To block macOS 26 upgrades and control updates overall, Addigy admins should implement a layered approach using both Prebuilt Apps "blockers" and a Restrictions MDM Profile.
Overview
Apple’s release of macOS 26 requires action from Apple Device Management admins to prevent unvetted updates across your fleet. Addigy enables organizations to block and defer both major and minor OS updates, but Apple platform and MDM limitations like the 90-day max deferral necessitate a combination of methods to more thoroughly prevent updates from running.
Prerequisites
- Devices must be supervised and MDM enrolled to use the MDM and Declarative Deferral Profile and Settings so that end users do not see the macOS Upgrade (or updates for minor version installers) in the Settings app.
- Process Blockers for App Store Full OS Installers should be kept up-to-date in each of the policies that needs them. As the desired Blocked OS Version as the blockers are unique to each OS release.
- A layered approach is required for thorough coverage and to limit as much as possible of the OS Upgrade advertisement to the user as well as paths they could intentionally or inadvertently upgrade. This means...
- The blocker app for installer-based upgrades
- MDM restrictions for updates via System Settings.app
- Or Software Update Settings Declaration when new OS Update settings for macOS 15+ are in use with Automatic Actions
Avenues for macOS Updates & How to Block
Blocking all possible methods is essential to prevent unwanted updates.
1. Blocking the macOS Installer Apps
- Method: Use Addigy’s Prebuilt Apps "Block Install of macOS 26 Tahoe" utility (latest version).
- Scope: Prevents .app-based upgrade attempts (i.e., downloaded Apple installers).
-
Deployment:
- Go to Catalog > Software > Prebuilt Apps.
- Search for "Block Install of macOS [version]" (e.g., "Block Install of macOS 26 Tahoe").
-
Assign this software to your desired Policies.
-
What it Prevents:
- Stops the execution of Install macOS [Version].app regardless of source.
- Removes existing installer apps from devices as part of a recurring policy action (~every 30 minutes).
- Optionally suppresses upgrade notifications and disables automatic macOS update downloads and installs (non-critical only).
- Limitations: Will NOT block upgrades initiated from System Settings or upgrades pushed via MDM/DDM.
2. Hiding OS Updates in System Settings (MDM Deferral)
- Method: Use the Restrictions configuration profile within Addigy.
- Scope: Hides specified updates from appearing in "System Settings > General > Software Update."
-
Deployment:
- Go to Catalog > MDM Profiles > New > Restrictions > Software Updates.
- Set "Delay user visibility of major macOS Software Updates" and "How many days to delay a major software update on the device" for up to 90 days (max allowed by Apple).
- Assign this profile to all target devices.
-
What it Prevents:
- Prevents user-initiated upgrades from System Settings for up to 90 days from release.
- Once 90 days elapse, the upgrade will appear and can be installed if other blocks are not in place.
-
Limitations:
-
Does NOT prevent forced updates via MDM, or if the user leverages an alternative upgrade path post-90 day window.
-
3. Ignoring Updates and Upgrades via Declarative Device Management – macOS(Addigy Policies)
- Method: Controlling Updates from Previously Set Software Update Settings Declaration (DDM OS Updates)
- Scope: Prevents Addigy from enforcing OS Upgrades from DDM Configurations set by the Addigy Admin.
-
Deployment:
- In Policies > [policy name] > Updates > Updates by OS, set the “Maximum version allowed” to the last approved version (e.g., 25.9.9) to prevent Addigy from sending 26.x updates.
-
Deployment Schedules:
- Avoid setting policies to "Keep devices updated to the latest OS" if wishing to block major upgrades.
-
Limitations:
- Setting Maximum Version only controls what Addigy deploys—not what users can manually initiate.
- Must be used in conjunction with other blocking methods.
-
Addigy Declarative OS Updates MUST be enabled.
Deferring vs. Blocking: 90-Day Limitations
- Apple only allows deferral (via MDM profile restrictions) of major and minor updates for a maximum of 90 days. For macOS 26, this means the final date will be December 13, 2025.
- After this period, updates will become visible in System Settings and available for users to install.
Summary Deployment Steps in Addigy (All Three Methods Combined)
1. Assign macOS Blocker from Prebuilt Apps
- Catalog > Software > Prebuilt Apps > "Block Install of macOS [version]"
- Click the three dots > Assignments
- Select policies to enforce
2. Create/Add MDM Configuration Profile for Deferral
- Catalog > MDM Profiles > New
- Choose "Restrictions" > "Software Updates"
- Set "Delay user visibility of major macOS Software Updates" and "How many days to delay a major software update on the device" for up to 90 days (max allowed by Apple)
- Assign to all applicable device policies
3. Set Policy Update Settings
- Policies > [Policy] > Updates > Updates by OS (Enable macOS Updates)
- Set “Maximum version allowed” to desired version (e.g. 25.9.9)
- Do NOT select "Keep devices updated to latest OS" if you wish to block major upgrades
4. Monitor
- Use GoLive and Update Reports to confirm blocker/deferral is enforced across devices.
- Review installed versions and availability.
Important Notes
- The Addigy Major OS Blocker ONLY blocks .app-based upgrades.
- The MDM Restriction hides updates for 90 days max, and DOES NOT block from DDM-pushed upgrades.
- Keeping both methods in place is necessary for maximum coverage.
- Always use the latest macOS blocker version.
- For full unblocking, remove the macOS Blocker from PreBuilt Apps, and/or the MDM Configuration for Deferral.
By layering these methods—Prebuilt Apps Blockers for installer-based upgrades, MDM restrictions for user-initiated updates, and careful policy controls—Addigy admins can robustly prevent premature adoption of macOS 26 and later versions with best-practice configuration.