How to postpone/defer the macOS Sequoia upgrade using Endpoint Central?

Applicable Methods (Product Wise)

Find the appropriate methods applicable based on product:

Product Sequoia support Block Configuration Using MDM Using Application Control Plus Disable Automatic Updates (Patch) Disable Automatic Updates (Script)
Endpoint Central Yes Yes Yes Yes Yes Yes
Endpoint Central MSP Yes Yes Yes Yes Yes Yes
Patch Manager Plus Yes No No No Yes No
Patch Connect Plus No N/A N/A N/A N/A N/A
Vulnerability Manager Plus Yes No No No Yes No
Application Control Plus Yes No No Yes No No
Device Control Plus Yes No No No No No
Browser Security Plus Yes No No No No No
RMM Central Yes Yes Yes No Yes Yes
Remote Access Plus Yes No No No No No
Endpoint DLP No N/A N/A N/A N/A N/A

Deploying a block configuration to prevent application execution

Admins can deploy a block configuration to prevent the macOS Sequoia upgrade application from running in their environment using Endpoint Central. For more details, refer to this guide: App restriction in Mac

  • Bundle Identifier: com.apple.InstallAssistant.macOSSequoia
  • Installer Name: Install macOS Sequoia.app
NOTE: Deferring MacOS Sequoia through block configuration will not work for MacOS Sonoma.
 

MDM specific configurations

  1. Through Custom Configurations:

    • Download RestrictOSUpgrade.mobileconfig file
    • Extract the zip file and get the profile named "RestrictOSUpgrade.mobileconfig".
    • Navigate to Configuration > Mac Configuration > Custom Configuration.
    • Attach the "RestrictOSUpgrade.mobileconfig" profile and deploy it to the target devices. This will defer the OS upgrade and prevent it from being shown in Software Update.
  • NOTE: The macOS Upgrade through custom configuration can be deferred via MDM for upto 90 days.

 

       2. Disabling the software update system settings menu:

    • Navigate to Configurations -> Mac Configuration -> System Preferences.
    • Select Software Update and deploy the configuration to the target devices. This will remove the Software Update option from the System Settings menu.

Blocking the OS upgrade application via Application Control Plus

        To block the macOS Sequoia upgrade application via Application Control Plus:

  • Navigate to App Ctrl -> Application Groups -> Create Blocklist (Mac).
  • Select Install macOS Sequoia.app and deploy the created blocklisted app group to the target devices.
  • This will prevent end users from upgrading via the application.
 
    NOTE: If Install macOS Sequoia.app is not already available in the App Group list, you can create a custom rule. For more details, refer here: Creating custom rules
  • Custom Rule Details: 
    • Rule Type: Application
    • Vendor Name: Apple Upgrade
    • Team Identifier: unknown-acp
    • Application Name: Install macOS Sequoia.app
    • Bundle Identifier: com.apple.InstallAssistant.macOSSequoia
    • Verified Publisher: Yes
 

Turning off automatic updates 

  1. Using Patch:
    • Navigate to Patch Management > Patches > Supported Patches > 604011 - Turn off Mac Automatic Update (Deployment-Only).
    • Deploy this patch to the target devices. This will turn off automatic updates on those endpoints.
    • To enable automatic updatesnavigate to Patch Management > Patches > Supported Patches > 604012 - Turn on Mac Automatic Update (Deployment-Only).
  2. Using Scripts:
    • Navigate to Configuration > Script Repository > Templates > Search "AppStoreAutoUpdateDisable.sh" > Add to Repository.
    • Create a Mac custom script configuration with "AppStoreAutoUpdateDisable.sh" and deploy it.
    • To enable automatic updates, use the "AppStoreAutoUpdateEnable.sh" script and deploy it.
     NOTE: "Turning off automatic updates" will only disable the Mac Automatic Update. Endpoint users can still update their Mac manually.