(experimental) No Tahoe for Sequoia

[bogdanw]

Update 4: another way - blocking gdmf.apple.com in hosts
https://forums.macrumors.com/threads/experimental-no-tahoe-for-sequoia.2480020/post-34543131
https://forums.macrumors.com/threads/experimental-no-tahoe-for-sequoia.2480020/post-34556209

Update 3: two ways, neither perfect
- enroll in Sequoia Public Beta program and defer updates
- set MobileAssetAssetAudience to a value that is not recognized by macOS
Details https://forums.macrumors.com/threads/experimental-no-tahoe-for-sequoia.2480020/post-34538369

Update 2: It doesn't work https://forums.macrumors.com/threads/experimental-no-tahoe-for-sequoia.2480020/post-34526279

Update1:
The initial post contained a fairly complicated method. In the meantime, a very simple way of hiding Tahoe seems to be working. From Terminal:

sudo defaults write /private/var/root/Library/Preferences/com.apple.MobileAsset.plist MobileAssetAssetAudience -string c8ba02c8-cc63-4388-99ee-a81d5a593283

To revert the change

sudo defaults delete /private/var/root/Library/Preferences/com.apple.MobileAsset.plist MobileAssetAssetAudience

Please make sure you have “Download new updates” and “Install macOS updates” turned off to avoid potentially automatic install of a macOS beta version. The best way is to enforce them with a configuration profile, like the one in post #13

Tentative explanation, with the information available so far.
When you enable beta updates two values are set, an “audience” and a beta catalog URL.
The command sudo defaults write /private/var/root/Library/Preferences/com.apple.MobileAsset.plist MobileAssetAssetAudience -string c8ba02c8-cc63-4388-99ee-a81d5a593283 only sets the audience, without setting the catalog. macOS probably gets confused, treats updates like betas, but searches for them in the regular catalog where they aren’t.

 

[Miles Fu]

Thanks! look forward to an official release

 

[bogdanw]

After a cup of coffee and some introspection, I might have worked for nothing 🙂

I will not be able to tell for sure until Apple releases another beta product for Sequoia, but there might be a very simple way. Just setting the MobileAssetAssetAudience to public beta, without changing the update catalog, makes Tahoe disappear from Software Update.

sudo defaults write /private/var/root/Library/Preferences/com.apple.MobileAsset.plist MobileAssetAssetAudience -string c8ba02c8-cc63-4388-99ee-a81d5a593283

To revert

sudo defaults delete /private/var/root/Library/Preferences/com.apple.MobileAsset.plist MobileAssetAssetAudience

 

[chrfr]

I can't imagine a world where running a local webserver to avoid a software update makes any sense whatsoever, especially considering how infrequently Apple actually patches the built in Apache.

 

[Grumpus]

...
Just setting the MobileAssetAssetAudience to public beta, without changing the update catalog, makes Tahoe disappear from Software Update.

Is this the same as setting Beta Updates to macOS Sequoia Public Beta in System Settings -> General -> Software Update?

 

[bogdanw]

I can't imagine a world where running a local webserver to avoid a software update makes any sense whatsoever, especially considering how infrequently Apple actually patches the built in Apache.

By that standard, we shouldn’t use any open source software Apple includes in macOS, starting with /bin/bash, that is version 3.2.57 released more than a decade ago.

The local web server shouldn’t be available from outside, and all unwanted connection could be blocked by the firewall. https://support.apple.com/guide/mac-help/change-firewall-settings-on-mac-mh11783/26/mac/26

Is this the same as setting Beta Updates to macOS Sequoia Public Beta in System Settings -> General -> Software Update?

Not exactly. Turning Beta updates in Software Update also changes the seed catalog to the beta version.
List of catalogs https://gist.github.com/b0gdanw/fe47eb02f861f509474be7a3840122b4
We will have to wait for Safari beta or Sequoia 15.7.6 beta to be released to see the differences between the two approaches.

 

[PotentPeas]

This is an interesting approach. I'm wondering about putting the catalog on an actual web server instead of a local one, with a script to keep it updated, and just pointing multiple machines to it. (I have a Linux web server in my basement which I use for various projects.)

 

[katbel]

After a cup of coffee and some introspection, I might have worked for nothing 🙂

I will not be able to tell for sure until Apple releases another beta product for Sequoia, but there might be a very simple way. Just setting the MobileAssetAssetAudience to public beta, without changing the update catalog, makes Tahoe disappear from Software Update.

sudo defaults write /private/var/root/Library/Preferences/com.apple.MobileAsset.plist MobileAssetAssetAudience -string c8ba02c8-cc63-4388-99ee-a81d5a593283

To revert

sudo defaults delete /private/var/root/Library/Preferences/com.apple.MobileAsset.plist MobileAssetAssetAudience

Your coffee must have been very good 😉
I run just this code without being on beta yet on my Mac and this is the result

 

[chrfr]

By that standard, we shouldn’t use any open source software Apple includes in macOS, starting with /bin/bash, that is version 3.2.57 released more than a decade ago.

The local web server shouldn’t be available from outside, and all unwanted connection could be blocked by the firewall. https://support.apple.com/guide/mac-help/change-firewall-settings-on-mac-mh11783/26/mac/26

bash isn't the same thing- it isn't by default accessible outside the local computer.

Your script doesn't turn on a firewall, and the firewall isn't enabled by default in macOS, so anyone starting up Apache on their local computer absolutely does have that open to anyone trying to access it unless the user knows enough about what your script does to turn on the firewall.
It just isn't a good idea for users to be blindly running a webserver on their computers.

 

[bogdanw]

bash isn't the same thing- it isn't by default accessible outside the local computer.

Your script doesn't turn on a firewall, and the firewall isn't enabled by default in macOS, so anyone starting up Apache on their local computer absolutely does have that open to anyone trying to access it unless the user knows enough about what your script does to turn on the firewall.
It just isn't a good idea for users to be blindly running a webserver on their computers.

That would only be true if the public IP address was assigned to the Mac running the web server.
The vast majority of Macs receive a local IP address from the router they connect to, like 192.168.0.69. Thus, the web server is only available in the local network, not by accessing the public IP address from the Internet.

Anyway, you must have missed the last line of the first post “At this stage, please consider it as experimental and try it in virtual machines.”

 

[msephton]

MobileAssetAssetAudience method working for me!

 

[Roberto Smera]

Also working for me. Thanks Bogdan.

 

[bogdanw]

Please make sure you have “Download new updates” and “Install macOS updates” turned off to avoid potentially automatic install of a macOS beta version.

The best way is to enforce them with a configuration profile
SoftwareUpdate.mobileconfig

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>AutomaticDownload</key>
            <false/>
            <key>AutomaticallyInstallMacOSUpdates</key>
            <false/>
            <key>PayloadDisplayName</key>
            <string>Software Update</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.SoftwareUpdate.DAD08779-CA16-4ECC-B809-CC505B4EBF68</string>
            <key>PayloadType</key>
            <string>com.apple.SoftwareUpdate</string>
            <key>PayloadUUID</key>
            <string>DAD08779-CA16-4ECC-B809-CC505B4EBF68</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>SoftwareUpdate</string>
    <key>PayloadIdentifier</key>
    <string>iMazing-Profile-Editor.781142C3-EA49-4407-8229-926A7AD6788E</string>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>781142C3-EA49-4407-8229-926A7AD6788E</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>TargetDeviceType</key>
    <integer>5</integer>
</dict>
</plist>

Example created with https://apps.apple.com/app/imazing-profile-editor/id1487860882

 

[Roberto Smera]

The only update I still see is Safari 26.4. Is there a way to defer it? TIA.

 

[bogdanw]

The only update I still see is Safari 26.4. Is there a way to defer it? TIA.

No.

 

[katbel]

Please make sure you have “Download new updates” and “Install macOS updates” turned off to avoid potentially automatic install of a macOS beta version.

The best way is to enforce them with a configuration profile
SoftwareUpdate.mobileconfig

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>AutomaticDownload</key>
            <false/>
            <key>AutomaticallyInstallMacOSUpdates</key>
            <false/>
            <key>PayloadDisplayName</key>
            <string>Software Update</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.SoftwareUpdate.DAD08779-CA16-4ECC-B809-CC505B4EBF68</string>
            <key>PayloadType</key>
            <string>com.apple.SoftwareUpdate</string>
            <key>PayloadUUID</key>
            <string>DAD08779-CA16-4ECC-B809-CC505B4EBF68</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>SoftwareUpdate</string>
    <key>PayloadIdentifier</key>
    <string>iMazing-Profile-Editor.781142C3-EA49-4407-8229-926A7AD6788E</string>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>781142C3-EA49-4407-8229-926A7AD6788E</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>TargetDeviceType</key>
    <integer>5</integer>
</dict>
</plist>

Example created with https://apps.apple.com/app/imazing-profile-editor/id1487860882

I already have this profile, created sometimes ago with one of your codes, still working
Still thanks 🙂

 

[chrfr]

That would only be true if the public IP address was assigned to the Mac running the web server.
The vast majority of Macs receive a local IP address from the router they connect to, like 192.168.0.69. Thus, the web server is only available in the local network, not by accessing the public IP address from the Internet.

That's true if they're on a network that's behind NAT, but not every network is.
As for the recommendation to test in a VM, lots of people will just ignore it, and will only be testing to see if the update they’re trying to block is blocked. They’re not testing for security exposure.

 

[bogdanw]

especially considering how infrequently Apple actually patches the built in Apache.

I haven’t even considered to check if that’s true, but the Apache version included in macOS 15.7.5 (24G624) is Apache/2.4.66 (apachectl -v). That is the latest available https://www.apachelounge.com/changelog-2.4.html

As for the recommendation to test in a VM, lots of people will just ignore it, and will only be testing to see if the update they’re trying to block is blocked. They’re not testing for security exposure.

If you read the comments, you will find that people ignored the script completely and tried the command from the third post instead. MacRumors users are more intelligent then you think ;-)

 

[chrfr]

I haven’t even considered to check if that’s true, but the Apache version included in macOS 15.7.5 (24G624) is Apache/2.4.66 (apachectl -v). That is the latest available https://www.apachelounge.com/changelog-2.4.html

And prior to last week’s updates, the built in Apache was 2.4.62. From 2024, with a lot of security vulnerabilities.

 

[PotentPeas]

After a cup of coffee and some introspection, I might have worked for nothing 🙂

sudo defaults write /private/var/root/Library/Preferences/com.apple.MobileAsset.plist MobileAssetAssetAudience -string c8ba02c8-cc63-4388-99ee-a81d5a593283

Where did that GUID string come from ("c8ba0....")? That is specific for macOS 15 public beta?
Just curious.

Also will have to see if this causes you to get the 15.7.6 per-release / RC updates. (I guess that's what you're waiting to check, once there actually is one.)

 

[bogdanw]

Seed Catalogs
https://github.com/ninxsoft/Mist/bl...6ef4d2323e3ac68c/Mist/Model/CatalogType.swift
MobileAssetAssetAudience
https://gist.github.com/dhinakg/047084eddf232ed61ad4864b789e7088
98df7800-8378-4469-93bf-5912da21a1e1 macOS 15 developer beta 374faeda-4d23-457d-9f73-ec84a286f4b3 macOS 15 AppleSeed beta c8ba02c8-cc63-4388-99ee-a81d5a593283 macOS 15 public beta

Here is something anyone can test:
Open a Terminal window and run

log stream --predicate 'subsystem == "com.apple.SoftwareUpdate"' --info | grep 'Using catalog'

open another window and run

softwareupdate -l

In the first window it should appear SUScan: Using catalog https://swscan.apple.com/content/catalogs/others/index-15-14-13-12-10.16-10.15-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog.gz

That is the standard catalog (public release) and does not contain beta updates. I get the same catalog on an unmodified Sequoia, when using the MobileAssetAssetAudience values for macOS 15 developer beta or macOS 15 public beta.

We can assume that the method of hiding Tahoe by changing just the MobileAssetAssetAudience is working, but we will not know for sure until another Sequoia beta is released.

 

[LeVan]

After a cup of coffee and some introspection, I might have worked for nothing 🙂

I will not be able to tell for sure until Apple releases another beta product for Sequoia, but there might be a very simple way. Just setting the MobileAssetAssetAudience to public beta, without changing the update catalog, makes Tahoe disappear from Software Update.

sudo defaults write /private/var/root/Library/Preferences/com.apple.MobileAsset.plist MobileAssetAssetAudience -string c8ba02c8-cc63-4388-99ee-a81d5a593283

To revert

sudo defaults delete /private/var/root/Library/Preferences/com.apple.MobileAsset.plist MobileAssetAssetAudience

Thanks for all the hard work!
I have a simple question; on my M2 MBA, with the software update set to Security Updates and macOS Sequoia Developer Beta (I am signed in to an Apple Developers iCloud account), from at least a year ago, the Tahoe red badge update has never appeared.
Is that not true for everyone? What about having it set to macOS Sequoia Public Beta? A friend of mine has that set and he has never seen the Tahoe update prompt (but he may have used some other related code, I don't know about that).

 

[bogdanw]

Thanks for all the hard work!
I have a simple question; on my M2 MBA, with the software update set to Security Updates and macOS Sequoia Developer Beta (I am signed in to an Apple Developers iCloud account), from at least a year ago, the Tahoe red badge update has never appeared.
Is that not true for everyone? What about having it set to macOS Sequoia Public Beta? A friend of mine has that set and he has never seen the Tahoe update prompt (but he may have used some other related code, I don't know about that).

I’ve heard similar reports, that’s what partially inspired the above method.
I need my Macs for work, so I don’t enroll them in the Beta program.
You can easily switch from System Settings – Software Update to the macOS 15 Public Beta option and test.
If the beta menu does not appear, it can be opened from Terminal:

open "x-apple.systempreferences:com.apple.Software-Update-Settings.extension?action=showBetaUpdates"

A reminder from Apple:
“Install the beta software only on non-production devices that are not business critical. We strongly recommend installing on a secondary system or device, or on a secondary partition on your Mac.” https://beta.apple.com/faq

 

[LeVan]

I’ve heard similar reports, that’s what partially inspired the above method.
I need my Macs for work, so I don’t enroll them in the Beta program.
You can easily switch from System Settings – Software Update to the macOS 15 Public Beta option and test.
If the beta menu does not appear, it can be opened from Terminal:

open "x-apple.systempreferences:com.apple.Software-Update-Settings.extension?action=showBetaUpdates"

A reminder from Apple:
“Install the beta software only on non-production devices that are not business critical. We strongly recommend installing on a secondary system or device, or on a secondary partition on your Mac.” https://beta.apple.com/faq

Thanks for the reply. In my case, or similar, I don't really think running an active Developer's beta Software update sytem is that dangerous, despite Apple's warning. I agree that it could be the cause of trouble if you installed an early beta on a system used for work, but the Sequoia system is in the point 7 range, and by now, the new betas address older bugs and refinements, without introducing new, potentially problematic functions.
Your methods, aiming to work without having the bata program involved, are ideal, so I hope that page 3 method does the job! And thanks again for your expertise and the time and effort involved.

 

[golfnut1982]

I’ve heard similar reports, that’s what partially inspired the above method.
I need my Macs for work, so I don’t enroll them in the Beta program.
You can easily switch from System Settings – Software Update to the macOS 15 Public Beta option and test.
If the beta menu does not appear, it can be opened from Terminal:

open "x-apple.systempreferences:com.apple.Software-Update-Settings.extension?action=showBetaUpdates"

A reminder from Apple:
“Install the beta software only on non-production devices that are not business critical. We strongly recommend installing on a secondary system or device, or on a secondary partition on your Mac.” https://beta.apple.com/faq

For the code deficient types like me, but familiar with the profiles with imazing, is your current method working like the older 90 day one? It's confusing following all this. Can you explain how to get your working method to work with imazing? I did it once during the 90 day, but after updating to 15.7.5, I lost it, like others did. I switched to the betas, and that worked, but don't want to deal with RC's. I just don't see the need to have my M1 MBP looking like my iPhone. I know many people think it's nice and maybe I will too, but for the meantime, I wanna delay as long as possible, but still have security. Sorry if you may have explained this once before, but I can't seem to find it after looking for the past hour. Thanks in advance.