Hi, I am working to get my company up and running with Jamf Pro and I'm not sure how best to proceed. I want users to not be able to install any macOS updates, and for me to have control over when updates are installed.
I was able to prevent a test machine from installing macOS updates with a configuration profile scoped to it. Then, while the configuration profile was scoped to that device, I also scoped to it a policy that updates macOS. The computer did not update. I removed the configuration profile and eventually, the computer did receive the prompt to update.
This sounds like it worked as intended by Jamf, so to achieve what I described at the top, do I need to do this every time there is a macOS update and I'm ready for updating our devices?
Jamf's documentation (https://docs.jamf.com/best-practice-workflows/jamf-pro/managing-macos-updates/Deferring_a_macOS_Update.html) stipulates that "Note: macOS can still be updated via an MDM command even if updates are deferred." This sounds like what I would want, so I can keep the configuration profile that prevents updates in place, and then issue the MDM command when I'm ready. I'm not sure how to do this.
(Addition question: If a user is up to date but has this configuration profile scoped to them, what happens when they try to check for updates - do they see none available or get the same message that an administrator has prevented updates?).
