Ventura will be released as a "minor" update (bug)

raymondap
Contributor

We were just made aware of this, and Jamf and Apple have confirmed. The Ventura release on Monday will be considered a minor update for anything 12.3 and higher, so major OS deferrals will not apply. Apple's recommendation is to defer all minor updates as well as major until you can get your clients to 12.6.1 (not released yet, maybe also on the 24th?). Jamf confirmed to us that you should have all your clients at 12.6.1 by Wednesday, November 23, 2022 if you wish to defer Ventura past that date.

 

Just passing on info. Hopefully this helps someone avoid a rough Monday.

Edit: Adding direct quote from our Jamf rep that explains better than I did:

Ventura major deferral bug, in a nutshell

On macOS 12.2 or earlier? - You're all good. Not affected.

On macOS 12.3 or later?

There's a bug. It's fixed in 12.6.1 and Apple has made a change so even 12.3+ will be fine for 30 days - make sure to get 12.6.1 installed

If you don't get 12.6.1 installed, Ventura updates published after 30 days might appear on Macs running 12.3 - 12.6 - even when major deferred

If you're past 30 days but not on 12.6.1, you can mitigate seeing Ventura by deferring both major and minor (but you should focus on getting to 12.6.1)

1 ACCEPTED SOLUTION

AJPinto
Honored Contributor III

Apple on top of things as always with documentation being a day late and a dollar short. Apple needs to do better if they hope to get anywhere with enterprise. This should have been shared before release, and we should have more than 30 days to address it.

 

https://support.apple.com/en-us/HT213471

View solution in original post

42 REPLIES 42

AJPinto
Honored Contributor III

I am figuring much the same. This is going to be sloppy. Very sloppy. Apple really should have released the fix that will be coming in macOS 12.6.1 long before macOS 13 drops.

 

Knowing Apple, both macOS 12.6.1 and macOS 13 will drop on the same day next week and be covered by the same deferrals. So until MDM commands can force the OS update to 12.6.1 (assuming your environment is even ready) the users are free to update to macOS 13 within that same window and its a race to see which finishes first.

obi-k
Valued Contributor III

Thanks for this...

paul_burgess_fu
New Contributor

But this is only relevant if users have access to Software update?

I think it also applies if you're updating with MDM commands or using something like superman.

paul_burgess_fu
New Contributor

Yeah, still testing Superman. In the worst-case scenario, it will be to download the full 12.6.1 installer again :-(

sacomsto
New Contributor II

What's the recommended way to initiate a minor deferral? 

ClassicII
Contributor III

Apple has provided us with a path going forward on this issue. Please reference AppleSeed for IT notes for full details. Anything else is breaking NDA until Monday.

I disagree with your apparent accusation that I am somehow breaking an NDA I never signed by passing on this info, but if the Jamf community admins believe it is, they are free to delete this post.

 

Apple’s secrecy, and (in my opinion) hostility towards IT Admins is exactly why we’re looking to accelerate our plans to switch to PCs.

I didn't say you broke the NDA, all I'm saying is that if you would like more information about this you can go to AppleSeed for IT that has all the information you need. This info is covered by the NDA, if you installed Ventura then you agreed to it. I am not the NDA police, and think the whole thing is dumb as rocks. Especially when iOS Dev's plaster information everywhere on social media. But just because they are doing so, does not give us the right to do the same (even though it's not fair).

To your comment about Apple being hostile towards IT? Apple's own enterprise team employees have communicated with us more than they have in the last 10 years. 

Was this update thing a bad move? YES! Apple should have communicated with everyone at WWDC, but they came up with a good solution that will help many MacAdmins.

 

The whole situation is kind of sad because of how great the new upgrade system is. It should have been touted as a HUGE Ventura feature. The new upgrade will be a game changer and shows that Apple is listening.

Oh I’m sorry, I completely misinterpreted your post. I apologize!

 

I’m glad your organization is having a better experience than mine. Not being able to defer Monterey past 90 days was very rough on us, and I’ve been working with Jamf (great) and Apple (not so great) for over a year on management issues especially around patching. Then on the other side I have a demoralized team and a bunch of frustrated end users.

Anyway sorry again and also for sidetracking this thread.

Ray, no need to apologize. We are all in upgrade mode and are all just trying to get the job done. I'm hoping Apple will communicate more with us on things like this in the future. 👍

mickl089
Contributor III

Are there any sources, links, articles that cover the topic? So far I have not been able to find anything on this error in the trade press or the relevant blogs.

Not that I'm aware of. I first heard of it when our Apple rep mentioned it in a newsletter. He never responded when I asked for more info, but fortunately our Jamf rep was able to provide me with the info I added to my original post. I guess there's something in AppleSeed cloaked in an NDA.

AJPinto
Honored Contributor III

This is totally surrounded in apples NDA. Suffice it to day, be ready to update to 12.6.1 ASAP if you are wanting to block macOS 13.

nlucia
New Contributor II

From what I understand, the "fix" that Apple made for 12.3+ systems only applies to Supervised systems. That should be good for most of us, but for those that have a couple of unsupervised systems in their fleet, be advised that you may want to defer minor until there is some sort of fix.

AJPinto
Honored Contributor III

Apple on top of things as always with documentation being a day late and a dollar short. Apple needs to do better if they hope to get anywhere with enterprise. This should have been shared before release, and we should have more than 30 days to address it.

 

https://support.apple.com/en-us/HT213471

mickl089
Contributor III

Is no one actually bothered by the fact that Apple is releasing the fix at the same time as Ventura, which in itself is a contradiction and the solution "first install 12.6.1" works so wonderfully well with the mass command, which can take 2 weeks or longer until all devices are up to date?

AJPinto
Honored Contributor III

Oh, I am irate about this one and went off on our Apple reps about it. This fix should have come out a month ago at worst. That or they should have delayed Ventura to give more than 30 days to get it out there. 

 

Event better, that 30 day grace period apple was so gracious to give us for MDM enabled devices. Ya that ends on Thanksgiving day (for the US). So most offices will be closed and users can update to Ventura while everyone is out of the office. Apple really needs to get away from 4th quarter Major OS releases. 

Very bothered. The cynic in me suspects Apple isn't concerned because this will help drive Ventura install numbers.

I do have a glimmer of hope because the support doc mentions "at least 30 days" a couple of times, but I'm not counting on them to give more time.

obi-k
Valued Contributor III

Super bothered. Like @AJPinto said, Apple should have provided a fix prior.

The thing that gets me is you see the Ventura logo/banner Update first. In order for users to see the 12.6.1 update, they got to click the "Additional Available" updates or whatever. 

jamf-42
Valued Contributor II

agreed this is filed under 'bad apple' but.. if you disable SW update.. pref pane / binary..  they can't update? or.. have a missed something along the way.. 

AJPinto
Honored Contributor III

I have done this to help deter users, but that will not stop people who know how to run OS updates with terminal. 

 

I have a feeling if you block the softwareupdate binary you will also break your ability to tell updates to install. I have not tested it, but that seems like an Apple thing to do.

jamf-42
Valued Contributor II

św bin blocked.. and updates via System Prefs work fine.. been good for 12.x - 12.5 - 12.6 etc. 

obi-k
Valued Contributor III

Do you have Restricted Software in place? They could download the full installer on a personal Mac and drag the 12 GB full installer over?

AJPinto
Honored Contributor III

That would be more of a DLP concern instead of a MDM concern. If someone went that far to try to get around our policies, I would have their device wiped, reprovisioned and turn them in to HR. 

 

Though, the average Joe would not know how to move the installer like that. You cannot simply move an .app from one computer to the next. To go one step further MacOS installers are cryptographically signed. So the way you move most apps wont work for MacOS installers.

FireboltShade
New Contributor II

Is there any way to block Ventura from showing in software update but allow 12.6.1 since they're both minor updates?

This is how I managed to hide Ventura and only offer 12.6.1, but as always, please test this yourself. 

 

Jay_007_0-1667165582136.pngJay_007_1-1667165590387.png

MajorProduct: 012-92138>(Title:macOS Ventura Version:13.0, Identifier:com.apple.InstallAssistant.macOSVentura, IconSize:0, Deferred:1, Deferred Until:2023-01-22

 

Where might one enter this code?

AJPinto
Honored Contributor III

It’s a configuration profile, and is under the Restrictions Payload > Functionality tab.

 

At a guess the “code” he is referring to is coming from the install.log and is the response when OS updates are doing their thing.

Got it. I figured that was the case but worth checking.

Yeah, I've seen that bit in the Console logs. I didn't realize he was just using it to confirm it was working.

Thanks.

Just for anyone else who might see this: it does not work on the system I tested. It does see it as a major update, but that there's no deferral. Interesting that it works for you.

AJPinto
Honored Contributor III

Apple is very specific in how they are delivering this "exemption". If your devices are not supervised they will not receive the MDM deferral. Whether or not a device is Supervised is down to how it was enrolled. This is where I suggest focusing your attention.

 

Be sure to submit feedback to Apple with your experiences and findings. If you have ACE, open a case with Apple. If you don't have Ace email your Apple rep to see if there is any dialog they can start for you.

 

Manage upgrading to macOS Ventura in your organization - Apple Support

Intro to Apple device enrollment types - Apple Support

Jamf Pro shows all but four of our computers are supervised, all of which are running Catalina, so it doesn't seem like that's the issue here. (Yes, updating those is definitely on the list but it hasn't been a priority.)

Others are saying the same on another post too. I'm not sure why that seems to work for me and not anyone else. There is definitely some weird behaviour going on with Ventura. It's still being advertised to some that have updated to 12.6.1 and excluded major updates even though Apple have stated that they have automatically deferred it for supervised computers. Sorry that I can't help further. Also, I run a script to check for updates daily and the output you see above is returned after running...

 

softwareupdate -l

 

 

Bretterson
Contributor

So I'm fairly new to Jamf and haven't used any MDM in nearly three years. I want to update all of our computers running Monterey to 12.6.1 but it sounds like it's going to be a challenge...

  • The Mass Action command won't work on everything because only a fraction of the computers were enrolled via DEP and went through PreStage. (They're all supervised, but the way it reads sounds like that isn't sufficient.)
  • Doing it via policy doesn't allow you to specify the version to install. Plus some of the the devices have Apple silicon. (Most, but not all, of the M1 computers were enrolled via DEP.)

Is my only real option for this to make a package of the full installer with a post-install script and distribute it via Patch Management? Would the erase-install or S.U.P.E.R.M.A.N. be better options? Any suggestions are appreciated.

AJPinto
Honored Contributor III

You probably really want to get your Apple and JAMF success managers on the phone. You have a lot to hash over. The long term solution, is yes to reprovision your entire fleet and enroll the devices "correctly" for the level of management you want.

 

  • For Intel Macs you can run sudo softwareupdate -aiR and it will grab 12.6.1, not macOS 13. I am not sure what it will do after 11.24 though, but you have 3.5 weeks before that is a concern. 
  • Deploying the full OS installer is possisble, you need to use a DMG to do it. Keep in mind on Apple Silicon it still needs user interaction to use the OS installer to run updates.
  • Just like with Nag, superman is really just a tool to get the users to update themselves. If they see macOS 13, it is up to user education to tech them to not click it until they are on 12.6.1. 

 

My friend, it unfortunately sounds like you are in the nightmare situation. 

And who doesn't love a good nightmare?

Unfortunately, none of the computers were enrolled in DEP/ADE when purchased before I started here. No We switched to Jamf about 2-3 months ago; prior to that, everything was in AirWatch or SimpleMDM. Even if all of the computers were in Apple Business Manager, they wouldn't have gone through PreStage in Jamf since they were moved from another MDM (unless I'm missing something here).

I don't necessarily have a problem with requiring a bit of user interaction to do this. I'll setup a test policy to give that Intel command a shot.

I ended up setting up a relatively nice flow using erase-install. Haven't decided whether to push it via Self Service and send an e-mail to the users who need to do it, or to push the policy with a notification and option to defer. Either way, it's pretty clean and I'm satisfied with it.