Suppressing Ventura Upgrade

FireboltShade
New Contributor II

I'm looking for a way to properly suppress the Ventura upgrade, as it has started appearing for our end users. We currently have a config profile scoped to defer major updates by 90 days pushed to all users, but I've gotten reports that users are getting the Ventura upgrade in Software Update.

 

We have Ventura blocked from installing via restricted software, but I need a way to stop it from showing in Software Update as the config profile to defer it by 90 days is not working.

 

Any advice?

23 REPLIES

McAwesome
Valued Contributor

macOS 12.3 through 12.6 incorrectly see macOS 13 as a Minor Update.  If you want to defer it, you'll need to either update those machines to 12.6.1 so they respect your Major Update deferral or defer Minor Updates for 90 days as well.

More information

Yep I just found some other articles here saying the same, thank you. I will go test this!

Tribruin
Valued Contributor II

That is not entirely correct. For the first 30 days, Apple has made a server-side change that should respect the Major deferral, even under 12.3-12.6. They have done this by disabling the new "delta" upgrade process and reverting to the full installer for MDM managed computers. However, after the 30 days, Apple will disable this change and, you are correct, users not yet on 12.6.1 will see Ventura as an option. 

 

That is how it is supposed to work (and I have confirmed on my test units). I have a deferral setting of 2 day Minor/90 day Major on my test computer and I only see 12.6.1 available in Software Updates. HOWEVER, I have seen other reports in the Mac community that some users are still seeing the Ventura upgrade, despite the temporary change Apple made. I will see in 3 more days as most of my users have a 5 day deferral.

I have seen users as of this morning get the Ventura update, so I don't know how much of Apple's 30 day delay is working. We are moving towards 12.6.1 asap.

Fveja
New Contributor III

From my understanding the Apple 30 day delay is only for advertising the update, but if users search for it they will still see it.

donmontalvo
Esteemed Contributor III

FireboltShade
New Contributor II

Still getting Ventura update on our Macs. Does anyone know how to suppress Ventura from showing in Software Update but allow 12.6.1 to show? 

You need to restrict the Install macOS Ventura.app and tell your users to select more info when updating to 12.6.1. We're currently using Nudge to do this. Unfortunately, the Ventura ad can't be blocked by the deferral profile until they are on 12.6.1. (Unless you block all minor updates as well, which I wouldn't recommend).


 

This is how I managed to hide Ventura and only offer 12.6.1, but as always, please test this yourself. 


MajorProduct: 012-92138>(Title:macOS Ventura Version:13.0, Identifier:com.apple.InstallAssistant.macOSVentura, IconSize:0, Deferred:1, Deferred Until:2023-01-22

 

revive
New Contributor III

Experiencing the same. We got some users who can't see 12.6.1 since we blocked minor updates and only see 12.5.1. Or worse, Ventura itself.

mainelysteve
Valued Contributor II

See this post in another thread about this topic. That should hide the installer and allow minor updates to still display.

bwoods
Valued Contributor

The results of using that profile are not consistent. The enforcedSoftwareUpdateMajorOSDeferredInstallDelay key is the source of the 12.6.0 bug. The OP explains this in his post.

mainelysteve
Valued Contributor II

True. I did have consistent results with 12.5 and 12.6.0 machines though. Getting everyone on 12.6.1 is the key, but I'm in the education sector so that's easier said than done :/ .

FireboltShade
New Contributor II

What I may end up doing is using the erase-installs script to only upgrade a machine to 12.6.1, then the restrictions policy can kick in so Ventura is properly blocked.

channy-cl
New Contributor III

We (think we) have been able to use the guide below. We have also requested all users to not upgrade to Ventura, so take with a grain of salt.

http://kb.mit.edu/confluence/display/istcontrib/Jamf+Pro+-+Restricting+upgrades+to+macOS

theJingster
New Contributor

We started noticing this exact issue shortly after Apple's CDNs updated with Ventura. We have Major and Minor updates delayed in a configuration profile and confirmed that it works to block both the update and the Ventura upgrade banner in System Preferences.

We've found that the Ventura upgrade banner re-appears after a reboot and that's how people are installing it. If we push the configuration profile to restrict the updates again, it will work but not across reboots still.

We think this issue is resolved when on 12.6.1 but we've only been able to test that on a handful of machines.

FireboltShade
New Contributor II

I have test Macs on 12.6.1 and Ventura still shows when using a config policy to block major software updates for 90 days. I think it's still being seen as a minor update, because a config policy restricting minor and major updates makes the Ventura update disappear and the Mac says "you're running the latest version your admin allows".

Something seems to be broken on Apple's end.

 

*EDIT*

After more testing, this seems to be working now... here's the kicker... choosing 60 days over 90 days seems to work

The interesting part - choosing 60 days to suppress major updates instead of 90 days seems to work fully. Please test and see if this helps anyone.

 

*EDIT 2*

Ok so after lots more testing, the normal defer major updates for 90 days policy works on 12.6.1, our Macs needed 2-5 reboots before it properly displayed "you are on the highest version your admin allows" instead of showing Ventura. Will continue to test but wish it didn't have to be this difficult.

What is wrong with Jamf vs. Apple - Even with Ventura Blocker, Restricted Software (kill installAssistant) and now the deployed Config Profile (defer Major Software updates) in place - I can update my Machines. Deployed the Profile yesterday. Worked fine yesterday, but today I see the option again to upgrade to Ventura.

Yesterday when I deployed the Profile

 

But today (Again)


My Client is 12.6.2 so no disclaimer to that technical Jamf Doc with Versions 12.3-12.6 https://docs.jamf.com/technical-papers/jamf-pro/deploying-macos-upgrades/10.34.0/Deferring_maOS_Soft...

Profile is still installed (Computerlevel and not to remove)

Is this a Jamf BUG? - paying lots of money and then not getting their promised functionality working. 

Thanks Regards,

Michael

Same thing here... people upgrade around JAMF Restricted Software block, today after another person upgraded to Ventura in our environment (their Mac is checking in and has healthy relationship with JSS), so I decided to try it out on my own Mac, not only did it not block it - it immediately started rebooting my Mac and upgraded it to Ventura, so 1 click > reboot > upgrade... this is complete BS.

Ahoy!

Tribruin
Valued Contributor II

What do you have set for your Major Deferral? What O/S was the user running?

standard JAMF Restricted Software for "Install macOS Ventura.app" - it certainly worked for some as people reported, but I did not keep track what macOS they currently were on as I thought it should not matter, a block is a block.

My own Mac/upgrade situation - it was on the latest macOS Monterey and there was nothing - it immediately started restarting my Mac and upgraded it to Ventura.

Ahoy!

Can confirm this is the exact and expected behavior from Apple.

Tribruin
Valued Contributor II

If the profile still exists in the Profile System Preference Pane, then it is not likely a Jamf bug. Jamf just is responsible to get the profile on the computer. Apple is responsible for respecting the settings. 

Did you check if somehow you have two profiles on the computer with conflicting settings? Some people have found they have multiple profiles, each with different deferrals, which will cause unpredictable results. 

 

That being said, Apple is saying that to be secure, you must be on the latest O/S. Some security fixes will never come to Monterey or lower, only Ventura. 

This is a year of transition for upgrades. The old process of downloading a full (>12GB) installer and running it is no longer the preferred solution. Downloading a (~5GB) delta update is the new way. It is faster and easier for the user.

Honestly, except for a "major" bug in 12.3-12.6, MacAdmins would be looking at having users be able to upgrade to Ventura without restriction starting on Jan. 22nd. But, Apple granted us a grace period due to the Major deferral bug.

As I understand it right now, here is the current situation (assuming a 90 day major deferral and 12.6.1+)

Today - Users can not see Ventura

Starting Jan 22nd - Users will see the FULL installer in Software Update for 13.0 (not 13.1/13.2) and will be able to download the installer. Jamf can block the FULL installer via Restricted Software 

Starting Mar. 13th - Users will see the Delta installer for 13.1 and be able to install Ventura. The delta installer can not be blocked by Restricted Software. 

(There have been some reports that users are seeing Ventura, even when the proper deferrals are installed. But that is not the expected result.) 

To us, the biggest issue is that when Apple releases 12.6.3, users will see the Ventura full upgrade as the default in Software Update. If we prompt our users to upgrade to 12.6.3, they will get confused. We have made a corporate decision that we can no longer delay allowing users to upgrade to Ventura. Starting next week, we are going to reduce our Major deferral to allow 13.2 to be visible.
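
Added example (not part of any post in this thread, and not Jamf or Apple code): one way to run the check suggested above for multiple profiles carrying different deferrals. It parses profile plists and reports any deferral key set to more than one value. The Major delay key is the one named in the thread; the other three keys are the related deferral keys of Apple's Restrictions payload, and the profile names and sample values are constructed.

```python
import plistlib
from collections import defaultdict

RESTRICTIONS = "com.apple.applicationaccess"  # Restrictions payload type
# The Major delay key is named in the thread; the other three are the related
# deferral keys of Apple's Restrictions payload.
DEFERRAL_KEYS = (
    "forceDelayedMajorSoftwareUpdates",
    "enforcedSoftwareUpdateMajorOSDeferredInstallDelay",
    "forceDelayedSoftwareUpdates",
    "enforcedSoftwareUpdateMinorOSDeferredInstallDelay",
)

def make_profile(name, payload_type=RESTRICTIONS, **settings):
    """Build a constructed profile (XML plist bytes) to stand in for an export."""
    payload = {"PayloadType": payload_type, **settings}
    return plistlib.dumps({"PayloadDisplayName": name, "PayloadContent": [payload]})

# Constructed sample: two deferral profiles that disagree, plus an unrelated one.
SAMPLE_PROFILES = [
    make_profile("Defer Major 90", forceDelayedMajorSoftwareUpdates=True,
                 enforcedSoftwareUpdateMajorOSDeferredInstallDelay=90),
    make_profile("Defer Minor 2 / Major 60", forceDelayedMajorSoftwareUpdates=True,
                 enforcedSoftwareUpdateMajorOSDeferredInstallDelay=60,
                 forceDelayedSoftwareUpdates=True,
                 enforcedSoftwareUpdateMinorOSDeferredInstallDelay=2),
    make_profile("Office Wi-Fi", payload_type="com.apple.wifi.managed"),
]

def deferral_conflicts(profiles):
    """Return {key: {value: [profile names]}} for keys set to differing values."""
    seen = defaultdict(dict)
    for raw in profiles:
        profile = plistlib.loads(raw)
        name = profile.get("PayloadDisplayName", "<unnamed>")
        for payload in profile.get("PayloadContent", []):
            if payload.get("PayloadType") != RESTRICTIONS:
                continue  # only the Restrictions payload carries deferral keys
            for key in DEFERRAL_KEYS:
                if key in payload:
                    seen[key].setdefault(payload[key], []).append(name)
    return {key: values for key, values in seen.items() if len(values) > 1}

if __name__ == "__main__":
    for key, values in deferral_conflicts(SAMPLE_PROFILES).items():
        for value, names in values.items():
            print(f"{key} = {value!r} set by: {', '.join(names)}")
```

A key that every profile sets to the same value is not reported; only keys with two or more distinct values across the installed profiles are.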