Skip to main content
Question

Prestage Ignoring Minimum required macOS version

  • June 11, 2026
  • 14 replies
  • 201 views

Forum|alt.badge.img+1

We purchased some M5 MacBook Airs with Tahoe with 26.2 installed and when we deploy them to a new staff person, they are required run a macOS update despite the fact we have the minimum required macOS version in the prestage set to “no enforcement”.  I don’t think this was happening in previous macOS’es.

This just prolongs the onboarding process.

14 replies

Chubs
Forum|alt.badge.img+26
  • Jamf Heroes
  • June 11, 2026

Do you have this allowed (unchecked) in your prestage?
 

 


Forum|alt.badge.img+1
  • Author
  • New Contributor
  • June 11, 2026

No we have that checked off.


Chubs
Forum|alt.badge.img+26
  • Jamf Heroes
  • June 12, 2026

Curious - how do you know what’s installed at runtime? Also, I bet it has something to do with the BSI - probably something from Apple requiring the BSI. 
 

So if you can find one that has 26.3+ and try to enroll it and see what happens, then you’ll know. 


Forum|alt.badge.img+1
  • Author
  • New Contributor
  • June 12, 2026

I pulled out a new M4 MacBook Air from last year which I updated to 26.4.1 and it does not prompt me to update the macOS to 26.5.1 at enrollment so I am suspecting it’s something in the properties of those new M5 Airs. 

BTW what is “BSI”?


mvu
Forum|alt.badge.img+22
  • Jamf Heroes
  • June 12, 2026

Maybe a Jamf bug? Are you able to just test 1 Mac for Latest version based on computer elgiblity. 

 

 


Chubs
Forum|alt.badge.img+26
  • Jamf Heroes
  • June 12, 2026

I pulled out a new M4 MacBook Air from last year which I updated to 26.4.1 and it does not prompt me to update the macOS to 26.5.1 at enrollment so I am suspecting it’s something in the properties of those new M5 Airs. 

BTW what is “BSI”?

Apple Background Security Improvements:

https://support.apple.com/en-us/126604


Forum|alt.badge.img+1
  • Author
  • New Contributor
  • June 12, 2026

These Macs are on 26.3 so it may be a property of that specific macOS.  I should download that specific installer and try it on a non M5 Air.


Forum|alt.badge.img+1
  • Author
  • New Contributor
  • June 12, 2026

I just got word from our Apple TAM that 26.3 could have been a build that was tagged to have a mandatory update. 

In fact, I am unable to download this build from Download Full Installer.


Chubs
Forum|alt.badge.img+26
  • Jamf Heroes
  • June 12, 2026

I just got word from our Apple TAM that 26.3 could have been a build that was tagged to have a mandatory update. 

In fact, I am unable to download this build from Download Full Installer.

Like I said, pretty sure the BSI is what is doing it….


MichielD
Forum|alt.badge.img+4
  • New Contributor
  • June 15, 2026

There where issues with M5 and network connections. Apple can flag a specific set of hardware that allows them to force an update during ADE. I think this is happening so that whatever M5 enrolls in your company gets the latest build so it can not cause any issues. 


sdagley
Forum|alt.badge.img+25
  • Jamf Heroes
  • June 15, 2026

The mandatory update during enrollment isn’t a BSI triggered update. As ​@MichielD indicated Apple can ship Macs with a version of macOS that will trigger an immediate update during Setup Assistant, whether or not the Mac is enrolled for MDM. This was the case for M5 Macs initially shipped with macOS 26.3 as reported by ​@dlee_PA’s Apple TAM and other Apple employees that frequent MacAdmins Slack.


Chubs
Forum|alt.badge.img+26
  • Jamf Heroes
  • June 15, 2026

BSI is the replacement for RSR.  At enrollment, it’s one of those things that could take place to resolve some ZDCVEs which were prevalent in that version of macOS. (Usually builds with outstanding CVEs are pulled and unsigned to protect people.)

But to each their own.  Without official “why” from Apple and not a “could have been...” approach, we are free to think what we want 😊. 


sdagley
Forum|alt.badge.img+25
  • Jamf Heroes
  • June 15, 2026

You’re certainly free to think what you want but given that Apple is notorious for not publicly documenting everything there’s no surprise they haven’t commented on the mandatory macOS update for M5 Macs shipped with 26.3. What you do have are the word of ​@dlee_PA’s Apple TAM that it was done intentionally, and if you check the #appleseed-private channel on MacAdmins Slack you’ll see the same information provided by an Apple employee in a position to know, so thinking it was BSI related would be incorrect in light of that information.


Chubs
Forum|alt.badge.img+26
  • Jamf Heroes
  • June 15, 2026

I usually do think for myself based off the data gathered 😊 - and there is some level of BSI/RSR updates happening due to the hardware (actually, kernel...) vulnerability that was patched with the m5.  You say it’s a hardware issue, I’m saying it’s software.  You say that it’s “flagged hardware”, I’m saying it’s flagged in the BSI for patching.  What I’m merely saying is that the mechanism they are using very well may be the BSI/RSR path to force these updates at enrollment - hence it being the required update/patch.

Regardless, this particular update is to fix the kernel holes that can be detrimental to the security of the device as a whole.  There’s a whole discussion about the m5 holes regarding older macOS versions (specifically from May and older) and how 26.5+ has bridged the gap.

Anywho, hope everyone has a wonderful day!