Access Keys:
Skip to content (Access Key - 0)

Jamf Pro - Restricting upgrades to macOS

If you need to prevent users from installing the latest version of macOS immediately, you can create a configuration profile in Jamf Pro to defer updates for up to 90 days after release. Using this profile, you can choose to defer minor updates (e.g. 13.5 to 13.6), major upgrades (e.g. 13.6 to 14.0), or both

You can also create a Restricted Software entry in Jamf to block users from launching macOS installer .app, but note that this only applies to legacy Macs. Apple Silicon Macs running macOS 12.3 or later will be able to perform major upgrades without running the .app installer, so the configuration profile is the only way to block major upgrades on those Macs.

Configuration Profile setup

  1. Go the Configuration Profiles section of Jamf Pro and click New.
  2. In the Restrictions payload on the left, click Configure.
  3. Under the Functionality tab, scroll down and check the "Defer updates" box. Set the the menu options to "Software Updates" and "90 days" (or less if you prefer).
  4. If you would like restrict the updating to a major OS update (e.g. macOS 12 Monterey to macOS 13 Ventura) while allowing minor OS updates, simply select "Only major software updates"
  5. Click on the Scope tab, and select the computers or groups you want this restriction to apply to.
  6. Save.

The configuration profile should be installed and take effect as soon as the target computers are connected to the Internet.

Restricted Software

If you wish to restrict upgrades on Apple Silicon Macs running macOS 12.3 or later, you must use the configuration profile method described above. The following steps are only effective on older Macs.
  1. Go to the Restricted Software section and click New. Depending on your OS you can enter the following:
  2. In the "Process Name" field, enter e.g. "Install macOS Sonoma.app" or "Install macOS Ventura.app"
  3. Check the "kill process" box.
  4. Add a message to display to the end user if they try to launch the macOS installer.
  5. Click on the Scope tab, and select the computers or groups you want this restriction to apply to.
  6. Save.
  7. If you'd like to restrict more than one version, clone this and edit the process name. For example, you may wish to restrict the beta version of macOS 14 with "Install macOS Sonoma beta.app" as well as the final release with "Install macOS Sonoma.app".
    1. Note: While it is possible to use a wildcard to catch both the beta and final release, we have found it more reliable to enter the app name exactly, and recommend avoiding wildcards.

Software restrictions should take effect on computers after their next check in, which normally happens about once every half hour.

When a user tries to run the macOS installer, it will quit instantly and the user will see the message you specified.

Have Questions or Still Need Help?

  • If you need assistance creating restrictions or have any questions, please contact the End User Computing team at euc-help@mit.edu.

IS&T Contributions

Documentation and information provided by IS&T staff members

Last Modified:

September 22, 2023

Get Help

Request help
from the Help Desk
Report a security incident
to the Security Team
Labels:
endpoint endpoint Delete
management management Delete
restrict restrict Delete
block block Delete
osx osx Delete
macos macos Delete
jamf jamf Delete
c-macos-catalina c-macos-catalina Delete
c-jamf c-jamf Delete
catalina catalina Delete
euc euc Delete
bigsur bigsur Delete
monterey monterey Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.
Feedback
This product/service is:
Easy to use
Average
Difficult to use
This article is:
Helpful
Inaccurate
Obsolete
Adaptavist Theme Builder (4.2.3) Powered by Atlassian Confluence 3.5.13, the Enterprise Wiki