Delay and Enforce OS Updates

By David Marks

Keep computers updated and set a delay for installation of updates to a specified number of days

Delay macOS software updates

To maintain a consistent software update schema across your organization you can defer software updates and choose when they will automatically be installed. There are two places you'll want to configure this; Software Update profile and Restrictions profile from within your Library.

Software Update Library Item 

You can use the Software Update Library Item for Mac computers to manage downloading, installing, and deferring updates for macOS & App Store apps. This is a great way to make sure that, at minimum, security updates are being automatically installed on all of your computers.

Create a Software Update Library Item

  1. Navigate to the Library module.
  2. Click Add New in the upper right-hand corner.
  3. Select the Software Update Profile option.

Configure the Software Update Library Item 

  1. Give your software update profile a Name.
  2. Assign to your desired Assignment Maps or Classic Blueprints
  3. Select your desired settings for Automatic Updates. B6VQugdvi-QN4w9HQqXhfK-rBVZDcNXx3g
  4. Select Defer macOS updates by typefor Defer macOS updates.
    • Select the desired deferrals for each macOS update type.
  5. Click Save in the bottom right corner. V_HCY6oueMlbKxsMCrXXGNpyajkia1X-aA

Restrictions Library Item 

You can defer OS updates with the Restrictions profile in your Kandji Library. This option allows you to defer updates for a specified number of days. This can be especially helpful if you are managing Mac computers, iOS, iPadOS, and tvOS. The Restrictions profile allows you to choose whether any of the options set are applied to the specific platform you want to restrict.

T9VEafKVyiWMOVRPLsSikEtMYbc4uP4QBw

For Mac computers, Kandji recommends using a Software Update Library Item and deferring updates by specific types.

Block Beta & Standard Upgrades

The native options for blocking beta updates are also enabled using the Software Update profile in your Blueprints. With macOS Monterey 12.3 and later, a user can be offered a new software upgrade path to macOS Ventura without running a larger full installer app or authenticate as an administrator.

Due to this change, the Application Blocking Parameter cannot block these upgrades. The only circumstance when the Application Blocking Parameter will block the update is when it is downloaded from the Mac App Store. Learn more about Restricting Access to Beta OS Releases.

The following examples are specific to macOS Sonoma, macOS Ventura, and macOS Monterey. For each release, you'll need to update each setting with the relevant info specific to that release. This will only block the installer if it is downloaded from the App Store and will not block the update in Software Update.

Sequoia - Public Release

  • Process nameInstall macOS Sequoia
    • Match Type: Contains
  • Path/Applications/Install macOS Sequoia.app
    • Match Type: Contains
  • Bundle IDcom.apple.InstallAssistant.macOSSequoia
    • Match Type: Exact

Sonoma - Public Release

  • Process nameInstall macOS Sonoma
    • Match Type: Contains
  • Path/Applications/Install macOS Sonoma.app
    • Match Type: Contains
  • Bundle IDcom.apple.InstallAssistant.macOSSonoma
    • Match Type: Exact

Ventura - Public Release

  • Process nameInstall macOS Ventura
    • Match Type: Contains
  • Path/Applications/Install macOS Ventura.app
    • Match Type: Contains
  • Bundle IDcom.apple.InstallAssistant.macOSVentura
    • Match Type: Exact

Monterey - Public Release

  • Process nameInstall macOS Monterey
    • Match Type: Contains
  • Path/Applications/Install macOS Monterey.app
    • Match Type: Contains
  • Bundle IDcom.apple.InstallAssistant.macOSMonterey
    • Match Type: Exact