Defer Apple OS Updates

What

Use Apple ~~allow~~software update deferrals when you want a testing window before users tocan ~~update~~install ~~devices~~new ~~themselves,~~Apple ~~however~~updates itthemselves. ~~may~~The besetting ~~desired~~hides tomatching ~~delay~~updates anfrom ~~update,~~the ~~perhaps~~device's ~~due~~Software toUpdate ~~some~~pane ~~incompatibility~~for ~~that~~the isnumber ~~not~~of ~~yet~~days ~~resolved.~~you choose.

When/Why

~~When~~This is useful when you want to validate a new Apple release ~~updates,~~before ~~devices~~it ~~report~~reaches ~~these~~production ~~updates~~devices. Apple allows up to ~~the~~90 ~~users~~days of ~~the~~deferral. ~~device; allowing them to trigger~~During that window the update asis ~~soon~~hidden ~~as they desire. Apple provide a method to ‘Defer’ updates. Updates deferred will no longer be visible to~~from the user, ~~may~~but beFileWave ~~deferred~~can upstill install it with MDM if you decide to amove ~~maximum~~ahead.

Deferral 90only ~~days,~~affects ~~yet MDM may still push updates during~~what the ~~deferred~~user ~~timeframe.~~

sees

Asin ~~described,~~Software ~~this~~Update. ~~only~~If ~~blocks~~you also need to stop users from ~~using~~launching ~~Software Updates. Preventing users from using~~full macOS ~~Installer~~installer ~~Applications~~apps, ~~can be achieved with~~use Fileset to block Apple Install macOS applications.

How

~~The~~Create ~~method~~or ofedit ~~deferral~~an ~~varies~~Apple ~~between~~configuration ~~macOS~~profile and ~~mobile~~add ~~devices,~~the ~~but~~Restrictions ~~both~~payload ~~are~~for ~~pushed~~the ~~using~~platform ayou ~~Configuration~~manage. ~~Profile.~~Searching for defer in the Profile Editor is the quickest way to jump to the relevant settings.

iOS/iPadOS

Enable Defer software updates for and choose a value from 1 to 90 days.

macOS

~~On recent~~Current macOS ~~versions,~~payloads ~~the~~let ~~restriction~~you ~~may~~defer ~~not~~different ~~apply~~update types separately:

Defer major macOS updates for to delay major upgrades. Defer macOS updates ~~like~~for to delay minor OS updates. ~~Major~~Defer OSapp updates ~~can~~for beto ~~hidden~~delay ~~using~~non-OS software updates.

For macOS versions earlier than 11.3, the ~~--ignore~~Defer ~~option~~macOS ofupdates ~~softwareupdate~~value ~~command~~is ~~line~~used ~~tool.~~for ~~For~~all ~~instance,~~software ~~Catalina upgrade can be made hidden by running:~~updates.

softwareupdate --ignore "macOS Catalina"

~~To restore hidden updates, run the following command:~~

softwareupdate --reset-ignored

~~These commands can be sent to your devices using scripts within filesets.~~

tvOS

Enable Defer software updates for and choose the delay in days.

~~Consider~~A ashorter ~~recommended workflow where a~~initial defer ~~time frame~~period is ~~less~~usually easier to manage than ~~maximum.~~jumping ~~This~~straight ~~would~~to ~~give~~90 days. If testing slips, you can extend the ~~option~~delay towithout ~~amend~~starting every profile at the ~~policy to a greater amount where the deadline is not met. Remember to lower the defer period, on completion of the additional testing and deployment, back to the lower chosen value.~~maximum.

When updates are deferred, no local tools may be used to view or instal updates released in a time frame less than the deferred period. This not only includes System Preferences, but also the 'softwareupdate' command line tool. MDM is the only method of deployment whilstWhile an update is still ininside its ~~deferred~~defer ~~time~~window, ~~frame.~~local tools such as System Settings / System Preferences and the softwareupdate command will not offer that update. MDM remains the supported way to install it during the deferral period.

Digging Deeper

~~Deferring~~The ~~Examples~~

defer

~~Deferment~~timer ~~duration~~starts ~~commences~~on Apple's release date for each individual update, not on the ~~release~~day ~~date~~you ofassign ~~each~~the ~~update. For example, with a defer period of 10 days:~~profile.

appleOS 1.1 is released on June ~~5th~~5.
~~User~~With a 10-day defer window, users will not ~~be able to~~ see appleOS 1.1 ~~update~~ until ~~15th~~June ~~June~~15.
appleOS 1.2 is released on June ~~12th~~12.
~~Users~~With the same defer window, users will not ~~be able to~~ see appleOS 1.2 ~~update~~ until ~~22rd~~June ~~June~~22.
MDM ~~may~~can still push ~~out~~ appleOS 1.1.1 from June ~~5th~~5 ~~onwards,~~onward, regardless of the ~~deferred~~defer ~~period~~period.
MDM ~~may~~can still push ~~out~~ appleOS 1.2.2 from June ~~12th~~12 ~~onwards,~~onward, regardless of the ~~deferred~~defer ~~period~~period.

Example Process

~~Consider~~With a 60 60-day defer ~~policy.~~policy, ~~Within~~users 60will ~~days~~not ~~after~~see an update isuntil ~~released,~~day 60 after Apple publishes it. If Apple releases newer updates before that date, users may still see none of them until each one ages past its own defer window.

FileWave can still send an MDM install command during the deferral period. That lets IT test and roll out a specific release before it ~~will~~becomes ~~not~~user-visible.

~~be available to~~

Once the ~~user.~~defer ~~Once~~window ~~60 days have passed,~~expires, the update ~~will~~becomes show in Software Updates and the user may instal the update. It is possible that during that 60 day period an update is released to supersede the original. As long as Apple do not deprecate the former, it should still be available for deployment to devices.

In the example, 10.15.2 and 10.15.3 were released prior to 10.15.1 reaching its 60 day policy restriction. As such none of the 10.15 updates will be available to the end user. During the 60 day time frame, an MDM command may be sent to the device to instal the update; as indicated on day 50 of the example. In this instance, the command to instal 10.15.1 was sent. If not deprecated, a 10.15.1 notification should be presentedvisible to the user toagain. ~~instal~~Deferral ~~the~~buys ~~update.~~

time

60for ~~days~~testing; ~~from~~it ~~an updates release, the policy lapses and the user is notified of the update, regardless; any devices that had~~does not ~~yet~~permanently ~~received~~hide the 10.15.1 deployment would then notify the user. If testing has not been completed and the 60 day policy lapses, as seen with 10.15.2, then the user will still be notified that the update exists; day 80, 60 days after day 20 when 10.15.2 was released.updates.

It is therefore possible to be testing multiple versions of updates, prior to release to users. However, it is not possible to prevent the users from seeing those updates once the deferred period has been exceeded.