softwareupdate --ignore is dead, now what?

Dylan_YYC
Contributor III

As the subject states.... in macOS Big Sur they have officially killed the --ignore flag, now what do we do?

I imagine we can still restrict major version updates, but what happens if there is an incremental update that needs to be restricted for whatever reason?

1 ACCEPTED SOLUTION

talkingmoose
Honored Contributor II

You have a few choices. Pick the one that's most palatable for you or find another procedure.

  1. You can still defer macOS and iOS software updates for up to 90 days using a Restrictions payload in a configuration profile. That gives you three months to decide what to do next and test your options. If Apple has seriously broken something, they'll easily fix it within that time frame.

  2. You can completely turn off automatic software updates using either a script, which allows the end user to turn them back on, or by configuration profile, which enforces your choice. Assuming you're beyond your 90 day deferral, you can then run a command in a policy to call the softwareupdate command and provide the specific updates you want to install.

Has Apple ever released an update that seriously impacts your administration or the end user's experience? I think so, yes, a couple of times. But those issues have been addressed within a week from what I remember and another software update was released to fix things.

My suggestion is you enable automatic download and installation of software updates. Defer them for your general population of devices for 30 days and allow a handful of your savvy end users to be early adopters for testing. You'll likely find any showstoppers within the first few days or couple weeks. That gives you a couple of weeks to research and decide how to proceed.

You should also sign up for and sign in to AppleSeed for IT, Apple's program allowing IT professionals to test beta and other pre-release software. Find a way to keep on the edge of testing these updates, so that you have a good idea of what to expect before your early adopters get it.

My suggestion for testing is to put it on a secondary Mac and then try to use that Mac for most of your daily work. If something fails, be ready to fall back to your primary Mac for critical work. And be sure you dogfood your own administration. Don't exempt yourself from the same policies and profiles you apply to your end users.

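The second option in the answer above (calling softwareupdate from a policy with only the specific updates you want) could be scripted as follows. This is an added example, not part of the original thread: the labels and the `APPROVED_LABELS` variable are constructed placeholders, and the parser assumes the `* Label: <name>` line format of `softwareupdate --list`.

```shell
#!/bin/sh
# Added example: install only the softwareupdate labels an admin has approved.
# Assumes the "* Label: <name>" line format of `softwareupdate --list`.

# Approved labels, one per line (constructed placeholder, not a real update).
APPROVED_LABELS='Example Security Update 1.0-00A001'

# Constructed stand-in for `softwareupdate --list` output, for offline runs.
sample_list_output() {
    cat <<'EOF'
Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: Example Security Update 1.0-00A001
	Title: Example Security Update, Version: 1.0, Size: 1000K, Recommended: YES,
* Label: Example OS Update 9.9-00A002
	Title: Example OS Update, Version: 9.9, Size: 3000000K, Recommended: YES, Action: restart,
EOF
}

# Extract update labels from `softwareupdate --list` output on stdin.
parse_labels() {
    sed -n 's/^[[:space:]]*\* Label: //p'
}

# Print only the labels on stdin that exactly match a line of $1.
select_approved() {
    while IFS= read -r label; do
        printf '%s\n' "$1" | grep -Fxq -- "$label" && printf '%s\n' "$label"
    done
    return 0
}

# Install each approved label; dry run unless APPLY=1 (installing needs root).
install_approved() {
    select_approved "$APPROVED_LABELS" | while IFS= read -r label; do
        if [ "${APPLY:-0}" = "1" ]; then
            /usr/sbin/softwareupdate --install "$label"
        else
            printf 'would run: softwareupdate --install "%s"\n' "$label"
        fi
    done
}

if [ -x /usr/sbin/softwareupdate ]; then
    /usr/sbin/softwareupdate --list 2>&1 | parse_labels | install_approved
else
    sample_list_output | parse_labels | install_approved
fi
```

Exact, whole-line matching means an update that is not on the approved list is never installed, even when its name shares a prefix with an approved label.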

2 REPLIES

chrisB
Contributor

Ignoring major updates is back with macOS Catalina 10.15.6 and also macOS Mojave and macOS High Sierra after installing Security Update 2020-004.

However, the --ignore flag can only be used if the Mac is enrolled in Apple School Manager, Apple Business Manager, or a user-approved MDM.

We currently use

/usr/sbin/softwareupdate --ignore "macOS Big Sur"

… and it works (again).

see: What's new in the updates for macOS Catalina

Oops, I just noticed you're talking about Big Sur - sorry.