Block OS Updates and Installers Whist iOS/iPadOS may only be updated using Settings, macOS can alternatively be updated using the macOS Installer. The following articles demonstrate blocking both methods. Fileset to block Apple Install macOS applications Description As described, this only blocks macOS Installer Applications.  Preventing users from using Software Updates can only be achieved with Defer Apple OS Updates and you should consider this because Software Update is capable or running the upgrade even with this solution in place. Apple automatically instals the latest installer application on devices, allowing users to upgrade to the next major release of macOS.  The following provides a method to prevent users from running the application, ensuring administrators have the required time to prepare the business. The provided Fileset includes an unaltered version of the Open Source Software Pashua , which is licensed under the 3-Clause BSD License. Information The attached Fileset prompts users with a message, including alternate languages.  There is also allowance for control over which versions of macOS Installers are blocked.  The only requirements are the following Filesets: mac0S - Block macOS Installer Pashua Daemon.fileset.zip If running macOS 13 or higher, this profile is also required. Profile - Block Notifications A requirement script is included to ensure the profile is installed first, before downloading and installing the blocker. Optionally the following Custom Field may be used to monitor the quantity of times users attempt to upgrade devices: macOSAppInstallerBlockAttempts.customfields.zip The above instals launchd services.  Disassociation of the Fileset will unload these services as well as remove all files. Directions The Fileset is currently configured to block the 'Install macOS Ventrua.app' and future versions of macOS Installer App; it would actually also stop the Beta.  Version control is managed by the plist file in usr > local > etc > block_macos_updates: com.filewave.blockmacosinstaller_user.plist Contents of the file: MinimumBlockedVersion 18 Version of App to Block Edit the file as required for the following: Key - MinimumBlockedVersion Value - Integer Set to 19, which will block macOS Sonoma.  This could be lowered to block earlier (or later versions when Apple release their next major release) Example alternatives: 19 - Block Sonoma and above 18 - Block Ventura and above 17 - Block Monterrey and above 15 - Block Catalina and above 14 - Block Mojave and above The script defines a version to block (and versions above) in the case that no plist file is found.  This is set to 15, since this should never be the case and is a capture to prevent unwanted updates in this unexpected instance. Message Localisation When the installed service blocks the App, a message is reported to the user.  Examples have been provided for English and German. The language is determined by the first two characters from the following command: $ defaults read -g AppleLanguages | awk -F "\"" '/\"/ {print $2; exit}' en-GB As such en-GB, en-US, en-AU, etc will all result in an English version. Language template files are stored in the path: /usr/local/etc/block_macos_updates/ English and German respectively: warning_en.txt warning_de.txt Copy and edit the files appropriately for additional languages. Example to add French User has French language set: $ defaults read -g AppleLanguages | awk -F "\"" '/\"/ {print $2; exit}' fr-FR Based upon this, create a copy warning file (note the suffix '_fr'): warning_fr.txt Edit '*.title' and default message 'txt1.default' appropriately: # Set window title *.title = Installation bloquée # Introductory text txt.type = text txt.default = macOS Installer Application txt.height = 100 txt.width = 310 txt.x = 100 txt.y = 120 txt1.type = text txt1.default = Cette version de macOS n'est pas prête pour l'environnement de production. Veuillez contacter le service informatique si nécessaire. txt1.height = 100 txt1.width = 310 txt1.x = 100 txt1.y = 50 img.type = image img.x = 20 img.y = 70 img.maxwidth = 64 img.path = /usr/local/etc/FileWave_Icon.png Text content will impact the view.  Consider changing height, x and y values if the view does not appear as intended. Upload and replace the 'img.path' as your own company logo for customisation. Logging The launchd scripts have additional logging which will be available in Apple's Console (Debug level Info).  For example: Defer Apple OS Updates What Use Apple software update deferrals when you want a testing window before users can install new Apple updates themselves. The setting hides matching updates from the device's Software Update pane for the number of days you choose. When/Why This is useful when you want to validate a new Apple release before it reaches production devices. Apple allows up to 90 days of deferral. During that window the update is hidden from the user, but FileWave can still install it with MDM if you decide to move ahead. Deferral only affects what the user sees in Software Update. If you also need to stop users from launching full macOS installer apps, use Fileset to block Apple Install macOS applications . How Create or edit an Apple configuration profile and add the Restrictions payload for the platform you manage. Searching for defer in the Profile Editor is the quickest way to jump to the relevant settings. iOS/iPadOS Enable Defer software updates for and choose a value from 1 to 90 days. macOS Current macOS payloads let you defer different update types separately: Defer major macOS updates for to delay major upgrades. Defer macOS updates for to delay minor OS updates. Defer app updates for to delay non-OS software updates. For macOS versions earlier than 11.3, the Defer macOS updates value is used for all software updates. tvOS Enable Defer software updates for and choose the delay in days. A shorter initial defer period is usually easier to manage than jumping straight to 90 days. If testing slips, you can extend the delay without starting every profile at the maximum. While an update is still inside its defer window, local tools such as System Settings / System Preferences and the softwareupdate command will not offer that update. MDM remains the supported way to install it during the deferral period. Digging Deeper The defer timer starts on Apple's release date for each individual update, not on the day you assign the profile. Update 1 is released on June 5. With a 10-day defer window, users will not see Update 1 until June 15. Update 2 is released on June 12. With the same defer window, users will not see Update 2 until June 22. MDM can still push Update 1 from June 5 onward, regardless of the defer period. MDM can still push Update 2 from June 12 onward, regardless of the defer period. Example Process With a 60-day defer policy, users will not see an update until day 60 after Apple publishes it. If Apple releases newer updates before that date, users may still see none of them until each one ages past its own defer window. FileWave can still send an MDM install command during the deferral period. That lets IT test and roll out a specific release before it becomes user-visible. Once the defer window expires, the update becomes visible to the user again. Deferral buys time for testing; it does not permanently hide updates.