Overview
Starting with macOS Big Sur (released in 2021), Apple has deprecated the ability to block and ignore system updates via the softwareupdate utility. This means that updates and upgrades can only be hidden for a maximum of 90 days. Blocking and ignoring updates/upgrades is something that must be tackled in a layered approach, and this article aims to address all of the known layers.
Ignoring Updates via Restrictions MDM Profile
The Restrictions MDM Configuration allows you to defer major and minor updates in a range of 1-90 days. This can be found in Catalog > MDM Profiles > New > Restrictions > Software Updates.
More information on How to Create MDM Configurations.
The screenshot below shows how to prevent your devices from upgrading to major OS versions released within the last 90 days. For example, macOS Sonoma 14.0 was released on September 26th, which means this MDM profile can no longer ignore the upgrade starting on December 25th.
Note: Selecting "Delay user visibility of minor macOS software updates" will prevent minor versions released within the last 90 days from appearing in System Preferences > Software Update.
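The following is an added example, not Addigy's own code: it reads a Restrictions payload and works out the date on which a deferred update stops being hidden, reproducing the Sonoma dates above. The key names are Apple's Restrictions payload keys; the sample payload is constructed, and the assumption that the Addigy settings map to these keys, the 2023 release year, the function names and the fallback order are this example's own.

```python
import plistlib
from datetime import date, timedelta

# Constructed sample: a Restrictions payload (com.apple.applicationaccess)
# with Apple's software update deferral keys. Values are illustrative.
SAMPLE_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>com.apple.applicationaccess</string>
  <key>forceDelayedMajorSoftwareUpdates</key><true/>
  <key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key><integer>90</integer>
  <key>forceDelayedSoftwareUpdates</key><true/>
  <key>enforcedSoftwareUpdateMinorOSDeferredInstallDelay</key><integer>30</integer>
</dict>
</plist>"""

MAX_DEFERRAL_DAYS = 90  # upper bound of the 1-90 day range in the article

# update kind -> (enable key, per-kind delay key)
KEYS = {
    "major": ("forceDelayedMajorSoftwareUpdates",
              "enforcedSoftwareUpdateMajorOSDeferredInstallDelay"),
    "minor": ("forceDelayedSoftwareUpdates",
              "enforcedSoftwareUpdateMinorOSDeferredInstallDelay"),
}

def deferral_days(payload: dict, kind: str) -> int:
    """Effective deferral in days for 'major' or 'minor'; 0 if not enabled."""
    enable_key, delay_key = KEYS[kind]
    if not payload.get(enable_key, False):
        return 0
    # Assumed fallback order: per-kind delay, then the shared delay key,
    # then 30 days. Out-of-range values are clamped to 1-90.
    days = payload.get(delay_key, payload.get("enforcedSoftwareUpdateDelay", 30))
    return max(1, min(int(days), MAX_DEFERRAL_DAYS))

def visible_on(payload: dict, kind: str, released: date) -> date:
    """First date on which the deferral no longer hides the update."""
    return released + timedelta(days=deferral_days(payload, kind))

if __name__ == "__main__":
    payload = plistlib.loads(SAMPLE_PAYLOAD)
    sonoma = date(2023, 9, 26)  # macOS Sonoma 14.0 release date
    print("major deferral ends:", visible_on(payload, "major", sonoma))
    print("minor deferral ends:", visible_on(payload, "minor", sonoma))
```

A result of 0 days for either kind means the profile is not deferring that type of update at all, which is worth checking before relying on the other layers described below.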
Outside of the Restrictions MDM profile, it is also advisable that you deploy our major macOS blocker.
Important things to account for:
1. The Restrictions MDM profile does not prevent System Updates via MDM. If you have your System Updates via MDM settings configured to keep devices on the latest version, your devices can and likely will upgrade.
2. The Addigy Blocker is only capable of blocking the macOS installer .app files. As of now, macOS devices can upgrade to a major version via System Settings without the use of the macOS installer .app files.
3. Similarly to #1, System Updates via MDM are not affected by the blocker.
4. The "Set maximum version" setting does not serve as a deferral/blocker. It simply determines the maximum OS version Addigy will send to devices. As #1 states, if it is configured to keep devices on the latest OS, the device will attempt to update/upgrade.
If you see that devices upgraded unintentionally, please account for the 4 points above and review your policy settings. If you have verified that all possible preventative measures are in place yet a device upgraded, please do not hesitate to submit a support ticket.