Overview
Starting with macOS Big Sur (released in 2021), Apple has deprecated the ability to block and ignore system updates via the softwareupdate utility. This means that updates and upgrades can only be hidden for a maximum of 90 days. Blocking and ignoring updates/upgrades is something that must be tackled in a layered approach, and this article aims to address all of the known layers.
Ignoring Updates via Restrictions MDM Profile
The Restrictions MDM Configuration allows you to defer major and minor updates for anywhere from 1 to 90 days. When enabled, it prevents end users from seeing the updates in System Settings > General > Software Update on their Mac until the defined deferral period has passed.
This configuration can be found in Catalog > MDM Profiles > New > Restrictions > Software Updates. (Reference How to Create MDM Configurations if you are unfamiliar with this process.)
The screenshot below is an example configuration that sets up a Major OS deferral for 90 days. When set up this way, the end user will not see any Major OS updates that are less than 90 days old when they navigate to System Settings > General > Software Update on their Mac. For example, macOS Sonoma 14.0 was released on September 26th, which means this MDM profile can no longer ignore the upgrade starting on December 25th.
Note: Selecting "How many days to delay a minor macOS software update on the device" will accomplish the same behavior as defined above, but for minor OS updates (i.e., macOS 13.1 to macOS 13.2).
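As an added example (not Addigy's code), the Python below checks an exported Restrictions profile for the deferral settings described above and computes the first day a release stops being hidden. It assumes the profile uses Apple's standard Restrictions payload (com.apple.applicationaccess) key names; the sample profile is constructed for illustration.

```python
import plistlib
from datetime import date, timedelta

# Constructed sample profile (not exported from Addigy). Key names are Apple's
# Restrictions payload keys; that the exported profile uses them is an assumption.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>forceDelayedMajorSoftwareUpdates</key><true/>
    <key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key><integer>90</integer>
  </dict></array>
</dict></plist>"""

KEYS = {  # kind -> (enable flag, explicit delay-in-days key)
    "major": ("forceDelayedMajorSoftwareUpdates",
              "enforcedSoftwareUpdateMajorOSDeferredInstallDelay"),
    "minor": ("forceDelayedSoftwareUpdates",
              "enforcedSoftwareUpdateMinorOSDeferredInstallDelay"),
}

def deferral_days(profile_bytes):
    """Return explicitly configured deferrals; None = flag or delay key not set."""
    profile = plistlib.loads(profile_bytes)
    result = {"major": None, "minor": None}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for kind, (flag, delay_key) in KEYS.items():
            days = payload.get(delay_key)
            if payload.get(flag) is True and type(days) is int:
                if not 1 <= days <= 90:
                    raise ValueError(f"{kind} deferral of {days} days is outside 1-90")
                result[kind] = days
    return result

def visible_from(release, days):
    """First date on which a release is no longer hidden by a deferral of `days`."""
    return release + timedelta(days=days)

if __name__ == "__main__":
    sonoma = date(2023, 9, 26)  # macOS Sonoma 14.0 release date
    for kind, days in deferral_days(SAMPLE_PROFILE).items():
        if days is None:
            print(f"{kind}: no explicit deferral in this profile")
        else:
            print(f"{kind}: {days} days, Sonoma 14.0 visible from {visible_from(sonoma, days)}")
```

A result of None for "minor" here means minor updates are not covered by this profile, which is worth confirming against the policy you intended.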
Outside of the Restrictions MDM profile, it is also advisable that you deploy our major macOS blocker for the specific version of macOS you would like to block.
Important things to account for:
1. The Restrictions MDM profile does not prevent System Updates via MDM. If you have your System Updates via MDM settings configured to keep devices on the latest version, your devices will upgrade.
2. The Addigy Major OS Blocker is only capable of blocking the macOS installer .app files. As of now, macOS devices can upgrade to a major version via System Settings without the use of the macOS installer .app files, which is why it's important to deploy a Restrictions MDM profile to prevent your users from upgrading manually through System Settings on their Mac.
3. As with #1, System Updates via MDM are not affected by the Addigy Major OS Blocker.
4. The "Set maximum version" setting when configuring System Updates via MDM does not serve as a deferral/blocker. It simply determines the maximum OS version Addigy will send to devices. As #1 states, if it is configured to keep devices on the latest OS, the device will attempt to update/upgrade.
If you see that devices upgraded unintentionally, please account for the 4 points above and review your policy settings. If you have verified that all possible preventative measures are in place and a device still upgraded, please do not hesitate to submit a support ticket.