Holding Back the OS Upgrades
(with apologies to Simply Red)
There has been some recent confusion about deferring major Apple OS upgrades, specifically relating to macOS 13 Ventura. In general, one should strive to support Apple’s new OSes on the day that they are released; I recognize this is not possible for everyone, however.
1. macOS Ventura supports a new OS upgrade mechanism (for client endpoints running macOS 12.3 or later), where the OS upgrade is available as a much smaller software update, rather than requiring the download of the 12+ GB Install macOS Ventura.app.
2. Apple does support setting the forceDelayedMajorSoftwareUpdates key as well as the associated enforcedSoftwareUpdateMajorOSDeferredInstallDelay key (default: 30 days, minimum: 1 day, maximum: 90 days); see https://developer.apple.com/documentation/devicemanagement/restrictions. However, be aware that macOS 12 versions prior to 12.6.1 do not support restricting major software updates using the new OS upgrade mechanism. Apple prevented macOS 12.3+ devices enrolled in an MDM from updating to macOS 13.0 or 13.0.1 using this new mechanism, but not for 13.1 and later.
3. Even if you are on macOS 12.6.1 or later, the deferral is only reflected in the Software Update preferences; the softwareupdate binary will still display the 13.1 update as available. So if you have workflows that rely on softwareupdate, this may lead to inadvertent OS upgrades.
4. One major issue is how you build a deferral profile. Some MDMs, if you have an existing Restrictions profile, default the value of forceDelayedMajorSoftwareUpdates to false. If you subsequently add a separate OS deferral profile with the key set to true, the actual results on the endpoint can be inconsistent.
To diagnose item 4 above, run the following command in the macOS Terminal:
sudo profiles show -output stdout-xml | grep -i delay
If you see the forceDelayedMajorSoftwareUpdates key set twice, you’ll want to re-run the command without the grep, i.e.
sudo profiles show -output stdout-xml
This will give you a list of every preference key set by every configuration profile on your Mac. Search for the forceDelayedMajorSoftwareUpdates key and note which profiles set it, potentially with conflicting values. Once found, remove the duplicate profile from your devices, and set the desired value in one of your profiles, likely your Restrictions profile.
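The manual search above can be scripted. The following is an added example, not part of the original post: it parses the plist XML and reports which profiles set forceDelayedMajorSoftwareUpdates and whether their values disagree. The sample data and the com.example.* identifiers are constructed, and the script assumes each installed profile appears as a dictionary carrying a ProfileIdentifier key.

```python
import plistlib
import sys

KEY = "forcedelayedmajorsoftwareupdates"  # matched case-insensitively

def walk(node):
    """Yield every dict nested anywhere below node (including node itself)."""
    if isinstance(node, dict):
        yield node
        for v in node.values():
            yield from walk(v)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item)

def deferral_settings(plist_bytes):
    """Map profile identifier -> values that profile sets for KEY."""
    found = {}
    for prof in walk(plistlib.loads(plist_bytes)):
        if "ProfileIdentifier" not in prof:  # assumption: marks a profile dict
            continue
        vals = [v for d in walk(prof) for k, v in d.items() if k.lower() == KEY]
        if vals:
            found[prof["ProfileIdentifier"]] = vals
    return found

def has_conflict(settings):
    """True when the key is set to more than one distinct value."""
    return len({repr(v) for vals in settings.values() for v in vals}) > 1

# Constructed sample: a Restrictions profile defaulting the key to false,
# a separate deferral profile setting it to true, and an unrelated profile.
SAMPLE = plistlib.dumps({"_computerlevel": [
    {"ProfileIdentifier": "com.example.restrictions", "ProfileItems": [
        {"PayloadContent": {"forceDelayedMajorSoftwareUpdates": False}}]},
    {"ProfileIdentifier": "com.example.os-deferral", "ProfileItems": [
        {"PayloadContent": {"forceDelayedMajorSoftwareUpdates": True,
                            "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": 90}}]},
    {"ProfileIdentifier": "com.example.wifi", "ProfileItems": [
        {"PayloadContent": {"AutoJoin": True}}]},
]})

if __name__ == "__main__":
    # Pipe the stdout-xml output in on stdin, or run bare to use the sample.
    data = (b"" if sys.stdin.isatty() else sys.stdin.buffer.read()) or SAMPLE
    settings = deferral_settings(data)
    for ident, vals in settings.items():
        print(f"{ident}: {vals}")
    print("CONFLICT" if has_conflict(settings) else "consistent")
```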
Keeping in mind the limitations mentioned in items 2 and 3, this should prevent client endpoints from being able to upgrade to macOS Ventura, at least until 90 days have passed since the date of the OS release (i.e. 90 days from October 24), at which point you will no longer be able to prevent the OS upgrade from being presented to users.
More details straight from Apple here: https://support.apple.com/en-us/HT213471