While I’ve been running Tahoe for testing purposes on a secondary Mac since WWDC 2025, my main Mac remains on Sequoia, and I intend to keep it that way for as long as possible. Unfortunately, the innovators in Cupertino have invented numerous ways to annoy users into updating, via notifications and Dock badges, or outright tricking users into updating via dark patterns. My way of stopping this madness is not for everyone. Perhaps it’s for no one but me. I don’t need my Mac to tell me when a software update is available, because I follow the Apple news religiously. In any case, my discussion may provide some insight into how macOS software updates work.
My weapon of choice is Little Snitch. I’ve created rules in Little Snitch to deny outgoing connections from the following processes:
/System/Library/CoreServices/Software Update.app/ Contents/ Resources/ softwareupdated
/System/Library/PrivateFrameworks/MobileSoftwareUpdate.framework/ Support/ softwareupdated
/System/Library/PrivateFrameworks/SoftwareUpdate.framework/ Versions/A/ Resources/ SoftwareUpdateNotificationManager.app
/usr/libexec/mobileassetd
There’s also a rule to deny outgoing connections from /usr/libexec/nsurlsessiond to the updates.cdn-apple.com hostname. Don’t block nsurlsessiond entirely, because it’s needed for other unrelated purposes.
All of these processes run in the background, though they can be triggered manually from System Settings or Terminal.
I never use System Settings to perform software updates and have disabled all automatic update settings:
Instead I perform all software updates in Terminal app with the /usr/sbin/softwareupdate command-line tool. Read the fine man page. When I need to update, I temporarily disable the softwareupdated and nsurlsessiond rules in Little Snitch. The mobileassetd rule also needs to be disabled for macOS updates. (And for installing Xcode simulators!) Indeed, denying outgoing connections to mobileassetd will prevent softwareupdate --list from showing Tahoe. But for other software updates such as Safari and Safari Technology Preview, mobileassetd can be blocked in Little Snitch.
After updating, I re-enable the Little Snitch rules. If you put the System Settings app in your Dock, and the Dock icon is badged for an update such as Tahoe, then running the softwareupdate tool again with all connections denied will make the badge disappear again.
By the way, softwareupdate has an undocumented command-line option --include-config-data that you need in order to install some minor updates related to XProtect. However, if you’re extremely careful about which software you install on your Mac, as you obviously are if you’re using Little Snitch, then these updates are not really urgent. In over 20 years of Mac use, I’ve never accidentally or intentionally installed malware. I’ll typically run softwareupdate --list --include-config-data only when I’m already installing some other software update.
This process is not for the faint of heart, or mind. Please don’t email me requesting that I hold your hand through software updates. Instead, email Tim Cook requesting that he cease and desist with the stupid annual update schedule.