Standard user can update Ventura to Sonoma without admin privileges?

Have 2 x Mac mini + MacBook Air M1 - macOS Ventura - for testing. All standard users can install the upgrade to Sonoma via System Settings -> Software Update.


Is this new? How can this be? No standard user should be allowed to do this. Perplexed.

Posted on Sep 29, 2023 5:45 AM

Question marked as Top-ranking reply

Posted on Sep 29, 2023 4:34 PM

McWolfgang wrote:

Standard user can update Ventura to Sonoma without admin privileges?

Yes

Is this new?

Somewhat. Apple started doing this with macOS 12.3. See About software updates for Apple devices - Apple Support

How can this be?

Modern Apple security is significantly different than you might expect from previous versions or other operating systems.

No standard user should be allowed to do this.

Apple really doesn't support the traditional multi-user environment, at least for consumer configurations. If you had an MDM, you would have more control over things. But outside of that environment, Apple expects each device to belong to an individual user. There are very few reasons to ever need a standard user.

Oct 1, 2023 2:01 AM in response to etresoft

Yes, I agree with many of your points.


I am only concerned with professional environments in medium-sized companies. Functioning IT is required. Every day. And I am not talking about security updates.


I'm talking about operating systems. If it is possible to install a new operating system with a click, some users will do it. And when individual programs or functions in programs no longer work, there is a lot of crying. Solutions are not always possible in a short time.


Therefore, a standard user should not be allowed to install a new operating system. But since Monterey, this can no longer be prevented. Not even with profiles - as far as I know so far. But I am working on a solution ...


The only issue is with those people who manage the computer of someone else. That someone else can now upgrade their computer. But in those relationships, there are other ways to manage behaviour.

What would those options be?

Sep 29, 2023 2:55 PM in response to McWolfgang

McWolfgang wrote:

Have 2 x Mac mini + MacBook Air M1 - macOS Ventura - for testing. All standard users can install the upgrade to Sonoma via System Settings -> Software Update.

Is this new? How can this be? No standard user should be allowed to do this. Perplexed.


Does it actually install, or are you halted at some point because you need the admin password to proceed further...?


Are these "standard users" signed into the same Apple ID...?

Sep 29, 2023 10:22 PM in response to etresoft

Thanks for your very helpful reply.


Well, I'm testing an MDM right now (Jamf). But neither with MDM nor with manually distributed profiles does control seem possible to me here. The key "restrict-software-update-require-admin-to-install" doesn't seem to work anymore. Only deferring software updates - e.g. 30 days - is possible. I am really perplexed and stunned.


But I have to read the actual documentation first.


Sep 30, 2023 5:25 AM in response to McWolfgang

McWolfgang wrote:

Well, I'm testing an MDM right now (Jamf). But neither with MDM nor with manually distributed profiles does control seem possible to me here. The key "restrict-software-update-require-admin-to-install" doesn't seem to work anymore. Only deferring software updates - e.g. 30 days - is possible.

Can't help with that. Anytime I see MDM or Jamf, my eyes glaze over.

I am really perplexed and stunned.

But why? Apple's competitors and social media influencers have been very effective at convincing people that if they don't update immediately then their computer is going to be taken over by North Korean hackers. I guess a lot of other people are just swayed by any advertising. And there are the people who'll click on any pop-up button they see. These days, everybody is obsessed with constant upgrading. Apple is giving people what they want.


But nobody is ever forced to upgrade. The serenity that comes with not upgrading, and the entertainment from watching those who do, is delightful.


The only issue is with those people who manage the computer of someone else. That someone else can now upgrade their computer. But in those relationships, there are other ways to manage behaviour.

Oct 2, 2023 10:19 AM in response to McWolfgang

Our organization is able to restrict macOS upgrades to new major versions of macOS through our MDM (Jamf I believe) even for admin users. The way it is configured does have a loophole where an admin user can upgrade to a new major version of macOS through Internet Recovery Mode or using a bootable macOS USB installer as long....for newer Macs they do need to be able to authenticate if Monterey is currently installed or to the security enclave chip for 2018+ models. No idea if a standard user can utilize this loophole without a clean install anyway. The restriction for OS upgrades the way our organization has it configured (may be the only way it can be configured) is that macOS will prohibit the upgrade if begun within macOS itself.


I don't know how long that switch is good for, but I know we had it enabled for over six months while we verified our third-party software & services were not impacted by the OS upgrade.


As others have mentioned, Apple designs their devices for a single consumer....not for multiple users or for a professional/enterprise environment.
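
The two controls named in this thread, the "restrict-software-update-require-admin-to-install" key and deferral of updates, can be checked in a configuration profile before it is deployed. The following is an added example, not code from any poster, Apple or Jamf; the sample profile is constructed, and the deferral keys `forceDelayedMajorSoftwareUpdates` and `enforcedSoftwareUpdateMajorOSDeferredInstallDelay` are Apple Restrictions-payload keys that the thread itself does not name.

```python
import plistlib

ADMIN_KEY = "restrict-software-update-require-admin-to-install"  # quoted in the thread
DEFER_FLAG = "forceDelayedMajorSoftwareUpdates"                  # not named in the thread
DEFER_DAYS = "enforcedSoftwareUpdateMajorOSDeferredInstallDelay" # not named in the thread

# Constructed sample profile (not from the thread): one payload sets the
# admin-to-install key, another defers major upgrades by 30 days.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.SoftwareUpdate</string>
      <key>restrict-software-update-require-admin-to-install</key><true/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>forceDelayedMajorSoftwareUpdates</key><true/>
      <key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key><integer>30</integer>
    </dict>
  </array>
</dict></plist>"""

def audit_profile(data):
    """Summarise which software-update controls a .mobileconfig requests."""
    profile = plistlib.loads(data)
    report = {"require_admin": None, "defers_major": False,
              "major_deferral_days": None, "findings": []}
    for payload in profile.get("PayloadContent", []):
        if ADMIN_KEY in payload:
            report["require_admin"] = bool(payload[ADMIN_KEY])
        if payload.get(DEFER_FLAG) is True:
            report["defers_major"] = True
            report["major_deferral_days"] = payload.get(DEFER_DAYS)
    if report["require_admin"] and not report["defers_major"]:
        report["findings"].append("only the admin-to-install key is set; the "
                                  "thread reports standard users can still upgrade")
    if report["defers_major"]:
        days = report["major_deferral_days"]
        shown = days if days is not None else "an unspecified number of"
        report["findings"].append(f"major upgrades deferred for {shown} days; "
                                  "this delays the upgrade, it does not block it")
    if not report["require_admin"] and not report["defers_major"]:
        report["findings"].append("no software-update control found in this profile")
    return report

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE)["findings"]:
        print(finding)
```
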
