Merge pull request #103 from mpanighetti/deferred-sonoma
removed Sonoma from `softwareupdate --list` on Ventura
mpanighetti committed Oct 16, 2023
2 parents f874a4a + 032a0a7 commit e6c3897
Showing 3 changed files with 15 additions and 21 deletions.
5 changes: 3 additions & 2 deletions README.md
Expand Up @@ -57,8 +57,9 @@ The framework has a few limitations of note:

- Sequential updates cannot be installed as a group (e.g. Security Update 2022-003 Catalina cannot be installed unless 10.15.7 is already installed). If multiple sequential security updates are available, they are treated as two separate rounds of prompting/deferring. As a result, Macs requiring sequential updates may take more than one deferral and enforcement cycle (default 3 days) to be fully patched.
- Reasonable attempts have been made to make this workflow enforceable, but there's nothing stopping an administrator of a Mac from unloading the LaunchDaemon or resetting the preference file.
- On Apple Silicon Macs, running `softwareupdate --download` and `softwareupdate --install` via background script are unsupported. When this framework is run on an Apple Silicon Mac, enforcement takes a "softer" form, instead opening Software Update and leaving a persistent prompt in place until the updates are applied. Note that this workflow requires the Software Update preference pane to be available to a user with a [secure token and volume ownership](https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/), so that they can apply available software updates and restart their Mac.
- macOS Big Sur, macOS Monterey, and macOS Ventura have known reliability issues when attempting to update your Mac using the `softwareupdate` binary, resulting in inconsistently presenting new updates as available or failing to install updates. Some measures have been taken to improve reliability in the latest releases of this framework, but ultimately a resolution will require a fix from Apple. The hope is that these bugs will be fixed in a future macOS software update; in the meantime, see [#54](https://github.com/mpanighetti/install-or-defer/issues/54) and [#76](https://github.com/mpanighetti/install-or-defer/issues/76) for ongoing discussions, and reach out to Apple Enterprise Support to increase signal on the issue.
- On Apple Silicon Macs, running `softwareupdate --download` and `softwareupdate --install` via background script are unsupported. When this framework is run on an Apple Silicon Mac, enforcement instead takes a "softer" form, opening Software Update and leaving a persistent prompt in place until the updates are applied. Note that this workflow requires the Software Update preference pane to be available to a user with a [secure token and volume ownership](https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/), so that they can apply available software updates and restart their Mac.
- macOS will occasionally present major macOS upgrades (such as macOS Sonoma) on Macs running previous releases, even if an MDM profile deferring major updates is in place. The suggested workaround is to also defer minor updates (possibly for a shorter period) until you can approve the major upgrade in your environment. This script will remove Sonoma as a listed update when on macOS Ventura or older, but if the Mac sees multiple updates requiring restart, the deferred update may still be installed.
- macOS Big Sur, macOS Monterey, and macOS Ventura (prior to version 13.3) had known reliability issues when attempting to update your Mac using the `softwareupdate` binary, resulting in inconsistently presenting new updates as available or failing to install updates. Some measures have been taken to improve the reliability of this script when encountering these issues, but the recommendation for a fix is to upgrade to the current supported macOS release, as Apple is no longer providing bug fixes for these macOS versions beyond security patches.


## Settings customization
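Review bot: the new Sonoma bullet documents a release-specific workaround (the script drops lines matching the literal string "macOS Sonoma" only when the major version is below 14), so this README entry goes stale the moment the next major release is advertised the same way; suggest either phrasing it generically ("this script removes the next major macOS release from the listed updates when running an older macOS version") or stating explicitly that the filter string must be updated with each major release. The sentence about the deferred update still being installed when multiple restart-requiring updates are pending is the important caveat here and should stay.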
2 changes: 1 addition & 1 deletion build-info.plist
Expand Up @@ -17,6 +17,6 @@
<key>suppress_bundle_relocation</key>
<true/>
<key>version</key>
<string>6.0.1</string>
<string>6.0.2</string>
</dict>
</plist>
29 changes: 11 additions & 18 deletions payload/Library/Scripts/Install or Defer.sh
Expand Up @@ -4,19 +4,12 @@
###
#
# Name: Install or Defer.sh
# Description: This script prompts users to install Apple system updates
# that the IT department has deemed "critical." Users will
# have the option to install the listed updates or defer for
# the established time period, with a LaunchDaemon
# periodically triggering the script to rerun. After a
# specified amount of time, alerts will be displayed until all
# required updates have been run, and if updates requiring a
# restart were run, the system restarts automatically.
# Description: This script prompts users to install Apple system updates that the IT department has deemed "critical." Users will have the option to install the listed updates or defer for the established time period, with a LaunchDaemon periodically triggering the script to rerun. After a specified amount of time, alerts will be displayed until all required updates have been run, and if updates requiring a restart were run, the system restarts automatically.
# https://github.com/mpanighetti/install-or-defer
# Authors: Mario Panighetti and Elliot Jordan
# Created: 2017-03-09
# Last Modified: 2023-03-09
# Version: 6.0.1
# Last Modified: 2023-10-13
# Version: 6.0.2
#
###

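Review bot: style: the Description header is collapsed from eight wrapped lines into a single comment line of roughly 450 characters, which no longer fits an 80-column terminal and will make any future edit to the description show up as a one-line rewrite in diffs; suggest keeping the wrapped form. The Last Modified and Version bumps in this hunk are fine and match the 6.0.2 bump in build-info.plist.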
Expand Down Expand Up @@ -150,10 +143,10 @@ quit_jamfhelper () {

}

# Deletes cached results of previous software update checks, force-restarts the com.apple.softwareupdated system service, and sleeps for a period specified by the function run command. This is a workaround for reliability issues with repeated software update checks in macOS Big Sur, macOS Monterey, and macOS Ventura (13.2.1 and older).
# Deletes cached results of previous software update checks, force-restarts the com.apple.softwareupdated system service, and sleeps for a period specified by the function run command. This is a workaround for reliability issues with repeated software update checks in macOS versions prior to macOS Ventura 13.3.
restart_softwareupdate_daemon () {

if [[ "$OS_MAJOR" -eq 11 ]] || [[ "$OS_MAJOR" -eq 12 ]] || [[ "$OS_MAJOR" -eq 13 && "$OS_MINOR" -lt 3 ]]; then
if [[ "$OS_MAJOR" -lt 13 ]] || [[ "$OS_MAJOR" -eq 13 && "$OS_MINOR" -lt 3 ]]; then
echo "Deleting cached update check data..."
/usr/bin/defaults delete "/Library/Preferences/com.apple.SoftwareUpdate.plist"
/bin/rm -f "/Library/Preferences/com.apple.SoftwareUpdate.plist"
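Review bot: the widened condition `[[ "$OS_MAJOR" -lt 13 ]]` now matches macOS 10.x as well as Big Sur and Monterey, where the previous `-eq 11 || -eq 12` test excluded it, so the plist deletion and `launchctl kickstart -k "system/com.apple.softwareupdated"` will now run on Catalina and earlier (which the script still supports, given the `OS_MAJOR -gt 10` checks elsewhere). The updated comment says "versions prior to macOS Ventura 13.3", so this may be intended, but it is new behaviour on 10.x that the old code never exercised. If the workaround is only known to be needed on 11 and 12, keep a lower bound, e.g. `[[ "$OS_MAJOR" -ge 11 && "$OS_MAJOR" -lt 13 ]] || [[ "$OS_MAJOR" -eq 13 && "$OS_MINOR" -lt 3 ]]`; otherwise state in the comment that 10.x is covered on purpose.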
Expand All @@ -164,21 +157,21 @@ restart_softwareupdate_daemon () {
fi
echo "Restarting com.apple.softwareupdated system service..."
/bin/launchctl kickstart -k "system/com.apple.softwareupdated"
sleep "${1}"
sleep 30
fi

}

# Checks for recommended macOS updates, or exits if no such updates are available.
check_for_updates () {

restart_softwareupdate_daemon "30"
restart_softwareupdate_daemon
echo "Checking for pending macOS updates..."
# Capture output of softwareupdate --list, omitting any lines containing updates deferred via MDM.
UPDATE_CHECK="$(/usr/sbin/softwareupdate --list 2>&1 | /usr/bin/grep -v 'Deferred: YES')"
# Remove any softwareupdate --list lines containing "macOS Ventura" for older macOS versions. This is a workaround for an issue where the softwareupdate output includes minor updates for later major macOS releases deferred via MDM and may not identify them as deferred in macOS Big Sur and macOS Monterey.
if [[ "$OS_MAJOR" -lt 13 ]]; then
UPDATE_CHECK=$(echo "$UPDATE_CHECK" | /usr/bin/grep -v "macOS Ventura")
# Remove any softwareupdate --list lines containing "macOS Sonoma" for older macOS versions. This addresses a macOS bug where major macOS releases are advertised as minor updates, which bypasses major macOS update deferrals via MDM. Note that this will only prevent the update from being displayed in script alerts, and the update may still be installed if multiple updates are available that require restarts.
if [[ "$OS_MAJOR" -lt 14 ]]; then
UPDATE_CHECK=$(echo "$UPDATE_CHECK" | /usr/bin/grep -v "macOS Sonoma")
fi

# Determine whether any recommended macOS updates are available. If a restart is required for any pending updates, then install all available software updates.
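Review bot: the hardcoded `sleep 30` leaves the function comment in the previous hunk stale: it still says the function "sleeps for a period specified by the function run command", but the `${1}` parameter has been removed. Either update that comment or keep the parameter with a default, e.g. `sleep "${1:-30}"`. Separately, the `grep -v "macOS Sonoma"` filter only shapes what UPDATE_CHECK shows the user; the restart-required branch described in the comment below still installs all available updates, as the README bullet in this PR acknowledges, so consider echoing a line such as "Omitting deferred macOS Sonoma from update list" when the filter removes something, so that an unexpected major upgrade can be traced in the log.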
Expand Down Expand Up @@ -294,7 +287,7 @@ install_updates () {
"$JAMFHELPER" -windowType "hud" -windowPosition "ur" -icon "$MESSAGING_LOGO" -title "$MSG_UPDATING_HEADING" -description "$MSG_UPDATING" -lockHUD &

# Install Apple system updates.
restart_softwareupdate_daemon "30"
restart_softwareupdate_daemon
echo "Installing ${INSTALL_WHICH} Apple system updates..."
# macOS Big Sur and later automatically trigger a restart as part of the softwareupdate action, meaning the script will not be able to run its clean_up functions until the next time it is run.
if [[ "$OS_MAJOR" -gt 10 ]] && [[ "$INSTALL_WHICH" = "all" ]]; then
