Overview
Starting with macOS Big Sur (released in 2021), Apple has deprecated the ability to block and ignore system updates via the softwareupdate utility. This means that updates and upgrades can only be hidden for a maximum of 90 days, and that upgrades can only be blocked via the .app macOS installer. Blocking and ignoring updates/upgrades is something that must be tackled in a layered approach, and this article aims to address two suggested workflows.
Please be sure to review the "Important Things to Account For" section at the bottom to familiarize yourself with specific behavior and expectations with deferring and blocking updates and upgrades.
Hiding Updates in System Settings via Restrictions MDM Payload
The Restrictions MDM payload allows you to defer major and minor updates in a range of 1-90 days. When enabled, updates/upgrades within the deferral period will be hidden in System Settings > General > Software Updates. This deferral does not serve as a blocker; it will only hide the update from users.
This payload can be found in Catalog > Device Settings > New > Restrictions > Software Updates. (Reference this article if you are unfamiliar with Device Settings.)
The screenshot below is an example of setting up a major OS deferral for 90 days. When configured this way, the end user will not see any major OS upgrades that are less than 90 days old. For example, macOS Tahoe (26) was released on September 15th 2025, which means this MDM payload will hide the upgrade from the user until December 14th 2025.
Note: Selecting "How many days to delay a minor macOS software update on the device" will accomplish the same behavior as defined above, but for minor OS updates (i.e., macOS 15.1 to macOS 15.2).
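One way to check an exported Restrictions profile for the major and minor deferrals described above, as an added example that is not Addigy's own tooling. It assumes the profile carries Apple's `com.apple.applicationaccess` deferral keys named in the code, and it treats an enabled flag without an explicit 1-90 day delay as a finding; the sample profile is constructed.

```python
import plistlib
from datetime import date, timedelta

# Constructed sample profile for illustration, not exported from a real tenant.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>forceDelayedMajorSoftwareUpdates</key><true/>
    <key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key><integer>90</integer>
    <key>forceDelayedSoftwareUpdates</key><true/>
  </dict></array></dict></plist>"""

# Apple Restrictions payload keys: (enable flag, delay in days) per update kind.
KEYS = {
    "major": ("forceDelayedMajorSoftwareUpdates",
              "enforcedSoftwareUpdateMajorOSDeferredInstallDelay"),
    "minor": ("forceDelayedSoftwareUpdates",
              "enforcedSoftwareUpdateMinorOSDeferredInstallDelay"),
}

def audit_deferrals(profile_bytes):
    """Return ({kind: days or None}, [findings]) for one configuration profile."""
    days, findings = {"major": None, "minor": None}, []
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue  # only the Restrictions payload carries deferral keys
        for kind, (flag, delay_key) in KEYS.items():
            if payload.get(flag) is not True:
                continue
            delay = payload.get(delay_key)
            if type(delay) is not int or not 1 <= delay <= 90:
                findings.append(f"{kind}: {flag} is on but {delay_key}={delay!r} "
                                "is not an explicit 1-90 day value")
                continue
            days[kind] = delay
    for kind, value in days.items():
        if value is None and not any(f.startswith(kind) for f in findings):
            findings.append(f"{kind}: no deferral configured, updates are visible")
    return days, findings

def visible_on(release, delay_days):
    """First date the update is shown: release date plus the deferral period."""
    return release + timedelta(days=delay_days)

if __name__ == "__main__":
    days, findings = audit_deferrals(SAMPLE_PROFILE)
    print(days, findings, visible_on(date(2025, 9, 15), days["major"]))
```

A clean result only confirms that the update is hidden in System Settings; it says nothing about System Updates sent via DDM or MDM, which this payload does not prevent.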
If you would like to hide these updates for iPhones, iPads, and tvOS devices, you will want to leverage the two settings below. Please note that this will hide all updates that are within the deferral criteria, not just OS upgrades. This also applies to macOS, so if you want your Mac users to be able to manually update to minor macOS versions, consider deploying this to just iPhones/iPads via a Flex Policy.
Blocking .app Upgrades using Prebuilt Apps (macOS Only)
The second layer of suggested workflows to avoid unwanted upgrades is to leverage our macOS blocker for the specific version of macOS you would like to block.
For more information and instructions on how to deploy this, please follow this article.
Important Things to Account For
- The Restrictions MDM payload and blocker highlighted in this article do not prevent System Updates via DDM or System Updates via MDM. If you have your System Update settings configured to keep devices on the latest version, or have a maximum version configured that covers the OS you wish to prevent, your devices will upgrade.
- The Addigy macOS blocker is only capable of blocking the macOS installer .app files. As of now, macOS devices can upgrade to a major version via System Settings without the use of the macOS installer .app files. This is why it's important to deploy a Restrictions MDM payload to hide the upgrade from your users in System Settings.
- The "Set maximum version" setting when configuring managed System Updates does not serve as a deferral/blocker. It simply determines the OS version Addigy will send to devices. For example, if you have the maximum version set to "15.99.99", that alone will not prevent Tahoe (26) from being offered to the user (assuming no deferrals are configured).
If you see that devices have been upgraded unintentionally, please account for the 3 points above and review your policy settings. If you have verified that all possible preventative measures are in place, yet a device was upgraded within the deferral window, please do not hesitate to submit a support ticket.