Deferring OS Updates with Addigy

Intro

OS Update season is coming up. With Apple’s release of OS 26 on Monday September 15th 2025 this blog post will help you know what steps you need to take if your organization is not ready to adopt OS 26 just yet.

The first thing of note is that totally blocking the OS Upgrade has become more difficult over the years. That is why we refer to this as more of a deferral than a block. You can still take steps to block the upgrade of the OS major version but after a point 90 days after release the suppression of the update will be harder to keep under wraps and out of the line of sight for the end user on the Apple device.

This blog post will cover how to defer and block to the best of your ability major version upgrades for macOS, iOS, and iPadOS. Something of note and some points of clarification that will prove helpful is “Update” versus the term “Upgrade”, in Apple nomenclature update is for a minor version meaning say macOS 15.4 to macOS 15.5 or iOS 18.6 to iOS 18.6.2. This could also be referred to as a DOT release. This is small improvements in the OS vs. a full refactor or major UI change. An upgrade is a major version change like macOS 15 to macOS 26 that we are about to see this fall. With that in mind let’s dive in.

macOS

macOS can have a deferral set via MDM Profile or Declarative Device Management to stop versions from updating and or upgrading. This will stop the end user from seeing native notifications about the new OS update or upgrade, and it will stop them from seeing the new OS version in the Software Update area of the Settings.app on device.

Some device management services such as Addigy also have the ability to kill the OS Full Installer that can be separately sought out by the end user in the Apple App Store. This full installer is its own process that uses its own binary (startosinstall) vs. the built in softwareupdated services on device.

By deferring the notifications and auto install and blocking those processes can stop the rollout of a new OS to your Apple devices for a period of time until your organization is ready to adopt the latest version of Apple’s OS to ensure full device security and a great end user experience.

Starting with macOS Big Sur (released in 2021), Apple has deprecated the ability to block and ignore system updates via the softwareupdate utility. This means that updates and upgrades can only be hidden for a maximum of 90 days.

Ignoring Updates and Upgrades via Restrictions MDM Profile – macOS

The Restrictions MDM Configuration allows you to defer major and minor updates in a range of 1-90 days. When enabled, it prevents end-users from seeing the updates in System Settings > General > Software Updates on their Mac depending on the amount of time that is defined.

This configuration can be found in the Addigy Catalog > MDM Profiles > New > Restrictions > Software Updates. 

The below screenshot is an example configuration of setting up a major version upgrade deferral for 90 days. When setup this way, the end user will not see any major version upgrade prompts that are less than 90 days old when they navigate to System Settings > General > Software Update on their Mac. For example, macOS Tahoe 26.0 will be released on September 15th 2025 which means this MDM profile can no longer force the OS to ignore the upgrade starting on December 14th 2025.

Ignoring Updates and Upgrades via Declarative Device Management – macOS

Added with macOS 15 and iOS/iPadOS 18 in 2024 Apple gave Apple admins a new way to defer OS updates and upgrades via Declarative Device Management this can also be used in conjunction with the new Automatic Actions that use on device machine learning to find the best time to run and update or upgrade with minimal impact to the end user (more on that here).

The Software Update Settings declaration acts very similar to the MDM Profile with the restrictions payload but this new declaration can be used in conjunction with the Automatic 

Let’s take a look at an example of this in a policy using the new  Software Update Settings declaration…

In this policy we see a device that will automatically update and or upgrade the OS after the deferral has run down the clock. However, it is staggered in release cadence and software titles/applications.

In short this is what would happen for each update or upgrade on device as an example:

• Major Update/Upgrade
  • macOS 15.6.1 on device would see macOS 26.0 when it comes out on September 15th 2025, but it would hide it from the end user for 60 days until November 14th 2025. Then after November 14th 2025 the macOS device would attempt to run that upgrade as soon as it can more than likely overnight when the device is in PowerNap with ample state of charge or direct A/C power. It may take a day or two after that November 14th 2025 open window starts but it would update to macOS 26 at that time.
• Minor Update
  • macOS 15.6 to macOS 15.6.1 would act the same but in a shorter window of time for 30 days. Meaning that on October 14th 2025 the macOS device would attempt to run that update as soon as it can more than likely overnight when the device is in PowerNap with ample state of charge or direct A/C power.
• System Non-OS Update
  • Safari 18.5 to 18.6 on macOS would have an even shorter window of time. Safari 18.6 came out on July 29th 2025 so after 14 days on August 12th 2025 Safari would attempt an update to 18.6 from 18.5 if possible. This might not even need a reboot. macOS will just look for a window of time with Safari.app closed and attempt the update at that time. Some versions of Safari may require a reboot but not always.

To see how to deploy this check out this KB link.

The bottom line is that this will stay in place on device as long as you have it added to your policy, but note it is unique to each major version of macOS so adding it once will not cover you for major versions to come. You must add it with each yearly OS release cycle when the blocker is available.

iOS and iPadOS

iOS and iPadOS can have a deferral set via MDM Profile or Declarative Device Management to stop versions from updating and or upgrading. This will stop the end user from seeing native notifications about the new OS update or upgrade, and it will stop them from seeing the new OS version in the Software Update area of the Settings.app on device.

By deferring the notifications and auto-install actions you can slow the rollout of a new OS to your Apple devices for a period of time until your organization is ready to adopt the latest version of Apple’s OS to ensure full device security and a great end user experience.

Ignoring Updates and Upgrades via Restrictions MDM Profile – iOS

The Restrictions MDM Configuration allows you to defer major and minor updates in a range of 1-90 days. When enabled, it prevents end-users from seeing the updates in System Settings > General > Software Updates on their Mac depending on the amount of time that is defined.

This configuration can be found in the Addigy Catalog > MDM Profiles > New > Restrictions > Software Updates. 

The below screenshot is an example configuration of setting up a major version upgrade deferral for 90 days. When setup this way, the end user will not see any major version upgrade prompts that are less than 90 days old when they navigate to System Settings > General > Software Update on their Mac. For example, iOS 26.0 will be released on September 15th 2025 which means this MDM profile can no longer force the OS to ignore the upgrade starting on December 14th 2025.

Ignoring Updates and Upgrades via Declarative Device Management – macOS

Added with OS/iPadOS 18 in 2024 Apple gave Apple admins a new way to defer OS updates and upgrades via Declarative Device Management this can also be used in conjunction with the new Automatic Actions that use on device machine learning to find the best time to run and update or upgrade with minimal impact to the end user
(more on that here).

The Software Update Settings declaration acts very similar to the MDM Profile with the restrictions payload but this new declaration can be used in conjunction with the Automatic 

Let’s take a look at an example of this in a policy using the new Software Update Settings declaration…

In this policy we see a device that will automatically update and or upgrade the OS after the deferral has run down the clock. It will also show the end user the newest version at that time after the deferral window is up

In short this is what would happen for each update or upgrade on device as an example:

• Recommended Cadence
  • Oldest – Shows only the oldest (lower numbered) software update version.
  • Newest – Shows only the newest (highest numbered) software update version.
• Combined Period
  • Unlike macOS with iOS and iPadOS there is not an option to stagger the major vs. minor OS upgrades and updates with a set 1-90 day time period. This value specifies the number of days to defer a major or minor OS software update on the device. When set, software updates only appear after the specified delay, following the release of the software update.

Summary

In closing make sure you check out and utilize these different ways of deferring OS updates and most importantly upgrades before OS Update season. OS updates and upgrades are critical to security, but 3rd party software and special tools that organizations use are not always ready to be used with the latest OS on release day. These controls to phase in the new OS from Apple are here to help make that update and upgrade process smooth and orderly.

Do not forget to join in to the sudo talk webinar on September 16th to learn more about this live and join in the Q&A.

macOS 26 is upon us