Apple provides the ability to defer major macOS upgrades to prevent early adoption of new major OS versions on managed devices. Having a major deferral in place that is longer than the minor deferral can leave computers with an immediately pending macOS update after a macOS upgrade, because the upgrade lands them on an older build of the new major version than the patch level they were already at. In effect the upgrade rolls back security fixes that were already applied, and those computers are left vulnerable to previously patched flaws until the pending update is installed.
This article is written based on the following configuration:
- Minor Deferral (enforcedSoftwareUpdateMinorOSDeferredInstallDelay): 14 days
- Major Deferral (enforcedSoftwareUpdateMajorOSDeferredInstallDelay): 90 days
- Today’s date: December 16th, 2024.
- Upgrade: Major version change, example: macOS 14 -> macOS 15.
- Update: Minor version change, example: macOS 15.0.1 -> macOS 15.1.
How the rollback happens:
macOS 15 was released 91 days ago, on September 16, 2024, so a 90 day major deferral has now expired. Computers running macOS 14 will now see macOS 15.0 as an available update in System Settings. Note that I say macOS 15.0, not macOS 15.0.1 or macOS 15.1.1. This is because the major deferral is applied to each release of the new major version individually: every macOS 15 build is hidden for 90 days from its own release date. macOS 15.0.1 was released 74 days ago, on Thursday, October 3, 2024, which is less than 90 days ago, so it remains deferred, as do all later macOS 15 releases.
Since we have a 14 day minor deferral in place, most of our computers should be on macOS 14.7.1 with the Safari 18.1.1 update applied. Safari 18.1.1 fixes CVE-2024-44308 and CVE-2024-44309, both of which Apple reports may have been actively exploited on Intel-based Macs. These vulnerabilities were also fixed in macOS 15.1.1, but our computers will be upgrading to macOS 15.0, so they go from a patched state to a vulnerable state on upgrade. After the upgrade each computer will then need to perform a minor update to macOS 15.1.1, which the 14 day minor deferral allows, since macOS 15.1.1 was released on November 19, 2024, 27 days ago.
How to fix this:
Organizations in this position should immediately reduce their major deferral to match their minor deferral. Systems will then upgrade to the macOS 15 release that is at roughly the same patch level as their existing macOS 13 and macOS 14 systems (macOS 15.1.1 in this scenario). This needs to be repeated every release cycle.
Long term fix:
To avoid this happening every year, Apple would need to change the deferral logic. I have filed FB16108783 with Apple, and I encourage you to do the same. The current request is:
The major deferral decides whether a computer may move between major OS versions (i.e. can the computer go from macOS 14 to macOS 15?), but it does not decide which minor version is offered. Instead the minor deferral, if set, decides which minor version of the new major is allowed (i.e. can it go from macOS 14 to macOS 15.1.1, or to macOS 15.2?).
With this logic, in our scenario of a 90 day major / 14 day minor deferral, computers would upgrade directly to macOS 15.1.1 and carry the same security patches across the upgrade.
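The three situations discussed above (the deferral logic as it behaves today, the short-term fix of matching the major deferral to the minor one, and the logic requested in FB16108783) modelled as an added Python example. This is not Apple's code or the author's; the rules are the ones this article describes. The release catalog is constructed for the example: the macOS 15.0 and 15.0.1 dates are the ones given above, the other dates are assumed from Apple's release notes, and the CVE table holds only the two CVEs the article names.

```python
"""Model of macOS software-update deferral behaviour (added example, not Apple's code)."""
from datetime import date

# Constructed release catalog. 15.0 and 15.0.1 dates come from the article;
# the others are assumed from Apple's release notes for this example.
RELEASES = {
    "14.7.1": date(2024, 10, 28),
    "14.7.2": date(2024, 12, 11),
    "15.0":   date(2024, 9, 16),
    "15.0.1": date(2024, 10, 3),
    "15.1":   date(2024, 10, 28),
    "15.1.1": date(2024, 11, 19),
    "15.2":   date(2024, 12, 11),
}

# The CVEs the article names, with the first macOS 15 build that fixes them.
# On the macOS 14 line the same fixes shipped as Safari 18.1.1 on 14.7.1.
FIXED_IN_15 = {
    "CVE-2024-44308": "15.1.1",
    "CVE-2024-44309": "15.1.1",
}

TODAY = date(2024, 12, 16)  # the article's "today"


def vtuple(version):
    """'15.0.1' -> (15, 0, 1); '15.0' -> (15, 0, 0), so versions compare numerically."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def age_days(version, today=TODAY):
    """Days since `version` was released."""
    return (today - RELEASES[version]).days


def _newest(versions):
    return max(versions, key=vtuple) if versions else None


def offered_current(installed, minor_days, major_days, today=TODAY):
    """What System Settings offers under the logic the article observes today:
    each release is hidden for major_days (newer major) or minor_days (same
    major) counted from *its own* release date; the newest unhidden release
    wins. Returns (minor_update, major_upgrade); None where nothing is offered."""
    cur = vtuple(installed)
    minor_ok, major_ok = [], []
    for v in RELEASES:
        if vtuple(v) <= cur:
            continue
        if vtuple(v)[0] == cur[0] and age_days(v, today) >= minor_days:
            minor_ok.append(v)
        elif vtuple(v)[0] > cur[0] and age_days(v, today) >= major_days:
            major_ok.append(v)
    return _newest(minor_ok), _newest(major_ok)


def offered_proposed(installed, minor_days, major_days, today=TODAY):
    """The logic requested in FB16108783: the major deferral only decides whether
    a newer major is eligible at all (measured from that major's first release);
    the minor deferral then decides which build of it is offered."""
    cur = vtuple(installed)
    minor_ok, major_ok = [], []
    for v in RELEASES:
        if vtuple(v) <= cur:
            continue
        if vtuple(v)[0] == cur[0]:
            if age_days(v, today) >= minor_days:
                minor_ok.append(v)
        else:
            first = min((r for r in RELEASES if vtuple(r)[0] == vtuple(v)[0]), key=vtuple)
            if age_days(first, today) >= major_days and age_days(v, today) >= minor_days:
                major_ok.append(v)
    return _newest(minor_ok), _newest(major_ok)


def cves_reopened_by_upgrade(target):
    """CVEs from FIXED_IN_15 that a patched macOS 14 machine would be exposed to
    again after upgrading to `target`, because the fix lands in a later 15.x build."""
    if target is None:
        return []
    return sorted(c for c, fix in FIXED_IN_15.items() if vtuple(fix) > vtuple(target))


if __name__ == "__main__":
    scenarios = [
        ("current logic, minor 14 / major 90", offered_current, 14, 90),
        ("current logic, minor 14 / major 14 (the fix)", offered_current, 14, 14),
        ("proposed logic, minor 14 / major 90", offered_proposed, 14, 90),
    ]
    for name, offer, minor_d, major_d in scenarios:
        update, upgrade = offer("14.7.1", minor_d, major_d)
        print(f"{name}: update -> {update}, upgrade -> {upgrade}, "
              f"reopened CVEs -> {cves_reopened_by_upgrade(upgrade)}")
    # Once a machine has taken the 15.0 upgrade, the minor deferral governs the catch-up.
    print("after upgrading to 15.0:", offered_current("15.0", 14, 90))
```

Running it with the article's dates shows a macOS 14.7.1 machine being offered 15.0 under today's logic (both CVEs reopened until the 15.1.1 catch-up update is applied), and 15.1.1 under either the matched deferral or the requested logic.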
Thanks to Adam Codega and Eric Carr for assistance writing this!
This scenario only occurs once a year, when Apple releases a major update. The crushing majority of institutions enforce the 90 day deferral as room to maneuver, but rarely let it run to fruition. I would thus advise them to leave the deferral in place and set a reminder to deploy the proper target version of macOS, via a Declarative Device Management policy, to the latest one week before the deferral deadline.