Restrict Ventura

rtymch_admin
New Contributor

Is there a way to restrict a major software update other than the 90 day deferred update in the configuration profile?

And what about a solution to restrict installing a beta version as system updates?

13 REPLIES 13

Hugonaut
Valued Contributor II

@rtymch_admin  You'll want to utilize the Restricted Software feature as depicted below

(Jamf Dashboard -> Computers Tab -> Restricted Software -> +New)

 

Screen Shot 2022-08-04 at 10.05.04 AM.png

 

Screen Shot 2022-08-04 at 10.11.46 AM.png

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month

sdagley
Honored Contributor III

@rtymch_admin You can block betas by using an Application & Custom Settings payload in a Configuration Profile to deploy the following .plist to the com.apple.SoftwareUpdate domain:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>AllowPreReleaseInstallation</key>
    <false/>
  </dict>
</plist>

As for blocking the macOS Ventura installer there is a problem with the Restricted Software method @Hugonaut presents in that for users on macOS Monterey 12.3 or higher the macOS Ventura update will apparently be done as a delta update via the Software Update process instead of requiring the full app installer to run so you need the update deferral Configuration Profile to block that plus the Restricted Software configurations to block users who try downloading the full installer.

mowtnmn
New Contributor II

@sdagley do you mind please adding a screenshot of how you blocked the Ventura Beta version?

Couple weeks late to the party but in case you still need it, it should look like this. Screenshot 2022-09-02 at 10.43.40 AM.png

Euwanh
New Contributor III

So I already have a restriction policy that does not have the software deferral. I sometimes don't like using this option as it means it will block any new updates for other users on lower firmwares if a new firmware was meant to become available. 

Could I close my current restrictions policy and only assign it to a smart group with those who are already on 12.3 or higher so it blocks Ventura. This means other users can then update normally?

Thanks

Euwanh
New Contributor III

@sdagley  could you confirm how you know this is going to be a delta update?

sdagley
Honored Contributor III

@Euwanh I don't recall if Apple has a public document but if you google "macos ventura delta update" you'll find several references

Euwanh
New Contributor III

Thanks for the response @sdagley  would you happen to know if my method above would work?

sdagley
Honored Contributor III

(Edited to clarify that a Restricted Software policy for the process name InstallAssistant is recommended in any scenario for blocking direct user initiated updates)

@Euwanh I would start with a Restricted Software policy for the process name InstallAssistant so that any user who gets the full installer can't run it via the GUI (you can still run the erase-install script via Jamf Pro to drive the upgrade process with that restriction in place).

You can expect Apple to release a macOS Monterey update that will treat the delta Ventura updater as a major update which would mean a Configuration Profile to defer Major macOS updates would be sufficient. I don't know if it's practical for you to get your entire Mac environment updated to that version of Monterey before Ventura drops, but if not I'd suggest a Configuration Profile to defer Major and Minor macOS updates in addition to restricting the InstallAssistant process.

DanJ_LRSFC
Contributor III

Deleted post

ysdevgan
New Contributor III

There is an official announcement from Apple - Manage upgrading to macOS Ventura in your organization - Apple Support

Restrict software feature still works for M1 Macs. It allows user to download but block on installation.

ysdevgan_0-1666722667408.png

After deploying config profile per apple's documentation. I don't t see he macOS Ventura upgrade in system preferences on another test machine.

 

Eskobar
Contributor

Hi @ysdevgan 

I still see Ventura in Mac Software Update.

Screenshot 2022-10-26 at 16.28.42.png

Could you confirm what I have missed?

Meanwhile I it was said that once a Mac detects the upgrade, there is no way to hide it.

How setup you made ?

Thanks

Hugonaut
Valued Contributor II

@Eskobar 

 

macOS Ventura Update is seen as a Minor Update on macOS 12.3 - 12.6 ~ https://support.apple.com/en-lamr/HT213471

You need to create a Configuration Profile with the Restrictions Payload. Under "Functionality" Tab of Restrictions Payload, you need to check "Defer updates of Software Updates for 30 Days" (Or whatever you deem necessary, there's a few options)

 

Screenshot 2022-10-26 at 9.34.16 AM.png

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month