Ventura Delay and Kill not working for all users

Sclewis
New Contributor III

I have a 90 day delay in place as well as restricted software payload to kill the installer. However, some computers Ventura still show up on and is still able to install, others it displays correctly "your on the most current OS allowed by your administration". These are both applied to the same static group I don't get what is going on. I'm frustrated and feel like nothing works right in Jamf. Help! 

 

Screenshot 2022-12-29 at 11.55.48 AM.pngScreenshot 2022-12-29 at 12.02.32 PM.png

3 REPLIES 3

curran
New Contributor III

I would check the Management tab of computers that are able to install Ventura to verify the group(s) they are in and that they received the Restricted Software scope.

Might not be an issue but I noticed you have the process name as Install MacOS Ventura.app. I had a hiccup before with that and having Restrict exact process name checked as that makes it case sensitive. For my restriction, I put the process name as Install macOS Ventura.app.

There was an interesting not on updating to Ventura and how it would impact the delay command from an MDM. I believe the relevant points are at the bottom of the Apple Article Manage upgrading to macOS Ventura in your organization.

AJPinto
Honored Contributor III

Killing install macOS Ventura.app will not do anything for users that tell Ventura to install from Software Update running 12.3+. Ventura is downloaded as a delta not a Full Installer (.app). So, there is nothing for JAMF to kill unless you wanted to try to break the binary that controls software updates as a whole which I strongly recommend against.

This is not so much a JAMF Problem. It is an Apple's approach to OS updates is absolutely garbage. It does not matter what MDM platform you use, they all send the same commands to the devices. Its all Apples MDM Framework. There are lots of poorly documented nuances that must be in place for you to be able to restrict Ventura, as detailed as how the device was enrolled in some cases to what the current build of Monterey is on the device. However, you can only block Ventura until the 23rd of next month anyway so it may not be worth figuring out this go around as you wont even get a full month out of the deferral now.

 

Manage upgrading to macOS Ventura in your organization - Apple Support

brockwalters
Contributor II

There is also a case in which computers that were configured with User MDM (or perhaps user-initiated enrollment) tend to not respect the macOS deferral settings because the computers may not be actually supervised. This was something I discovered in my fleet after seeing that some users installed Ventura with blocks & deferrals deployed. I did raise it to my Apple SE & if you have one you should too. Luckily for me this was very small number of users.