Access Keys:
Skip to content (Access Key - 0)

Jamf Pro - Restricting upgrades to macOS

There are two ways to restrict OS updates on Macs with Jamf Pro: via Configuration Profiles, and via Restricted Software entries. The configuration profile will allow you to hide updates from end users for up to 90 days after release, while the restricted software entry will automatically quit the installer app if a user tries to launch it. It is recommended to use the configuration profile, but if you need to restrict upgrades for more than 90 days you should also make a Restricted Software entry.

Configuration Profile setup

  1. Go the Configuration Profiles section of Jamf Pro and click New.
  2. In the Restrictions payload on the left, click Configure.
  3. Under the Functionality tab, scroll down and check the "Defer updates" box. Set the the menu options to "Software Updates" and "90 days" (or less if you prefer).
  4. If you would like restrict the updating to a major OS update (e.g. macOS 12 Monterey to macOS 13 Ventura), and allow minor OS updates, simply select "Only major software updates"
  5. Click on the Scope tab, and select the computers, groups, or users you want this restriction to apply to.
  6. Save.

The configuration profile should be installed and take effect as soon as the target computers are connected to the Internet.

Restricted Software

  1. Go to the Restricted Software section and click New. Depending on your OS you can enter the following:
  2. In the "Process Name" field, enter e.g. "Install macOS Monterey.app" or "Install macOS Ventura.app"
  3. Check the "kill process" box.
  4. Add a message to display to the end user if they try to launch the macOS installer.
  5. Click on the Scope tab, and select the computers, groups, or users you want this restriction to apply to.
  6. Save.
  7. If you'd like to restrict more than one version, clone this and edit the process name. For example, you may wish to restrict the beta version of macOS 13 with "Install macOS Ventura beta.app" as well as the final release with "Install macOS Ventura.app".
    1. Note: While it is possible to use a wildcard to catch both the beta and final release, we have found it more reliable to enter the app name exactly, and recommend avoiding wildcards.

Software restrictions should take effect on computers after their next check in, which normally happens about once every half hour.

When a user tries to run the macOS installer, it will quit instantly and the user will see the message you specified.

Have Questions or Still Need Help?

  • If you need assistance creating restrictions or have any questions, please contact the End User Computing team at euc-help@mit.edu.

IS&T Contributions

Documentation and information provided by IS&T staff members

Last Modified:

October 24, 2022

Get Help

Request help
from the Help Desk
Report a security incident
to the Security Team
Labels:
endpoint endpoint Delete
management management Delete
restrict restrict Delete
block block Delete
osx osx Delete
macos macos Delete
jamf jamf Delete
c-macos-catalina c-macos-catalina Delete
c-jamf c-jamf Delete
catalina catalina Delete
euc euc Delete
bigsur bigsur Delete
monterey monterey Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.
Feedback
This product/service is:
Easy to use
Average
Difficult to use
This article is:
Helpful
Inaccurate
Obsolete
Adaptavist Theme Builder (4.2.3) Powered by Atlassian Confluence 3.5.13, the Enterprise Wiki