
Minimum OS version for enrolling Apple devices via ADE

What

MDM servers can enforce a minimum operating system version on enrolling devices when using Automated Device Enrollment (ADE). This feature was added in FileWave version 15.1.0 for macOS 14.0 Sonoma and iOS/iPadOS 17.0. Apple does not support this feature on older versions of macOS or iOS/iPadOS.

When/Why

Setting a minimum OS version ensures that devices are on the necessary OS version before being put into production. The MDM sends a JSON 403 response when the device requests the enrollment profile. If an update to the minimum operating system version is needed, the user is guided through the process of updating the device. Restarts are performed automatically. Once the update is complete, the device returns to Setup Assistant and the user can finish the enrollment and setup process.

How

Support for a minimum OS version was added in FileWave 15.1.0. To specify minimum OS versions, open the DEP profile and go to the Options → Requirements section. There are separate fields for the macOS and iOS/iPadOS minimum OS versions.


Supplemental version identifiers can be specified in addition to the standard MAJOR.MINOR.PATCH format (for example “17.1 (a)”).

What is displayed on the device?

When the MDM server requests a minimum OS version, a specific dialog appears on the device.

For macOS:

[Screenshot: macOS dialog]

For iPadOS:

[Screenshot: iPadOS dialog]

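If a macOS device cannot install the requested OS version, the following dialog appears:

[Screenshot: macOS dialog shown when the requested OS version cannot be installed]

On iPadOS there is no specific dialog in this case; the “Next” button is simply greyed out and there is no way to proceed.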

Digging Deeper

MachineInfo from the device is parsed on the server side during DEP profile handling. If it contains the MDM_CAN_REQUEST_SOFTWARE_UPDATE flag and the flag is True, the minimum OS version specified in the DEP profile is compared with OS_VERSION from MachineInfo according to the device type (macOS or iOS/iPadOS). The MDM server sends a software update request to the device in 2 cases:

  1. If the current OS version is less than the minimum OS version

  2. If the current OS version equals the minimum OS version but the current supplemental version identifier is less than the required supplemental version identifier.

The software update request from the server is a 403 JSON response with the following body:

{
    "code": "com.apple.softwareupdate.required",
    "details": {"OSVersion": "<minimum OS version>"}
}

In this case enrollment is interrupted by the dialogs mentioned above.
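
The decision described in this section can be sketched as follows. This is an added example, not FileWave's server code. It assumes the MachineInfo payload has already been verified and decoded to a plist, that the device type is derived from the PRODUCT key, that the supplemental identifier arrives in SUPPLEMENTAL_OS_VERSION_EXTRA, and that identifiers are single letters compared alphabetically; all function names are hypothetical.

```python
import json
import plistlib
import re

# "17.1 (a)" = up to three numeric parts plus an optional supplemental identifier
_VERSION = re.compile(r"^\s*(\d+(?:\.\d+){0,2})\s*(?:\(([a-z])\))?\s*$")

def parse_version(text):
    """'17.1 (a)' -> ((17, 1, 0), 'a'); without a supplemental part -> ''."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unparseable OS version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums + (0,) * (3 - len(nums)), m.group(2) or ""

def enrollment_response(machine_info, minimums):
    """Return (http_status, json_body or None) for an enrollment profile request."""
    info = plistlib.loads(machine_info)
    # Only devices that advertise the flag can be asked to update.
    if info.get("MDM_CAN_REQUEST_SOFTWARE_UPDATE") is not True:
        return 200, None
    # Assumption: device type is derived from the PRODUCT model string.
    platform = "macOS" if "Mac" in info.get("PRODUCT", "") else "iOS"
    required = minimums.get(platform)
    if not required:
        return 200, None
    # Assumption: the supplemental identifier arrives in its own key, e.g. "(a)".
    current = f'{info["OS_VERSION"]} {info.get("SUPPLEMENTAL_OS_VERSION_EXTRA", "")}'
    # Tuple comparison covers both cases: lower version, or equal version
    # with a lower (or missing) supplemental identifier.
    if parse_version(current) < parse_version(required):
        body = {"code": "com.apple.softwareupdate.required",
                "details": {"OSVersion": required}}
        return 403, json.dumps(body)
    return 200, None

def sample_machine_info(product, os_version, extra="", can_update=True):
    """Constructed MachineInfo plist for the demo (not captured from a device)."""
    return plistlib.dumps({"PRODUCT": product, "OS_VERSION": os_version,
                           "SUPPLEMENTAL_OS_VERSION_EXTRA": extra,
                           "MDM_CAN_REQUEST_SOFTWARE_UPDATE": can_update})

if __name__ == "__main__":
    minimums = {"macOS": "14.2", "iOS": "17.1 (a)"}  # constructed DEP profile values
    for args in [("iPad13,1", "17.1"), ("iPad13,1", "17.1", "(a)"), ("Mac14,2", "14.1")]:
        print(args, enrollment_response(sample_machine_info(*args), minimums))
```

A device that does not send the flag gets a normal response, so the minimum is not enforced for it; that matches the statement above that older OS versions do not support the feature.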