In addition to being able to install and manage macOS System Updates, the Addigy platform gives you some great ways to restrict the installation of System Updates.
Please note: Starting with macOS Big Sur, Apple has deprecated the ability to block system updates via the softwareupdate utility. Starting with macOS 11 (Big Sur), OS updates can only be deferred, for up to 90 days following their release. The deferral is done via the Addigy Restrictions Software MDM payload. See below for additional information from Apple on how the deferral works.
TABLE OF CONTENTS
- Hiding System Updates
- Disabling Automatic Updates
- Managing Software Update Settings
- Resetting Hidden Updates
- Deferring System Updates with the MDM Restriction Payload
- New in Big Sur macOS 11
Hiding System Updates
First, head over to the policy to which your device(s) is assigned, and start hiding System Updates from your users. Hiding will effectively prevent the end-user from applying updates as they will not see any updates to apply. It will not prevent updates from being installed (which is something that cannot be disabled entirely).
This option will hide any available updates (pre Big Sur) from the App Store from the end-user. It will not hide updates for apps downloaded through the App Store.
This is done with the softwareupdate utility, which is part of the macOS command line. Each update to be hidden is passed by name to the utility's --ignore option, like this:
softwareupdate --ignore "$nameOfUpdate"
Disabling Automatic Updates
Once the updates are successfully hidden, the next step is to ensure that the device does not install the updates on its own. We achieve this by calling the softwareupdate utility again, this time with the --schedule argument.
Here's how to query whether automatic system updates are enabled for the device:
And here is how to disable automatic updates:
softwareupdate --schedule off
If the App Store preferences pane is open within System Preferences when running this command, then the change will not be reflected until System Preferences is quit and re-opened.
Managing Software Update Settings
In addition to turning automatic updates off and on, the individual settings of softwareupdate can be managed. These settings can normally be found through the Software Update pane in System Preferences.
However, these settings can also be managed by modifying /Library/Preferences/com.apple.SoftwareUpdate.plist with a simple /usr/bin/defaults write command or an Apple Configuration Profile. Here is a simple Bash script that can be deployed via Addigy to toggle off the corresponding settings in System Preferences.
defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled -bool false
defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload -bool false
defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticallyInstallMacOSUpdates -bool false
defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist CriticalUpdateInstall -bool false
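To confirm that the four settings written by the script above are still in place on a device, a follow-up check can read each key back and flag any that are enabled or were never written. This is an added example, not Addigy's own script; the function names (read_pref, classify_pref, audit_softwareupdate) are hypothetical, and it assumes `defaults read` prints booleans as 1 or 0.

```shell
#!/bin/sh
# Added example (not Addigy's script): audit the four Software Update keys.
PLIST="${PLIST:-/Library/Preferences/com.apple.SoftwareUpdate.plist}"
KEYS="AutomaticCheckEnabled AutomaticDownload AutomaticallyInstallMacOSUpdates CriticalUpdateInstall"

# Print the stored value of one key; non-zero exit when the key is absent.
# Kept separate so it can be stubbed where the macOS `defaults` tool is missing.
read_pref() {
    /usr/bin/defaults read "$PLIST" "$1" 2>/dev/null
}

# Map a raw value to a state. Anything other than 0 or 1 is reported as
# unexpected, e.g. a value written with the wrong type.
classify_pref() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "enabled" ;;
        *) echo "unexpected" ;;
    esac
}

# Print "key: state" for each key; return 0 only if every key is explicitly disabled.
audit_softwareupdate() {
    drift=0
    for key in $KEYS; do
        if value=$(read_pref "$key"); then
            state=$(classify_pref "$value")
        else
            state="missing"   # key not present in this plist
        fi
        [ "$state" = "disabled" ] || drift=1
        echo "$key: $state"
    done
    return "$drift"
}

# Run the audit only where the macOS `defaults` binary exists.
if [ -x /usr/bin/defaults ]; then
    audit_softwareupdate || echo "Software Update settings differ from the deployed values" >&2
fi
```

A non-zero return from audit_softwareupdate means at least one key is enabled, missing, or holds an unexpected value, which makes the function usable as a compliance condition.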
Resetting Hidden Updates
If you've hidden updates from the App Store, and you'd like to make them visible again to your user, then run this command to reset all the ignored system updates:
Deferring System Updates with the MDM Restriction Payload
The Restrictions MDM Configuration allows you to set the number of days to defer (1-90). This can be found in Policies > Catalog > MDM Configurations > Restrictions > Software Updates.
New in Big Sur macOS 11
Resources from Apple on Software Update Changes
WWDC 20 "Discover AppleSeed for IT and Managed Software Updates" explains the new deferral process in macOS 11
What's new in mobile device management for Apple Devices - see "New restriction updates for macOS 11"