
macOS admin here. I'm still going around screaming "DON'T UPDATE IT WILL BREAK EVERYTHING" about Big Sur :'(

Apple is just bad at breaking things for enterprise and notoriously slow fixing bugs affecting enterprise users. Right now there's still a major bug affecting Mobile Active Directory accounts, causing users to be locked out if they're not in the office after they upgrade. Sigh.. Problem is the MDM profile that should apply to local users only is somehow affecting mobile AD user accounts since the upgrade. In Catalina and before this was not an issue. Apple support acknowledged this but is still working on a fix. Even in 11.3 it's still not fixed.

And they don't provide an MDM method for update blocking. You can only postpone them a number of days (but this will affect minor and major updates alike so is not what you'd want). You can get it if you provision an infrastructure of update servers but we can't in our place :( This is why admins like me can't stop those prompts appearing for you.

PS Our latest Macs are running without AD (using the new Kerberos SSO plugin) and they fare a lot better. Unfortunately it took me a long time to convince our Windows-centric security team that it actually weakens our security and accomplishes nothing on Mac :)

This is the problem in enterprises. As an admin I know there are better ways to do things but many of these decisions are imposed on me by other teams.



