integer>
			<key>forceDelayedMajorSoftwareUpdates</key>
			<true/>
	</dict>
</plist>

 

Screenshot 2022-10-25 at 09.21.07.png

That is great, thanks. Have just tried it here too and it does the same.
I though the whole point on 12.6.1 was because the enforcedSoftwareUpdateMajorOSDerferredInstallDelay key was not being honoured on 12.6 and lower?

Tribruin
Valued Contributor II

The temporary server side change that Apple made to delay the delta upgrade allows 12.3 - 12.6 to respect the Major deferral. However, this server-side change is only for 30 days. After that, only 12.6.1 (or below 12.3) will continue to block Ventura using the Major deferral. 

One slight disadvantage is for 30 days, computers enrolled in an MDM can't use the new delta upgrade process. Users will be forced to download the full installer. 

EUC-Admin
New Contributor III

This is fantastic! Interestingly, tested it on a machine running 12.4 and took Ventura out of things!

bwoods
Valued Contributor

Apple really screwed us this time. lol. No worries though...we have a workaround to safely update to 12.6.1, but you will need to allow Ventura to advertise. Apple basically gave us 30 days to update to 12.6.1 before the delta upgrades begin. For now Ventura is still downloading full installers when a users attempt to update. So you can basically restrict the macOS Ventura.app and install assistant with Jamf and guide your users to "More Info" with Nudge. I would highly advise against deferring minor updates to make this go away because the delta upgrades will be here by 11/24/2022.

 

bwoods_2-1666702258515.png

 

bwoods_0-1666701863570.png

 

Tribruin
Valued Contributor II

What are you current deferrals (major/minor)? If you have a major deferral set, it will respect it, even under 12.3-12.6. You should not be seeing Ventura unless you don't have a Major deferral delay set. 

I am testing and have minor set to 1 and major set to 45. As of today, I only see 12.6.1 as available on my test computer. 

bwoods
Valued Contributor

I'm deferring, major updates for 90 days only. My users can't install Ventura even if they wanted to with my restrictions in place. Once updated to 12.6.1, I'll be able to ride out the full 90 day deferral period.

pkleiber
Contributor

donmontalvo
Esteemed Contributor III

@pkleiber wrote:

Graham Pugh made a nice blog post regarding this situation:

https://unlimited.ethz.ch/display/idclientdelivery/2022/10/13/When+and+how+to+upgrade+to+macOS+Ventu...


Just saw this link, clearest explanation yet, passed it along to our stakeholders and security folks.

Thanks for posting!

--
https://donmontalvo.com

Asri-Zainal
New Contributor II

Did something changed or rolled back? a newly imaged machine running macOS 12.6.3 does not give an option to upgrade to macOS Ventura directly from system preference.

Instead it's downloaded the full installer like and requires admin privilege to upgrade.
this still indicate that upgrades can be done by any users but 2 of our new macs are not showing this behaviour.

Important: On a Mac, any user can perform software updates. Prior to macOS 12.3, local administrators are required to perform software upgrades. Using macOS 12.3 or later, any user can perform a software upgrade. On Apple silicon, users must be a volume owner to perform software updates and upgrades.

bwoods
Valued Contributor

That's a bug that was reported. Sometimes the full installer appears and sometimes the delta appears. I should be fixed today with the ended of the 90 day deferral ending and the release of 13.2.

Asri-Zainal
New Contributor II

It didn’t quite fix for me as we start seeing macOS Ventura updates showing on system preference which tells me the 90day major upgrade deferral has reached. A couple of weeks back, I was able to *Update* some monterey macs to ventura from system preference without admin privileges but it’s different today after the expiry of the 90days major deferral

Yeah I'm running into the same issue as well.  A number of machines were able to update to Ventura without admin credentials in the past few weeks but starting today standard users are being prompted for them.

Ok I've actually solved this now in my environment.

Tl;dr if you have a Config Profile set to defer Major Updates 7 days or longer it will block the 13.2 delta update because it only just came out, but will instead offer an older update version as the full .App installer which requires admin credentials of course. 

 

I tested this a few times in the lab and the results were consistent:

Major deferral off or 1 day = 13.2 delta update offered in System Preferences/Software Update

Major deferral 7 or 30 days = 13.1 full installer offered in System Preferences/Software Update

Major deferral 90 days = 13.0 full installer offered in System Preferences/Software Update

bwoods
Valued Contributor

13.0 should be offered as the delta.

Tribruin
Valued Contributor II

13.0 will never be offered as a delta to MDM enrolled computers. 13.1 is the first update that can be installed as a delta. If you have a 90 day Major deferral set, 13.0 is offered as a full installer. You need to set your Major deferral to about 30 days to see 13.1 as a delta update. 

 

And, there is some issues with 13.1 or 13.2 showing as full installers. I think it has something to do with minor deferrals versus major deferrals. But, haven't had the time to research. 

so prior to this with the forced delayed major updates config, users won't even see that major update in system preference and just reports that they are up to date. But if it works for you, i guess I shall try disabling that as a workaround. It's just a little annoying needing to manually enable this again on the next major OS release.

dp_dolby
New Contributor

Is there a way to defer Ventura beyond 90 days (since enforcedSoftwareUpdateMajorOSDeferredInstallDelay max value is 90). We are still pushing back the Ventura upgrade for couple more weeks.

Tribruin
Valued Contributor II

Not exactly. Since 90 days have passed since the first release of macOS Ventura, you will not be able to hide it in Software Update.

However, Apple has given Mac Admins a slight reprieve. macOS 13.0 & 13.0.1 are still full installers. You can use a Restricted Software against Install macOS Ventura.app or something like GitHub - Theile/venturablocker: Blocking Ventura installer

However, after 90 days has passed from the release of macOS 13.1 (March 13th), users will be able to upgrade from Software Update using the delta update. At that point, the options to block are very limited and usually have unattended consquences. 

@Tribruin , thank you for that info. I didn't think there would be, but thought there may be work arounds on this topic. Apprecite the quick reply there.

 

Thank you!

bwoods
Valued Contributor

@dp_dolby , you can try the hack below out, but I would advise bending to the will of Apple. They've given us no other choice. lol

bwoods_0-1675183294490.png

 

R_C
Contributor

Running macOS Monterey 12.6.3,

Just triggered "softwareupdate -ia" to get safari updated, didnt think anything of it since all past uses should only have this run minor version updates.... It just started download macOS Ventura 13.2.1.... Im quite annoyed right since this command was kicked off to a number of machines in my fleet.

 

I would strongly recommend avoiding "SoftwareUpdate -ia" if you too used to leverage that. I am now using "softwareupdate -i --safari-only". More to the point I just triggered "killall softwareupdate; softwareupdate -i --safari-only" ,  let's hope it works to prevent a surprise upgrade to Ventura.