See below on how to block this upgrade with Jamf Pro.
As with any new OS release, you might have some required software titles which are not compatible with the new OS & especially some of the more security focused changes.
For example, today Adobe released a KB with some details around issues with Creative Cloud Packages & macOS Catalina, below is an excerpt.
The writing has been on the wall for 32-bit apps since 10.13.4, & at WWDC this year it was mentioned that Catalina would not support 32-bit apps.
So, you might need to block Catalina whilst some of these needed software titles are updated.
But we deferred?
Deferral only works for updates, not upgrades.
So, 10.14.x updates. Not the macOS 10.15 upgrade.
Enter Restricted Software
Restricted Software can be used here as one method to block folks from installing macOS Catalina.
Admittedly, there are methods to subvert this. But they are better discussed elsewhere.
To block macOS Catalina via Restricted Software, see the below:
You can tweak these options as per your requirements, but the above should be the bare minimum. The scope & message etc should all be set as per your organisational needs.
I will advise not to check “Delete Application” as from previous experience, Apple will push the install.app, if deleted.
Also, wildcards might not work currently as their appears to be a Jamf Pro PI around them at the moment.
There is no step 2!
Actually there is, the Restricted Software setting will only apply to devices within scope one their Management Framework has refreshed.
This happens periodically on macOS devices, but you can force this via the below when ran as sudo:
The above is handy for running locally when testing the Restricted Software setting, & once happy you can wait for the clients to perform their periodic Management Framework or push a policy that runs the above once per computer on your check-in interval.
So, there is no step 3? Right?
There is an optional step, as per:
With more steps:
When ready to release Catalina, you can then revert this via:
Is that it?
Well, not really.
Let alone methods outside of the booted OS, so you might want to look at setting a firmware password too.