Software Update, macOS Ventura, and the Mac Admin

I think it’s fair to say that every Mac Admin I know has a nemesis and it’s softwareupdate. The command line binary that has lived in every Mac since Mac OS X was released has grown much like my cat: reliable, but deeply crotchety, and occasionally, vindictive.

Major upgrades to macOS, that is to say, upgrades between major versions (11 to 12, 10.15 to 11), have traditionally been done with large installers contained in an app bundle. This is the traditional “Install macOS Monterey.app” that you can download from System Preferences or the App Store. This installer is a specially-signed app bundle that can update existing sealed system volumes because it carries an Apple-only entitlement for updating the system.

These applications require admin rights to run, and the interactive process of downloading the large installer and running it puts the onus on the end-user of the device to complete the process. This is a roadblock for organizations that want to keep their devices on the latest major version after a new version is released, but whose users are not granted admin rights for security reasons.

What’s Different About Ventura?

During this year’s beta cycle, Apple released a new method of updating the operating system. You may have noticed it if you added your device to the beta of Ventura. On a Monterey device running macOS 12.3 and later, you were offered a 5-6GB install of Ventura directly in Software Update, instead of the full 11-12GB installer application.

In macOS Ventura, Apple has adopted for macOS the newer mobile software update (MSU) process that originated on iOS. That allows major and minor updates to be smaller, depending on the origin OS and the target OS.

As admins inadvertently discovered during the beta period (Apple did not document this at WWDC or in the material that followed), macOS 12.3 – 12.6 see these “delta” updates as minor software updates, even if they would result in a major upgrade. That means the following things are true:

  • Delta updates do not require admin rights to install
  • Delta updates are substantially smaller
  • Delta updates install substantially faster

These are all great things for end users. No more 60-minute major upgrades that have to happen when the user can spare an hour! Standard users can upgrade on their own! Upgrades are much smaller!

But if you’re on macOS 12.3 – 12.6, all is not perfect.

Sturm und Drang

Late in the beta cycle, when it became clear that macOS 12.3 – 12.6 would see these updates as a minor update, and not a major upgrade, admins had to make some hard choices. These updates could be delayed with a minor update delay, which was something, but that left a vanishingly small window to get a fixed version of the operating system into the hands of admins and onto their fleets.

This was fixed in the 12.6.1 release of macOS, and it now respects the major version upgrade delay, which is awesome. But 12.6.1 didn’t come out before macOS Ventura’s release. It’s only out today, on Ventura’s release day.

Fortunately, there was a change released at Apple that saved the day, and we’re all indebted to those who worked hard to make this happen.

Releases of macOS Ventura made between October 24th and November 23rd of 2022 will show differently to MDM-enrolled macOS devices. Any MDM-enrolled macOS device will see macOS Ventura as the full installer version of the operating system, same as in prior years. As with previous years, you can delay the appearance of these full installer versions by delaying major version upgrades. In addition, you can continue to block the process with a root agent, if you get the full installer version.

What this means, though, is you can’t permanently block macOS Ventura from being installed.

After 90 days – January 22, 2023 – all macOS systems that are eligible to run macOS Ventura will advertise it to the end user of the device. And, if they’re a disk owner on their computer, they will be able to upgrade to it with or without admin rights.

Enough. Tell Me How To Deal With This?

Okay fine. Here’s what you need to do:

  1. Get to macOS 12.6.1 within 30 days.
    If you want to block Ventura for as long as you can – 90 days – you need to get to 12.6.1 when it’s out. If you need a way to do this, I strongly recommend Nudge, written by Erik Gomez and released as Open Source.
  2. Use a Major Version Delay if you want to delay Ventura.
    Everyone’s got their own reasons for a delay. I’m not getting into that. If you want to delay Ventura, use a Major Version Delay policy that uses the enforcedSoftwareUpdateMajorOSDeferredInstallDelay key in the Restrictions payload, coupled with a forceDelayedMajorSoftwareUpdates key set to true.
  3. If you can’t get to 12.6.1 within 30 days…
    One, rethink your life choices. Once you’ve done that, add a Minor Version Delay policy to go with the Major Version Delay policy. Recognize that you are now no longer getting security updates for as long as you’re in this pickle. Maybe rethink those life choices again. You can still use MDM Software Update commands to update the OS to new versions of macOS Monterey in these circumstances, when they function.
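
The deferral policy from steps 2 and 3, as an added example that is not part of the original post: this Python script builds a configuration profile carrying the Restrictions payload keys named above and computes when a deferred release first becomes visible. The `com.example` identifiers, the function names, and the minor-delay keys (`forceDelayedSoftwareUpdates` and `enforcedSoftwareUpdateMinorOSDeferredInstallDelay`, which the post does not name) are assumptions.

```python
import plistlib
import uuid
from datetime import date, timedelta

MAX_DELAY_DAYS = 90  # longest deferral, per the post ("as long as you can - 90 days")


def restrictions_payload(major_days, minor_days):
    """Restrictions payload (com.apple.applicationaccess) with the deferral keys."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.deferral.restrictions",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "forceDelayedMajorSoftwareUpdates": True,
        "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": major_days,
    }
    if minor_days is not None:  # step 3: only when 12.6.1 is out of reach
        payload["forceDelayedSoftwareUpdates"] = True
        payload["enforcedSoftwareUpdateMinorOSDeferredInstallDelay"] = minor_days
    return payload


def build_deferral_profile(major_days, minor_days=None):
    """Return .mobileconfig XML bytes; reject delays outside 1..90 days."""
    for label, days in (("major", major_days), ("minor", minor_days)):
        if days is not None and not 1 <= days <= MAX_DELAY_DAYS:
            raise ValueError(f"{label} delay must be 1-{MAX_DELAY_DAYS} days: {days}")
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.deferral",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Defer macOS upgrades",
        "PayloadScope": "System",
        "PayloadContent": [restrictions_payload(major_days, minor_days)],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def first_visible(release_day, delay_days):
    """Date on which a deferred release is first offered to the user."""
    return release_day + timedelta(days=delay_days)


if __name__ == "__main__":
    print(build_deferral_profile(90).decode())
    print(first_visible(date(2022, 10, 24), 90))  # Ventura release day + 90 days
```

With the maximum delay, a release dated October 24, 2022 becomes visible on January 22, 2023, which is the cutoff the post gives.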

If you have blockers for macOS Ventura, you need to get working to resolve them before 22 January 2023, because all of these solutions will stop working at that time. Non-admin users will be advertised upgrades at that time, and you’re not going to be able to rely on the process blockers to accomplish a block. If this is insufficient for your organization, I strongly recommend filing an AppleCare Enterprise ticket if that’s available to you, as well as a Feedback request to Apple.

My testing this summer has largely been positive, and now that Login Items have their own policies, I feel most of the things stopping orgs from adopting Ventura are largely about defeating the paperwork processes that admins are subject to.

I, for one, welcome our new Venturan overlords.