Create a Mac Policy to Block Upgrades to MacOS Big Sur or Monterey

Note:

For blocking updates to macOS 13 Ventura, see Create a Mac Policy to Delay or Block Ventura.

You can block end users with standard or administrative permissions from upgrading to macOS Big Sur or Monterey using a JumpCloud policy. Two policies are available:

  • Block Monterey Installation policy - Prevents users from launching installers for Monterey or Monterey Beta.
  • Block Big Sur Installation policy - Prevents users from launching installers for Big Sur or Big Sur Beta.

These policies restricts these installers from running. A policy will not prevent the download of the Big Sur or Monterey package. However, when end users attempt to launch the macOS Big Sur installer, it's terminated. End users don't receive a block message. To allow end users to upgrade their systems to Big Sur or Monterey, systems must be disassociated from the policy.

These policies provide a safeguard against any local user upgrading to Big Sur or Monterey until your organization is ready. The policy can prevent most, if not all, of the Big Sur or Monterey upgrades from happening.

To block an upgrade to macOS Big Sur or Monterey:

  1. Create the Block Monterey Installation policy or the Block Big Sur Installation policy:
    1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
    2. Go to DEVICE MANAGEMENT > Policy Management.
    3. In the All tab, click (+).
    4. On the New Policy panel, select the Mac tab.
    5. Select the policy from the list, then click configure.
    6. (Optional) On the New Policy panel, enter a new name for the policy or keep the default. Policy names must be unique.
    7. (Optional) Select the Device Groups tab and select one or more device groups where you'll apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
    8. (Optional) Select the Devices tab. Select one or more devices where you'll apply this policy.
    9. Click save, then click save again.
  2. After the policy is applied to devices or device groups, you can run the following command on the device to ensure that the appropriate process is running that will block the Big Sur or Monterey installation. For example, for Monterey: ps -ef|grep 'com.apple.InstallAssistant.macOSMonterey'
  3. If the process to block the Big Sur or Monterey installation is running, the command output will be similar to this Big Sur message:

$ ps -ef|grep 'com.apple.InstallAssistant.macOSBigSur'
0 94708 71196 0 11:35AM ?? 0:00.01 log stream --predicate (subsystem matches
"com.apple.launchservices") && (category matches "cas") && (processImagePath contains
"InstallAssistant") && ((eventMessage contains "\"CFBundleNameLowerCase\"=\"install
mac os\"" ) && ((eventMessage contains
"\"CFBundleIdentifier\"=\"com.apple.InstallAssistant.Seed.") || (eventMessage contains
"\"CFBundleIdentifier\"=\"com.apple.InstallAssistant.macOSBigSur\"")))
--style json --level debug

If the process to block the installation is not running, the command output will be similar to this Big Sur message:

501 2216 698 0 8:39 PM ttys000 0:00.00 grep com.apple.InstallAssistant.BigSur;
501 2225 698 0 8:39 PM ttys000 0:00.00 grep com.apple.InstallAssistant.BigSur

You can further verify that the policy is applied by reviewing the jcagent log located here: /var/log/jcagent.log.

The following items appear in the log if the policy was applied successfully:

[INFO] policies manager received a request to apply block_macos_big_sur_install_darwin
policy
[INFO] policy block_macos_big_sur_install_darwin install succeeded

Considerations:

  • Applying the policy installs a monitoring process that checks for the start of the Big Sur or Monterey installation, and if detected, immediately stops it. The policy will not prevent the download of the Big Sur or Monterey package. However, after the download has completed, the installation process receives a kill signal and does not complete.
  • In System Preferences, the existence of the Block Big Sur or Monterey policy will work for local user (unmanaged) profiles.
  • This policy restricts the macOS Big Sur or Monterey installer from running. When end users attempt to launch the installer, it is terminated. End users will not receive a block message; the upgrade will simply fail.
  • This table provides an overview of the policy and the instances in which it will prevent an upgrade:
Block Big Sur or Monterey Policy State Managed and Unmanaged Users Policy Applied Results Visible
Off Allow Upgrade N/A
On Do Not Allow Upgrade

Check the status of the policy in the Admin Portal by selecting the policy and selecting the Status tab.

You can also view the jcagent.log for Managed Users and the System Preferences for Unmanaged Users.

  • If you need to return to a previous version of Big Sur or Monterey, follow Apple’s recommendations.
Troubleshooting
  1. View the jcagent log to determine if the policy was applied correctly.
  2. Gather jcagent logs prior to upgrading.
  3. Run the command below on your devices to determine if the appropriate process is running that will block the update when the Block Big Sur or Block Monterey Installation policy is applied. For example, for Big Sur: ps -ef|grep 'com.apple.InstallAssistant.macOSBigSur'
  4. If the policy is successfully applied on a device and the process to block the upgrade is running, verify that the command results look similar to this. For example, for Big Sur:

$ ps -ef|grep 'com.apple.InstallAssistant.macOSBigSur'
0 94708 71196 0 11:35AM ?? 0:00.01 log stream --predicate (subsystem matches
"com.apple.launchservices") && (category matches "cas") && (processImagePath contains
"InstallAssistant") && ((eventMessage contains "\"CFBundleNameLowerCase\"=\"install
mac os\"" ) && ((eventMessage contains
"\"CFBundleIdentifier\"=\"com.apple.InstallAssistant.Seed.") || (eventMessage contains
"\"CFBundleIdentifier\"=\"com.apple.InstallAssistant.macOSBigSur\""))) --style json --level debug

The results are similar to this if the process is not running. For example, for Big Sur:

501 2216 698 0 8:39 PM ttys000 0:00.00 grep com.apple.InstallAssistant.BigSur;
501 2225 698 0 8:39 PM ttys000 0:00.00 grep com.apple.InstallAssistant.BigSur

Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case