Help

Restrict Ventura

rtymch_admin
New Contributor

Posted on ‎08-04-2022 07:36 AM

Is there a way to restrict a major software update other than the 90 day deferred update in the configuration profile?

And what about a solution to restrict installing a beta version as system updates?

Reply
13 REPLIES 13

Hugonaut
Valued Contributor II

‎08-04-2022 08:06 AM - edited ‎08-04-2022 08:13 AM

@rtymch_admin  You'll want to utilize the Restricted Software feature as depicted below

(Jamf Dashboard -> Computers Tab -> Restricted Software -> +New)

 

Screen Shot 2022-08-04 at 10.05.04 AM.png

 

Screen Shot 2022-08-04 at 10.11.46 AM.png

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month
Reply

sdagley
Esteemed Contributor II

‎08-04-2022 08:41 AM - edited ‎08-04-2022 09:08 AM

@rtymch_admin You can block betas by using an Application & Custom Settings payload in a Configuration Profile to deploy the following .plist to the com.apple.SoftwareUpdate domain:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>AllowPreReleaseInstallation</key>
    <false/>
  </dict>
</plist>

As for blocking the macOS Ventura installer there is a problem with the Restricted Software method @Hugonaut presents in that for users on macOS Monterey 12.3 or higher the macOS Ventura update will apparently be done as a delta update via the Software Update process instead of requiring the full app installer to run so you need the update deferral Configuration Profile to block that plus the Restricted Software configurations to block users who try downloading the full installer.

Reply

mowtnmn
New Contributor II

Posted on ‎08-17-2022 08:17 AM

@sdagley do you mind please adding a screenshot of how you blocked the Ventura Beta version?

0 Kudos
Reply

Shloobs
New Contributor
In response to mowtnmn

Posted on ‎09-02-2022 08:45 AM

Couple weeks late to the party but in case you still need it, it should look like this. Screenshot 2022-09-02 at 10.43.40 AM.png

Reply

Euwanh
New Contributor III

Posted on ‎10-03-2022 03:55 AM

So I already have a restriction policy that does not have the software deferral. I sometimes don't like using this option as it means it will block any new updates for other users on lower firmwares if a new firmware was meant to become available. 

Could I close my current restrictions policy and only assign it to a smart group with those who are already on 12.3 or higher so it blocks Ventura. This means other users can then update normally?

Thanks

0 Kudos
Reply

Euwanh
New Contributor III

Posted on ‎10-03-2022 04:22 AM

@sdagley  could you confirm how you know this is going to be a delta update?

0 Kudos
Reply

sdagley
Esteemed Contributor II
In response to Euwanh

‎10-03-2022 05:51 AM - edited ‎10-03-2022 05:55 AM

@Euwanh I don't recall if Apple has a public document but if you google "macos ventura delta update" you'll find several references

0 Kudos
Reply

Euwanh
New Contributor III

Posted on ‎10-03-2022 06:08 AM

Thanks for the response @sdagley  would you happen to know if my method above would work?

0 Kudos
Reply

sdagley
Esteemed Contributor II
In response to Euwanh

‎10-03-2022 06:38 AM - edited ‎10-03-2022 07:15 AM

(Edited to clarify that a Restricted Software policy for the process name InstallAssistant is recommended in any scenario for blocking direct user initiated updates)

@Euwanh I would start with a Restricted Software policy for the process name InstallAssistant so that any user who gets the full installer can't run it via the GUI (you can still run the erase-install script via Jamf Pro to drive the upgrade process with that restriction in place).

You can expect Apple to release a macOS Monterey update that will treat the delta Ventura updater as a major update which would mean a Configuration Profile to defer Major macOS updates would be sufficient. I don't know if it's practical for you to get your entire Mac environment updated to that version of Monterey before Ventura drops, but if not I'd suggest a Configuration Profile to defer Major and Minor macOS updates in addition to restricting the InstallAssistant process.

Reply

DanJ_LRSFC
Contributor III

‎10-21-2022 06:12 AM - edited ‎10-21-2022 07:44 AM

Deleted post

0 Kudos
Reply

ysdevgan
Contributor

Posted on ‎10-25-2022 11:34 AM

There is an official announcement from Apple - Manage upgrading to macOS Ventura in your organization - Apple Support

Restrict software feature still works for M1 Macs. It allows user to download but block on installation.

ysdevgan_0-1666722667408.png

After deploying config profile per apple's documentation. I don't t see he macOS Ventura upgrade in system preferences on another test machine.

 

0 Kudos
Reply

Eskobar
Contributor

Posted on ‎10-26-2022 07:31 AM

Hi @ysdevgan 

I still see Ventura in Mac Software Update.

Screenshot 2022-10-26 at 16.28.42.png

Could you confirm what I have missed?

Meanwhile I it was said that once a Mac detects the upgrade, there is no way to hide it.

How setup you made ?

Thanks

0 Kudos
Reply

Hugonaut
Valued Contributor II
In response to Eskobar

‎10-26-2022 07:35 AM - edited ‎10-26-2022 07:36 AM

@Eskobar 

 

macOS Ventura Update is seen as a Minor Update on macOS 12.3 - 12.6 ~ https://support.apple.com/en-lamr/HT213471

You need to create a Configuration Profile with the Restrictions Payload. Under "Functionality" Tab of Restrictions Payload, you need to check "Defer updates of Software Updates for 30 Days" (Or whatever you deem necessary, there's a few options)

 

Screenshot 2022-10-26 at 9.34.16 AM.png

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month
Reply