@rtymch_admin You'll want to utilize the Restricted Software feature as depicted below
(Jamf Dashboard -> Computers Tab -> Restricted Software -> +New)
@rtymch_admin You can block betas by using an Application & Custom Settings payload in a Configuration Profile to deploy the following .plist to the com.apple.SoftwareUpdate domain:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>AllowPreReleaseInstallation</key> <false/> </dict> </plist>
As for blocking the macOS Ventura installer there is a problem with the Restricted Software method @Hugonaut presents in that for users on macOS Monterey 12.3 or higher the macOS Ventura update will apparently be done as a delta update via the Software Update process instead of requiring the full app installer to run so you need the update deferral Configuration Profile to block that plus the Restricted Software configurations to block users who try downloading the full installer.
So I already have a restriction policy that does not have the software deferral. I sometimes don't like using this option as it means it will block any new updates for other users on lower firmwares if a new firmware was meant to become available.
Could I close my current restrictions policy and only assign it to a smart group with those who are already on 12.3 or higher so it blocks Ventura. This means other users can then update normally?
(Edited to clarify that a Restricted Software policy for the process name InstallAssistant is recommended in any scenario for blocking direct user initiated updates)
@Euwanh I would start with a Restricted Software policy for the process name InstallAssistant so that any user who gets the full installer can't run it via the GUI (you can still run the erase-install script via Jamf Pro to drive the upgrade process with that restriction in place).
You can expect Apple to release a macOS Monterey update that will treat the delta Ventura updater as a major update which would mean a Configuration Profile to defer Major macOS updates would be sufficient. I don't know if it's practical for you to get your entire Mac environment updated to that version of Monterey before Ventura drops, but if not I'd suggest a Configuration Profile to defer Major and Minor macOS updates in addition to restricting the InstallAssistant process.
There is an official announcement from Apple - Manage upgrading to macOS Ventura in your organization - Apple Support
Restrict software feature still works for M1 Macs. It allows user to download but block on installation.
After deploying config profile per apple's documentation. I don't t see he macOS Ventura upgrade in system preferences on another test machine.
macOS Ventura Update is seen as a Minor Update on macOS 12.3 - 12.6 ~ https://support.apple.com/en-lamr/HT213471
You need to create a Configuration Profile with the Restrictions Payload. Under "Functionality" Tab of Restrictions Payload, you need to check "Defer updates of Software Updates for 30 Days" (Or whatever you deem necessary, there's a few options)