Apple Device Management and Security

MacOS Ventura – Major Changes For Enterprise

By Dan Ellis
Systems Engineer

Is your Mac fleet ready for macOS Ventura?

macOS Ventura was released in October and brought a whole host of changes and advancements to the way users can get the most out of their Mac.

But what about changes related to Device Management and Enterprise? Let’s break down two major changes that are core to a successful Ventura rollout in your environment.

Major Upgrade vs Delta Upgrade?

This year, Apple introduced the possibility for Ventura to be installed via a ‘Delta Upgrade’ on any Mac running macOS 12.3 or later. This is a big change from previous years, where a full installer app was downloaded and Admin credentials were required to install the upgrade.

The Delta Upgrade variant does not require Admin credentials (a volume owner’s password will still be required on Apple Silicon Macs). While at face value this presents a smoother transition from Monterey, how can we effectively manage this if the organisation is not ready for Ventura?

Extensive Beta testing and feedback led to Apple introducing a big enterprise-only adaptation to the Ventura Upgrade experience, restricted to MDM-Supervised Macs only.

While consumer, non-managed Macs were able to utilise the Delta Upgrade from Day 1, MDM-Supervised Macs were only able to use the full Installer ‘.app’ variant for the first 30 days from Ventura’s release. The next Ventura release after this 30-day period will be made available as a Delta Upgrade.

Therefore, the answer to how to block Ventura, if you haven’t already deployed it on Day 1, depends on the version of macOS your fleet is running and how quickly you can get your Macs onto 12.6.1.

MacOS versions

MacOS 12.6.1

12.6.1 correctly blocks the Delta Upgrade option using the Major Update Deferral key. This means you can adjust your Restrictions Profile in Jamf Pro accordingly and block Ventura for up to 90 days from the day of release.

MacOS 12.3 – 12.6

These Macs do not correctly block Ventura’s Delta Upgrade option via the expected Major Update Deferral key. Instead, the Minor Update Deferral key needs to be used; however, this would also block the ability to update to 12.6.1.

The idea behind Apple’s 30-day, full Installer-only grace period was to give time for organisations to get their fleet up to 12.6.1.

Doing so will make your Ventura deferral experience significantly easier, since you can then block future Ventura Delta Upgrades via the expected Major Update Deferral.

MacOS 12.2.1 or earlier

These Macs will only be offered the full installer .app version of the Upgrade, so there will be no difference to previous Upgrade experiences.

Managed Login Items

Another consideration for macOS Ventura is Background and Login item management, found within System Settings (System Settings > General > Login Items).

This is largely referring to Launch Daemons and Launch Agents. Users typically do not know these are in use on a Mac, but this is different with Ventura. A user can, by default, navigate to the relevant items in System Settings and turn them off. This could cause issues with management tools and software that rely on these items being enabled.

At the time of writing, Jamf Pro does not natively provide the required Configuration Profile GUI to manage these (Jamf Pro 10.42 comes with predefined Configuration Profiles that manage Jamf’s Background and Login items).

However, appropriate management can be achieved by creating a custom Configuration Profile and uploading directly to Jamf Pro. This would remove any possibility of users being able to disable these important tools themselves.

  • On a Ventura Mac, running sfltool dumpbtm in Terminal will provide a list of Background and Login Items that can be managed.
  • From here, extracting the Team Identifiers and/or Identifier Label Prefixes and utilising a tool like iMazing Profile Editor to add them to a com.apple.servicemanagement Configuration Profile will allow these items to be managed centrally, and prevent users tampering with them.
  • It is important to note that you cannot scope this to Macs running Monterey or earlier in preparation for upgrading to Ventura. You must wait to scope only to Macs running macOS 13 or later.
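
The steps above can also be scripted. The following is an added example, not code from Jamf, Apple or the author: it reads the Team Identifier and Identifier fields from a dump, emits TeamIdentifier and LabelPrefix rules only for values on an approved list, reports anything left uncovered, and serialises the result as a profile ready to upload. The sample dump, the team IDs, the `org.example` identifiers and the assumption that the dump labels its fields this way are all illustrative.

```python
import plistlib
import re
import uuid

# Constructed sample, cut down to the two dump fields used here; values are placeholders.
SAMPLE_DUMP = """\
      Team Identifier: ABCDE12345
           Identifier: com.example.mdm.daemon
      Team Identifier: (null)
           Identifier: org.example.corp.inventory
      Team Identifier: ZYXWV98765
           Identifier: com.example.game.updater
"""
FIELD = re.compile(r"^[ \t]*(Team Identifier|Identifier):[ \t]*(\S+)", re.M)

def parse_items(dump):
    """Return (team_id_or_None, identifier) pairs; assumes Identifier is the label."""
    items, team = [], None
    for key, value in FIELD.findall(dump):
        if key == "Team Identifier":
            team = value if re.fullmatch(r"[A-Z0-9]{10}", value) else None
        else:
            items.append((team, value))
            team = None  # do not carry a team ID over to the next record
    return items

def build_rules(items, approved_teams, approved_prefixes):
    """Rules only for approved values seen in the dump; the rest is reported."""
    rules, uncovered = set(), []
    for team, ident in items:
        prefix = next((p for p in approved_prefixes if ident.startswith(p)), None)
        if team in approved_teams:
            rules.add(("TeamIdentifier", team))
        elif prefix:
            rules.add(("LabelPrefix", prefix))
        else:
            uncovered.append(ident)  # not approved: stays user-controllable
    return sorted(rules), uncovered

def build_profile(rules, org="org.example"):
    """Wrap the rules in a com.apple.servicemanagement payload and serialise it."""
    common = {"PayloadVersion": 1, "PayloadDisplayName": "Managed Login Items"}
    payload = dict(common, PayloadType="com.apple.servicemanagement",
                   PayloadIdentifier=f"{org}.servicemanagement",
                   PayloadUUID=str(uuid.uuid4()).upper(),
                   Rules=[{"RuleType": t, "RuleValue": v} for t, v in rules])
    profile = dict(common, PayloadType="Configuration", PayloadScope="System",
                   PayloadIdentifier=f"{org}.loginitems",
                   PayloadUUID=str(uuid.uuid4()).upper(), PayloadContent=[payload])
    return plistlib.dumps(profile)
```

Write the returned bytes to a `.mobileconfig` file for upload, and review the uncovered list before widening the approved values, since every rule removes the user's ability to switch that item off.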

Need Help?

These are just two of the main enterprise-focused Ventura updates that have become apparent during testing. If you need any assistance with upgrading your fleet to macOS Ventura, get in touch with us here at DARE to learn about some of our solutions and allow your users to take advantage of the latest macOS enhancements Apple have to offer.