Resolved
Latest Update: January 18, 2023
Apple has confirmed this bug and created a fix for this issue in macOS 12.6.3.
Issue
Apple's macOS Software Update Daemon Upgrading Devices to macOS 13.1 (Ventura)
We have identified a subset of users and devices upgraded to macOS 13.1 (Ventura) following the 30-day release window of macOS Ventura, as it is now available as a System Update instead of a System Upgrade. Our initial investigation indicates that Addigy is not passing this update to devices using MDM.
Findings
It appears that the macOS softwareupdated process is launching the macOS Ventura Upgrade automatically without it explicitly being sent to devices. This means the update does not appear to be MDM-initiated but appears to run automatically.
Confirm symptom via log file:
You will need to pull a sysdiagnose log; we have documented how to do so here: https://support.addigy.com/hc/en-us/articles/4403542584851-Gathering-a-sysdiagnose-File-on-Affected-Hardware.
From the `/var/log/install.log` file (Apple Specific Install Log), the following will be logged when this occurs:
softwareupdated[567]: SUOSUServiceDaemon: Commit stash failed: Error Domain=SUMacControllerError Code=7109 "[SUMacControllerErrorDuplicateRequest=7109] New request in progress for this client" UserInfo={NSDebugDescription=[SUMacControllerErrorDuplicateRequest=7109] New request in progress for this client, NSLocalizedDescription=A request was issued for the same operation.}
2022-12-14 03:09:59-05 <device-name> softwareupdated[567]: SUOSUServiceDaemon: Commit stash failed: Error Domain=SUMacControllerError Code=7109 "[SUMacControllerErrorDuplicateRequest=7109] New request in progress for this client" UserInfo={NSDebugDescription=[SUMacControllerErrorDuplicateRequest=7109] New request in progress for this client, NSLocalizedDescription=A request was issued for the same operation.}
2022-12-14 03:10:00-05 <device-name> softwareupdated[567]: SUOSUServiceDaemon: Proceeding to postlogout apply
2022-12-14 03:10:00-05 <device-name> softwareupdated[567]: SUOSUServiceDaemon: Queued descriptor up for postlogout apply: ( "[>>>\n humanReadableUpdateName: macOS Ventura 13.1\n humanReadableMoreInfoLink: https://www.apple.com/macos/ventura\n uniqueBuildID: (null)\n originalUpdateType: Major\n updateUUID: CCD923F0-2FD9-475A-9041-3A5360DB4AFB\n productVersion: 13.1\n productBuildVersion: 22C65\n productSystemName: macOS\n releaseType: (null)\n publisher: Apple Inc.\n releaseDate: 2022-12-13 00:00:00 +0000\n restoreVersion: 22.3.65.0.0,0\n targetUpdateBridgeVersion: (null)\n targetUpdateSFRVersion: (null)\n prerequisiteBuild: 21G320\n prerequisiteOSVersion: 12.6.2\n
How to verify an MDM-initiated update:
2022-12-12 21:01:41-05 <device-name> softwareupdated[29386]: SUOSUServiceDaemon: No active client to do MDM minor OS update, performing update via softwareupdated w/ options: { DoInForeground = 0; MDMInitiated = 1; ProductKeys = ( "012-89022" ); }
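To triage an `install.log` pulled from a sysdiagnose, the two patterns above can be checked with a short script. This is an added example, not Addigy or Apple tooling: the function names are hypothetical, the sample lines are an abridged, constructed copy of the excerpts above, and pairing entries by `softwareupdated` PID is this example's own heuristic.

```python
import re

# Constructed, abridged sample modeled on the excerpts above; "<device-name>" is a placeholder.
SAMPLE_LOG = r'''2022-12-14 03:10:00-05 <device-name> softwareupdated[567]: SUOSUServiceDaemon: Proceeding to postlogout apply
2022-12-14 03:10:00-05 <device-name> softwareupdated[567]: SUOSUServiceDaemon: Queued descriptor up for postlogout apply: ( "[>>>\n humanReadableUpdateName: macOS Ventura 13.1\n originalUpdateType: Major\n productVersion: 13.1\n prerequisiteOSVersion: 12.6.2\n
2022-12-12 21:01:41-05 <device-name> softwareupdated[29386]: SUOSUServiceDaemon: No active client to do MDM minor OS update, performing update via softwareupdated w/ options: { DoInForeground = 0; MDMInitiated = 1; ProductKeys = ( "012-89022" ); }
'''

ENTRY = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d[-+]\d\d) \S+ softwareupdated\[(\d+)\]: (.*)$")

def parse_descriptor(message):
    """Split the descriptor on its literal backslash-n separators into key/value pairs."""
    fields = {}
    for part in message.split("\\n"):
        key, sep, value = part.strip().partition(": ")
        if sep:
            fields[key] = value
    return fields

def scan_install_log(text):
    """Return softwareupdated events: queued update descriptors and MDM-initiated requests."""
    events = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        stamp, pid, message = m.groups()
        if "MDMInitiated = 1" in message:
            events.append({"time": stamp, "pid": pid, "kind": "mdm-initiated"})
        elif "Queued descriptor up for postlogout apply" in message:
            f = parse_descriptor(message)
            events.append({"time": stamp, "pid": pid, "kind": "queued",
                           "type": f.get("originalUpdateType"),
                           "version": f.get("productVersion"),
                           "from_os": f.get("prerequisiteOSVersion")})
    return events

def unrequested_major_upgrades(events):
    """Queued Major descriptors with no MDM-initiated entry from the same PID.
    Matching on PID is this example's heuristic, not a rule stated in the article."""
    mdm_pids = {e["pid"] for e in events if e["kind"] == "mdm-initiated"}
    return [e for e in events
            if e["kind"] == "queued" and e["type"] == "Major" and e["pid"] not in mdm_pids]

if __name__ == "__main__":
    for hit in unrequested_major_upgrades(scan_install_log(SAMPLE_LOG)):
        print(f'{hit["time"]} pid={hit["pid"]} queued {hit["type"]} upgrade '
              f'{hit["from_os"]} -> {hit["version"]} without MDMInitiated = 1')
```

To run it against a real log, pass the contents of `/var/log/install.log` to `scan_install_log` in place of `SAMPLE_LOG`.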
Remediation
- If you are concerned about devices upgrading to 13.1, we advise you to temporarily turn off System Updates using MDM Beta. This is a precautionary step: at the time of writing, we have not found any evidence of MDM-based System Updates kicking off the install.
- If you are not concerned about devices upgrading to 13.1, you can continue to use the System Updates using MDM Beta.
MDM System Update Restriction Deferrals
Updates can be deferred for up to 90 days with an MDM Restrictions Profile. However, note that the following mechanisms do not respect this MDM Profile:
- MDM-based System Updates will ignore System Update deferral payloads and still deploy macOS system updates, as the key is passed directly to the update, which ignores deferral settings.
- The Software Update binary on Intel devices can still install without volume ownership authorization, and ignore MDM deferral settings.
MDM Restrictions Profile for Deferring Updates
The Restrictions MDM profile can be used to defer updates for up to 90 days. This now includes major OS Upgrades due to Apple's recent change with macOS Ventura. This is only a visual deferment, meaning it prevents users from seeing the update, but the update can still be deployed by specifying the exact update through one of the mechanisms described above. We would still recommend deferring, but note that this only hides the update from the end user in System Preferences.
Addigy's macOS Blocker
As Apple has changed the full OS Upgrade of macOS Ventura 13.1 to run as a minor system update, this prevents the blocker from being able to stop this action. The only mechanism to prevent this functionality is to stop allowing System Updates on the device. We will continue to explore new options to block macOS Ventura with our latest blockers.