Jamf Nation Community

The short answer. Managing MacOS updates absolute sucks and has always sucked as Apples concept of update management is garbage. 

There is really a lot to decompress, and this gets very complicated very fast. There are literally tons of JAMF Nations discussions on this very topic if you search for them. I like to complain so here is my take.

OS update deferrals

• Deferring with MDM - You can pick 1-7-30-60-90 days to defer minor and major OS updates. Generally, this works as expected except you will see different results depending on many variables like how the device was enrolled. If you are not using DEP do not expect OS update deferrals to work very well.
• Deferring MacOS Ventura on MacOS 12.3-12.6 is not possible anymore without deferring all updates.
• Deferring MacOS Ventura on MacOS 12.6.1 works as expected providing your devices are enrolled and managed correctly. Though Apple does not really say what "correctly" is.

How MacOS Ventura is installed

• MacOS 12.2 and below will download macOS Ventura as an install macOS Ventura.app
• You can use JAMF to block install macOS Ventura.app with a software restriction
• MacOS 12.3 and above will download macOS Ventura as a delta, there is no .app downloaded
• You can only block this with MDM Deferrals, and cannot block it past 90 days
• MacOS 12.3 - 12.6 there is a bug where MacOS Sees Ventura as a Minor update, not a Major update. You must defer Minor updates to block Ventura for these builds of macOS.

How MacOS Updates are installed

• Intel Macs can use a bootstrap token or a secure token to authorize the install of OS updates
• Bootstrap token could be used when running OS updates from command line using the softwareupdate binary. No user notification tools beyond what you build in to the script.
• Apple Silicon Macs CAN ONLY authorize updates with a Secure Token
• The Secure token is given to volume owners on macOS and to MDM if a device is managed correctly
• Secure token allows JAMF to tell macOS to install OS updates and will prompt the users if the correct options are picked.
• Some people have written scripts to put in JAMF SS to allow a user to tell macOS to install OS updates using JAMF API commands to send the MDM Command down. I find this rather dumb as the user can just click the install update button. 
• Some people have wrapped these API scripts into policies to try to force OS updates to run, again you can just do this with JAMF and clicking a button.
• One of the major problems with using MDM commands to run OS updates is they have about a 30% fail rate, and JAMF has no notifications or logging built in for the admin. You just need to watch the OS builds change with smart groups and hope.

All that aside. What should you be doing?

Deferring Ventura

• You need your entire fleet on macOS 12.6.1+, and you need to enable the major OS update deferral. Your devices also need to have been enrolled with DEP and many other nuances. If you are not able to defer Ventura at this point, I would say don't bother. You can’t defer Ventura past 1.22.23 anyway as that is the 90-day mark and the farthest you can defer anyway.

Issuing software updates

• Apple has been loud and clear. You should be using MDM commands to tell Macs to run OS updates and Upgrades. You can still get by using scripts on intel macs which also don’t work very well, but MDM commands are what apple wants you doing if you don’t want users in control of the update process.

Just to say it again, there is no way to defer Ventura past 1.22.23 on macOS 12.3+, period. If this is a problem for your org, you need to submit feedback to apple but are a bit late to hope for any changes.