I'm looking for a way to properly suppress the Ventura upgrade, as it has started appearing for our end users. We currently have a config profile scoped to defer major updates by 90 days pushed to all users, but I've gotten reports that users are getting the Ventura upgrade in Software Update.
We have Ventura blocked from installing via restricted software, but I need a way to stop it from showing in Software update as the config profile to defer it by 90 days is not working.
That is not entirely correct. For the first 30 days, Apple has made a server-side change that should respect the Major deferral, even under 12.3-12.6. They have done this by disabling the new "delta" upgrade process and reverting to the full installer for MDM managed computers. However, after the 30 days, Apple will disable this change and, you are correct, users not yet on 12.6.1 will see Ventura as an option.
That is how it supposed to work (and I have confirmed on my test units.) I have a deferral setting of 2 day Minor/90 day Major on my test computer and I only see 12.6.1 available in Software Updates. HOWEVER, I have seen other reports in the Mac community that some users are still seeing the Ventura upgrade, despite the temporary change Apple made. I will see in 3 more days as most of my users have a 5 day deferral.
You need to restrict the Install macOS Ventura.app and tell your users to select more info when updating to 12.6.1. We're currently using Nudge to do this. Unfortunately, the Ventura ad can't be blocked by the deferral profile until they are on 12.6.1. (Unless you block all minor updates as well, which I wouldn't recommend).
We (think) have been able to use below guide. We have also requested all users to not upgrade to Ventura, so take with a grain of salt
We started noticing this exact issue shortly after Apple's CDNs updated with Ventura. We have Major and Minor updates delayed in a configuration profile and confirmed that it works to block both the update and the Ventura upgrade banner in System Preferences.
We've found that the Ventura upgrade banner re-appears after a reboot and that's how people are installing it. If we push the configuration profile to restrict the updates again, it will work but not across reboots still.
We think this issue is resolved when on 12.6.1 but we've only been able to test that on a handful of machines.
I have test Macs on 12.6.1 and Ventura still shows when using a config policy to block major software updates for 90 days. I think it's still being seen as a minor update, because a config policy restricting minor and major updates makes the Ventura update disappear and the mac says "you're running the latest version your admin allows"
Something seems to be broken on Apple's end.
After more testing, this seems to be working now...
The interesting part - choosing 60 days to suppress major updates instead of 90 days seems to work fully. Please test and see if this helps anyone.
Ok so after lots more testing, the normal defer major updates for 90 days policy works on 12.6.1, our macs needed 2-5 reboots before it properly displayed "you are on the highest version your admin allows" instead of showing Ventura. Will continue to test but wish it didn't have to be this difficult.
What is wrong with Jamf vs. Apple - Even Ventura Blocker, Restricted Software (kill installAssistant) and now the deployed Config Profile (defer Major Software updates) in place - i can update my Machines. Deployed yesterday the Profile. Worked fine Yesterday, but today i see the Option again to Upgrade to Ventura.
Yesterday when i deployed the Profile
But today (Again)
My Client is 12.6.2 so no disclaimer to that technical Jamf Doc with Versions 12.3-12.6 https://docs.jamf.com/technical-papers/jamf-pro/deploying-macos-upgrades/10.34.0/Deferring_maOS_Soft...
Profile is still installed (Computerlevel and not to remove)
Is this a Jamf BUG? - paying lots of money and then not getting their promised functionality working.
Same thing here... people upgrade around JAMF Restricted Software block, today after another person upgraded to Ventura in our environment (their macs is checking in and has healthy relationship with JSS), so I decided to try it out on my own mac, not only did it not block it - it immediately started rebooting my mac and upgraded it to Ventura, so 1 click > reboot > upgrade... this is complete BS.
standard JAMF Restricted Software for "Install macOS Ventura.app" - it certainly worked for some as people reported, but I did not keep track what macOS they currently were on as I thought it should not matter, a block is a block.
My own mac/upgrade situation - it was on the latest macOS Monterey and there was nothing - it immediately started restarting my mac and upgraded it to Ventura.
If the profile still exists in the Profile System Preference Pane, then it is not likely a Jamf bug. Jamf just is responsible to get the profile on the computer. Apple is responsible for respecting the settings.
Did you check if somehow you have two profiles on the computer with conflicting settings? Some people have found they have multiple profiles, each with different deferrals, which will cause unpredictable results.
That being said, Apple is saying that to be secure, you must be on the latest O/S. Some security fixes will never come to Monterey or lower, only Ventura.
This is a year of transition for upgrades. The old process of downloading a full (>12GB) installer and running it is now longer the preferred solution. Downloading a (~5GB) delta update is the new way. It is faster and easier for the user.
Honestly, except for a "major" bug in 12.3-12.6 MacAdmins would be looking at having users be able to upgrade to Ventura without restriction starting on Jan. 22nd. But, Apple granted us a grace period due to the Major deferral bug.
As I understand it right now, here the current situation (assuming a 90 day major deferral and 12.6.1+)
Today - Users can not see Ventura
Starting Jan 22nd - Users will see the FULL installer in Software Update for 13.0 (not 13.1/13.2) and will be able to download the installer. Jamf can block the FULL installer via Restricted Software
Starting Mar. 13th - Users will see the Delta installer for 13.1 and be able to install Ventura. The delta installer can not be blocked by Restricted Software.
(There have been some reports that users are seeing Ventura, even when the proper deferrals are installed. But that is not the expected result.)
To us, the biggest issue is that when Apple releases 12.6.3, users will see the Ventura full upgrade as the default in Software Update. If we prompt our users to upgrade to 12.6.3, they will get confused. We have made a corporate decision that we can not longer delay allowing users to upgrade to Ventura. Starting next week, we are going to reduce our Major deferral to allow 13.2 to be visible.