hoakley February 12, 2024 Macs, Technology

Can you avoid a forced upgrade to Sonoma?

In the middle of January, several whose Macs were capable of running macOS Sonoma, but were still running Monterey or Ventura, reported that their Macs had automatically started to download and install the upgrade to Sonoma, despite not having opted to do that. Although a detailed analysis by Adam Engst on TidBITS laid the blame on what could only have been a serious bug in the upgrade notification, I’ve had reports from users who insist that they never saw or dismissed that. Reports of this problem have since petered out, and in the absence of further information such as log records, it has been assumed that blocking the upgrade notification is sufficient to prevent future forced macOS upgrades. Most recently, Jeff Johnson has detailed how to stop Upgrade to macOS Sonoma notifications.

Current situation

Since 23 January, repeated attempts to reproduce the reported behaviour using VMs running Monterey and Ventura have failed to result in any unintended download of a Sonoma upgrade. Whatever the original cause of those forced upgrades thus appears to have been rectified, and dismissing an Upgrade to macOS Sonoma notification should, for now, be a safe action for those intending to continue using older macOS.

Blocking the notification

Jeff Johnson’s remedy of using a command like
defaults write com.apple.SoftwareUpdate MajorOSUserNotificationDate -date "2025-02-07 23:22:47 +0000"
to set the MajorOSUserNotificationDate key to the distant future is completely effective in preventing that notification, but has two important limitations. First, macOS stores that key-value pair not in the system-level /Library/Preferences/com.apple.SoftwareUpdate.plist, but in that file in each user’s Home folder Library. For Macs with more than one user, that key-value pair must be set in each user’s ~/Library/Preferences/com.apple.SoftwareUpdate.plist to ensure the notification doesn’t occur.

Of greater concern, though, is that command only blocks macOS from showing the notification, and doesn’t alter the behaviour of any other part of Software Update, softwareupdate, or their supporting processes. If those forced upgrades had been initiated independently of that notification, as some accounts imply, then blocking its appearance wouldn’t have prevented the upgrade from occurring.

Blocking the upgrade

There are two ways to prevent software update processes in recent versions of macOS from initiating and performing an upgrade to Sonoma. The ‘hard’ way is to block outgoing access for those processes that access Apple’s software update service, either by severing that Mac’s network connections altogether, or by selective blocking in software. As both of those also block access to all software updates, including security updates to that version of macOS and security data updates to XProtect and others, few could contemplate doing that for long.

Automatic checks for updates are controlled by Software Update settings in System Preferences or System Settings, but those ‘soft’ controls only determine whether macOS makes those checks automatically. Merely opening those settings initiates a full check for updates, and will inform software update processes that the Sonoma upgrade is available. Similarly, there appears to be no available option to the softwareupdate command which can avoid that.

At times macOS can appear to be devious about Sonoma upgrades. In this example, a VM running Monterey 12.7.3 without a network connection was set with Check for updates disabled, shut down, then run again with a bridged Ethernet connection. When the command
softwareupdate -l --include-config-data
was run in Terminal, it didn’t report the availability of the macOS Sonoma upgrade, but still triggered the upgrade notification and offered that upgrade in Software Update. When repeated in Ventura 13.6.4, the Sonoma upgrade was at least listed among those available.

softwareupd01

When Check for updates is disabled, any access to Software Update or use of the softwareupdate command tool seems certain to result in software update processes preparing to perform the upgrade.

I here declare a personal interest, as SilentKnight uses the softwareupdate -l --include-config-data command when it checks for available updates. I’m aware of at least one Mac that underwent forced upgrade to Sonoma immediately after its user had opened SilentKnight, and suspicious that command could have triggered the bug, apparently without any user notification.

Update check and notification

Examining the log following triggering of processes intending to initiate upgrade to Sonoma is concerning. For a period of 6 seconds, there are copious entries from com.apple.SoftwareUpdate and related subsystems and processes such as SoftwareUpdateNotificationManager (in the SoftwareUpdate private framework). The latter does check the MajorOSUserNotificationDate key-value pair (as identified by Jeff Johnson) when deciding whether to post a notification to the user.

The com.apple.SoftwareUpdateMacController subsystem in conjunction with the softwareupdated service are largely responsible for scanning for available updates. Once detailed information about all the available updates and their components has been assembled, SoftwareUpdateNotificationManager considers whether to post a notification, in log entries such as
SoftwareUpdateNotificationManager SUOSUNotificationUpdateService: Posting major OS notification for <SUOSUMajorProduct: MSU_UPDATE_23D60_patch_14.3.1>(Title:macOS Sonoma 14.3.1 Version:14.3.1, Identifier:(null), IconSize:6941084, Deferred:0, Deferred Until:(null)) SoftwareUpdateNotificationManager Check if exceeded last user notification major OS update post date (Sat Feb 10 16:03:49 2024) with interval (604800.000000): 0 SoftwareUpdateNotificationManager SUOSUNotificationManager: Major OS time interval not elapsed, don't post notification SoftwareUpdateMacController SUMacControllerDescriptor:initWithCoder - using initialization method: SUMacControllerDescriptorInitWithSUCoreDescriptor SoftwareUpdateCore [DOCUMENTATION] Using icon path: /System/Library/AssetsV2/com_apple_MobileAsset_SoftwareUpdateDocumentation/9edef03105afe359100bb20e674974d267bcfcfd.asset/AssetData/OSBadge.icns

Examination of com.apple.SoftwareUpdate.plist preferences has failed to reveal the source of the interval of 604800 seconds allowed between upgrade notifications; that amounts to a period of one week.

This confirms that posting the Upgrade to macOS Sonoma notification is but the final step in extensive preparations to start the upgrade. If forced upgrades that took place in the middle of January did occur without the user interacting with that notification, then it suggests that blocking the appearance of the notification may not be effective in the event of a repetition of this or a similar bug.

Conclusions

In recent versions of macOS, software update processes are weighted heavily in favour of upgrading macOS, and the slightest user error or bug can result in an unintended upgrade. This is even more of a problem with Ventura and Sonoma upgrades, as they no longer require a full installer to be downloaded and run, but can be installed using a similar process to a minor version update. For those reliant on software or hardware that can’t be used in macOS Sonoma, that can burden them with the task of downgrading their macOS before their Mac can be used again.

macOS should better accommodate the needs of its users. While it’s fair game to encourage and persuade users to upgrade, tricking them into doing so is in no one’s best interest.

32Comments

Add yours

1

EcleX on February 12, 2024 at 7:58 am

Thanks for the interesting article. Apple should also show available updates like security ones when automatic updates are NOT selected in “Apple – System Settings – General – Software Updates”. Now it only shows macOS or Safari updates, but not security ones. Is Apple listening?

LikeLiked by 1 person
- 2
  
  hoakley on February 12, 2024 at 8:35 am
  
  Thank you.
  I don’t think security data updates have ever been shown in Software Update. They’re so important that they must be kept secret :)
  Howard.
  
  LikeLike
  - 3
    
    EcleX on February 12, 2024 at 9:03 am
    
    Thanks. Then, perhaps Apple should say “an update is available to improve your Mac” (or similar). Anything except leaving users without knowing that an update is available just because they have NOT automatic updates. Not all Mac users know SilentKnight… BTW, a Safari update is showing now, and they usually are security updates.
    
    LikeLiked by 1 person
4

Eric deRuiter on February 12, 2024 at 11:30 am

I used to block updates by making a dummy installer file in Applications so the download of it would fail. Not sure if that still works but here is Big Sur version, would have to be edited with Sonoma installer name and tested.

cd /Applications; sudo echo “placeholderFileDisablesDownloading” > “Install macOS Big Sur.app”; sudo chflags uchg “Install macOS Big Sur.app”

LikeLiked by 1 person
- 5
  
  hoakley on February 12, 2024 at 12:29 pm
  
  Thank you.
  I’m never sure of the purpose of doing that. When an upgrade downloads a full Installer app, while that app starts automatically, it requires user interaction and can’t install a forced upgrade. All you have to do is quit the app and trash it.
  As I’ve pointed out above, the problem with both Ventura and Sonoma is that they often aren’t upgraded via a full Installer app, but using the same mechanism as a minor update. That not only starts automatically, but in these cases will proceed automatically to install the upgrade, to the point where the Mac simply reboots in the new version of macOS without any user intervention at all. That shouldn’t happen on Apple silicon Macs, where authentication is supposed to be required before the upgrade can start, but in these cases even that seems to be bypassed. And there’s no full Installer app involved at all.
  Howard.
  
  LikeLike
  - 6
    
    Eric deRuiter on February 22, 2024 at 8:08 pm
    
    I found it useful to prevent users from being able to install major version upgrades, not for my own computer.
    
    I wonder if this method can be used to block the minor update download file creation by creating a dummy file so it isn’t downloaded in the first place. I don’t know the path that it stores them, and there may be other hurdles. Is it a temp folder created at the time of download so there is nowhere to make the dummy file in advance? Is it somewhere that is blocked by SIP in modifying? Is the filename of the installer file predictable so we know what to name the dummy file?
    
    LikeLiked by 1 person
    - 7
      
      hoakley on February 22, 2024 at 8:37 pm
      
      I don’t think that macOS updates work the way that you think they do, any more. On Apple silicon Macs in particular, download is into a stream that’s decompressed and in some cases at least installed directly. There’s no indication that Software Update downloads an installer bundle/package, then runs its softwareupdate brain, as separate actions. And any storage used is heavily obfuscated, and rendered as inaccessible as possible.
      Perhaps you might try looking for the location.
      Howard.
      
      LikeLike
8

lestertwice on February 12, 2024 at 4:34 pm

Hi Howard, thanks as usual. I just wanted to confirm partly your caveat about SilentKnight. I use your blog as my personal update notifier and on January 31, after reading about XProtect 2183 fresh release, I proceeded to download and install it with SilentKnight (“Install named update”). A couple of minutes later I received the Upgrade to Sonoma notification and, much worse, a further notification that “updates are ready to be installed” (XProtect update had already been installed, but I noticed that not infrequently I’m getting notifications with some delay. I hope this was the case). Unfortunately I was bewildered and didn’t rush to take a screenshot. A quick control revealed that nothing else had actually been downloaded.

Needless to say, all automatic software checks and updates are disabled on my MacBookAir8,2 running Ventura 13.6.3. I don’t really feel like updating anything in the next future.

LikeLiked by 1 person
- 9
  
  hoakley on February 12, 2024 at 5:59 pm
  
  Thankfully, you weren’t running the gauntlet of a forced upgrade. Since 23 January, if not slightly earlier, the error/bug that caused it has been fixed. Yes, you’ll continue to get those notifications unless you block them using Jeff Johnson’s technique, but all you have to do is dismiss them.
  Unfortunately, as I make clear above, there’s no way to even check which updates are available, let alone download the ones you want, without triggering this. But it shouldn’t put your Mac at risk, so long as you don’t inadvertently choose to upgrade in Software Update.
  Howard.
  
  LikeLiked by 1 person
10

Ric C on February 13, 2024 at 12:24 am

My wife’s MacBook Air 8,1 was forcibly upgraded to Sonoma 14.2.1 on February 7. I had updated it to 13.6.3 on January 10 and planned to update to 13.6.4 on February 10. She had been using the machine daily during that time.

She had been using Safari and getting frustrated with the Air France website which was alternately telling her she did and did not have a reservation. A popup notification appeared asking something she did not understand and she clicked ‘no’. After that, Safari stopped functioning, and then she came to me. I quit Safari, reopened, and indeed it would not open any webpage. Wifi was still functioning, so I figured the easy way out was to reboot the machine. A long pause for a black screen and then the upgrade started.

I asked her if the notification could have said the word Sonoma. She did not remember what it said, but that it was different than all the Sonoma prompts she had been clicking off for months. However, she could not tell me any more details since her mind was focused elsewhere. And, yes, the only update boxes I previously checked were (1) check for updates, and (2) Install security responses and system files; and definitely not macOS updates. It’s still that way, and we have had no further forced updates from 14.2.1.

One last thought to ponder: February 7 was the release date for 14.3.1. Was that a coincidence or a trigger?

LikeLiked by 1 person
- 11
  
  hoakley on February 13, 2024 at 7:54 am
  
  I’m very sorry to hear that. However, I’m not sure that there’s sufficient information to conclude that this was a ‘forced’ rather than ‘tricked’ upgrade.
  The notification that others have seen is the standard upgrade notification that she has been seeing. There is no ‘no’ option in that notification – you can either click on the Details button, which takes you to the Sonoma website, or the X button to dismiss it. I’ve been testing well over a dozen (it seems like more!) VMs and have seen and dismissed that notification many times over the last few days, and not once has anything untoward happened – and I have also analysed the log from once such dismissal.
  Depending on your time zone, 14.3.1 was released on 8 February at around 1900 GMT, so would more probably have been after this upgrade.
  Howard.
  
  LikeLike
12

blm on February 13, 2024 at 8:06 am

Another way might be to install a profile using the iMazing Profile Editor. Before I install a profile, softwareupdate -l shows Sonoma available (I’m running Monterey). After I install a profile with a restriction to Defer Major OS Software Updates, softwareupdate -l says No new software available. I haven’t received the “upgrade to Sonoma” notification since I installed the profile, although I don’t know if that’s a coincidence or not, but Sonoma still shows up in the Software Update preferences pane. So softwareupdate -l not reporting Sonoma suggests it’s working, although like with most things Apple, it’s unclear if it’s actually working.

LikeLiked by 1 person
- 13
  
  hoakley on February 13, 2024 at 8:16 am
  
  Thank you.
  First, that’s an MDM profile. Unless your Mac is being managed in MDM, I don’t believe that it has any effect.
  Second, that deferral is only good for 90 days, which elapsed a good while ago now.
  During testing, as I showed in the screenshot above, I encountered the combination of softwareupdate not listing Sonoma as an available upgrade, and the Upgrade to Sonoma notification. And that was in Monterey. So I don’t think the absence of the upgrade from that list means anything.
  Howard.
  
  LikeLike
  - 14
    
    blm on February 13, 2024 at 8:26 am
    
    My Mac isn’t in an MDM, but I don’t think it’s MDM only. In iMazing’s tool there are some settings that are marked Supervised Only, implying that settings not so marked don’t require being in an MDM. And it definitely affects softwareupdate -l, although as you show, that probably doesn’t mean anything. I’ll leave the profile in place though, figure it can’t hurt :-)
    
    LikeLiked by 1 person
    - 15
      
      hoakley on February 13, 2024 at 9:08 am
      
      Without examining the log, I couldn’t say whether that profile affects checking for Sonoma upgrades, I’m afraid.
      Howard.
      
      LikeLike
16

Brian on February 13, 2024 at 4:31 pm

Thanks for another good summary. Also, blocking outgoing connections for softwareupdated, a component of the Software Update core service, seems to help. This is not blocking the notification, it’s blocking everything for that piece. Use a tool like Lulu or Little Snitch to accomplish this, until an update is wanted.

LikeLiked by 1 person
- 17
  
  hoakley on February 13, 2024 at 4:44 pm
  
  Thank you. Unfortunately, AFAIK that blocks macOS from even checking if there are updates available – not something you’d really want to do for long, I suggest.
  Howard.
  
  LikeLiked by 1 person
18

Richard Glaser on February 13, 2024 at 11:45 pm

FYI:

You can use Configuration Profile and set the

/Library/Preferences/com.apple.SoftwareUpdate.plist

key pair and distribute it via an MDM solution like Jamf Pro or manually install it per system.

I haven’t tried this, but in our environment, I am tempted to implement it and have us vs Apple allows users to be notified and install major/minor updates. Enterprises need to QA macOS updates and don’t want to notify users to update before its QA’d, and managed systems have solutions to prompt users to upgrade after that point like open source tools like SUPER , etc.

LikeLiked by 1 person
- 19
  
  hoakley on February 14, 2024 at 7:52 am
  
  Thank you, Richard. I believe that you’re referring to what Apple terms a deferral? If so, according to Apple’s docs that is only valid for a period of 90 days. I don’t know when those start, either with the release of the major update or when the deferral is applied, but they don’t appear to last indefinitely.
  Howard.
  
  LikeLike
  - 20
    
    Richard Glaser on February 15, 2024 at 10:01 pm
    
    Hi:
    
    No, I was referring to the user notification about a major update.
    
    You can create a configuration profile with your preferred date in the future like…
    
    AutoUpdateRetryCount
    
    MajorOSUserNotificationDate
    2027-02-07T23:22:47Z
    
    We haven’t tested this but we will as we would rather not notify users about updates, as in our environment users are standard users, and macOS updates can’t install or make configuration changes outside user space.
    
    The configuration profile would apply to host and userspace settings and enforce these keys.
    
    LikeLiked by 1 person
    - 21
      
      hoakley on February 15, 2024 at 10:24 pm
      
      Thank you, Richard. That’s the same key-value pair as detailed by Jeff Johnson. As I saw, all that appears to do is block the notification. Some of those who report undergoing forced upgrades did so without seeing or responding to any notification. That’s what concerns me with blocking the notification as a ‘solution’: if those reports are accurate, merely checking for updates using softwareupdate or Software Update could trigger the unwanted upgrade, should this bug/behaviour occur again.
      The other worrying behaviour here is that at least user suffered this on an Apple silicon Mac, and is insistent that they weren’t required to authenticate before the upgrade took place.
      Maybe in an MDM environment, none of these apply. But outside that, I’m unconvinced that merely muting the notification is a robust way to avoid a future forced upgrade.
      Howard.
      
      LikeLike
22

SarahB on February 18, 2024 at 3:40 pm

I came back to read this post since it relates to me more now and I need to be very careful not to upgrade from Ventura. Thank you for showing all the options. I wish on all apple devices it was easier to block an upgrade. I remember even on my apple tv’s on years past it always would end up upgrading.

Sad we can’t control better to block this from happening. I follow some music people on YouTube though who need to keep on an older OS for their plugin’s to work and they manage ok. I will just need to be more aware and careful.

LikeLiked by 1 person
23

Ted Dively on February 22, 2024 at 6:36 pm

I just scraped /var/log/install.log on a cheese grater Mac Pro in our shop that suffered this issue. The software update service, in a breathtaking breach of normal procedure, decided to download and install macOS Sonoma all on its own. Below are some useful snippets from /var/log/install.log. Note the lines with “override”, “RootInstallMode = YES”, and “Disabling local authentication requirement” in them.

2024-02-15 11:34:13-08 Mac-Pro softwareupdated[379]: BackgroundActivity: Starting Background Check Activity
2024-02-15 11:34:13-08 Mac-Pro softwareupdated[379]: BackgroundActivity: Starting background actions now.
2024-02-15 11:34:13-08 Mac-Pro softwareupdated[379]: BackgroundActions: Automatic check parameters: autoDownload=YES, autoConfigData=NO, autoCriticalInstall=NO
2024-02-15 11:34:13-08 Mac-Pro softwareupdated[379]: SoftwareUpdate: Fired early. Next check=2/15/24, 5:36 PM (interval=86280.000000, A/C=YES)
2024-02-15 11:34:13-08 Mac-Pro softwareupdated[379]: BackgroundActivity: Starting background download now.
2024-02-15 11:34:13-08 Mac-Pro softwareupdated[379]: BackgroundActivity: Run custom background action completion
2024-02-15 11:34:13-08 Mac-Pro softwareupdated[379]: SUOSUServiceDaemon: DO MSU BACKGROUND ACTIONS!
2024-02-15 11:34:13-08 Mac-Pro softwareupdated[379]: BackgroundActivity: Finished Background Check Activity
2024-02-15 11:34:13-08 Mac-Pro softwareupdated[379]: SUOSUServiceDaemon: BackgroundActivity: Perform background scan
2024-02-15 11:34:13-08 Mac-Pro softwareupdated[379]: SUOSUMobileSoftwareUpdateController: Set bridgeOS catalog override to catalogURL default

2024-02-15 13:54:27-08 Mac-Pro nbagent[73417]: NBUpdateController: Using catalog URL: https://swscan.apple.com/content/catalogs/others/index-noticeboard-10.10-noticeboard-10.9-noticeboard.merged-1.sucatalog
2024-02-15 13:54:27-08 Mac-Pro Software Update[73424]: Launched with args: {
RootInstallMode = YES;
}
2024-02-15 13:54:27-08 Mac-Pro Software Update[73424]: Starting post-logout mode (skipConfirm = 0, reconnectMode = 0, shouldShutdown = 0)
2024-02-15 13:54:27-08 Mac-Pro Software Update[73424]: SUOSUAuthenticationManager: Disabling local authentication requirement

2024-02-15 13:54:27-08 Mac-Pro Software Update[73424]: TO APPLY AT POSTLOGOUT: (
“”

LikeLiked by 1 person
- 24
  
  hoakley on February 22, 2024 at 8:44 pm
  
  Thank you. Unfortunately, there’s far too little in the install log to work out what might have happened: only the full log contains those details, and I suspect after this time the log has rolled well past 15 Feb.
  However, it prompts several questions:
  – as a cheese-grater Mac Pro, I presume this is using OCLP to be able to install Sonoma? Does that alter update/upgrade behaviour?
  – did you observe the forced upgrade yourself? Did it result from dismissing the Sonoma notification, or did it occur without any notification/etc. to the user?
  – are you certain the date on that log is correct? Forced upgrades happened in mid-January, and by 22 or 23 January the bug or misbehaviour that was apparently causing them had been fixed/removed. I have tried repeatedly to get a forced upgrade since then, without any success, and yours is the only report that I have seen of this occurring after 23 January.
  Howard.
  
  LikeLike
  - 25
    
    Ted Dively on February 22, 2024 at 8:57 pm
    
    I didn’t observe the forced upgrade, as I was off-site that day. The user reported that the computer was, “acting glitchy”, (yes, yes, I know, I know), so she rebooted it. When she rebooted it, the 14.2.1 installation began. This is why I was grepping my way through /var/log/install.log. The date and times in the log do align with when she rebooted the Mac Pro.
    
    Sorry, it’s a late model Mac Pro, which we still refer to around here as cheese-graters, similar to the 2012 and earlier units, and as such it fully supports Sonoma. No OCLP involved.
    
    LikeLiked by 1 person
    - 26
      
      hoakley on February 22, 2024 at 9:11 pm
      
      Thank you. Is it conceivable that the user might have been tricked into performing the upgrade, without being aware of what would happen?
      Howard.
      
      LikeLike
    - 27
      
      Ted Dively on February 22, 2024 at 9:13 pm
      
      She says, no. All she did is dismiss the notification, and when the computer got “glitchy” (how I loathe that word), she rebooted. That’s the extent of it. FWIW, the box was running macOS v12.7.3 beforehand.
      
      LikeLiked by 1 person
    - 28
      
      hoakley on February 22, 2024 at 9:19 pm
      
      Thank you. That remains a real puzzle, as by then I must have gone through the same sequence a dozen times in 12.7.3 VMs trying to reproduce this without success.
      Howard
      
      LikeLike
29

Ted Dively on February 22, 2024 at 9:15 pm

The reason we’ve been sitting on Monterey at this architecture firm is because many of the current projects aren’t yet migrated from ArchiCAD v.24 to v.26, so we need to keep the machines running an ArchiCAD v.24-compatible OS.

LikeLiked by 1 person
- 30
  
  hoakley on February 22, 2024 at 9:20 pm
  
  Thank you.
  Howard
  
  LikeLike
31

Henry Chandler on September 6, 2024 at 10:02 am

>

LikeLiked by 1 person
- 32
  
  hoakley on September 6, 2024 at 10:27 am
  
  Although there was a spate of users who experienced some form of forced upgrade in the past, I’m not aware that has continued. All you must do now is avoid choosing to upgrade in Software Update.
  Howard.
  
  LikeLike