Jamf Nation Community

I think it also applies if you're updating with MDM commands or using something like superman.

Config profile. This should help: https://docs.jamf.com/best-practice-workflows/jamf-pro/managing-macos-updates/Deferring_a_macOS_Upda... 

I disagree with your apparent accusation that I am somehow breaking an NDA I never signed by passing on this info, but if the Jamf community admins believe it is, they are free to delete this post.

Apple’s secrecy, and (in my opinion) hostility towards IT Admins is exactly why we’re looking to accelerate our plans to switch to PCs.

I didn't say you broke the NDA, all I'm saying is that if you would like more information about this you can go to AppleSeed for IT that has all the information you need. This info is covered by the NDA, if you installed Ventura then you agreed to it. I am not the NDA police, and think the whole thing is dumb as rocks. Especially when iOS Dev's plaster information everywhere on social media. But just because they are doing so, does not give us the right to do the same (even though it's not fair).

To your comment about Apple being hostile towards IT? Apple's own enterprise team employees have communicated with us more than they have in the last 10 years. 

Was this update thing a bad move? YES! Apple should have communicated with everyone at WWDC, but they came up with a good solution that will help many MacAdmins.

The whole situation is kind of sad because of how great the new upgrade system is. It should have been touted as a HUGE Ventura feature. The new upgrade will be a game changer and shows that Apple is listening.

Oh I’m sorry, I completely misinterpreted your post. I apologize!

I’m glad your organization is having a better experience than mine. Not being able to defer Monterey past 90 days was very rough on us, and I’ve been working with Jamf (great) and Apple (not so great) for over a year on management issues especially around patching. Then on the other side I have a demoralized team and a bunch of frustrated end users.

Anyway sorry again and also for sidetracking this thread.

Ray, no need to apologize. We are all in upgrade mode and are all just trying to get the job done. I'm hoping Apple will communicate more with us on things like this in the future. 👍

Not that I'm aware of. I first heard of it when our Apple rep mentioned it in a newsletter. He never responded when I asked for more info, but fortunately our Jamf rep was able to provide me with the info I added to my original post. I guess there's something in AppleSeed cloaked in an NDA.

This is totally surrounded in apples NDA. Suffice it to day, be ready to update to 12.6.1 ASAP if you are wanting to block macOS 13.

Oh, I am irate about this one and went off on our Apple reps about it. This fix should have come out a month ago at worst. That or they should have delayed Ventura to give more than 30 days to get it out there. 

Event better, that 30 day grace period apple was so gracious to give us for MDM enabled devices. Ya that ends on Thanksgiving day (for the US). So most offices will be closed and users can update to Ventura while everyone is out of the office. Apple really needs to get away from 4th quarter Major OS releases. 

Very bothered. The cynic in me suspects Apple isn't concerned because this will help drive Ventura install numbers.

I do have a glimmer of hope because the support doc mentions "at least 30 days" a couple of times, but I'm not counting on them to give more time.

Super bothered. Like @AJPinto said, Apple should have provided a fix prior.

The thing that gets me is you see the Ventura logo/banner Update first. In order for users to see the 12.6.1 update, they got to click the "Additional Available" updates or whatever. 

I have done this to help deter users, but that will not stop people who know how to run OS updates with terminal. 

I have a feeling if you block the softwareupdate binary you will also break your ability to tell updates to install. I have not tested it, but that seems like an Apple thing to do.

św bin blocked.. and updates via System Prefs work fine.. been good for 12.x - 12.5 - 12.6 etc. 

Do you have Restricted Software in place? They could download the full installer on a personal Mac and drag the 12 GB full installer over?

That would be more of a DLP concern instead of a MDM concern. If someone went that far to try to get around our policies, I would have their device wiped, reprovisioned and turn them in to HR. 

Though, the average Joe would not know how to move the installer like that. You cannot simply move an .app from one computer to the next. To go one step further MacOS installers are cryptographically signed. So the way you move most apps wont work for MacOS installers.

This is how I managed to hide Ventura and only offer 12.6.1, but as always, please test this yourself. 

MajorProduct: 012-92138>(Title:macOS Ventura Version:13.0, Identifier:com.apple.InstallAssistant.macOSVentura, IconSize:0, Deferred:1, Deferred Until:2023-01-22

Where might one enter this code?

It’s a configuration profile, and is under the Restrictions Payload > Functionality tab.

At a guess the “code” he is referring to is coming from the install.log and is the response when OS updates are doing their thing.

Got it. I figured that was the case but worth checking.

Yeah, I've seen that bit in the Console logs. I didn't realize he was just using it to confirm it was working.

Thanks.

Just for anyone else who might see this: it does not work on the system I tested. It does see it as a major update, but that there's no deferral. Interesting that it works for you.

Apple is very specific in how they are delivering this "exemption". If your devices are not supervised they will not receive the MDM deferral. Whether or not a device is Supervised is down to how it was enrolled. This is where I suggest focusing your attention.

Be sure to submit feedback to Apple with your experiences and findings. If you have ACE, open a case with Apple. If you don't have Ace email your Apple rep to see if there is any dialog they can start for you.

Manage upgrading to macOS Ventura in your organization - Apple Support

Intro to Apple device enrollment types - Apple Support

Jamf Pro shows all but four of our computers are supervised, all of which are running Catalina, so it doesn't seem like that's the issue here. (Yes, updating those is definitely on the list but it hasn't been a priority.)

Others are saying the same on another post too. I'm not sure why that seems to work for me and not anyone else. There is definitely some weird behaviour going on with Ventura. It's still being advertised to some that have updated to 12.6.1 and excluded major updates even though Apple have stated that they have automatically deferred it for supervised computers. Sorry that I can't help further. Also, I run a script to check for updates daily and the output you see above is returned after running...

softwareupdate -l

You probably really want to get your Apple and JAMF success managers on the phone. You have a lot to hash over. The long term solution, is yes to reprovision your entire fleet and enroll the devices "correctly" for the level of management you want.

• For Intel Macs you can run sudo softwareupdate -aiR and it will grab 12.6.1, not macOS 13. I am not sure what it will do after 11.24 though, but you have 3.5 weeks before that is a concern. 
• Deploying the full OS installer is possisble, you need to use a DMG to do it. Keep in mind on Apple Silicon it still needs user interaction to use the OS installer to run updates.
• Just like with Nag, superman is really just a tool to get the users to update themselves. If they see macOS 13, it is up to user education to tech them to not click it until they are on 12.6.1. 

My friend, it unfortunately sounds like you are in the nightmare situation. 

And who doesn't love a good nightmare?

Unfortunately, none of the computers were enrolled in DEP/ADE when purchased before I started here. No We switched to Jamf about 2-3 months ago; prior to that, everything was in AirWatch or SimpleMDM. Even if all of the computers were in Apple Business Manager, they wouldn't have gone through PreStage in Jamf since they were moved from another MDM (unless I'm missing something here).

I don't necessarily have a problem with requiring a bit of user interaction to do this. I'll setup a test policy to give that Intel command a shot.

I ended up setting up a relatively nice flow using erase-install. Haven't decided whether to push it via Self Service and send an e-mail to the users who need to do it, or to push the policy with a notification and option to defer. Either way, it's pretty clean and I'm satisfied with it.