First of all, I'll admit I'm late with this blog due to some technical issues with launching my blog. The latest major macOS update, "Sonoma," came out on the 26th of September. Luckily, macOS major updates are not automatically installed but offered to users instead. It will be visible on their MacBooks, and they will be able to upgrade to the new major version. This blog might still help you in preventing users from updating to Sonoma.
Users updating their MacBooks might not be in line with your company's update policy or vision, especially in an enterprise setting. You will want to delay the update so you can properly test new functions, communicate them to users to support adoption, and have ample time to test your applications.
Delay
Indeed, delay the update. There is currently no way to completely block or hide this update after the limit of 90 days passes. You can configure the update to be deferred (hidden from the users) for up to 90 days from the release date, which was the 26th of September. The update will not be visible in the menu for end-users till the 90 days pass. Regardless of whether you're utilizing Microsoft Intune or Jamf to oversee your macOS devices, there is no distinction in this context. This limitation stems from Apple's platform constraints and, as of now, is beyond the control of MDM platforms.
Important note: This method will not block the startosinstall command line tool. Smart users will still be able to upgrade their major macOS version. There are other ways to block this, which I will mention at the bottom of this post.
Developer version
Companies and especially enterprises should be well prepared for major versions, not only on the macOS platform. While 90 days may sound like not enough time, I enrolled some devices into the macOS Sonoma developer beta around June this year. This gave our company plenty of time to properly test and prepare for this update. You should plan for release and start with an early ring deployment to prevent chaos and panic when Apple hits the release button. Luckily, Apple has always followed the same pattern for releasing major updates every year, which is around September. If you want to get the public beta, the first thing you need to do is register for the Apple Beta Software Programme with your Apple ID. There are plenty of blogs on how to do this and install the beta version on your MacBook.
Make sure to properly inform your first ring of users or champions that advocate and promote the adoption of the upgrade.
I recommend you properly test some of your MacBooks with the beta/dev version of the new major release ahead of the release date so you are well prepared.
And most importantly, make a Time Machine backup before you install any beta version of the major release!
Create the policy in Microsoft Intune
* Navigate to Endpoint Manager and create a new settings catalog policy
![](https://static.wixstatic.com/media/88655a_4e7ec3bf1a95442ea3e076dd57983cda~mv2.png/v1/fill/w_122,h_38,al_c,q_85,enc_auto/88655a_4e7ec3bf1a95442ea3e076dd57983cda~mv2.png)
* Create a new settings policy and select the macOS platform
![](https://static.wixstatic.com/media/88655a_e041bdd8658548b59206c4876c3f0598~mv2.png/v1/fill/w_600,h_124,al_c,q_85,enc_auto/88655a_e041bdd8658548b59206c4876c3f0598~mv2.png)
* Select the two settings listed below. Note that both options need to be selected and toggled to True for the policy to work. I tried using only "Enforced Software Update Major OS Deferred Install Delay" with a value, and this did not work without the "Force Delayed Major Software Updates" option. Notice that the maximum value we can configure is 90 days. For our company we have configured this option to be 30 days, as we've been thoroughly testing the developer version of Sonoma with a group of champions.
![](https://static.wixstatic.com/media/88655a_d668750bca474ec59a98b7fbd8520536~mv2.png/v1/fill/w_798,h_522,al_c,q_90,enc_auto/88655a_d668750bca474ec59a98b7fbd8520536~mv2.png)
* Deploy this to a group of devices. I personally prefer to use filters, selecting all the Corporate macOS devices within the company.
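To check a profile before it is deployed, the added example below (not part of the original post and not Intune's own code) audits a configuration profile for the two settings described above and computes the date on which the major update becomes visible. It assumes the settings map to Apple's Restrictions payload keys `forceDelayedMajorSoftwareUpdates` and `enforcedSoftwareUpdateMajorOSDeferredInstallDelay`, uses 2023 as the year of the 26 September release, and runs on constructed sample profiles rather than a real export.

```python
import plistlib
from datetime import date, timedelta

# Apple Restrictions payload (com.apple.applicationaccess) keys behind the two settings.
FORCE_KEY = "forceDelayedMajorSoftwareUpdates"
DELAY_KEY = "enforcedSoftwareUpdateMajorOSDeferredInstallDelay"
MAX_DELAY_DAYS = 90  # platform maximum stated in the post

def audit_deferral(profile_bytes, release_date):
    """Return (findings, visible_on); visible_on is None if the deferral is not effective."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.applicationaccess"]
    if not payloads:
        return ["no com.apple.applicationaccess payload in profile"], None
    findings = []
    settings = payloads[0]
    force = settings.get(FORCE_KEY)
    delay = settings.get(DELAY_KEY)
    if force is not True:
        findings.append(f"{FORCE_KEY} is not true; the delay value alone is not enough")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(delay, bool) or not isinstance(delay, int):
        findings.append(f"{DELAY_KEY} is missing or not an integer")
    elif not 1 <= delay <= MAX_DELAY_DAYS:  # lower bound of 1 is an assumption
        findings.append(f"{DELAY_KEY}={delay} is outside 1..{MAX_DELAY_DAYS} days")
    if findings:
        return findings, None
    return [], release_date + timedelta(days=delay)

def build_sample(settings):
    """Constructed sample profile for the demo, not an export from Intune."""
    payload = {"PayloadType": "com.apple.applicationaccess", **settings}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})

SONOMA_RELEASE = date(2023, 9, 26)
GOOD = build_sample({FORCE_KEY: True, DELAY_KEY: 30})        # both settings, 30 days
DELAY_ONLY = build_sample({DELAY_KEY: 30})                   # the case that did not work
TOO_LONG = build_sample({FORCE_KEY: True, DELAY_KEY: 120})   # beyond the 90-day limit

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("delay only", DELAY_ONLY), ("too long", TOO_LONG)]:
        print(name, audit_deferral(blob, SONOMA_RELEASE))
```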
Ways to circumvent the policy?
Some users will find other ways to install the major macOS update. They could for example try to manually install the update using the command line tool in macOS.
You can use an Intune policy, specifically the macOS policy template "Device restrictions" > "Restricted Apps", to block the installer application that is launched when using this process. Add the following bundle IDs to the policy block list to block the installer from running:
"com.apple.InstallAssistant.macOSSonoma"
"com.apple.InstallAssistant.Seed.macOS14Seed"
"com.apple.InstallAssistant.macOS14"